|
SCJ: What is identity verification who needs to be concerned with it?
Creighton: Identity verification has always been important to businesses, but in today’s world of electronic fraud, phishing and identity theft, its importance goes well beyond corporate lines. All parties transacting business online, including consumers, businesses, government organizations and academic institutions, need to be sure that the identity of a person, device, business, document or application is authentic.
For example, take online shopping. We are in the midst of a holiday shopping season when billions of dollars will be spent online by consumers. Similarly, this is a busy time for online business purchases as companies begin planning for 2006. This level of activity makes it an ideal time for phishers and fraudsters to try to lure consumers and business users to counterfeit websites to solicit personal information, including credit card and Social Security data.
This is where identity verification comes into play. In this example, identity verification helps shoppers verify the authenticity of a website so that they can be sure that they are conducting commerce with a trusted party. There are a few ways that online shoppers evaluate a site’s security and identity credentials. First, they can make sure that the site with which they are dealing has an SSL certificate from a trusted third party. Second, they can use an anti-phishing toolbar to help them verify that the site is authentic and not a rogue URL that was created to look like an authentic site. Third, they can use an anti-phishing search service that will help them find and identify sites with whom it is safe to conduct business.
SCJ: What is the difference between identity verification and identity management?
Creighton: Identity verification is the first and most critical step in identity management. Unless you can establish a trusted identity for an individual, organization, device or application, business and commerce cannot be securely conducted and all other steps in the identity management process become irrelevant.
Surprisingly, commonly used identity management solutions will often make the dangerous assumption that an identity has already been verified. They simply govern the type of information an individual or application can access. But if someone has been given unauthorized access to critical information or systems without being verified, and the identity information is fraudulent, what use is managing that information?
Despite this problem, identity verification remains a largely unrecognized component of corporate identity management policies and solutions. When properly applied, however, identity verification can prevent everything from the nuisance and economic cost associated with spam, to the downtime and network damage caused by viruses, to personal identity theft and fraud or phishing. As a result, companies can save the time, money and/or brand equity typically lost when a security event takes place.
SCJ: What are the benefits of using managed services rather than implementing internally maintained systems?
Creighton: There are several benefits to using a managed service for identity verification and credentialing, whether that’s issuing SSL certificates, digital client certificates, tokens or smart cards.
The security industry has always been plagued by a serious shortfall of qualified professionals, leaving many organizations lacking the necessary expertise to properly implement an identity verification and credentialing system, especially when you consider the complexity of managing a digital certificate authority in-house. This shortfall also creates serious competition for the few qualified professionals available, adding to the cost of implementing an internal system. Therefore, using a managed service from an expert third-party is simply a more cost-effective proposition than implementing an internal system for many organizations.
For other organizations, using a managed service is critical to conducting business online. Financial services and insurance companies, banks, mortgage companies, online brokerages and e-commerce sites with high-volume, high-value transactions may not have a pre-established relationship with a consumer, so they need a trusted organization to assist in the verification process. And ultimately these companies aren’t in the identify verification business—they want to outsource the process to experts.
SCJ: We’re seeing an increase in the sharing of identities between different applications and organizations. What does this mean for the future of identity verification?
Creighton: As more economic activity moves online, the need for identity verification will become even more important. When two parties without a prior relationship want to transact business, and when organizations want to federate identities, third-party identity verification makes sense. A trusted third party can perform the vetting and credentialing process, as well as manage some of the technical, management, revocation and liability issues.
It is really analogous to the concept of credit bureaus. The big three credit bureaus share identity information with organizations so that they can conduct business with consumers in a trusted way. We see a similar role for identity verification in electronic business, but more from the credentialing and authentication aspect. The applications are limitless, and we believe that identity verification will be a critical enabler of business in the new economy.
Go Back
|
