ID Lifecycle 101: Credential management
Part three in a series on identity issuance and management
27 September, 2011
category: Contactless, Corporate, Digital ID, Government, Library, NFC
Issuing a credential is only the start of the identity lifecycle. As an individual moves around an organization, controlling and adjusting the systems he can and cannot access is as important as the initial identity vetting. Throughout the ID lifecycle, this identity and credential management function is essential.
As identification has evolved, “it’s gotten much more detailed and much more broad,” says Terry Gold, vice president of sales North America at idOnDemand. “Over the past 10 years, the importance of identification within an organization has skyrocketed.”
When dealing with ID management, coordination of both physical and logical access points is key. However, different areas within an organization often have responsibility to control different access privileges. Security departments tend to manage the physical aspects, controlling who gets into buildings, garages, elevators, doors and doors within doors. IT manages the logical access functions, granting permission to devices, applications and networks.
“It takes a great vision to put the two together,” says Neville Pattinson, vice president of standards and government affairs at Gemalto. “You have to have oversight over the two. If you do one without the other, it can be chaos.”
Companies that don’t coordinate these two functions may waste a lot of money. “The bad way is to consider them separate (functions). Individuals are doing different things and buying incompatible equipment,” says Pattinson. This can result in having to issue separate IDs and credentials for each function, which can be a budget breaker.
“The good way is to have one central repository for identity of the individual. You provide the same credential for the logical and physical world. All systems understand the same credential, even if they’re used in different ways,” says Pattinson. “Central identity management is key.”
Along with making sure identity is centrally managed, Gold says it should also be managed in-house. While credential issuance can be outsourced, she believes it is risky to outsource the management functions as well. “Most enterprise and government agencies are very resistant to outsource much that relates to these controls,” says Gold.
“Our philosophy is to segregate the credential issuance process from these controls and let the customer completely own these areas as they wish. This ensures that they remain in complete autonomous internal control of who accesses what, views data, etc.,” says Gold.
Issuing identification to a new employee begins before the employee’s first day on the job. “When a new employee arrives, all the basic access should be there. All systems should be labeled for one credential and should be propagated,” says Pattinson. “You’re provisioning the person into the system from day one.”
Preparing for that employee involves making sure that he is who he says he is, and this requires diligent effort before the person is put into the system. “Vetting is the key to the kingdom,” says Pattinson.
Administrators of the identity system usually determine who accesses which applications within an organization. Many vendors provide solutions to make this process easier, through products such as Active Directory, LDAP and dedicated ID management solutions.
As a user gets into higher levels of access within a corporation, more authorization and verification is necessary, says Pattinson. Access levels can also be set for pre-determined periods of time.
“Once the individual is using the credential, there is post-issuance lifecycle support for functions that handle lost cards/devices, forgotten PINs, PIN changes, remote delivery and activation or onsite bureau printing and programming to offload traditional help desk functions into a secure self-service model,” says Gold.
Companies are beginning to explore different types of applications that can be added to a person’s identity badge. Functions such as time and attendance, transit ticketing and payment, parking and garage access, and cafeteria privileges are just a few of the applications being added to credentials.
Going mobile
The mobile device is also playing more of a role in identification, and corporations are trying to figure out how to handle it. Putting an ID on a mobile device is new territory that many organizations are still working out. Mobile identification is “getting increasingly interesting, but it’s not simple,” says Nichols. “Apple has this great ad where I can buy a Starbucks coffee (by waving my phone), but an ID has to be protected differently.”
Identification using a mobile device is complex and requires careful consideration, says Nichols. How will photo ID be managed? How will lost, stolen and voluntarily upgraded handsets be managed within the identity management environment?
“Are we going to allow two credentials, one physical and one digital?” asks Nichols. “What complication does that have?”
As NFC phones become more prominent, companies will certainly look more into mobile as an identification tool. But Nichols cautions organizations to evaluate “the complete ecosystem when defining when and where identification can be provisioned onto the phone.” Organizations need to be sure that an ID on a phone can’t be easily cloned, compromising physical and logical security.
“Be aware … pay attention (to mobile),” says Nichols, “but if you’re making a decision right now, don’t base it solely on NFC.”
Shifting priorities
As ID management has evolved, the systems now center on the individual rather than the application. Instead of protecting the array of disparate applications via dedicated processes, a focus on authenticating the individual has enabled a more centralized and cohesive approach to security. “Let’s present the same credential and let the system decide whether or not to grant the individual access,” says Pattinson.
This convergence of physical and logical adds additional security. “For example, if you use your badge at the door in Denver, you can’t log in from California,” says Pattinson. “It combines the physical presence with the logical presence.”
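The Denver/California check Pattinson describes, written out as an added example that is not from the article or from any vendor's product: a correlation pass over constructed badge-reader and logon events (the users, site names and timestamps are assumed) that flags any logon whose physical location disagrees with the user's most recent badge-in.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events (not from the article). Badge swipes and network
# logons are each tagged with the site where they physically occurred.
BADGE_EVENTS = [
    # (user, site, direction, ISO timestamp)
    ("alice", "denver", "in", "2011-09-27T08:02:00"),
    ("bob", "denver", "in", "2011-09-27T08:10:00"),
    ("bob", "denver", "out", "2011-09-27T12:00:00"),
]
LOGON_EVENTS = [
    # (user, site of the workstation used, ISO timestamp)
    ("alice", "denver", "2011-09-27T08:05:00"),      # badged in here: allowed
    ("alice", "california", "2011-09-27T09:30:00"),  # badged into Denver: alert
    ("bob", "denver", "2011-09-27T12:30:00"),        # already badged out: alert
    ("carol", "denver", "2011-09-27T09:00:00"),      # no badge record at all: alert
]


@dataclass
class Alert:
    user: str
    logon_site: str
    reason: str


def _ts(s):
    return datetime.fromisoformat(s)


def presence_at(user, when, badge_events):
    """Site the user was last badged into before `when`, or None if the most
    recent badge event was an exit (or there is no badge record at all)."""
    last = None
    for u, site, direction, t in sorted(badge_events, key=lambda e: e[3]):
        if u == user and _ts(t) <= when:
            last = site if direction == "in" else None
    return last


def check_logons(logon_events, badge_events):
    """Flag every logon whose location disagrees with badge-derived presence."""
    alerts = []
    for user, logon_site, t in logon_events:
        site = presence_at(user, _ts(t), badge_events)
        if site is None:
            alerts.append(Alert(user, logon_site, "no badge-in on record"))
        elif site != logon_site:
            alerts.append(Alert(user, logon_site, f"badged into {site}"))
    return alerts


if __name__ == "__main__":
    for a in check_logons(LOGON_EVENTS, BADGE_EVENTS):
        print(f"ALERT {a.user} logon at {a.logon_site}: {a.reason}")
```

In a deployed system the same rule would be enforced at logon time by the access-control decision point rather than only reported after the fact.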
In terms of adoption, there’s still a long way to go. Although large organizations and governments are leading the way to ID management, Pattinson says we are still in the early days of converged access and identity management solutions.
While the government and companies that deal with sensitive information have hopped on the ID management bandwagon early, other companies are just now implementing these systems. “The take up is slow, but it’s beginning to get to critical mass,” says Pattinson.
As companies continue to adopt identification management systems, more self-help options and automated processes will be developed. “Help desks can cost a lot of money,” says Pattinson. Users will be able to use web portals to perform simple tasks like PIN resetting. Certificate renewal is another process that can be automated “by plugging into a portal and renewing credentials, rather than getting a lot of people involved,” says Pattinson.
Still, pervasive ID management may be further down the road than some might think. “A lot of these solutions are very complex to deploy, requiring large budgets and multi-year timelines. As a result, we will continue to see maturity in ID management applications and their ability to scale, deploy more easily, and include more applications,” says Gold.