The dollars and ‘sense’ behind federating identity
Gov study: Outsourcing online IDs can save $100 million +
06 January, 2014
category: Digital ID, Government
The Internal Revenue Service could save up to $300 million annually by outsourcing an identity credential, according to a report compiled by the National Institute of Standards and Technology. Moreover, the IRS stands to save $111 million up front should it establish an identity management system that aligns with the National Strategy for Trusted Identities in Cyberspace (NSTIC), the U.S. government initiative designed to encourage interoperable, secure credentials for citizens.
Recent research conducted by ABI further supports identity outsourcing by federal agencies. In a report entitled “Securing Online Access to e-Government Services Through Federated ID,” the federated identity model is promoted as a means to strengthen online government and health care utilities.
These reports have captured the attention of the public and private sectors, building momentum for the idea of federating identities.
Why outsource?
By shifting identity from an in-house operation to a third-party vendor, the IRS could spread the work over multiple trusted organizations rather than shoulder the entire responsibility itself. Moreover, outside vendors could bring their own added levels of security.
“If the IRS continues to do its own identity management, it controls and is responsible for every aspect – from identity verification, to performing routine authentication accurately, to protecting its actual credential repository,” explains Eve Maler, principal analyst serving Security and Risk Professionals at Forrester.
The unfortunate truth, however, is that the IRS has a checkered past when it comes to protecting identities online. Following a recent agency breach that leaked some 2,000 Social Security numbers, it may come as a significant relief that an alternative approach to online identity protection is available.
“As we’ve seen, data protection is hard and the IRS isn’t doing it very well,” says Maler. “With the use of external credentials, it would depend on a third party and thus give up some control, but the calculation is much the same as for outsourcing any function to the cloud.”
Though outsourcing identity could bring an added level of security, the real draw remains the cost savings. “Outsourcing identity credentials is appealing because of cost savings associated with maintaining identity repositories, performing authentication and performing password resets – particularly where these are mediated by call center personnel,” explains Maler.
There is real cost associated with utilities like password resets and other access management functions, and the agency could glean inspiration from the private retail sector.
“Marketing and retail web sites are increasingly enabling ‘social login’ (a form of identity outsourcing) in order to smooth the path to users’ account registration and gain access to user data,” says Maler.
Social login has been criticized for a perceived lack of user control and privacy protection. This poses a significant hurdle for citizen use, as Maler points out. “Government-to-citizen identity outsourcing puts a premium on user privacy, shielding the sources and clients of those identities from knowing about each other.”
Enter NSTIC
Despite the apparent advantages of an outsourced identity management system, no U.S. federal agency has officially committed to the switch. As Maler points out, NSTIC might yet play a definitive role.
“A key motivation in the original Federal Identity, Credentialing and Access Management program that underlies NSTIC is government efficiency,” says Maler. “The NSTIC program takes into account broader government-to-citizen scenarios as well as entirely private-sector efficiencies such as safer online commerce.”
Should an NSTIC-aligned solution be implemented, the returns will likely make the move worthwhile. The NIST report estimates that an NSTIC solution utilizing third party credentials would cost the IRS $40 million to $111 million less to roll out than a proprietary, IRS-managed identity system. Additionally, it could save $2 million to $19 million annually.
The NIST report goes on to reveal that further savings could be recorded as an NSTIC-aligned solution would eliminate the need for the IRS to pay for the individual identity proofing of users. Instead, the NSTIC solution could accept third party, trusted credentials that have already been proofed. Leveraging third parties in this way would enable the IRS to spread proofing costs across numerous parties where the credential would be accepted.
Federated identity may already be familiar to some who use Facebook, Google and other social media sites as login credentials on other sites. What is lacking with these current solutions, however, is an added layer of certainty that an NSTIC-aligned solution could provide, according to Phil Sealy, research analyst with ABI Research. At present, the social-network-driven federated identity solutions don’t ensure that identities match their owner, as a single person could maintain multiple accounts under different personas.
Thus, the argument for a more secure and reliable identity management system – one that tethers a digital credential to each individual citizen – is certainly understandable. As Sealy reveals, however, there remains concern as to how these credentials would be used by federal agencies.
Privacy, then, is an ever-present consideration and Sealy believes that the issuing of digital identity credentials to every citizen is sure to raise eyebrows – particularly amongst American citizens who are still reeling from the recent NSA leaks.
With this in mind, federated identity initiatives – especially those adopted by federal or health care agencies – will need to be approached with delicacy and transparency. Sealy posits that it will also be vital for the public to acknowledge the value that federated identity will provide – a means to limit the information the user shares with a web site – as opposed to how the technology could be abused.
Per the ABI report, federated identity promises to improve upon security and privacy by providing an easy to operate, user-centric service for accessing e-government services.
Despite being very early on in the process, ABI Research estimates that some 786 million federated identity credentials will ship in 2018. That’s a significant number, and one that has surely put identity vendors on high alert.
The facts and figures are just too significant for even a large federal agency like the Internal Revenue Service to ignore. Ancillary benefits aside, the financial incentive to outsource identity credentials simply makes sense.