Striking the right balance between security and usability is critical for any IAM program. However, only in rare and extremely small environments will a "one size fits all" approach suffice to meet this challenge. The balance to be struck is between risk and security controls, and getting it right is rewarded by an improved user experience.

Levels of Assurance (LOA) is the industry parlance for frameworks that assess risk and define appropriate security controls. There are several LOA frameworks in circulation, but one of the most popular is NIST 800-63 (http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf). The NIST framework was designed to guide federal agencies in employing appropriate access controls based on risk profiles.

The Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance (http://www.idmanagement.gov/documents/FICAM_Roadmap_Implementation_Guidance.pdf) is a comprehensive model for LOA in action. It is meant as a guideline for federal agencies in tackling identity and access management in a world where risk exists in shades of gray and where security controls should be applied to the extent that they are appropriate.

FICAM Reference Architecture

Level of Assurance frameworks are clearly applicable to authentication systems. Risky transactions (for example, changing financial data in the ERP) require a higher level of assurance that the person committing the transaction is actually who they say they are. Assurance can be increased by requiring a second factor of authentication (aka multi-factor authentication or MFA).

Another application of LOA is in the area of credentialing and identity vetting. Assurance can be increased merely by the fact that someone has gone through a process to verify their human identity. A good example of how this process works is when a college ID is created: students are photographed and their driver's license (or some other ID) is validated.

One industry where LOA frameworks have garnered a great deal of attention is higher education. The InCommon Federation has developed a levels of assurance framework (http://www.incommon.org/assurance/) that is meant to set a common understanding of what level of identity vetting has been performed. This common language is valuable in higher education due to the importance of collaboration. Collaboration involves sharing online resources and relying on the identity provider to have appropriately vetted its users.

In-person Identity Vetting

I think the need for a guideline to understand risk at the application or transaction level and then apply specific controls based on that risk transcends industries. Having an LOA framework in place will help an organization decide when username and password is a sufficient control, when multi-factor authentication is needed, or even when "bring your own ID" (BYOId) is the appropriate control.

BYOId is a great example of why a level of assurance framework or guideline is so important. This BYOId trend is a truly powerful tool for organizations. It can provide a simple mechanism for the world to interact with your organization without creating an "enterprise identity", which may inconvenience people just enough that they decide to go elsewhere. BYOId in the form of OpenID (e.g. using your Facebook or Yahoo! ID) just doesn't meet the level of assurance to replace the enterprise ID completely. However, maybe a BYOId is good enough for certain applications and transactions. An LOA framework helps organizations make those decisions.
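An added example, not from the original post or from NIST, FICAM or InCommon: a minimal policy check that combines the two sources of assurance discussed above (authentication strength and identity vetting) and decides whether to allow a transaction, ask for a second factor, or require a vetted identity. The level numbers, credential names and transaction names are assumptions made for illustration, as is the rule that overall assurance is capped by the weaker of the two components.

```python
from dataclasses import dataclass

# Illustrative levels (assumptions for this example, not quoted from NIST or FICAM).
AUTHENTICATOR_LOA = {"byoid_social": 1, "password": 2, "password+mfa": 3}
PROOFING_LOA = {"self_asserted": 1, "remote_verified": 2, "in_person": 3}
REQUIRED_LOA = {  # hypothetical transactions and the assurance each one demands
    "read_public_forum": 1,
    "view_timesheet": 2,
    "change_erp_financial_data": 3,
}
STRONGEST_AUTHENTICATOR = max(AUTHENTICATOR_LOA.values())


@dataclass(frozen=True)
class Session:
    authenticator: str  # how the user logged in for this session
    proofing: str       # how the identity was vetted when it was issued


def achieved_loa(session: Session) -> int:
    """Overall assurance is capped by the weaker component; unknown values score 0."""
    return min(AUTHENTICATOR_LOA.get(session.authenticator, 0),
               PROOFING_LOA.get(session.proofing, 0))


def decide(session: Session, transaction: str) -> str:
    required = REQUIRED_LOA.get(transaction)
    if required is None:
        return "deny"  # unclassified transactions fail closed
    if achieved_loa(session) >= required:
        return "allow"
    # A second factor only helps when identity vetting is already sufficient.
    vetted_enough = PROOFING_LOA.get(session.proofing, 0) >= required
    if vetted_enough and STRONGEST_AUTHENTICATOR >= required:
        return "step_up_mfa"
    return "require_vetted_identity"


if __name__ == "__main__":
    visitor = Session("byoid_social", "self_asserted")   # BYOId user
    employee = Session("password", "in_person")          # enterprise ID
    for who, s in (("visitor", visitor), ("employee", employee)):
        for tx in REQUIRED_LOA:
            print(f"{who:9} {tx:26} -> {decide(s, tx)}")
```

In this model a self-asserted BYOId account is never offered the MFA prompt for a high-risk transaction, because a stronger login does not change how well the identity behind it was vetted.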

I like to start with the premise that people want the right balance of security and usability. In my personal life, I feel compelled to use strong passwords and 2nd factors of authentication to protect my finances. I feel similarly about my email account. However, there are times when I want to quickly use a new service and I don't even want to create an ID. I am comfortable using an external identity in these situations.

In summary, using a Levels of Assurance framework such as FICAM enables organizations to break the bonds of one-size-fits-all IAM and provide the right balance of security and usability.

 


Jim McDonald


Jim McDonald is an Engagement Manager at Identropy, where he is responsible for delivering strategy and roadmap engagements for the company’s clients. He brings to this role his extensive expertise in rolling out identity and access management technologies from various vendors as a practitioner at companies like Ingersoll-Rand and Ally Financial. Jim is an avid baseball fan and is passionate about his New York Yankees.