Tuesday, February 9, 2010
Understanding the Identity Lifecycle—Part 1
by Brent Williams, Anakam CTO
Terminology used in the marketplace for identity management solutions can be confusing. In some cases, the same word is used to refer to more than one element of the identity lifecycle; in other cases, a certain concept or process may be referred to by varying terms depending on the person speaking or the situation. Things become even more confusing when language of identity management is merged with the business language of market verticals like government, healthcare, banking, and e-commerce. This confusion is the greatest barrier to early success in comprehensive identity management projects because it becomes difficult for organizations to know what they have in place, what they need to do, and what tools they should have in order to accomplish their business goals. This three-part blog series is intended to help clarify terminology and procedure.
The National Academy of Sciences defined “identity” in its seminal report “Who Goes There?”
“The identity of X is the set of information about an individual X that is associated with that individual in a particular identity system Y.” (p. 20)
The definition in the National Institute of Standards and Technology (NIST) SP 800-63-1 adds that the collection of attributes has to be sufficient to uniquely identify the individual to whom the identity refers. From the perspective of a business owner, it is also important that the elements that comprise the identity be relevant to the business process in which the identity participates.
The identity management lifecycle involves a series of different processes, each with its own essential role. The goal of identity management is two-fold: to enable the right users to access systems, applications and data (authorization); and to ensure that the enterprise can accurately assign responsibility for access and associated actions (non-repudiation). The processes associated with identity management can be classified into three stages:
-
-
-
The rigor or level of effort appropriate at each stage is defined by the risk presented by the information or the business process protected by the identity management system. It is important to remember that the degree of assurance in identity proofing does not necessarily correlate to the “strength” of a credential that should be required for authentication. For example, if an enterprise offers a service in which users can enter and retrieve sensitive data, the enterprise may not need to know the real identity of these users. However, it may need to provide strong access credentials, such as two-factor authentication, to ensure that only the person who entered the data can retrieve it at a future time and to establish non-repudiation of activities performed by the user.
Let’s look at each part of the identity management lifecycle and how it relates to the risk management concerns and business processes within an enterprise.
Building an Identity within the Enterprise:
Building an identity may be a complex workflow managed by a workflow management or identity management tool, or a simple process in the head of a system administrator. It involves:
- Registration--deciding which identity elements are relevant to the enterprise and collecting that identity data
- Identity Proofing--validating the data and its association with the individual
- Credentialing--deciding how the user will demonstrate that he is authorized to use the identity when exercising associated privileges
Registration: The workflow of building an electronic identity within an enterprise typically begins with registration. Registration is the process during which identity information is captured in a directory, authentication system, or other business systems. Registration information could be tied to an identity of an actual individual (e.g., biographic information about the individual), but it could also be a set of attributes that do not uniquely identify a specific person (e.g., a made-up user name). Depending on the business functions that an individual will be able to perform on the basis of the identity, the enterprise may choose to gather limited biographic data up front and do limited verification of this data, with the idea that they will gather more data or do stronger identity proofing in the future, if and when the individual requires greater privileges.
The registration process can be integrated seamlessly with other processes so that the end-user enters the information once, and the information is used for multiple purposes within the enterprise. For example, an electronic loan application can also serve as a part of an identity registration process, with the same data being used for both.
Identity Proofing: Unless an enterprise is issuing an anonymous credential, the next step after registration is identity proofing. In identity proofing, the enterprise binds the collected identity data with the individual by verifying that the data actually identifies the individual who will receive and use the credential. Identity proofing can be done face to face, remotely, or based upon a reference. Depending on the business process that the user will be performing, it may be important to augment the individual’s biographical data with asserted professional qualifications or licensure. For example, if a user will be e-prescribing, it is important to bind the biographic data with valid medical licensure and prescribing credentials. The rigor of identity proofing is determined by the degree of risk associated with a benefit issued or an action permitted to the individual within the enterprise systems.
Credentialing: Once all of these steps are completed, the individual is issued a credential. Upon the presentation of the credential, he will be authorized to perform actions that reflect permissions, rights, or other authorities granted by the enterprise.
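As an added illustration (not code from this post or from Anakam), the three building stages above and the point that proofing assurance and credential strength are separate risk dimensions, modelled in Python; the level names, the policy table and the business processes are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed ordinal scales (not from the post or NIST): how confidently the
# enterprise knows who the user is, and how hard the credential is to misuse.
PROOFING = {"none": 0, "remote": 1, "reference": 2, "in_person": 3}
CREDENTIAL = {"none": 0, "password": 1, "two_factor": 2}


@dataclass
class Identity:
    attributes: dict = field(default_factory=dict)  # captured at registration
    proofing: str = "none"      # how the data was bound to a real person
    credential: str = "none"    # how the user proves control of the identity

    def register(self, **attrs):
        """Registration: capture identity data; nothing is verified here."""
        self.attributes.update(attrs)
        return self.attributes

    def proof(self, level, verified):
        """Identity proofing: raise assurance only when verification succeeded.
        Can be repeated later at a higher level (progressive proofing)."""
        if verified and PROOFING[level] > PROOFING[self.proofing]:
            self.proofing = level
        return self.proofing

    def issue_credential(self, kind):
        """Credentialing: issued at any proofing level, including none
        (an anonymous credential bound to a made-up user name)."""
        self.credential = kind
        return self.credential


# Constructed policy: each business process sets its own floor on BOTH axes.
# 'retrieve_own_data' needs no proofing but a strong credential;
# 'e_prescribe' needs in-person proofing, two-factor, and a licence attribute.
POLICY = {
    "retrieve_own_data": ("none", "two_factor", []),
    "view_statement": ("remote", "password", []),
    "e_prescribe": ("in_person", "two_factor", ["licence"]),
}


def authorized(identity, process):
    """Authorization: proofing floor, credential floor and required attributes."""
    min_proof, min_cred, attrs = POLICY[process]
    return (PROOFING[identity.proofing] >= PROOFING[min_proof]
            and CREDENTIAL[identity.credential] >= CREDENTIAL[min_cred]
            and all(a in identity.attributes for a in attrs))
```

Walking one identity through the stages shows that a never-proofed user with two-factor can retrieve their own data but not view a statement, and that in-person proofing alone does not unlock e-prescribing until the licence attribute is registered.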
In Part 2 of this blog series we will talk about authentication, i.e., about the use of credentials issued after identity proofing.