For those entrusted with setting standards for identity management, look to privacy first in architecting secure, scalable systems for authentication.
Electronic privacy was an overarching theme of the OASIS Identity Management 2009 conference, held at the National Institute of Standards and Technology in Gaithersburg, Md.
Rapid growth in key technologies deeply entwined with identity is driving this focus on privacy, including social networking, handheld devices, health care IT, smart grid, homeland security and cloud computing.
As federal regulatory guidance is updated to address security and privacy in this changed digital landscape, effective management of customer, user and citizen identity is critical to consumer privacy, business success and civic engagement.
"The important thing about identity management is that it can create more trust," said Mary Ellen Callahan, chief privacy officer of the Department of Homeland Security, during the conference keynote. "It can also create more accountability."
Also speaking was Ari Schwartz, vice president and chief operating officer for the Center for Democracy and Technology, who pointed out the continued importance of the Privacy Act of 1974 to government identity management systems and electronic privacy. The Privacy Act governs federal use of personally identifiable information (PII) maintained by agencies under a code of fair information practices.
Callahan said she's concerned about more than making government identity management systems understandable: she's also focused on the consequences of errors. "What happens if something goes wrong?" she asked. "We all know about data breaches. But that's state law, a compliance element. Privacy as a procedural element is given short shrift."
The need for care with agency data was made clear by a recent Wired story on the potential data breach of more than 70 million veterans' records. That's in addition to the breach that put the PII of 26.5 million veterans at risk in 2006 after the theft of a laptop from the U.S. Department of Veterans Affairs.
"Harm-based analysis is a way privacy professionals talk about redress," Callahan said. "Even without the harm, you should think about redress from a policy perspective. There's obviously reputational harm; there could be financial harm. There's still the additional way you can be exposed because the [identity thieves] have information on you." Callahan said she sees the issue as composed of both "public safety and public interest elements."
Schwartz outlined the importance of the Identity, Credential and Access Management Subcommittee (ICAM) to identity management in government. ICAM is a subcommittee of the Information Security & Identity Management Committee and is co-chaired by the Government Services Agency and Department of Defense. There are six working groups associated with ICAM, including the Federal Public Key Infrastructure Policy Authority.
Principles of privacy, opt-in and choice make sense from an identity management and technical perspective, Callahan said, but they're "really important for the relationship of the individual to government."
"Baking privacy protections into a government identity management system benefits the identity management providers and private-sector providers using that information," said Callahan.
Security professionals are concerned about electronic privacy in this context. "As a CISSP who is concerned about the civil liberties that are being violated in lawful access legislation around the world, all we end up doing by implementing state-run IDM [identity management] infrastructure is providing an easier and unethical mechanism for tracking everyone," said Peter Hillier, an Ottawa-based information security practitioner. "It used to be the case that spying on your own was against the law, and we didn't do it."
Don Schmidt, principal program manager for the federated identity team at Microsoft, posed Schwartz and Callahan a tough question: "We see attributes falling into two buckets: information about a user, and data about access control, used for authentication. As a layman, I think of the term collection as referring to the first function. Does the term apply to the latter?"
Schwartz said attributes presented during authentication are "collected," and thus trigger federal information processing standards. "If it's an attribute authentication, they can toss it," said Schwartz. "If it's Mary Ellen, that's different. If you're not storing it, it's not a collection."
Callahan added, "DHS was created post-9/11. There was an inability to connect the dots. There is now a statutory mandate on the information-sharing environment. Threat-related information must be shared. That said, data minimization must be part of the dialogue." Ensuring data flows in compliance with the Fair Information Practice Principles is "one of the biggest challenges of my job," said Callahan.