printer friendly version

Introducing identity control

Ideco’s Marius Coetzee talks about how identity management is changing.

In an interview with Hi-Tech Security Solutions, Marius Coetzee, CEO of Ideco, outlines the principles of identity control.

As the disciplines of access control and identity management draw closer together, there is an opportunity to combine technologies and expertise from both disciplines in order to create business processes that are faster and more secure. Currently, there is little convergence between major players in the two fields – companies like Novell are not specialists in user-authentication and biometric companies like Morpho are not specialists in identity management.

Coetzee recognises that there is a clear and pressing need to encourage thinking around a new discipline – identity control. As he explains, “At Ideco, we want to encourage interactions that will provide a stronger link between two functions that are often quite separate – how we identify people and how that identity is managed.”

Linking recognition and response

For many years there has been a clear division between these two functions. Coetzee suggests that this division has been reinforced because authentication technologies are completely different to those employed within traditional identity management. And so are the companies that develop and deploy the technologies.

“We are talking about the difference between recognition and response”, says Coetzee. He draws an analogy with the differences between our senses and our thinking.

“We recognise elements around us through our senses. We see them, hear them, touch them and smell them. And we respond accordingly. Of course, the two are deeply interrelated but, as functions, they are utterly different. Our response is a function of our level of competency or the ability to influence or direct behaviour or the course of an event – this is the definition of control.”

In identity-based systems, the link between recognition and response is fundamental. For example, a physical access control system relies on its ability to recognise and respond appropriately, to either grant or deny entry.

Response can also be reactive or proactive. A proactive response will anticipate many other criteria such as potential risks and compliancy criteria before access is granted.

Coetzee says, “The accuracy of the response depends entirely on the accuracy of the recognition. Poor recognition means poor response.”

To illustrate this point, he uses the example of a card-based access system. “A modern card system is 100% effective at recognising cards. Consequently, it will react with 100% accuracy. That is the great strength of such systems. It is also their greatest weakness, they can only recognise cards. The person using the card is irrelevant to these systems. I can use your card and you can use mine. Card recognition is what it is, card recognition.

“The same weakness applies to systems that work with PINs and passwords. They are designed to recognise codes and lack any ability to recognise the person using the code. And yet we still persist in using them as the foundation for most identity management (IdM) solutions out there.”

Bridging the identity gap

Coetzee refers to this disconnect between recognition and response as the identity gap. He points out that many systems are able to manage and track a multitude of activities based on the authorisations that are allocated to system users. “We see high levels of competency in this regard within modern workforce management solutions that not only handle access and time worked, but also govern requirements relating to occupational health and safety.

“In terms of response, modern IdM solutions within IT also deliver high levels of functionality concerning access and activity.”

In any of these systems, it is obviously problematic if user-recognition relies on cards, PINs or passwords. It comes back to the fact that poor recognition leads to poor response. The wider the identity gap becomes, the more control organisations lose. If you cannot recognise users, if you cannot identify people, then you cannot hope to control what they can do.

Obviously, the purpose of an identity-based solution is not to control and manage cards or pins and passwords. Its objective is to manage people such as employees, partners, suppliers, contractors and customers within a set of rules that govern their access and activity.

Coetzee sees fingerprint biometrics as an obvious way to reduce the identity gap because they are so much more effective at recognising people: “The technology allows us to move much closer to achieving the twin goals of identity control: accurate recognition and accurate response.”

“It is this ability that has prompted thousands of SA organisations to replace cards and PINs with fingerprint recognition in order to reinforce the integrity of processes that control access and activity.”

The power of recognition

The benefits of narrowing the identity gap extend far beyond physical access control; the following areas are heavily reliant on recognition:

* Financial transactions: EFTs, payment cards and billing management systems.

* IT systems: managing and monitoring who does what, where and when.

* Licensing systems: motor vehicles and firearms.

* Civil identity solutions: passports, border control and ID documents.

In each of these areas, the process of confirming identity has become increasingly automated and is frequently performed remotely. A consequence of this automation is that the ability to recognise people has been diluted.

“Personal interactions have been replaced by interactions between people and systems. For example, we routinely conduct our financial transactions without dealing with somebody who actually knows and recognises us. Instead we use PINs and passwords and consequently are exposed to the widely-publicised risks of identity fraud.”

Coetzee suggests that competent identity control systems should be able to:

* Accurately recognise the identity.

* Proactively ensure compliance.

* Reliably direct the appropriate response.

* Diligently build audit chains that link identity with activities.

Creating audit chains

A key outcome of recording recognition and response within an identity control system is the ability to produce audit chains that link people with their activities. Coetzee says that the significance of such audit chains is entirely reliant on accurate recognition. He explains, “If we build definitive links between people and their actions, we can simultaneously prevent and deter unauthorised activity within the system.

“Firstly, we can prevent such activity by accurately controlling who can do what. Secondly, a potent deterrent to unauthorised activity is created by recording what they have done. However, if recognition is poor, if the identity gap is wide because the system relies on cards or PINs, then there is a proportionately weak link in the audit chain and we cannot positively connect identities and activities.”

Share this article:

Further reading: