Menu Close

Successfully implementing a digital identity framework

By David Mahdi, CSO and CISO Advisor, Sectigo

As an increasing amount of personal and critical business information is available online, stronger provisions are required to ensure the sensitive data is correctly safeguarded. A growing movement among government bodies is the adoption of a digital identity framework that allows users to provide alternative forms of security clearance to access important services, such as banking or medical records.

This involves creating a digital identity process and framework that can be used as a complement and in some cases an alternative to physical documents such as passports or ID cards. This certification process allows enterprises and users to prove themselves within the rules of the trust framework. The benefits of this are notable; it eases the burden on consumers, reduces delays in any conveyancing process, and crucially, helps reduce the risk of both fraud and cybercrime.

The UK government has set out its own research into establishing a digital identity framework, while France is set to release its government-issued digital verification mobile application. To make sure these frameworks are not only operational but also successful, there are a number of considerations.

The fabric of a framework

When it comes to any given trust framework, the fabric can be one of two things. Either it is centralized, like a credit card network with a central operator, or decentralized, such as a high-assurance blockchain-based network. For instance, look to Canada’s digital identity network, verified.me, which citizens can use to access government services. Canada was an early adopter to leverage blockchain technologies to further help drive better privacy as well as data controls for citizens. How this works is, as an example, when someone opens a digital wallet to make a transaction and that person selects bank and various factors of identification, the framework will check if all these factors meet the requirements to access certain accounts or pieces of information. This is all without the user having to get involved, whilst still knowing their data is staying secure throughout the transaction journey.

It is important to examine already established and existing examples of digital identity frameworks to learn best practices. Aside from Canada, there are a number of countries successfully implementing their own frameworks that can act as guiding lights of best practices, but also highlight pitfalls to avoid. The Nordics, for example, have been using BankIDs. This helps facilitate digital businesses in Scandinavian countries.

Although these cases specifically are yet to fully solve the problems that they set out to solve, they are the most mature in this journey. They also help act as evidence for the actual step-by-step process of building out a framework.

The building blocks of the framework

The steps involved in the process of developing a digital identity system or framework are two-fold. The first is the technology and the second are the people that will make up the framework.

From a technology perspective, the full software, the hardware and the connectivity stack will need to be aligned. This requires multiple parties to all be on the same page including the device manufacturers, the operating system providers as well as the identity solutions providers. All with the view of openness and interoperability; that is leveraging open standards that allow for maximum interoperability.

Additionally, and perhaps most critically, there is the non-technical alignment, clarifying who runs the systems and who owns what parts. This is particularly important in cases where there are any logistical issues such as a breach. While the technology has been available for quite some time, more often than not, the non-technical aspects are what have held governments and other parties back from adopting these initiatives. This is because the greater challenge is in ensuring that there is trust in this framework, or no one will use it.

Rooting a framework in trust

When it comes to implementing a digital framework to ensure the securing of identities, the main factor to consider is the trust itself. This means user control is critical when deciding what digital identities they will want to use in any given transactional process. To make sure that users are in control of their data, the first step is establishing this trusted framework that is backed by policies and by government.

Before committing to this framework, users must be assured throughout the process that any institution authorising the transaction (such as banks), does not need to store their data. Instead, they can use a cryptographic checkmark from the network. This gives users trust in the platforms they are using, while simultaneously improving the overall user journey. The goal here is furthered by reducing friction in the process and enabling the continuation of a successful business.

However, while it is important that the framework is trusted, it cannot be treated as a flawless system. We should always try and verify it. When looking at software and hardware, trust can be eroded at any moment and at any layer of the framework. This could be due to a system failure, clerical error, or a cyberattack. Therefore, trust can never be fully assumed.

Furthermore, while these risks are known, the unknown risks pose serious danger. As we continue on into the digital world, it is very likely that new threats will be created that do not exist today. So it is vital when establishing digital trust, that we pre-determine today’s known risks while anticipating potential threats and strategizing the best way to mitigate them with identity-first security principles.

It is very likely that in the next 10 years, our identities will be increasingly more digital. To prepare for that, governments and businesses alike must recognise the need and benefit of creating a digital identity system or framework. Users must have the option of whether or not they want to use the system, particularly those who would rather have non-digital options. Whether centralized or decentralized, to have a successful framework, all must anticipate different levels of reliability and responsibility.

About the author

David Mahdi is CSO and CISO Advisor at certificate/PKI firm Sectigo. A former Gartner research VP, identity, cryptography and cybersecurity visionary, Mr. Mahdi is an industry recognized pioneer.

DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update. Read More

Generated by Feedzy

Disclaimer

Innov8 is owned and operated by Rolling Rock Ventures. The information on this website is for general information purposes only. Any information obtained from this website should be reviewed with appropriate parties if there is any concern about the details reported herein. Innov8 is not responsible for its contents, accuracies, and any inaccuracies. Nothing on this site should be construed as professional advice for any individual or situation. This website includes information and content from external sites that is attributed accordingly and is not the intellectual property of Innov8. All feeds ("RSS Feed") and/or their contents contain material which is derived in whole or in part from material supplied by third parties and is protected by national and international copyright and trademark laws. The Site processes all information automatically using automated software without any human intervention or screening. Therefore, the Site is not responsible for any (part) of this content. The copyright of the feeds', including pictures and graphics, and its content belongs to its author or publisher.  Views and statements expressed in the content do not necessarily reflect those of Innov8 or its staff. Care and due diligence has been taken to maintain the accuracy of the information provided on this website. However, neither Innov8 nor the owners, attorneys, management, editorial team or any writers or employees are responsible for its content, errors or any consequences arising from use of the information provided on this website. The Site may modify, suspend, or discontinue any aspect of the RSS Feed at any time, including, without limitation, the availability of any Site content.  The User agrees that all RSS Feeds and news articles are for personal use only and that the User may not resell, lease, license, assign, redistribute or otherwise transfer any portion of the RSS Feed without attribution to the Site and to its originating author. The Site does not represent or warrant that every action taken with regard to your account and related activities in connection with the RSS Feed, including, without limitation, the Site Content, will be lawful in any particular jurisdiction. It is incumbent upon the user to know the laws that pertain to you in your jurisdiction and act lawfully at all times when using the RSS Feed, including, without limitation, the Site Content.  

Close Bitnami banner
Bitnami