The identification game – proving who you are

It’s probably the most critical question ever asked from an infosec point of view. Who are you? Proving the identity of people and systems that connect to your network and access your data is a critical element of your security posture.

So, what are the big issues when it comes to identity? We spoke to HID’s Allan Malcolm, the Regional Director in APAC for Government ID Solutions, at the recent Technology in Government conference held at Canberra’s National Convention Centre.

“The two key areas are concerns over who is accessing your data. The second one is the aspect of physical validation of an individual versus their written validation – whether you use biometrics or some other method of physically associating someone with their electronic identity,” he says.

One of the recurring refrains from the conference was a look back at the failed Australia Card initiative. Although that was 30 years ago, there’s still a lingering memory of its failure. And today, the idea of a single identity that potentially links together multiple datasets from many sources is still a concern.

“I think that’s very much a perception issue,” says Malcolm. “One of the key considerations of that is, in this particular case we’re talking about a government, but if we look at some commercial and private organisations – Google being a specific case in point – they probably have far more data and information about people’s behaviour and their movements, likes and dislikes and they store all of that data and they openly admit they keep and retain all of that information. Whereas a government is really just trying to make sure that a citizen is genuinely a citizen and has a right to whatever services and facilities that the government is trying to provide”.

In order for an identity program to be accepted, there needs to be an understanding by citizens that there is a need for some sort of validated identity. Although there is lots of concern about cybercrime and that a government identity could be an avenue to cybercrime, there’s a counterpoint that a “highly-secured validation token” could be a far more secure method of validating a person.

Importantly, having a robust identification system does not abrogate the need to secure data and ensure its integrity. The breach at the Office of Personnel Management in the US highlights this.

Malcolm says the amount of data that would be needed to validate an identity would actually be quite small.

“It’s your date of birth, information about your birthplace and parents – who they are - and where you are and where you live, how old you are and some biometric information that’s used to validate you when you are trying to apply for other services”.

The objective would be simply to answer yes or no when asked if you are who you say you are.

Malcolm reiterated the same message we heard from Rachel Dixon from the Digital Transformation Office – there needs to be a clear benefit for consumers to have a digital identity. He says not needing to physically attend a government office in person or having to wait for various background checks to be done is a clear convenience for citizens.

“In addition, there’s a cost saving from a government perspective which could, in theory, be passed on,” he adds. Alternatively, different cost models could be applied to services depending on how they are accessed.

What does an optimal identity system look like? Malcolm says “You have to be quite stringent about what your rules of acceptance are, what defines a citizen. Once you’ve reached that point, the key is to make sure the system is fit for purpose – make sure you have the information you need to support the services you want to offer”.

Malcolm noted that biometrics can be a critical element of an identity system. He pointed to international passport controls using automated gates where photos and facial recognition are not only faster for travellers but more accurate than customs staff.

But it’s also important to compartmentalise where data is kept. “There’s no need for someone from a national identity department to access your taxation information or your passport,” Malcolm says. “But the authentication system can be the same for all”.
