A Question of Identity

Like many telcos, Telstra was hugely busy during the dotcom bubble, releasing products and services onto the market. The company's exertions doubtless appeased Telstra customers clamouring for everything new and sexy under the sun, but they have produced some nasty headaches for Telstra further down the track.

The trouble is that since each of those products and services was developed in isolation, customers across all segments - consumer, SME and corporate - quickly ended up having to maintain numbers of different credentials to verify their identity. So while Telstra has built some excellent functionality that is now being developed internationally, it is paying well over the odds in support costs.

"From an industry perspective, we want to make sure that we embrace whatever standards that our customers demand of us, and it makes it very hard when you have a point solution,"says general manager technology in broadband and online services Mick Noonan. "Our customers have many complex interactions with us right across the business, and what they expect when they deal with Telstra is that we recognise them as the one customer, regardless of whether they've rung up our front of house to enquire about their bill, or if they've connected online to make some other query,"Noonan says. Identity management is thus critical in determining the Telstra customer experience.

To address the problem, Telstra over the past couple of years has been intensely focused on establishing a common customer access and identity infrastructure to allow it to manage customer access consistently. It's a long, hard haul - much harder than the team ever imagined it would be at the start - but Noonan has no doubt it is a path that Telstra must take. He says larger companies in particular must take a corporate view, and look at strongly encouraging the use of common identity infrastructure across the whole company. "It's very easy for different parts of the company to tend to go their own way, but I think for most companies, a key asset is understanding their customer and all of their interactions with their company. If that information is fragmented it's hard to accomplish that."

Identity management is becoming a major issue for leading organisations. A host of vendors are out there offering - mostly incompatible - solutions designed to ensure systems can be made more secure through the introduction of much more rigorous controls. But that in itself is not going to make life any easier for CIOs forced to wade through the morass of competing claims and counter-claims about the benefits of each in search of the optimum solution. And the complications go beyond trying to weigh the benefits of biometric solutions against digital solutions at a time when many of those biometric solutions seem vulnerable to hacking. Since anything can have an identity and be forced to authenticate at different levels, such that even a piece of code can be made to require an extra password before it executes, it is clear there is nothing simple about managing identity.

The need to get it right is critical. Research firm Gartner lists identity management/provisioning as one of the top three issues security groups should address quickly, not to mention the area with the best ROI potential. The problems arise because traditional IT infrastructures are not based around users but upon hardware or applications. As a result, many organisations are in the Telstra boat of having to give each employee or customer separate access to each application or database appropriate to their needs - each of which comes with its security system, its own set of information about authorised users and its own management interface.

Organisations see identity management solutions that place the user at the centre of the enterprise infrastructure as the answer. That way new employees or customers just need to be added to a single system to gain dynamic access to every application they need, according to identity. The fastest steps forward are coming from those technologies enabling that centralised management - the directory vendors.

As Bloor Research notes: "What they are selling is the peace of mind that comes from knowing that all of the access controls are managed within a single place and that, as long as the directory is not breached, the IT infrastructure should be secure. The security of that central directory is easier to manage - because there is only one - and it will also deliver all those nice user features that we want: single sign-on, desktop lockdown, automated software distribution and so on."

Manning the Gates

As well as developing their own internal solutions, organisations wanting to interact with others may end up following the lead of the federal government, which has directed that where government agencies transmit personal information via the Internet, they must use technologies accredited under its Gatekeeper policy. (To date, public key infrastructure or PKI is the only Gatekeeper-accredited Internet security technology.)To this end, the government has developed a standard for digital certificates called Australian Business Number Digital Signature Certificate (ABN-DSC) which is linked to an entity's Australian Business Number. The four major Australian banks - Australia and New Zealand Banking Group Limited, Commonwealth Bank of Australia, National Australia Bank Limited and Westpac Banking Corporation - are all either planning to or already issuing Gatekeeper-approved digital certificates to business customers.

The National Office for the Information Economy (NOIE) has also accredited the Australian Taxation Office, Baltimore Certificates, eSign, Telstra, Health eSignature Authority, KeyPost and PricewaterhouseCoopers to provide digital certificate services under the Gatekeeper strategy. Recently NOIE released a discussion paper on the potential for a National Authentication Technology Framework, looking at the trends in relation to authentication technologies (PINs, passwords, PKI, SSL, biometrics), and considering the possible future of the Gatekeeper accreditation framework, available at www.noie.gov.au/Projects/Authentication_Policy/index.htm.

The Tax Office is issuing digital certificates for online GST returns, with its certification authority delivering certificates on smart cards and providing users with a separate PIN mailer, a card reader and a CD-ROM. The Health Insurance Commission (HIC) is issuing them to doctor's surgeries. Customs is to use them for dealing with customs brokers, and Web site operators everywhere use them to create SSL links between client browser and Web server.

But the level of uptake belies the enormous amount of work that must go into assuring such solutions. For instance Telstra trust services manager, Policy Management Authority, John Gardiner says that while Telstra is very satisfied with where it has got to by working with NOIE, the degree of effort required was much greater than expected. Reducing complexity for end users remains an issue. Telstra also found getting the business model right - how you apply for a certificate, how you identify yourself to get one, how it is delivered in such a way that it meets all requirements - time consuming and complicated, Gardiner says.

And since customers can also find identity management time consuming and complicated, Telstra's own customers continue to have the right to choose the level of identity management they require.

"We have got to deal with the high-end corporates who absolutely love digital certificates because it's safe, and we're also dealing with consumer customers: the mums and dads who really just want username/password,"says Thai Bui, group manager customer access and identity, Retail and Technology Services Telstra. "Security for us is really the flexibility to allow our customers to choose. The infrastructure will be the same. We'll support the highest level of security, but if our customer opts to use username/password because it is more convenient for them to do so, we must meet the challenge of making the infrastructure adaptable to different types of credentials."

No Disputes

When it comes to e-business, one of the bigger challenges of identity management is non-repudiation: ensuring senders cannot, at a later date, dispute that they created and sent a message or order. With the issue so critical to the business offerings of the HIC, its identity choices were relatively easy.

CIO Dr Brian Richards says when the HIC opted for Rainbow eSecurity's iKey 2032 authentication token for a panel contract for a PKI-based Internet security deployment to facilitate the introduction of HIC PKI-secured services across the nation's healthcare sector, it had repudiation on its mind.

"The non-repudiation is very important to our business - we manage $14 billion worth of taxpayers' funds every year,"he says. "Non-repudiation means that once having been authenticated and been through that process, if [customers] undertake a transaction with us, they cannot at a later stage claim that it wasn't actually them who did it. That is a really important part of the PKI infrastructure that's not really provided by a number of the other technical alternatives."

To cover all the bases, the HIC has inserted contractual conditions that ensure that if users give someone else access to their PIN, then: a) it is a breach of contract, and b) they retain all liability. The PKI infrastructure also ensures confidentiality, allowing health professionals to use HIC's infrastructure to securely send patient information over the Internet. Another issue is the need to prevent access by unauthorised persons should the authorised user leave their desk while the session is open. To this end the HIC designed sessions to time out after a short period of idleness.

The HIC experience highlights a further issue surrounding identity management - if digital certificates are adopted as the standard, who pays? Richards says the HIC used its own resources for early rollout, with the underlying assumption the cost would eventually be borne by the person with the certificate - often a GP or district nurse. Then there was an about face, with this year's federal budget allocating $24 million over the next four years to continue to fund the cost of certificates to health sector users, a recognition that the efficiency benefits accrue within a number of places in that sector.

Richards can definitely confirm Telstra's experiences about the difficulties of implementation of identity management solutions, particularly since the HIC was well out at the leading edge. "When HIC decided to embark on an e-business route and PKI was the only Gatekeeper-accredited technology for this purpose, just setting up the certificate and getting Gatekeeper accreditation was a very arduous and complex process,"he says.

Determined not to lock itself into a proprietary solution, the HIC is now looking at integration issues relating to acceptance of other Gatekeeper-accredited certificates as they reach the market.

Meanwhile the Department of Employment and Workplace Relations (DEWR) also has opted for digital certificates, having decided that username/password protection is insufficient to protect Job Network members under its contracted service provider model. It is trialling the issue of the ABN-DSC on a smart card to provide an extra level of security, examining how well the certificates fit with the platforms and systems in use in its market.

If there is a snag, according to project manager, Business Authentication Framework, Mike Sibley, it is that mandating digital certificates involves demanding a certain level of IT sophistication from Job Network members. And there are many compatibility issues to be resolved as well.

"When people start looking at things like remote access there's some difficulties with ABN-DSCs and we're overcoming those problems,"Sibley says. "It has raised a whole lot of operability issues, because at the end of the day, you've got the person's system, you've got a smart card, you've got a smart card reader - and trying to get all of those things to talk to each other isn't as simple as it sounds. I think it will be, but it's fairly new stuff, so that the standards aren't quite there; I think there are some competing standards."

Sibley agrees the legal and policy arrangements are as difficult as the technical issues. He also says businesses should never underestimate how much time it takes to get those things right. "I guess the issue is: never underestimate what's required. Make sure that there's actually a business case for it. We're certainly not PKI zealots. We think there's definitely a need for it in our particular project, and so we're pushing forward, but we're certainly not suggesting it's the way of the world. Username/password and other forms of authentication are perfectly fine if the application only requires those sorts of things."

Getting the Balance Right

According to Stewart Carter, publisher and editor of the eCommerce Report, digital certificates have not proven to be suitable for all purposes and some experts have made telling criticisms of digital certificates in terms of their ability to authenticate people as opposed to their ability to authenticate machines.

Experts say most identity management products are very successful in reducing costs and in making systems more accessible, but for maximum security, any identity management products must be carefully selected only for their security aspects, not their ease of use. However, the usability issues explain why organisations like the National Australia Bank and Telstra are now giving customers a choice as to whether to use a certificate or stick with username/password.

In that sense identity can be a double-edged sword, says Norman Benstead, head of global emerging payment products, National Australia Bank. It not only has to protect the organisation from unauthorised access, but also it has to simplify access. If you do not do that, he says, your competitors will.

Benstead is responsible for the bank's identity management program, which considers identity issues for all the systems the bank wants to make available to customers and staff online. He says for Internet banking capability, the NAB partnered with a supplier who had built a system based on PKI and so had digital certificates in the hands of customers very early on. However, he says the system was restrained by other technologies.

"It was like technology was in a bottle - you could not branch from that to other capabilities. If we wanted to link our online trading system or whatever into that Internet banking platform, we had some difficulties," says Benstead. Not only did it prove too costly and too difficult to amend the whole Internet banking platform to accommodate that sort of customer flexibility, certain customers were unhappy about the need to carry the certificate with them, and worried about loading that certificate on machines other than their own.

And with the NAB's focus on speed to market, feedback from customers was that the old Java-based Internet banking platform demanded the full set of Java modules be loaded each time, causing frustration for users. Now some customers opt to use just username/password. To help manage security issues, NAB imposes restrictions on how much money customers can transfer over the Internet banking site using just an ID and password.

The bank has recognised that in order to provide all services online they must fully architect all of their systems first, particularly in the interest of preserving the many legacy systems it has maintained for many years and which continue to serve its purposes perfectly. "The real issue for us is going from those legacy systems which might have had a physical security layer around them into an environment where the customers are actually seeking straight-through processing, in the jargon. And in order to put that in place you need to put in a virtual security environment, and identity is part of that," Benstead says. Key to that has been defining standards for directories to provide a common identity layer across all the systems.

And guess what? The NAB also says it had underestimated the enormity of the task of putting an identity framework into the organisation. "It touches everything,"Benstead says.

Over at Telstra, Noonan would know just what Benstead means. Never underestimate the magnitude of the task, he says. And the other advice he can offer to others is: never try to build your own.

"It's taken us probably about 12 months to get all the functionality that we require, because you don't really understand what are the finer intricacies of a process from day one, and all the security pitfalls of getting your firewalls matched up to your identity management software," he says.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Sue Bushell

Latest Videos

More videos

Blog Posts