September 30, 2005 By Shane Peterson
Identity management -- a key ingredient to widespread IT interoperability -- suffers from both of these maladies.
At its root, ID management software is billed as the simplest way for enterprises to control both how users access information in discrete computer systems and how those systems exchange information with one another across agencies or business units.
On the user side, the software is supposed to help enterprises with three key components of personal identity:
Unfortunately, most ID management software isn't interoperable, which creates problems for governments that might want to share information but are using different systems.
Another issue is the transparency of the government's identification process. If one agency doesn't trust another agency's methods of authenticating user identities, it is unlikely to share sensitive data.
As with other security vulnerabilities, an entire industry has sprung up to address identity management challenges.
Connecting IT systems blazes a trail for information sharing, but linking discrete systems into a unified chain puts the entire chain at risk, since the chain is only as strong as the weakest link. Since the Internet is the method for information sharing, the potential for outsiders to exploit weaknesses in security policies becomes very real.
As governments push to integrate information and systems, they up the ante for effective ID management solutions that span organizations, and perhaps jurisdictions.
But few authentication technologies are interoperable, which is a limiting factor facing those who decide to trust each other's authentication processes, said James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies.
"It's not seamless to get a credential from one system and then use it [in] another because you're using different technologies," Lewis said. "As I understand it, GAO [General Accounting Office] had an interoperability lab last year and found out interoperability wasn't as widespread as hoped."
Lewis is also the former chairman of the Electronic Authentication Partnership (EAP), a multi-industry group of approximately 60 members developing interoperability between electronic authentication systems in the private and public sectors.
The EAP's members include representatives from the Pennsylvania and New Jersey state IT offices, and associations representing other public-sector officials, namely the American Association of Motor Vehicle Administrators (AAMVA), and the National Association of State Auditors, Comptrollers and Treasurers.
Lewis said the EAP is educating organizations about the value of transparent ID management policies. If one government agency doesn't know how another agency issued an electronic credential -- or token -- that identifies a person, the agency won't trust or accept it.
"If people don't know the basis for issuance, they limit their trust of the token," Lewis said. "Some of it is the lack of transparency -- you don't know what other people have done."
States' authentication processes may not be so different, but if Illinois goes through a certain process to authenticate a person's identity, California has no way of knowing how close the process is to its own.
"They're probably not that far apart," Lewis said. "But until they're the same, the result you get is, 'I don't know what these people