Successfully implementing a digital identity framework
By David Mahdi, CSO and CISO Advisor, Sectigo
As an increasing amount of personal and critical business information becomes available online, stronger provisions are required to ensure that sensitive data is properly safeguarded. A growing movement among government bodies is the adoption of a digital identity framework that allows users to present alternative forms of security clearance to access important services, such as banking or medical records.
This involves creating a digital identity process and framework that can be used as a complement to, and in some cases an alternative to, physical documents such as passports or ID cards. This certification process allows enterprises and users to prove themselves within the rules of the trust framework. The benefits are notable: it eases the burden on consumers, reduces delays in any conveyancing process and, crucially, helps reduce the risk of both fraud and cybercrime.
The UK government has set out its own research into establishing a digital identity framework, while France is set to release its government-issued digital verification mobile application. To make sure these frameworks are not only operational but also successful, there are a number of considerations.
The fabric of a framework
When it comes to any given trust framework, the fabric can be one of two things. Either it is centralized, like a credit card network with a central operator, or decentralized, such as a high-assurance blockchain-based network. For instance, look to Canada’s digital identity network, verified.me, which citizens can use to access government services. Canada was an early adopter of blockchain technology as a means of improving privacy and data controls for citizens. As an example of how this works: when someone opens a digital wallet to make a transaction and selects their bank and the identification factors they wish to present, the framework checks whether those factors meet the requirements for accessing the requested accounts or pieces of information. This happens without the user having to get involved, while they can still know their data remains secure throughout the transaction journey.
It is important to examine already established examples of digital identity frameworks to learn best practices. Aside from Canada, a number of countries are successfully implementing their own frameworks; these act as guiding lights of best practice, but also highlight pitfalls to avoid. The Nordics, for example, have been using BankIDs, which help facilitate digital business in the Scandinavian countries.
Although these examples have yet to fully solve the problems they set out to solve, they are the most mature on this journey, and they serve as evidence for the actual step-by-step process of building out a framework.
The building blocks of the framework
The steps involved in developing a digital identity system or framework are two-fold. The first is the technology; the second is the people that will make up the framework.
From a technology perspective, the full software, hardware and connectivity stack will need to be aligned. This requires multiple parties to all be on the same page, including the device manufacturers, the operating system providers and the identity solution providers, all with a view to openness and interoperability: that is, leveraging open standards that allow for maximum interoperability.
Additionally, and perhaps most critically, there is the non-technical alignment: clarifying who runs the systems and who owns which parts. This is particularly important in cases where there are logistical issues such as a breach. While the technology has been available for quite some time, more often than not it is the non-technical aspects that have held governments and other parties back from adopting these initiatives. The greater challenge is ensuring that there is trust in the framework, because without it no one will use it.
Rooting a framework in trust
When it comes to implementing a digital framework to secure identities, the main factor to consider is trust itself. This means user control is critical: users must decide which digital identities they want to use in any given transactional process. To make sure that users are in control of their data, the first step is establishing a trusted framework that is backed by policies and by government.
Before committing to this framework, users must be assured throughout the process that any institution authorising the transaction (such as a bank) does not need to store their data. Instead, the institution can rely on a cryptographic checkmark from the network. This gives users trust in the platforms they are using, while simultaneously improving the overall user journey. Reducing friction in the process furthers this goal and supports the continuation of a successful business.
However, while it is important that the framework is trusted, it cannot be treated as a flawless system. We should always try to verify it. When looking at software and hardware, trust can be eroded at any moment and at any layer of the framework, whether through a system failure, a clerical error or a cyberattack. Therefore, trust can never be fully assumed.
Furthermore, while these risks are known, the unknown risks pose serious danger. As we continue into the digital world, it is very likely that new threats will emerge that do not exist today. So it is vital, when establishing digital trust, that we identify today's known risks while anticipating potential threats and strategizing the best way to mitigate them with identity-first security principles.
It is very likely that in the next 10 years our identities will be increasingly digital. To prepare for that, governments and businesses alike must recognise the need for, and benefit of, creating a digital identity system or framework. Users must have the option of whether or not they want to use the system, particularly those who would rather have non-digital options. Whether centralized or decentralized, for a framework to be successful all parties must anticipate different levels of reliability and responsibility.
About the author
David Mahdi is CSO and CISO Advisor at certificate/PKI firm Sectigo. A former Gartner research VP and a visionary in identity, cryptography and cybersecurity, Mr. Mahdi is an industry-recognized pioneer.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.