Measuring ID Assurance Through Complex Supply Chains – “The Weakest Link Breaks the Chain” Is There a Market for Assurance?

Submitted by: RL 'Bob' Morgan, University of Washington / InCommon Federation

This session was kicked off by some use cases related to the market value of identity assurance.

RL 'Bob' Morgan of the InCommon Federation observed that InCommon participant IdPs (mostly US universities) have been strongly encouraged by US government federation partners to meet ICAM Level 2 assurance requirements. This is a non-trivial cost (perhaps an average of $50k per compliance project), multiplied across the 200 or so existing IdP sites (plus hundreds more to come). Site CIOs generally appreciate that assurance is important but need more motivation to invest. In this scenario the SPs (e.g. US government agencies) are gaining the benefits of reduced IdM risk and cost, so economics would suggest that the SPs bear some of the cost, but there is no existing business model for this.

Mark Coderre of Aetna described the Aetna federation situation. Aetna works with many federation partners both as SP and IdP. Many partners connect via other federations or identity hubs, forming complex chains of authentication that mirror business supply chains. All this connectivity is very functional but raises serious questions about assurance that are very important in an industry dealing with finances and health information. The issue is how to get assurance considerations inserted into the business relationships that form these chains.

Joni Brennan of Kantara observed that Kantara's Identity Assurance program is creating a market for certified assurance that is intended to support assessors charging for assessments and justifying their costs of participation in the program. The success of this market depends on IdPs and RPs understanding the value of certified assurance and working it into their business practices.

Discussion:

Someone involved with the NASPO National Identity Proofing and Verification Standard project described the work going on there, noting that it should be useful in convincing businesses that certified assurance is stable and useful. This would depend on the NASPO/ANSI output being integrated into assurance programs such as Kantara's.

A Canadian government person said that there has been an effort to include Kantara-certified assurance in government procurement procedures but it hasn't yet concluded.

There was agreement that getting assurance requirements into standard corporate RFP processes is essential. Another approach is to get assurance included in "Unified Compliance" procedures which cover things like Sarbanes-Oxley and HIPAA.

Another key development is to accurately reflect the costs and risks of the current way of doing business, both in non-federated scenarios and in federation without specified assurance. In particular, the risks of chained authentication scenarios need to be understood and assessed.