Data and identity security basics

Identity Management (IdM) is a critical part of any information security architecture. It concerns the digital identity assigned to a user in cyberspace and the task of controlling and managing information about that user.

Identity Management encompasses digital identity creation, management and deletion. Issuing ID and password is an obvious function. Less obvious is assignment of permissions, which allow users access to specific information or systems and/or denies them access to other systems.

• Authentication occurs when a user proves his/her identity to a computer system.
• Authorization occurs when a system allows access. The SAFE-BioPharma standard deals almost exclusively with the authentication element of IdM. Authorization is left to individual information owners within the enterprise, giving the application owner control of its systems.

IdM has traditionally been and continues to be primarily enterprise-based. The enterprise knows how to provide ID and passwords for use within the enterprise. However, outside of the enterprise those credentials are generally not useful. To prove identity outside their own enterprise, the user requires a different cyber credential, as do business partners and other non-employees.

The SAFE-BioPharma standard changes this paradigm by providing a set of business rules and technical specifications, which enable a trusted identity infrastructure and allows for use of a single digital credential across many enterprises, indeed, around the globe.

The standard enables trust in identity providers capable of providing high-assurance, trusted digital identity credentials used for authentication and for regulatory compliant digital (electronic) signatures. The standard also describes the rules which any Identity Management Provider must follow in order to be certified as SAFE-BioPharma compliant. These rules cover all aspects of identity management, including identity proofing, the form of the digital identity itself, and management of the digital identity through its end-of-life.

The starting point for all IdM systems is the registration of the user being credentialed and the associated proof that the user is that person. For credentials issued within the enterprise, HR-level identity proofing (e.g. a copy of government-issued photo identification) will suffice. However, establishing a single digital identity which will be trusted globally, across many enterprises, requires following a set of specific rules. SAFE-BioPharma establishes those rules and covers multiple identity proofing methods.

The SAFE-BioPharma standard also provides for two different types of digital credential. One, based on cryptography (Public Key aka “PKI”), may be used for authentication, but is mostly used to enable the user to apply a digital signature to an electronic document. The other, a non-cryptographic credential, is used exclusively for authentication. There are many non-cryptographic kinds of credentials, the increasingly outdated UserID/Password pair among them. Today, the SAFE-BioPharma Mobile Credential is two credentials in one: a non-cryptographic credential used for strong authentication and a PKI credential, which can be used for digital signatures in a fully cloud-based infrastructure.

NIST and EU Levels of Authentication

The need to know that the person on the other side of an online transaction is who he says he is has produced an abundance of private and public sector standards and solutions in the US, the EU and elsewhere. The National Institutes of Standards and Technology (NIST) has developed a four-level model that US government online applications must use to assess how well an online identity credential may be relied upon.

• Level of Assurance (LOA) 1 has no identity proofing* requirements. Identities are self-asserted and therefore offer little or no assurance that the identity credential is actually being used by the person it claims to be.
• LOA 2 satisfies some degree of identity-proofing and credential issuing practices acceptable for access to systems where risk of identity fraud is modest; for example, patient access to online read-only medical records and veteran access to online read-only military medical records.
• LOA 3 satisfies substantial requirements for identity proofing and two-factor credential issuing and management practices. LOA 3 is considered the minimum level of assurance to authenticate most online transactions in regulated industries such as pharmaceuticals, healthcare and financial services.
• LOA 4 requires a higher degree of identity proofing and a more secure manner of two-factor credential issuing and management practices.

The European Union has adopted a similar model for assuring online identity. Known as eIDAS (Electronic identification and trust services), it incorporates more stringent data privacy and protection requirements than the US government. Like the US system, it is based on risk assessment and risk mitigation, but with different standards documents. Credential issuer requirements for the three levels of identity assurance that the EU adopted in 2014 (Low, Substantial and High) generally map to NIST LOA 2, 3 and 4.

The SAFE-BioPharma Trust Framework Provider program serves as a crosswalk between NIST and eIDAS identity assurance frameworks and is used by members wanting to certify their credential issuance practices in both the US and global marketplaces. In addition, online applications managers may use the crosswalk to assess risk mitigation practices of credential issuers when determining whether to accept user credentials issued by external providers.

*Identity Proofing is the process of collecting attributes (e.g. medical license, proof of citizenship, date of birth, address) and establishing ownership of those attributes by way of legally binding methods. Those methods include Knowledge Based Authentication (KBA), the familiar set of computer generated questions based on public databases (e.g. past addresses, mortgage payments, etc.) and face-to-face meeting with a trusted agent (e.g. Notary Public) in person or via video conference.