Identity Management Best Practices

Discussion in 'Computer Security' started by a_monk, Jul 14, 2006.

  1. a_monk

    a_monk Guest

    Good day, fellow members;

    I am looking for a set of best practices for Identity Management (IdM)
    and had googled and wiki, but to no avail.

    Any ideas / help are appreciated.

    Thanks and have a nice weekend.

    A Monk
    a_monk, Jul 14, 2006
    #1

  2. Jim

    Jim Guest

    I have a paper on that, part of which is posted on my web side
    www.JimGGeorge.com under the Ideas tab:

    Identity Issues - 6 R's and what a bank can learn from a casino

    When a "whale" (a.k.a. Private Banking customer) walks into a
    casino they are recognized, greeted at the door, and shown to their
    free suite and their favorite VIP gaming tables. When a "shark" (cheat,
    fraudster) shows his face he too is greeted, but with an entirely
    different response.

    Can your bank do this?

    Probably not. But banks have several reasons to be looking to advanced
    technologies to address identity issues and the casinos are where such
    technology has been pioneered. Those reasons include:

    Know your customer regulations - There is a difference between
    knowing a customer and knowing an account holder. A customer may have
    multiple accounts and their pattern of activity overall may be deemed
    suspicious even if no individual account looks suspicious on its own.

    Fraud reduction potential - No one is committing fraud today using
    their own name, address, and Social Security Number. Frauds involve
    creating or stealing identities, taking over real customers' accounts,
    and using real customers' identity tokens (codes, checks, cards,
    passwords, personal data) to steal from the customers' accounts.

    Customer management - It is just good business to know who your
    customers are, who they are related to, what their total product mix
    is, and then use that information for marketing and in the daily
    decision-making processes of the bank. Do you really want to cancel the
    credit card of the daughter of the CEO of your largest Corporate Trust
    customer?

    Recognition capabilities - the 6 Rs

    Knowing who is who actually requires several distinct capabilities to
    be effective:

    Resolve - Is Jane Smith also Jane Brown and/or Jane Brown-Smythe?
    Banks have long talked about "scrubbing the CIF," trying to create a
    customer information file that accurately relates account holders
    across their entire enterprise.

    Research - What is known about her? Is she a known criminal?

    Relate - Who is she related to and how? (Is she Gotti's limo driver
    or the wife of a CEO?)

    Recognize - In the branch, on the phone, on the Internet site, at an
    ATM, by mail...

    Respond - All the above is wasted without the capability to
    differentiate the bank's response

    Recover - If all else fails, do we have all of the information to
    make a recovery or support an arrest?

    Banks need to consider the need for each of these capabilities. Many
    "Identity solutions" address one or more of these needs but none
    fully addresses all of them. It takes more than simply buying and
    installing a "solution" to develop and implement full identity
    recognition capabilities.

    Jim G. George


    a_monk wrote:
    > Good day, fellow members;
    >
    > I am looking for a set of best practices for Identity Management (IdM)
    > and had googled and wiki, but to no avail.
    >
    > Any ideas / help are appreciated.
    >
    > Thanks and have a nice weekend.
    >
    > A Monk
    Jim, Jul 19, 2006
    #2
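The "Resolve" step and the know-your-customer point above (activity that looks fine account by account but not once the accounts are tied to one customer) are easier to see in code. The following is an added example, not code from Jim's post or from any bank's CIF system: the account records, the deposits, the matching rule (shared SSN, or shared date of birth plus normalized address) and the 10,000 aggregate limit are all constructed for illustration.

```python
"""Resolve account holders to one customer, then judge activity per customer."""
from collections import defaultdict
from datetime import date
import re

# Constructed sample (not from the post): one person behind three accounts
# opened under different names, plus an unrelated holder sharing a surname.
ACCOUNTS = [
    {"acct": "A1", "name": "Jane Smith",      "ssn": "123-45-6789", "dob": "1970-03-02", "addr": "12 Elm St, Apt 4"},
    {"acct": "A2", "name": "Jane Brown",      "ssn": "123456789",   "dob": "1970-03-02", "addr": "12 Elm Street #4"},
    {"acct": "A3", "name": "J. Brown-Smythe", "ssn": "",            "dob": "1970-03-02", "addr": "12 ELM ST APT 4"},
    {"acct": "A4", "name": "Robert Smith",    "ssn": "987-65-4321", "dob": "1965-11-20", "addr": "9 Oak Ave"},
]
# Constructed cash deposits: every account stays below the limit on its own.
DEPOSITS = [("A1", date(2006, 7, 10), 4000), ("A2", date(2006, 7, 10), 3500),
            ("A3", date(2006, 7, 11), 4500), ("A4", date(2006, 7, 10), 2000)]
THRESHOLD = 10_000                                  # assumed aggregate limit
WINDOW = (date(2006, 7, 10), date(2006, 7, 11))     # assumed review window

def norm_ssn(s):
    return re.sub(r"\D", "", s)

def norm_addr(a):
    """Lower-case, drop punctuation and unit markers, shorten common street words."""
    toks = re.sub(r"[^a-z0-9 ]", " ", a.lower()).split()
    repl = {"street": "st", "avenue": "ave", "road": "rd"}
    return " ".join(repl.get(t, t) for t in toks if t not in {"apt", "unit"})

def resolve_customers(accounts):
    """Union-find over accounts: link two accounts that share an SSN, or that
    share a date of birth and a normalized address. Returns the account groups."""
    parent = {a["acct"]: a["acct"] for a in accounts}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for i, a in enumerate(accounts):
        for b in accounts[i + 1:]:
            ssn_a, ssn_b = norm_ssn(a["ssn"]), norm_ssn(b["ssn"])
            same_ssn = bool(ssn_a) and ssn_a == ssn_b
            same_dob_addr = a["dob"] == b["dob"] and norm_addr(a["addr"]) == norm_addr(b["addr"])
            if same_ssn or same_dob_addr:
                parent[find(a["acct"])] = find(b["acct"])
    groups = defaultdict(set)
    for acct in parent:
        groups[find(acct)].add(acct)
    return [frozenset(g) for g in groups.values()]

def totals_by(owner, deposits, window=WINDOW):
    """Sum deposits inside the window, keyed by owner[acct]."""
    totals = defaultdict(int)
    for acct, day, amount in deposits:
        if window[0] <= day <= window[1]:
            totals[owner[acct]] += amount
    return dict(totals)

def flagged_accounts(deposits, threshold=THRESHOLD, window=WINDOW):
    """Account-by-account check: what a per-account rule would catch."""
    owner = {acct: acct for acct, _, _ in deposits}
    return {a for a, t in totals_by(owner, deposits, window).items() if t > threshold}

def flagged_customers(accounts, deposits, threshold=THRESHOLD, window=WINDOW):
    """Same rule applied to the resolved customer rather than to each account."""
    owner = {acct: g for g in resolve_customers(accounts) for acct in g}
    return {g for g, t in totals_by(owner, deposits, window).items() if t > threshold}

if __name__ == "__main__":
    print("per account :", flagged_accounts(DEPOSITS))              # set()
    print("per customer:", flagged_customers(ACCOUNTS, DEPOSITS))   # {frozenset({'A1','A2','A3'})}
```

Run stand-alone, the per-account rule flags nothing (4,000, 3,500 and 4,500 are each under the limit) while the per-customer rule flags the resolved group A1/A2/A3 at 12,000. The matching rule is deliberately simple; a production CIF scrub would score many more attributes and review borderline links by hand rather than merging on a single shared field.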

  3. "Jim" <> writes:
    > Know your customer regulations - There is a difference between
    > knowing a customer and knowing an account holder. A customer may have
    > multiple accounts and their pattern of activity overall may be deemed
    > suspicious even if no individual account looks suspicious on its own.
    >
    > Fraud reduction potential - No one is committing fraud today using
    > their own name, address, and Social Security Number. Frauds involve
    > creating or stealing identities, taking over real customers' accounts,
    > and using real customers' identity tokens (codes, checks, cards,
    > passwords, personal data) to steal from the customers' accounts.


    this is something of a difference between strong identification and
    strong authentication. at places like point-of-sale ... it is
    desirable to have strong authentication (is the entity authorized to
    use the account) as opposed to strong identification (is the entity
    john doe) because of privacy issues.

    current infrastructure has included identification somewhat because
    of poor authentication technology; your name is on the payment card at
    point-of-sale ... allowing the clerk to ask for gov. photo-id and
    cross-check the name on the payment card with the name on the
    gov. photo-id ... as an authentication mechanism ... but relying on
    identification to achieve authentication ... and as a result creating
    privacy problems.

    at various points the EU has passed directives that payment cards were
    no longer to carry people names ... reducing level of privacy
    invasiveness (and hoping to promote strong authentication technology
    differentiated from identification technology); aka retail payments
    should be about as privacy invasive as cash.

    there have even been some US banks issuing payment cards w/o names on
    the cards ... i.e. while financial institutions have "know your
    customer" regulations ... that doesn't mean that your name needs to be
    publicly, boldly displayed on every retail transaction.

    the x9a10 financial standards working group had been given the
    requirement to preserve the integrity of the financial infrastructure
    for all retail payments (internet, point-of-sale, debit, credit,
    stored-value, aka "ALL"). the result was x9.59 financial standard.
    i've periodically claimed it to be privacy "agnostic" ... it uses
    strong authentication for transaction integrity w/o requiring names to
    be plastered all over every transaction.
    http://www.garlic.com/~lynn/x959.html#x959
    http://www.garlic.com/~lynn/subpubkey.html#x959

    whether a financial institution keeps a mapping between the account
    holder to a name ... is outside the x9.59 protocol.

    as to identity theft ... FTC and other institutions have made some
    attempts to differentiate between using personal information to
    establish new accounts (i.e. identity fraud) and account fraud
    .... where criminals use compromised information to perform fraudulent
    transactions against existing accounts. strong authentication in x9.59
    retail transactions is targeted at account fraud compromises.

    there has been some observations that just strengthening
    countermeasures to identity fraud won't actually reduce overall fraud
    as long as it is so easy to perform account fraud (differentiating
    between identification and authentication).
    Anne & Lynn Wheeler, Jul 19, 2006
    #3
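The distinction the Wheelers draw, authenticating that the entity is authorized to use the account without identifying who the entity is, can be shown with a small transaction flow. This is an added example and not code from the post, and it is not the X9.59 message format: an HMAC over the transaction with a per-account key provisioned into the card stands in for the digital signature a real scheme would use, and the account number, merchant id and amounts are constructed. The bank keeps its know-your-customer name mapping on its own side; nothing in the transaction names the holder, and the merchant learns only approve or decline.

```python
"""Authentication without identification at the point of sale (illustration)."""
import hashlib
import hmac
import json
import secrets
import time


class IssuingBank:
    """Holds the per-account card key and, separately, the KYC name."""

    def __init__(self):
        self._keys = {}    # account -> card key (shared only with the card)
        self._names = {}   # account -> holder name; never put in a transaction
        self._seen = set()  # (account, nonce) already accepted, for replay detection

    def open_account(self, account, kyc_name):
        key = secrets.token_bytes(32)
        self._keys[account] = key
        self._names[account] = kyc_name
        return key  # provisioned into the card/token

    def authorize(self, txn):
        """Answer the only question the merchant needs: may this account be charged?"""
        key = self._keys.get(txn["account"])
        if key is None:
            return "declined", "unknown account"
        if not hmac.compare_digest(mac_for(key, txn), txn["mac"]):
            return "declined", "bad authentication"
        if (txn["account"], txn["nonce"]) in self._seen:
            return "declined", "replay"
        self._seen.add((txn["account"], txn["nonce"]))
        return "approved", ""


def canonical(txn):
    """Fixed field set, sorted keys, no whitespace: what the MAC covers."""
    fields = {k: txn[k] for k in ("account", "amount", "merchant", "ts", "nonce")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def mac_for(key, txn):
    return hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()


def card_sign(key, account, amount, merchant, ts=None):
    """What the card emits: account, amount, merchant, time, nonce, MAC. No name."""
    txn = {"account": account, "amount": amount, "merchant": merchant,
           "ts": ts if ts is not None else int(time.time()),
           "nonce": secrets.token_hex(8)}
    txn["mac"] = mac_for(key, txn)
    return txn


def run_demo():
    """Constructed walk-through: a good charge, a tampered one, and a replay."""
    bank = IssuingBank()
    account = "4111-0000-0000-0002"                      # constructed
    key = bank.open_account(account, "Jane Smith")       # name stays at the bank
    good = card_sign(key, account, 4999, "merchant-17")  # amount in cents
    results = {"good": bank.authorize(good)[0]}
    tampered = dict(good, amount=499900)                 # merchant alters the amount
    results["tampered"] = bank.authorize(tampered)[0]
    results["replay"] = bank.authorize(dict(good))[0]    # same nonce resubmitted
    results["name_in_txn"] = "name" in good
    return results


if __name__ == "__main__":
    print(run_demo())  # {'good': 'approved', 'tampered': 'declined', 'replay': 'declined', 'name_in_txn': False}
```

Whether the bank keeps the account-to-name mapping at all is, as the post says, outside the transaction protocol; here it sits in a dictionary the authorization path never reads. A symmetric MAC means the issuer could forge a card's transactions, which is why the standard work used public-key signatures; the separation of "authorized to use the account" from "who is this" is the same either way.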
