25 October 2014

58914

Bishwajit Choudhary - Nets

3 | posts 9,245 | views 4 | comments

Business Knowledge for IT

This community aims to provide links, resources, book suggestions, tips and insights to facilitate learning and development of IT professionals in financial services, and to develop a forum for IT professionals to exchange views on various related items.

I trust your passport, BUT ...

10 May 2012  |  2556 views  |  0

I recall a passionate debate in 2011 with some colleagues on if internationally trusted national passports (sometime in future) will be ever trusted by businesses to allow people access to their premises? Is such a scenario ever possible (as we move to digital passports and additional information on the chip)? More fundamentally, what does this internationally trusted passport lack that even a small office would rather issue a visitor or employee ID card for access to their premises, even as they trust your passport as first level of identity check.

Note that here I consider national-IDs and national-ID cards in same “league” as passports for simplicity.

Trust in digital identities is a complex issue and much more than identity-alone issue. Of far greater value than an individual’s identity is “information around identity” for example individual’s rights, roles, attributes, context information for e.g., where the ID was issued, by whom, validity period, certified living references etc. So if we issued an identity credential with all key additional information, would that become trustworthy or will the businesses still find new valid grounds to not allow such “extended passports or IDs” as replacement for employee ID cards?

The answer seems to be a straight – NO. Businesses will still not allow you to get through their premises, even with "extended" IDs/ passports with additional information.

WHY?

That brings us to the other part of trusted credentials – “control”. When it comes to security of an organization (=security of critical information assets), most CISOs do not hesitate long to say how much emphasis they put on “control” (some call it more softly as “flexibility”). This is because each major business is unique in its definition of “security thresholds and practices” and implementation processes that follow. Risk management and tolerance differ greatly across many organizations and as a consequence organizations end up working at rather different trust levels. Internal business environment where employees work “is a world of its own” (in the context of trust levels). Standard ISO certifications help organizations get a “feel” for each other, but that does not remove the differences in security practices.

The difference is not on “what” or even why, but how.

So does it mean we will never get a truly universal ID, allowing seamless travel in electronic and physical spaces?

NO, sir.

Trust and security issues are organizations’ and governments’ responses to their needs on security, interoperability and future preparedness to harness new opportunities. Recall that governments actually do make decisions for and on behalf of citizens, as do organizations for their employees. As long as these two key stakeholders do not reconcile their security policies and practices, a universally acceptable and usable ID seems to be to me) a distant dream.

Does it cause us to worry? Actually not - as diversity of security solutions also allows for continuous improvement in technologies, capabilities and all this keeps electronic security space an exciting area!

TagsSecurityRisk & regulation

Comments: (0)

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Bishwajit

I trust your passport, BUT ...

10 May 2012  |  2556 views  |  0  |  Recommends 0 TagsSecurityRisk & regulationGroupBusiness Knowledge for IT

eSecurity Infrastructures: Reflections and Lessons

09 November 2011  |  4051 views  |  0  |  Recommends 0 TagsSecurityRetail bankingGroupInformation Security

Market Trust and Innovation

07 November 2011  |  2639 views  |  0  |  Recommends 0 GroupInnovation in Financial Services
name

Bishwajit Choudhary

job title

Strategy & Customer Concepts

company name

Nets

member since

2011

location

Oslo

Summary profile See full profile »
I am responsbile for NETS' internationalisation initiatives, selected strategic projects and corp...

Bishwajit's expertise

What Bishwajit reads
Bishwajit writes about
Bishwajit's blog archive
2012 (1)2011 (2)

Who is commenting on Bishwajit's posts