Tuesday, 28 July 2009

Identity credentials for employees - new UK federated trust scheme British Business Federation Authority (BBAF)

There are plans for an ID credentials scheme for workers in UK businesses, which, who knows, might even end up being used more broadly instead of a national ID card.

Yesterday ComputerWeekly reported on a new cross-industry identity scheme which aims to enable UK regulated industries (initially intended to be financial services, telecommunications, aerospace and defence, pharmaceuticals, energy and law) “to trust how each other identify and authenticate their employees”.

A new organisation has been set up called the British Business Federation Authority (the article says it is a new company, but it doesn’t appear on a Companies House search I tried, nor does it seem to have any website yet).

The BBAF will coordinate the development of the necessary protocols for the acceptance of employee credentials (e.g. smart card or software certificate), “with different levels of assurance, in different locations, across different industries, and potentially across national borders.”

The scheme is intended to include “geographic awareness for location based services, data loss prevention and common federation components in enterprise architectures”.
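The acceptance rules sketched above (a credential from one industry being trusted by a relying party in another, subject to an assurance level) are easiest to see as a policy check. The following is an added illustration written for this post, not code from the BBAF, Clarion Identity or the ComputerWeekly article; the trust list, issuer names, assurance levels and the assertion fields are all constructed assumptions, and the assertion is assumed to have already had its signature verified before this check runs.

```python
"""
Relying-party acceptance check for a federated employee credential.

Added illustration, not code from the BBAF scheme. Assumptions (constructed
for this example): the federation publishes a trust list mapping each issuer
to its industry sector and the highest assurance level it may vouch for; an
assertion arrives already signature-verified and carries issuer, subject,
credential type, assurance level and a validity window.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Assertion:
    issuer: str
    subject: str
    credential_type: str   # e.g. "smart_card" or "software_cert"
    assurance_level: int   # 1 (lowest) .. 4 (highest), NIST-style levels
    issued_at: datetime
    expires_at: datetime


# Constructed trust list: issuer -> (sector, max assurance level it may vouch for).
TRUST_LIST = {
    "bank-a.example": ("financial", 3),
    "pharma-b.example": ("pharmaceuticals", 2),
}


def evaluate(assertion, required_level, now, trust_list=TRUST_LIST,
             max_age=timedelta(hours=8)):
    """Return (accepted, reason).

    Checks, in order: the issuer is a federation member; the issuer is not
    vouching above the level the federation allows it; the level meets this
    relying party's requirement; the assertion is within its validity window;
    and it is fresh enough for this relying party's own policy.
    """
    entry = trust_list.get(assertion.issuer)
    if entry is None:
        return False, "issuer not in federation trust list"
    sector, cap = entry
    if assertion.assurance_level > cap:
        return False, (f"issuer may vouch up to level {cap}, "
                       f"assertion claims {assertion.assurance_level}")
    if assertion.assurance_level < required_level:
        return False, (f"assurance level {assertion.assurance_level} "
                       f"below required {required_level}")
    if not (assertion.issued_at <= now < assertion.expires_at):
        return False, "assertion outside validity window"
    if now - assertion.issued_at > max_age:
        return False, "assertion older than this relying party accepts"
    return True, f"accepted from {sector} issuer at level {assertion.assurance_level}"


def demo():
    """Run four constructed assertions through a relying party that requires level 2."""
    now = datetime(2010, 1, 15, 9, 0, tzinfo=timezone.utc)
    fresh = (now - timedelta(minutes=5), now + timedelta(hours=1))
    cases = {
        # Cross-sector acceptance: a financial-sector smart card used elsewhere.
        "cross_sector": Assertion("bank-a.example", "alice", "smart_card", 3, *fresh),
        # Issuer claims a higher level than the federation lets it vouch for.
        "level_inflated": Assertion("pharma-b.example", "bob", "software_cert", 3, *fresh),
        # Issuer is not a federation member at all.
        "unknown_issuer": Assertion("unknown.example", "carol", "smart_card", 4, *fresh),
        # Valid but issued nine hours ago, beyond the relying party's freshness limit.
        "stale": Assertion("bank-a.example", "alice", "smart_card", 3,
                           now - timedelta(hours=9), now + timedelta(hours=1)),
    }
    return {name: evaluate(a, required_level=2, now=now) for name, a in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:15} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The point of the per-issuer cap is that federation membership alone is not enough: a relying party needs to know not just that an issuer is trusted but how far, otherwise a low-assurance issuer can simply label its software certificates as high-assurance and have them accepted across sectors.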

Its governance model is to be based on existing best practice, such as the Kantara Initiative, NIST and ISO, and it’s currently being steered by the cross-domain enabling group (XDEG), whose members include the parliamentary-industry forum Eurim, the British Computer Society, the Institution of Engineering and Technology, and academics from Oxford University and the London School of Economics.

It’s interesting that Patrick Curry, director of Clarion Identity and spokesman for the scheme, told ComputerWeekly that this scheme, which might get going as early as January 2010, would operate independently of the proposed UK national ID card scheme.

Coincidentally (or maybe not) Patrick Curry also gave a 50-minute webcast earlier today entitled “The Future of IAM is FIAM” (federated identity and access management), at the request of the BCS. It’s worth playing through (you have to register before you can play it back, but registration is free), even though he seemed to assume all listeners were male! (“guys”…) (I have written a review of the BrightTALK webcasting service in a separate blog post.)

He clearly thinks that inter-operability and collaboration are essential, for which a federation model is needed, and that mechanisms for selective disclosure of private information are critical. I couldn't agree more.

He shows a slide of the proposed structure of BBAF at about 42 minutes in (slide no. 23 on the slider), shown below in low resolution purely for the purposes of illustrating this report on his talk and the news about the formation of the BBAF:

If you're already familiar with the field and just want to hear his summary and thoughts on the future, just watch from that point, i.e. about 42 minutes in. (The earlier part is an overview of identity and access management generally: key drivers, issues and challenges for government, enterprise and citizens.)

Here’s something else he said which I found particularly interesting:

“…There is a requirement for appropriate anonymity and pseudo-anonymity and privacy, and those do need to be addressed. But market forces will prevail, I'm suggesting, led by industry to meet those employee requirements, but consumers will benefit from the back of that.

The crucial question is how far employee credentials could be used as the basis for trust in your citizen function. We haven't seen a lot of that yet but we expect that to happen, and governments will be issuing credentials more just to prove citizenship and ID, but not really much more function than that. Why? Because most of the entitlement activity will take place in the back end...

Some of the credential issuance procedures [for authentication and authorisation] will be more distributed. Why? Because you’re going to get a credential maybe at work that you're going to use in private life, or vice versa...”

