Verizon has achieved a certification for a digital credentials program that in the short term will give the company a big advantage competing for work with the federal government, and in the long term might point the way toward the establishment of secure digital IDs in the consumer market.
Verizon is the first service provider to achieve Level 3 certification under the Identity, Credential and Access Management (ICAM) program.
ICAM is a federal program created to develop a method for establishing and safeguarding the identities of government employees and contractors working with the federal government that is consistent across all federal agencies.
Private sector groups likely to benefit include not only suppliers of equipment and services to the federal government, but also private sector businesses subject to federal oversight. An example is medical professionals issuing e-prescriptions that require verification under FDA rules.
Level 3 defines digital identification with some level of online screening; it is the highest level of security short of conducting a personal interview to establish identity (part of the definition of Level 4 ICAM security).
Verizon's chief identity strategist Tracy Hulver told CED that achieving the certification is an end unto itself, inasmuch as it will help Verizon compete for federal contracts providing identification services, but Verizon certainly expects that the effort might be a step toward establishing some sort of identity standards in the private sector.
One path toward moving ICAM-compliant identification services into the private sector might be through an Obama administration program called the National Strategy for Trusted Identities in Cyberspace.
NSTIC is aimed at creating an Internet identity ecosystem that uses interoperable technology standards and policies to authenticate not only consumers, but also organizations and IT infrastructure.
Security in the private sector is already believed to be a huge problem. The House of Representatives is considering a cyber security bill, co-authored by Rep. Mike Rogers, who noted, "There are two types of companies in this country: those who know they've been hacked, and those who don't know they've been hacked." A week after the introduction of that bill, Cablevision announced it had just fended off a DDoS attack.
NSTIC hopes to help encourage a coordinated response. It does not mention ICAM, Hulver said, but those involved with NSTIC see ICAM as an obvious possible starting point.
Ultimately, it would be beneficial to have a common credential, or set of credentials, that would both provide higher levels of security, but would also work in the consumer market.
"Why not be able to use that credential to log in to Amazon?" Hulver noted. That same ID security system would be just as applicable to FiOS and competing services, as well as for digital credit, he agreed.
Delivered via the cloud, Verizon Enterprise Identity Services are aimed at helping reduce the costs and complexity traditionally associated with identity rollouts. With this solution, users do not need to purchase additional hardware or software. If users lose a device, they can easily leverage a mechanism they already have – such as a mobile or home phone – or add an additional mechanism to retrieve their dynamic code for authentication, Verizon explained.
Verizon is leveraging two acquisitions to provide the security services: Cybertrust in 2007 and cloud services specialist TerreMark early this year.