So a few weeks ago, my colleague David Black explored how real-world identities support identity and access management. Today, I'm gonna further explore how these identities, together with real-world evidence, underpin people, process and technology in the context of IAM and identity governance and administration. And of course, the elephant in the room, the COVID-19 pandemic, which has changed a lot of things. I'm Gillen Ward. I'm one of the directors consultants in ID Crowd. We mainly work to enable trusted data in terms of identity.
Proving a person is who they claim to be, and eligibility, proving that qualifications, skills, experience and other data points are genuine and valid, and then binding these together to better enable IAM by helping to mitigate against risks of, and threats of, fraud and malicious actors, so that you can be sure, together, that the people are who they claim to be and have the necessary skills and competencies, which we'll explore a bit further as we go on, that are required to perform those critical functions in your business, and ensure that you only allow the right people access to data, files, services and estate.
And that's an interesting one we're exploring. And of course the current need to increasingly do everything in a remote environment, not in person. Now IAM, identity and eligibility go hand in hand and they can't be done in isolation. It's not just about understanding who someone is, but what they have done, in order to understand whether people are eligible for or entitled to assets that you have: your files, document systems, sites, equipment.
It's all about understanding this whole employee process life cycle and how we manage the risk with IAM. If we think about identity, we typically use biographic information about me, personally identifiable information, my name, my date of birth, and perhaps place of birth. We also use biometrics, but they're more about the physical aspects of me.
And while identity proofing has been reasonably successful, from the 1.4 billion in India to the 1.4 million in Estonia, each with different ways of reliably proving who we are, eligibility is something that we typically haven't done as well. As my colleague Adam Cooper recently said, what you are is more interesting than who you are.
So if we think about the things about me and the difference, how we use trusted data, and this depends on the context, not necessarily who I am. If I want to buy age-restricted goods, then the vendor that is selling me those needs to have some assurance that I am over the legal age required. They don't need to know my name or my date of birth.
And ironically, what we do often is hold up a photo ID, particularly if you are under 21. However, to open a bank account or view health records or form a company, those organizations need to have more certainty and a higher level of assurance in understanding more about me, so they can be certain that I can do these things that require that more information. Another example that's interesting to understand the differentiation is, if I borrow your car, it's less about knowing who I am.
It's more about understanding if I have a valid license for a particular territory with no endorsements and up-to-date insurance. So if we think about successful IAM, it must work closely with human resources to ensure efficient, effective employee on- and offboarding and change around these whole processes, from selection, interview and testing.
You know, initially I need to know more about the capabilities or whether people have the mandatory requirements before actually knowing who that person is. And these things get teased out in the interview and during any testing that may happen. And of course, when someone turns up in your office in the onboarding phase, you need to make sure it's the same person, and we're gonna explore that in a minute. Operational change: so if we think about promotion and transfers, and has responsibility changed, does an individual now have access to restricted documents or locations?
These are things we need to consider, and there needs to be seamless interaction or offboarding. You know, what was the reason for offboarding? Was it a rogue employee?
Regardless of whether it's rogue or not, we need to make sure that we do that process effectively and all the time. So this is an example in this selection, interview and testing phase. There was a BBC drama called Trust Me. "Trust me, I'm a doctor" is often what we hear. And one of the things we need to consider in these processes is whether the individual has the necessary skills or competencies. There are safety implications.
If you were onboarding or selecting nuclear power, train, or crane operators, they need to have the right skills to be able to perform the job.
Same with finance and law. There's a liability and reputation risk if people don't have the requisite skills. And of course, with health, doctors, nurses, and surgeons and other healthcare professionals, it could even be a life-and-death situation. In this drama, the protagonist is a nurse who loses a job following a whistleblowing exercise, doing the right thing.
And doesn't know what to do. She sees an opportunity when her friend, an A&E doctor, decides to emigrate to New Zealand and leave the profession. So she takes on this role now because she has the competence and is knowledgeable about the way things work. No one questions her too much, but what we really need to do is check that claim. Those claimed assertions, the evidence, you know, do they have the academic qualifications or the professional qualifications? In the UK,
we can check with the General Medical Council to see if someone is a medical doctor.
And more importantly, whether they're able to practice or whether they've been struck off or it's lapsed. What we also found, when working earlier this year with the NHS on workforce modeling and identity and eligibility, was: how do you create a big enough pool of people? And how do you look at people whose registration has lapsed?
You know, what is the period of time you need to look at? But even when we did, we found that while on paper people might have had the qualifications and even the skills, they didn't have any recent hands-on experience, and some of them were academics who'd never had any hands-on experience. So you need to consider all of these things in this process.
In this example, which we talked about briefly before, is the risk that the person turning up for work is not the same person that was interviewed or took the test.
This is a picture of Mike Ross, who was the main protagonist in the US drama Suits, about a legal firm. He illegally makes a living initially taking the law admission test for others, but you know, how did that work? What checks were performed, if any, to allow him and others to be able to get through and then take up jobs?
He practices as a lawyer, but again, no one questions his ability, as he's knowledgeable and competent, passed this test many times. Initially he uses claimed but unproven and unchecked qualifications.
And ultimately he actually falsifies these. So all these things need to be checked. If we think about operational change, I've worked with IAM in large complex organizations, across many different sectors, in the oil and gas sector and the construction sector.
Both these sectors have used staff and contractors across multiple estates that require access to individual sites to be changed frequently. For example, in the construction sector, there are often interim site offices while a development is being built that revert to normal usage once complete.
So what if people still have access? And in the oil and gas sector, access to refineries or rigs, business-critical infrastructure that requires the right training to be in place before access, both health and safety and operational training. So these things require close liaison with HR and supply chain management, to make sure that all the requirements are up to date and valid. You know, have any promotions or transfers been trickled down? All these things need to happen; in a large organization, it gets difficult.
What if the temporary site, as I said, reverts to previous use, that means someone might have access to a building where they shouldn't have, or temporary staff they're constantly moved around.
You need to manage that therapy with the supply chain. And of course, we talked about this, critical is the offboarding process.
One, if they've left well. Again, at a large oil company, I once named the exit form, the oil feels for an oil company. So the oil access termination form, in reference to "how's that", which is in cricket; technically the fielding team must make an appeal before an umpire can rule a batsman out. But the point is that even being out needs governance. You need to make sure that you complete this and you do this whole life cycle. This is something that's often forgotten. So how do we do it?
Well, validating evidence is difficult. In the old days, old-school con men used fake aliases and credentials with confidence, hence "con men", to fool people into believing them.
It's a picture of Frank Abagnale with Leonardo DiCaprio, who made a film.
He impersonated, as we've seen before, a doctor, lawyer and a pilot, and later confidently.
But later turned out and worked as a security consultant with the FBI and others for many years. But before the pandemic, these things were done in person. We were often asked to bring a photo ID, but how would you bind that? It's very difficult now in this online world, where remote is the new normal. How can you check that a document is genuine?
How can you check that it's not a modified photo or a stolen document? Just because I hold up my document and you see a picture of me and the photo's the same doesn't mean to say that it's genuine or valid. You know, are the staff adequately trained to check what is falsified?
We've got a picture of this utopia lady, which is a passport. There are certain holograms and security built into passports. And if it's an ePassport, it will hold some biographic and biometric information on the chip, which you could check. But obviously you can't do that in a remote context. We could check
it was valid by going back to the issuing authoritative sources to see if it's been revoked. 'Cause just 'cause it's valid doesn't mean to say that it hasn't been stopped. There's a picture here of a university degree; there are many sites where you can buy them. How do you know it's genuine? You need to go back to the authoritative source. Of course there are contra-indicators we need to consider: data sets of false documents, sources. We need to check mortality: are the people alive, is the business trading?
I put Zoom here because that's often been used in recent times to work out who someone is. But there are lots of stories from HR professionals and managers who met people for the first time on Zoom. For those lucky enough to actually get into an office, when they met them, sometimes they weren't the same heights. You're seeing me at eye level, but when you actually meet people, they can be different heights. So there are lots of things that we can't actually do. We need to consider this in this new world.
Luckily there are proven and emerging standards to help to do this. There are the Good Practice Guides from the Cabinet Office in conjunction with the National Cyber Security Centre, which have Good Practice Guide 45, about identity proofing and verification. We've also got the US National Institute of Standards and Technology standards, 800-63-3, which again does pretty much the same thing.
They worked closely together.
And we've been working with an emerging standard about attributes from NIST, 8112, which allows you to measure and understand the metadata around how attributes were created and provide an assessment to determine the strength, who created them, the provenance and the quality of these. So I guess what we really need to think about with IAM is that the real world is dynamic. Things are changing all the time. We need to think about how IAM should be combined with start of set of structured tests, to understand these processes and outcomes of this employee lifecycle.
So we can reassess identity and eligibility as it changes over people's tenure and as organizations change: new buildings, technology, processes. Technology's great. I can help, but we need to ensure it's not garbage in, garbage out. Just 'cause we've always done something doesn't mean to say it's right now, or even that it was right in the first place.
Human nature means there'll always be error and fraud. So we need to consider the people, process, technology. Can we assume the checks were robust?
You know, remember it was a point in time. So as things change and businesses cease trading, which is happening a lot, unfortunately, in this time, and people die, there's a good chance you'll need to do it again. This pandemic has accelerated the need for remote and digital use cases. So we need to reevaluate what we've done and check it's still fit for purpose. So identity, eligibility and the binding is very important for IAM. I hope that's been interesting. Thank you very much.