Okay, thank you very much. So good afternoon. So this discussion today is not really a technology discussion. It's a people and process part. So as we know, people, process and technology are the three components of an enterprise view of the world. And one of the considerations for this is that you have to think what the processes are and what the risks associated with those processes are. If you think about identity access management, that is about allowing people access to your systems and your estates and your buildings and the like, and that is based upon trust.
Trust is the foundation of most interactions: you trust someone. And one of the pieces of onboarding is that you trust the person is who they claim to be. That point of claiming who they are, and testing that, is an important factor. And we do it already. It's how robust is that? How much threat is there to that? And what are the risks in there? So breaking through those processes, you've got to look at it in a stage-by-stage process. And we are working with a number of organizations related to fraud, and in conversations we've had with them...
And in some of the areas that we've been dealing with, there are some quite considerable fraud vectors involved in interviewing and selection. First of all, the risk that the individual being interviewed and tested isn't who they claim to be. Why would someone do that? And we were surprised at some of this. It almost defies belief that people will try this and, strangely enough, often get away with it. And that's the point. A good example of this?
The simplest point might well be that a recruitment agent quite often will go through the interview process on behalf of one of their candidates, especially if it's a remote process, especially if it's a set of tests or the like. So it is difficult to clamp down on that. But one of the situations has been where people have found that they've employed people who don't have the skills or competencies that they claimed to have, because someone else sat the test. This also happens where people get their friends to do stuff.
You know, we hear about this a lot in terms of someone standing in for someone else, and those are malicious, but in their intent they're quite benign in terms of what they do. They just get a person into the organization. It's when the threats become greater. And those threats could well be threat actors, including rival organizations or countries, potentially state actors looking for intellectual property and coming into the organization and stealing that. That might be stealing ideas.
But it is also increasingly a threat from state actors getting involved in secure supply chains, so the likes of military suppliers, and it can go on far beyond the spread of just the organization itself. So it could be subcontractors and the like, and obviously identity access management allows them into the system. But how do you know who you are letting in? Another part of this: my colleague Gill Ward is going to speak more of this in a follow-up presentation, I believe. The first is the risk that the individual doesn't have the claimed qualifications.
So again, this is an important factor, and actually something that's prevalent in areas such as healthcare, where there are professional qualifications, and other areas where people claim to be, or to have skills and qualifications that they aren't entitled to. I worked myself in the skills environment here, applying identity to skills, because skills and qualifications are often stolen by people who then masquerade as that individual, or they are forged.
That is typically very difficult when you're bringing on people from other jurisdictions where you haven't necessarily got access to the professional bodies. And that could be a risk as well. One of the other serious consequences is onboarding. So this is where someone actually turns up for the job.
Now, some of the threats here are that obviously the wrong person, or the right person in their minds but the wrong individual, turns up and gets employed by the company. This happens. It's happened in some quite strong and high-risk areas, and things like terrorist groups actually manage to recruit all their friends into an organization and bring them on board using a combination of the factors that you saw earlier. So when you consider those areas, then what do we do to mitigate some of the risk?
Well, you know, we have these processes written down: ask them to show some photo ID. So I wave a passport at the screen and you look at the passport, you look at me, you go, yeah, that looks about right. Or you get them to wave a passport in your face when you walk into the office. But when you look at a passport or photographic evidence, one of the big questions that we have is how do you know it's genuine? How do you know it's not a counterfeit document, for instance?
Now, if you think about some of the actors and the efforts that they're going to put into this, they could be quite complex types of frauds, with document frauds, et cetera. How do you know the evidence is valid? It hasn't been lost and stolen and repurposed, for instance. So are our staff adequately trained to detect fraudulent documents?
And one of the consequences is that a whole load of processes, and we talk all the way from recruitment to onboarding, and actually onboarding right into the company, are being done remotely. At no point in time could you be standing in front of the physical person; everything may need to be done remotely.
So one of the key factors that we need to look at is how can we use technology, and areas such as digital identity, to assist in onboarding. How do we stop these threat actors from coming in and masquerading, or coming in with a synthetic identity? This threat, and these threats of fraud, are, as we say, prevalent in all areas. We're not just talking about recruitment and onboarding and bringing people into the organization. It's prevalent in finance.
As we know, it's prevalent in government activities, claiming benefits, et cetera, and the discipline of digital identity, which is where we are in ID Crowd, is the outcome of a set of processes or tests to determine that the person is the true owner of that claimed identity. Now digital identity exists in a number of forms. Digital identity can be a point-in-time check that you don't do again. It could be a persistent identity that you create and someone represents. It could be a persistent identity that is then shared with other organizations.
I'm going to be agnostic of that in this discussion. I'm just going to talk about the process of digital identity and what it achieves. And we are actively working, as we said, on risk mitigation strategies for people who may well be bringing people on board into their organizations, and digital identity definitely forms part of that. One of the parts of digital identity is, okay, I'm going to test you. Fine. I'm going to check that you are, that you have the right documents.
So again, like I said, oh, well, you've waved a passport in front of it. And how do I know all those things? So first of all, I need to make sure that the evidence, and we call it the evidence, so that's your passport or your driving license or some photo ID, or something that binds you back to a real-world identity, is effectively strong.
Now, when we talk about strength, again, I'll come on to the classifications of strength. There are questions that you might ask. So for instance, how strong is the issuance process? We undertook some work for the Department of Homeland Security in the US to look at their overall environment for remote verification of individuals using various technologies and methods and various pieces of evidence. And there are a number of things that were quite important in there that surprised everybody. Well, not so much, but one of the things is the process of the driving license.
So in the US, something called the Real ID Act comes into play, which is basically a structured set of issuance processes for driving licenses. And my wife used to live in the US and told me stories of people that would cross a border into another state because it was easier to get their driving license. Now those are the kind of things that the Real ID Act, which harmonizes and strengthens the issuance process, will achieve. So therefore you might want to say, well, I'm going to look at this piece of evidence. Has it been subject to a strong issuance process?
Now in theory, passports are all subject to the ICAO set, because you are within a trusted federation of acceptors of bearers of passports that have an expectation that those passports all meet, and have been issued at, the same level. Not always the case, but in the majority of cases that's the case. The other point is security features. So for instance, how strong are those features? Now the strongest, as you think about an e-passport, is the cryptographic areas around that.
So for instance, the fact that there are a set of keys that you compare, you know that the information on it has not been tampered with, et cetera, right down to a laminated document like a driving license, and areas in between where there are templates available to show you what you can compare. And there are a number of vendors out there that allow that, but the strength of those security features is important. Can you validate the document against an issuing authoritative source?
So for instance, when we built GOV.UK Verify, I was product manager of something called the Document Checking Service, which allowed identity providers to check documents against the driving license authority, the DVLA, and the passport authority in the UK to determine that the document was valid and had not been reported lost and stolen or revoked, and those are becoming more prevalent in the private sector. But again, these are the sorts of things that strengthen the product by having these there, or strengthen the evidence.
The last part is that you validate that the person exists in the real world as well, by doing that, because you can look for that. So you might look for evidence in places like credit files or various other bits. You might get them to demonstrate a piece of evidence that's in line with anti-money laundering issuance processes, for instance. The next part is that you verify that the individual claiming the identity is the owner of that identity. You bind that person. The simplest way is possibly to ask them some questions from something.
So it looks simple, but you ask them some questions from their credit file. In practical terms, when you come to implement that, it's actually quite complex. So you actually turn to better technology. So I mentioned passports: you might NFC-read the passport, take the picture off the passport and then get them to do a selfie and do a facial recognition exercise across that. Obviously you've got to have controls.
There's, you know, a physical attack device, the defenses that you've got to have in place, for instance liveness tests; there's a whole varying set of things you need to do, but that will give you a strong bind. Now the beauty of that process is that you have a picture of the person claiming to be that person, and when they turn up to the office or do a voice call or video call, you know who you're expecting. How do you know I'm David Black? What evidence have you seen that proves that's the case?
Or if you had a digital representation of my passport photo with you, you'd know to look at that and look at me and, eh, I pretty much look the same. Obviously you would prefer to have technology tell you that's the same person. Verification also has different strengths. So one of the important things is you can use different methods. You can verify a photo ID and biometric comparison all the way down to, as I mentioned before, knowledge-based verification from credit files; you could use the binding to a mobile phone issuance process.
So the strength of issuance then becomes the strength of verification. And then you would undertake a number of counter-fraud checks. For instance, a mortality check is one of the most straightforward ones, but it's quite amazing how many people will use mortality and dead people's records. And obviously we know how that is used by Fisher organizations. It's also used by fraudsters. Obviously now it's very easy to talk about all of this in a very agnostic, abstracted way, but there has actually been a set of digital identity standards developed to assist people doing the check.
So it grades the evidence and methods to determine these strengths so you can measure them against each other. Part of the work we did for the DHS, and this is available online (if you search for ID Crowd DHS, you'll probably come across our paper; look on our website, you'll see that at the end of it), is that we measure this against 800-63-3, the standards from NIST, which is related to Good Practice Guide 45 from the Cabinet Office, which was jointly written with the NCSC and the Cabinet Office, and these break areas into different activities.
So strength of evidence, validation, verification, contra-indicators, and then activity history, which stops people generating those synthetic identities by looking at activity. But those all have grading within them. And through that grading, you can effectively determine the strength of evidence and the strength of a process. You then can do a risk assessment, basically a threat analysis, and determine what level of verification you need.
So if we roll this all back, in conclusion, to the identity of a person employed by an organization, you might want a low-grade set of identity checks because your threat is actually quite low. And actually some people use it simply as a deterrent. The fact you put up a fraud check deters; I think, from a national fraud unit, something like 90 to 95% of frauds will disappear, especially if they don't want to have their photo taken as part of the process. But effectively you might have a low-grade process.
However, if you are dealing in a sensitive area and you've got to do vetting on the back of this and you've got to try and do this remotely, then you would strengthen your identity up to a higher level. The last thing to consider is making the process user-friendly. Think of the user need when designing this; don't make it a barrier for someone because they've got to go and get a piece of evidence. Most people can get their passports and driving licenses, but they'd probably have to crawl around in a box in the attic to find their birth certificate.
So again, it's structuring that. So what we're saying here is you can use real-world identities prior to bringing people on board into identity access management, and there are tools and products that can assist in that.
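The staged process the talk describes (grade the strength of each piece of evidence, validate it against the issuer, bind the person with a verification method, run counter-fraud checks such as a mortality check and an activity-history check, then compare the achieved level with what a risk assessment demands) can be written down as code. The following Python is an added illustration, not code from the speaker, ID Crowd, or any vendor, and the 1 to 4 grades, the method names, the "document checking" registry and the deceased register are all constructed assumptions: the published GPG 45 and NIST SP 800-63-3 profiles use their own, more detailed scoring. What the example shows that the prose alone does not is the weakest-link combination: a cryptographically protected passport cannot lift a knowledge-based verification above the strength of that verification, and a mortality hit zeroes everything regardless of how strong the documents were.

```python
from dataclasses import dataclass

# Hypothetical 1..4 grading scale (1 = low, 4 = high). Every number below is
# an assumption chosen to illustrate the weakest-link combination; it is not
# a score taken from GPG 45 or NIST SP 800-63-3.


@dataclass(frozen=True)
class Evidence:
    kind: str               # e.g. "passport", "driving_license"
    number: str             # document number as printed
    issuance_strength: int  # assumed rigour of the issuer's process (1..4)
    crypto_protected: bool  # chip data signed by the issuer and verified
    expired: bool = False


# Constructed stand-ins for an issuer-side document checking service and a
# mortality register. Real checks would query the issuing authority remotely.
REPORTED_LOST_OR_REVOKED = {("passport", "P-000111")}
DECEASED_REGISTER = {"jane roe"}

# Assumed strength of each binding method: the strength of the issuance
# behind the binding becomes the strength of the verification.
VERIFICATION_STRENGTH = {
    "knowledge_based": 1,             # questions from a credit file
    "mobile_binding": 2,              # bound to a phone issuance process
    "photo_id_biometric": 3,          # document photo vs. selfie, no liveness
    "photo_id_biometric_liveness": 4, # as above plus liveness controls
}


def evidence_strength(ev: Evidence) -> int:
    """Strength of evidence: issuance rigour, raised one grade when the
    document carries cryptographic tamper-evidence (e.g. an e-passport chip)."""
    return max(1, min(4, ev.issuance_strength + (1 if ev.crypto_protected else 0)))


def validate(ev: Evidence) -> bool:
    """Validation: not expired and not reported lost, stolen or revoked."""
    return not ev.expired and (ev.kind, ev.number) not in REPORTED_LOST_OR_REVOKED


def counter_indicators(name: str, activity_months: int) -> list:
    """Counter-fraud checks: mortality register hit, and a thin activity
    history of the kind a freshly generated synthetic identity would have."""
    flags = []
    if name.strip().lower() in DECEASED_REGISTER:
        flags.append("mortality")
    if activity_months < 6:
        flags.append("thin_activity_history")
    return flags


def achieved_level(evidence, verification_method, name, activity_months) -> int:
    """Overall proofing level: the weaker of evidence strength and verification
    strength, reduced or zeroed by counter-indicators."""
    valid = [ev for ev in evidence if validate(ev)]
    if not valid:
        return 0
    strongest = max(evidence_strength(ev) for ev in valid)
    level = min(strongest, VERIFICATION_STRENGTH[verification_method])
    flags = counter_indicators(name, activity_months)
    if "mortality" in flags:
        return 0                # claimed identity belongs to a deceased person
    if "thin_activity_history" in flags:
        level = min(level, 2)   # no high level without a history behind it
    return level


def required_level(sensitive_role: bool, remote: bool, vetting_follows: bool) -> int:
    """Risk assessment: start low, raise the bar for remote onboarding, for
    sensitive roles and where vetting will rely on this identity."""
    return min(4, 1 + int(remote) + int(sensitive_role) + int(vetting_follows))


def decide(evidence, verification_method, name, activity_months,
           sensitive_role=False, remote=False, vetting_follows=False) -> dict:
    """Compare what the process achieved with what the risk demands."""
    achieved = achieved_level(evidence, verification_method, name, activity_months)
    required = required_level(sensitive_role, remote, vetting_follows)
    return {"achieved": achieved, "required": required,
            "onboard": achieved > 0 and achieved >= required}


if __name__ == "__main__":
    passport = Evidence("passport", "P-123456", 3, True)   # constructed sample
    print(decide([passport], "photo_id_biometric_liveness", "Alex Example", 24,
                 sensitive_role=True, remote=True, vetting_follows=True))
```

Running the block prints the decision for a remote, sensitive, vetted hire proven with an e-passport and a liveness-checked selfie (achieved 4, required 4). Swapping the method for knowledge-based questions drops the achieved level to 1 however strong the passport is, which is the point the talk makes about verification strength, and a lost-or-stolen report or a mortality hit drops it to 0.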