The world’s digital resources are both impressively public—with vast amounts of information available to anyone who goes online—and steadfastly private, with reams of data hidden behind user names, passwords, and other identifiers. These electronic gatekeepers—separately and collectively—constitute a person’s digital identity, and when inserted correctly, open the doors to an otherwise locked virtual world.
Digital identities can be as simple as the user name and password with which one logs onto a computer, or they can be as complex as the digital fingerprints and other personal data needed to view highly sensitive files. A physician who wants to access patients’ charts from home, for example, must typically navigate several security check points, first entering his or her user name and password onto a personal computer, then a second user name and more complex pass-code to connect to the hospital’s computers, and finally a third user name and password along with a special identifier (e.g., a unique physician identification number) to view a specific chart.
Across the board, digital identities are proliferating. Most people now have one or more identities for work, several for their online banking, credit card and financial needs, and still more to utilize various web-enabled services. Not surprisingly, the management—never mind protection—of multiple identities is a pressing concern.
Some of us try to apply the same user name and password to every situation, yet are thwarted when one site calls for passwords composed of six letters and another calls for a combination of eight letters and numbers, or tells us our user name has already been taken. Some of us write down our identities and hopefully remember where we’ve tucked them away. Despite such efforts, we still struggle.
Unfortunately, these identity issues are magnified for organizations. Multinational corporations, for example, must oversee hundreds of thousands of digital identities and mediate a raft of access privileges; even small companies may have multiple authorizations to manage per employee. Corporate mergers and acquisitions add to the confusion, with subsidiaries often hamstrung by system incompatibilities and myriad verification protocols. Similarly, umbrella associations, which have limited control over their members and affiliates, often struggle with the trustworthiness of their digital- identity database. And regional health-information organizations (RHIOS), though efficient repositories of patient records, must grapple with almost all these challenges.
Complicating the picture is that better identity management systems, though desperately needed, may create an unwelcome economic burden for both healthcare and financial organizations. But the consequences of inaction are also great. With so much identity information sequestered electronically, not only is the risk of unauthorized access rising, but along with it, the serious possibility of identity theft.
The Digital Identities project, which is supported by the Institute for Information Infrastructure Protection (I3P), brings together experts from six major research centers to address the privacy challenges posed by digital identification. Unlike other initiatives in identity management, the I3P project brings a multidisciplinary approach to its subject, devising technical solutions within a political, legal and social context. Moreover, the project focuses on two of the sectors, financial services and healthcare, for which privacy preservation and the protection of identity information are critically important.
The researchers are developing technologies, as well as policies and guidelines, to harden identity management within these sectors. Each prototype technology developed by the team will be assessed for feasibility, privacy, security, scalability and cost according to an analytical framework the researchers are devising. The result will be an array of solutions enabling organizations to exchange identity information with trusted partners and safely transact business via the Internet.
To ensure the relevance of their research and the applicability of their findings, I3P researchers are reaching out to both the financial and healthcare sectors, as well as to vendors, government agencies and other research groups. Drawing on this input, the team is developing digital identity management solutions as well as devising an analytical framework to assess the solutions’ effectiveness throughout the digital identity lifecycle.
Specific strategies being developed by the I3P team include:
The objectives of the Digital Identities project are to:
Team Leader: Bruce Bakis firstname.lastname@example.org
Funded by the Department of Homeland Security (DHS)
Last Updated: 1/23/12