Skip to main content

Safeguarding Digital Identity

Overview (pdf)

Frequently Asked Questions on Identity Theft

A Critical Challenge

The world’s digital resources are both impressively public—with vast amounts of information available to anyone who goes online—and steadfastly private, with reams of data hidden behind user names, passwords, and other identifiers. These electronic gatekeepers—separately and collectively—constitute a person’s digital identity, and when inserted correctly, open the doors to an otherwise locked virtual world.

Digital identities can be as simple as the user name and password with which one logs onto a computer, or they can be as complex as the digital fingerprints and other personal data needed to view highly sensitive files.  A physician who wants to access patients’ charts from home, for example, must typically navigate several security check points, first entering his or her user name and password onto a personal computer, then a second user name and more complex pass-code to connect to the hospital’s computers, and finally a third user name and password along with a special identifier (e.g., a unique physician identification number) to view a specific chart.

Across the board, digital identities are proliferating. Most people now have one or more identities for work, several for their online banking, credit card and financial needs, and still more to utilize various web-enabled services. Not surprisingly, the management—never mind protection—of multiple identities is a pressing concern.

Some of us try to apply the same user name and password to every situation, yet are thwarted when one site calls for passwords composed of six letters and another calls for a combination of eight letters and numbers, or tells us our user name has already been taken. Some of us write down our identities and hopefully remember where we’ve tucked them away. Despite such efforts, we still struggle.

Unfortunately, these identity issues are magnified for organizations. Multinational corporations, for example, must oversee hundreds of thousands of digital identities and mediate a raft of access privileges; even small companies may have multiple authorizations to manage per employee. Corporate mergers and acquisitions add to the confusion, with subsidiaries often hamstrung by system incompatibilities and myriad verification protocols. Similarly, umbrella associations, which have limited control over their members and affiliates, often struggle with the trustworthiness of their digital- identity database. And regional health-information organizations (RHIOS), though efficient repositories of patient records, must grapple with almost all these challenges.

Complicating the picture is that better identity management systems, though desperately needed, may create an unwelcome economic burden for both healthcare and financial organizations. But the consequences of inaction are also great. With so much identity information sequestered electronically, not only is the risk of unauthorized access rising, but along with it, the serious possibility of identity theft.

Project Overview

The Digital Identities project, which is supported by the Institute for Information Infrastructure Protection (I3P), brings together experts from six major research centers to address the privacy challenges posed by digital identification. Unlike other initiatives in identity management, the I3P project brings a multidisciplinary approach to its subject, devising technical solutions within a political, legal and social context.  Moreover, the project focuses on two of the sectors, financial services and healthcare, for which privacy preservation and the protection of identity information are critically important.

The researchers are developing technologies, as well as policies and guidelines, to harden identity management within these sectors. Each prototype technology developed by the team will be assessed for feasibility, privacy, security, scalability and cost according to an analytical framework the researchers are devising.  The result will be an array of solutions enabling organizations to exchange identity information with trusted partners and safely transact business via the Internet.

Working with Government and Industry

To ensure the relevance of their research and the applicability of their findings, I3P researchers are reaching out to both the financial and healthcare sectors, as well as to vendors, government agencies and other research groups.  Drawing on this input, the team is developing digital identity management solutions as well as devising an analytical framework to assess the solutions’ effectiveness throughout the digital identity lifecycle.

Specific strategies being developed by the I3P team include:

  • Standards that address privacy in healthcare-provider information and networked services to process and handle this information
  • Services that provide confidential information to authorized recipients, who are addressed by roles and attributes (rather than just by name or email address)
  • An identity verification service that cross-references a person’s identity information in a multi-institutional, federated environment
  • New methods of identity verification that distribute identity information across multiple trusted repositories
  • Identity verification tools that minimize disclosure of identity information so that privacy is preserved and only information required for a particular transaction is revealed
  • A service that facilitates trust negotiations across organizations wishing to share digital identities

Making an Impact

The objectives of the Digital Identities project are to:

  • Undertake a thorough analysis of identity management in the healthcare and financial services sectors
  • Develop models, tools, policies and rules for preserving the privacy of identity information that are applicable throughout the digital identity lifecycle
  • Devise comprehensive evaluation methods for new digital identity management strategies
  • Work with government and industry stakeholders to facilitate the widespread adoption of new solutions


Team Leader: Bruce Bakis bbakis@mitre.org

Funded by the Department of Homeland Security (DHS)

 

Last Updated: 1/23/12