idOnDemand | Article | Looking For An ID Solution? Get It From idOnDemand!


This month’s Smart Sense Newsletter features an interview with Terry Gold, VP of Sales North America for idOnDemand. In the interview, Terry discussed several topics, including:

- How does idOnDemand keep up with and contain identity fraud?
- What identification solutions does idOnDemand offer?
- Who is the end-user of idOnDemand’s products and what benefits do they receive?
- Could smart cards become obsolete in the near future?
- What is the next big thing we can expect from idOnDemand?


Published in: Technology, Business

Looking For An ID Solution? Get It From idOnDemand! :: THESMARTSENSE.COM - Identification 8/21/11 9:01 PM

Interviewee: Terry Gold
Designation: VP of Sales, North America
Company: idOnDemand

The SMART Sense: Identity fraud is ever prevalent, how does idOnDemand keep up and contain this menace?

Terry: One of the real challenges is that identity fraud comes in many forms making it very difficult to combat. So let’s first break this down a bit so there is context in my response.

At a basic level, identity fraud is about getting someone or a system to grant one access that otherwise should not be granted. For example, transferring funds from one bank account to another, opening a mortgage in another person’s name and liquidating the assets, gaining access to corporate trade secrets and either stifling their effectiveness, selling it or blackmailing the organization with it are all common forms of fraud.

Attacks can be executed in person (physical possession of paper records such as files, U.S. mail, etc.), over the phone and over the web. Increasingly, many attacks are “multi-faceted” using a combination of these methods to get what they need and execute the purpose of their attack where there is the least point of resistance.

Using an electronic system as a key component of an attack is becoming a very common element. Unfortunately, the vast majority of electronic systems identify people through usernames and passwords and are unable to scrutinize an imposter beyond what they had been built to do – verify that the [static] information that they had been programmed to ask for. For various reasons, passwords are not very good at keeping the bad guys out. They can be scraped through malware, recorded by loggers, shared, written down, discovered, or even guessed. Password policies only help in one or two of these aspects to a marginal degree. In effect, passwords are antiquated and result in a false sense of security.

There are many companies that provide alternatives to passwords but there are often challenges that prevent them from either being effective relative to what is expected of them.

1. Back-end – Many solutions assume that a fraudster is going to mandate themselves to get to a back-end system by using a valid user’s laptop or desktop, or that the information they seek is local on the front-end. Therefore, some solutions are designed to have a user present a unique credential on the front-end, only to pass through a static password to the back-end to perform authentication. Fundamentally, the same weakness exists on the back-end if a hacker goes directly to that system, which is often the case. Therefore, implementing a method that changes the fundamental authentication credential on the back-end is key. For example, using Public Key Infrastructure (PKI), an application, server, or system no longer even looks for a password and is not vulnerable to such attempts while pass-through technologies are.

2. Single purpose – Some solutions like tokens address the static credential problem on the back-end, only to perform the same function they used to when they came to market 15 years ago. Requirements have evolved since then. Therefore, organizations need to set up stovepipes of different solutions, keys, clients, etc. which becomes a beast to implement and manage.

3. Inside outside cloud – Many solutions only address applications “inside their network”. With cloud computing already mainstream, data needs to be just as adequately protected. Many solutions do not yet incorporate ways to protect the identity both inside and outside the network and the cloud.

4. Trust – Most solutions are designed in such a way that the customer must trust the design of the vendor system for authenticity and implementation, and then apply that to their organization. The challenge with this is that one can seldom verify the processes the vendor uses to build their code or how the keys are generated, stored and who has access to them. Logically, since the person is neither in control of this, nor can they verify it, they cannot trust authenticity - and neither can other organizations in which they want to have a trusted relationship. Conversely, if we substantiate and control the keys in a way that we agree is proper, authenticity can be trusted to a higher degree and reciprocated between external parties. A good example of this is what happened recently with RSA SecurID. For many years, RSA was being used to aid organizations, individuals and consumers to trust one another. While we cannot say exactly what happened other than what has been disclosed, it is apparent that vulnerabilities were implemented and executed externally but impacted internal users who had no control over this.

5. Standards – Very few standards have traditionally existed in the security world which has created a lack of transparency and interoperability, but this is changing. Establishing a common ground by which credentials can be issued, keys generated and stored, and to what standards build their products, trust can be granted and become more pervasive.

idOnDemand addresses all of these points by leveraging standards set forth by National Institute of Standards and Technology (NIST) and adopted across the Federal Government. Having been early pioneers in this area with the government and contractors issuing over 10 million of these identity credentials, idOnDemand knows it is a working system. We apply these standards and processes to our solutions and customers giving them a trusted, secure system that is multi-function, where THEY are in control and it can be applied across a broad variety of identity threats.

We are able to “keep up” with identity threats in two meaningful ways. First, most industries do not have standards to imposing regulations. It is common to look to what the government has already established and adopt that as a guideline, especially since many industries need to comply with the government around identity. Therefore, we find that industries are evolving to adopt what we already do, versus the other way around – and that is a nice change of pace for a vendor. Secondly, we innovate on top of these standards to make them “more usable” for organizations without locking them in.

The SMART Sense: Tell us more about the identification solutions idOnDemand has to offer.

Terry: We enable organizations to produce a single trusted identity for their users, partners and consumers. This is a smart card, and as such is a form factor that is already in use and familiar to most users. This corporate identity card replaces the one they already carry with one that is “smarter”, more secure and can do many more things. It becomes their “platinum card” of sorts to use for many touch points and transactions with the resources they need and the people they require to interact with.

The smart card is different because it is a highly secure “microcomputer” that is purpose-built to protect the key, which is unique on every card and never leaves the card in any transaction. So from a security standpoint, it is about the most secure platform that can be used. Functionally, it can authenticate a user to a computer either at the OS level or pre-boot with disk encryption, to the network, to applications, perform email signing and encryption, and other uses like signing documents. Of course, since it is a visual ID, it is your corporate badge that also gets you in the door, except it is much more secure than the normal badge.

On that point, it also makes sense to point out that over 90% of the building access security card implementations are so wrought with basic security flaws that this makes executing an in-person attack of identity fraud perhaps the easiest to execute of them all. Why? Because one doesn’t even have to hack into any system. Want access to the CEO’s office, untracked? How about a data center? In many cases it can be done for under $100 and 15 minutes of searching online. After that, about 5 seconds each time one wants to impersonate a valid user and walk around where they are authorized to do so. Check out this whitepaper for more details. Keep in mind that this is based on the most common technology. This same technology that the industry perceived as secure was hacked recently due to a poor implementation of security principles.

In this respect, we use the secure element in the card to strengthen building systems as well. Using industry standards, we innovate on top to help organizations use the legacy infrastructure they have previously invested in to transition to a much more secure system as gradually as they like. We are often able to repurpose the expensive components so it can be done economically for around the same operational budget that is currently in place.

Finally, implementing smart cards has traditionally been very costly, complex, and with long timelines. In my discussions over the years with security professionals, they have questioned the ROI but not the value if costs could be brought down to size. So we built the first commercially available Software as a Service (SaaS) model for smart card deployments. By already having the Enterprise-class infrastructure, people, and operations in place, our customers have secure access to our service to be able to produce identity cards. They are also able to link to a trusted source or use their own if they have one. It is very flexible, low cost, and only takes weeks to implement instead of years. Our service also doesn’t eliminate smart cards as an option because of organization size and budget. Users only pay for what they use and at the same time get access to a world-class infrastructure, team and standards model that is typically out of reach for all but very few organizations.

The SMART Sense: Who would you identify as end-users of your products? What benefits can be attained by them?

Terry: We serve different areas. Federal, state and local government as they look to adopt the PIV standards, address identity related matters, and comply with mandates to do so. The Federal government pretty much already did a lot of the work here through large-scale funding and internal programs that partnered with various contractor and vendor ecosystems around the standard. It is actually very impressive how the industry came together to have a very honest discussion, reach a consensus and partner to make a lot of progress. State and local governments are starting to see more activity now that the Fed has done so and is rolling downhill as they have similar issues and in many cases need to comply. I suspect we will see this trending over the next 2-3 years around Federal Identity, Credential, and Access Management (FICAM), how first responders identify themselves in crisis (FRAC), and other initiatives.

While we are engaged in Fed, State and Local deals, we continue to see most of our activity within Corporations as they struggle with all of the challenges we have been discussing. We basically hit all of the areas that are challenging them in a way that uniquely solves their underlying issues, enabling them to focus on their core business in more productive ways. This goes beyond security and often enables them to reduce disparate single-purpose authentication solutions, skill sets, budgets, and run a more efficient security and remediation program.

On the building access side, we enable Corporations to consolidate down to one card instead of various forms of identification, without requiring them to swap out systems for millions of dollars. Our solution is easier to manage, fewer cards, simpler for the end-user, and everyone is quite happy. Just on the last point alone we hear more times than not that large organizations have been trying to solve this for years, but legacy vendor implementations are restrictive because they are proprietarily built to not play well with other systems and lock you into going back for more cards. We open it up, make them have multiple personalities, base them on standards so you own the keys, the cards, your systems, and if we aren’t doing a good job, you can go work with another vendor tomorrow with the same technology. I should add that this motivates us to live up to that challenge.

Buyers these days are VERY smart. Many are aware that there are standards, better ways to do things, but none of it is put in a nice little box for them. They don’t have time to figure it out or ask 10 consultants and get 10 different answers and take a risk. They need to focus on core business and initiatives that make them money, satisfy their customers and grow their business. We make it simple, make it work, and let them focus on other things.

The SMART Sense: With most of idOnDemand’s products taking the form of smart cards while other form factors are emerging at a rapid rate, is there a possibility that smart cards be obsolete in the near future?

Terry: We have no religion specifically about smart cards. It’s a secure container for digital credentials. However, our customers have found it to be the most practical and useful form factor for corporate ID. This becomes evident in that most still require a physical photo ID badge to be displayed on the person as a matter of policy, and to gain access to buildings. Most people carry a building access card today and it makes sense to combine other uses into this same card as they only need (and want) one secure container.

There has been a lot of talk about mobile phones, but reality is that people still cannot use a mobile phone as a visual identity effectively. Therefore, I see the smart card form factor in the forefront for some time, at least until Corporations and Government agencies alike either change their policies or technology innovations advance considerably. Of course, anything is possible but there is a cost element where it has to be affordable and pervasive, so I am confident that we are not going to see smart cards obsolete in the near term. What is more likely is that we will see other form factors used for targeted scenarios or be complementary to existing ones during this time.

This is not to say that there hasn’t been a lot of activity on this front and that we aren’t excited about it. To the contrary, and we have been innovating in this area with close attention to where it can solve tangible challenges for organizations. Let me give you an example of one of them: Corporations increasingly have to deal with heavy user demand to have pervasive access to information anywhere which increasingly places emphasis on mobile device usage (Android, iPad, BlackBerry phones, etc).
We have been listening to our customers and there are three recurring themes that stick out.

1. Their lack of effectiveness (and desire) to distribute and install software to mobile devices;
2. Supporting the increasingly broad scope of platforms, versions and flavors; and
3. Enabling users to use devices of their choice without having to manage them or be concerned about private information on them.

idOnDemand solves this by using the smart card as a secure portable computer in a card... by touching different devices using open standards like Near Field Communication (NFC), the user is able to securely authenticate directly to a variety of applications. It is very convenient because it lets you select the app, opens the browser and fills the credentials for you, while employing the smart card security paradigm of PIN and the private keys never leave the card. No software is installed on the mobile device – it is all in the card and talks natively to the OS that supports NFC. So, no installing software, managing devices, and private information doesn’t leave the card and get stored on the device. A user could literally buy an NFC device, take it out of the box and touch their corporate ID card to it and it now functions like a corporate device. We not only support corporate applications, but applications in the cloud so this user experience (and credential issuance model) can be applied both inside and outside the firewall.

The SMART Sense: What is the next big thing we can expect from idOnDemand?

Terry: The feedback we have received on the NFC functionality has been overwhelming, and since the issuing party does not need to manage devices and it is based on standards, it applies very well to the growing consumer identity and authentication market. So you can expect that we will continue to build on this in a distinctly “usable” way.

In addition, the building security market has been, and continues to be, largely without interoperable industry standards. There is an enormous “awakening” going on where customers are now realizing how locked in they have been, and what it would mean if they had similar opportunities for vendor choice and integration that their IT counterparts have (philosophically) been practicing. I had a recent conversation with a CSO from an F500 company that had been undergoing a large acquisition.
He was struggling because he had to choose between either spending millions of dollars to swap out the acquired company’s systems to match current parent company systems so people have only one Identity and Access Card, or leave the systems in place and have people carrying around multiple cards. We were able to quickly provide him with the option of just purchasing new cards that were standards-based as he needed to rebrand them anyhow, are highly secure whereas his current ones were not, and could be applied to any systems, eliminating him having to spend millions to replace systems to get there. The amazement was that all of his system integrators, his internal teams, and vendor network never proposed such an option – and he was absolutely floored.

I am having A LOT of these conversations which is refreshing for both idOnDemand and our clients, so you can bet we will continue to innovate in this area to open things up, give customers the choice, put them in control, and provide functionality that is meaningful and works the way they need to work.

Copyright © 2011 All rights reserved.