Telecom operator Verizon (New York) announced on Monday that its cloud-based managed identity-as-a-service offering has been approved for Level 3 Identity, Credential and Access Management (ICAM) certification. According to Verizon, its Universal Identity Service is the first service with Level 3 certification for online identity protection for federal employees and visitors of government websites.
ICAM, which was established by the U.S. General Services Administration and the U.S. Department of Defense, is responsible for aligning the government’s identity management activities to help safeguard online identities. Before ICAM, identity standards varied from one agency to another, offering no interoperability.
According to Tracy Hulver, Verizon's chief identity strategist, agencies that do not outsource through a cloud-based service may be more inclined to do so now that there is a universal standard and certification process.
“There wasn’t really a standard that they knew,” says Hulver. “They didn’t know what to look for, but now there are these guidelines and frameworks to rely on.”
ICAM has four levels of certification, with one being the weakest and four being the strongest. According to Hulver, the first level does not require any type of vetting to prove identity. All that is needed is a username and password for entry. The second level requires a vetting process that verifies a person’s legal name, address, phone number, email, and perhaps the last four digits of a Social Security number or license.
Level 3 goes even further and asks for verification of name, address, phone number, email, and Social Security number, as well as answers to questions that only that individual would know.
For example, it could ask a series of eight questions that you would have to answer correctly within a four-minute time window, according to Hulver. Questions could include items such as: of five addresses listed, which one have you not lived at, or of four companies listed, which one have you not worked at.
The fourth and highest level requires an in-person vetting process where you have to prove through various methods that you are who you say you are. This is reserved for the highest level of authorization, for example top secret clearance.
According to Tracy Hulver, through Level 3 certification, this cloud-based service can provide four things to users. The first is identity proofing, meaning that it can prove that a person is who they say they are using information only that person would know. The second is credentials: proving who they are not only through information they know but also through something they have, like a hardware token with a random number generator on it or a one-time password sent to a smartphone. The third is authentication, meaning Verizon can intercept an authentication request and process it. Lastly, the service can provide access management, so once a person has authenticated they will automatically be given access to the other systems they are privileged to use.
“Four of the top six breaches that we investigated involved some attack vector using a credential,” says Hulver. “None of the breaches we investigated involved that second factor, so that shows you that using not only something you know, but something you have, exponentially increases the security of making sure only the right people get in and access the system.”
Having something like a hardware token or smart card may increase security, but it is also one more thing to carry around, and in the event that it is lost could cause increased problems, according to Hulver. Not only that, but the cost associated with these tokens could be steep for employees, who will have to provide these devices.
“One of the things that universal identity services allows you to do, is if you have a smartphone you can be issued a one-time password,” says Hulver. “It’s just as strong and it’s a lot easier to use my cell phone because I already have it. The other thing is that we can provide back-up methods, so that if my cell phone goes dead or is lost, I may decide that my back-up will be a one-time password to a landline number or a one-time password to an email address.”
The cost of the service depends on several factors, says Hulver: how many of the offerings the customer wants (all four or just one), how many users it has, whether it provides its own devices, and so on.
“Typically, we can be 20-70% less compared to what they are paying for their own infrastructure because of the scale that we have, the way we are doing things and the ability for the user to use devices they already have,” says Hulver.