IDENTITY QUALITY BEST PRACTICES FOR THOSE WHO MANAGE HSMs
Your enterprise's HSM - and those who touch it - are truly the keepers of the keys to the kingdom. You probably trust the individuals who manage your HSM implicitly. After all, that's why they were chosen for such a sensitive job. But can you be sure that whatever happens, you'll be able to assure the management, board, and stockholders that this important responsibility was delegated strictly in accordance with best practices?
"Best practices" is a concept that exists to protect you and everyone in your organization. Let HSM-ID assure all your stakeholders that those with access to this very important key repository are who they say they are. Establish their identities to the very highest degree of reliability with an Identity Quality score of at least 45 on a scale of 0-54.
Your organization's most important digital assets are secured by cryptographic keys
Those cryptographic keys are secured in an HSM (hardware security module).
Shouldn't the identities of those who manage your HSMs be thoroughly checked as a matter of best practices?
Identities and Identity Management are two different things. Know the quality, and therefore the reliability, of the identities in your system. Is the Identity Quality of each one appropriate to its current and planned application?
The Six Dimensions of Identity Quality™
1. Quality of Ownership: Does the user have "skin in the game," or are the organization's assets the only ones at risk? If the only reliable way to prevent credential sharing is with credentials that protect the user's financial, reputational and identity assets, then to what extent does the identity protect those personal assets?
2. Quality of Enrollment Practices: What type of enrollment procedure was used? Did it involve PII corroboration? Was it face-to-face notarial or remote? How is provisioning performed? How is the process supervised and audited? How many eyes are watching? Each risk profile and highest protected digital asset value will call for a particular enrollment procedure.
3. Quality of Means of Assertion: A well-used identity is a more reliable identity; the more places it is used, the more its holder will be aware of the need to protect it. Does the credential support OpenID, i-Name, Shibboleth, CardSpace? Does it use SAML assertions?
4. Quality of Attestation: Who attests to the validity of the assertion, that is, the claimed identity? Is the attesting party a certification authority? How reliable are their attestation practices? How is identity status reported: CRL, OCSP or another method?
5. Quality of the Credential: What are the characteristics of the credential and its carrier? Is one key pair used for everything, or are different key pairs or simple serial numbers used for different applications? The carrier of the credential is equally important. Some risk profile / asset value situations call for two-, three- or four-factor hardware tokens, or a one-time password, while a soft credential in the client computer will suffice for others.
6. Quality of Assumption of Liability: If fraud is committed with the use of the credential, who carries the liability? Is that commitment bonded? What are the terms of the bond? What is the source of funds for fulfillment of the bond? Are there caveats, or is the commitment absolute, regardless of the circumstances that made the credential available to the perpetrator? To protect assets and processes of the highest value, where a compromised identity would have the most serious consequences, there should be both civil and criminal liability involved in the issuance and ongoing use of the credential. Equally important is protection against fraudulent repudiation. Nonrepudiation is perhaps the most difficult goal for a trust system to achieve, but it is necessary for the system to be useful to relying parties where significant transactions are involved.
IDQA™ and Identity Quality Assurance™ are trademarks of Reliable Identities. Patent Pending. The Identity Quality methodology is licensed by HSM-ID Inc. from Reliable Identities.