There are four levels of certification under the federal Identity Credential and Access Management (ICAM) program, Tracy Hulver, chief security strategist for Verizon, explains. The lowest level is Level 1, in which a user identifies himself or herself as who they say they are and no further identification is needed. Level 2 certification matches the person’s name with some identifying information, such as an address or the last four digits of his or her Social Security Number. Level 3 adds an additional layer of vetting called second-factor authentication.
With Verizon’s UIS product, users enter their name and perhaps an ID number, but then are also given an "online antecedent," Hulver says, which could be a list of questions someone has to answer in a given amount of time. For example, the person could be shown a list of addresses and be asked which of them is not an address at which he or she has ever lived. The vetting could include a number of such questions.
"The more questions you answer within the time frame, the higher the level of probability that you are who you say you are," Hulver says. Level 4 is the highest level of authentication and also requires a third factor, such as a smart card with a biometric identifier attached to it. Hulver calls Level 4 "the equivalent of a notary certification."
Level 3 certification hardens a protected website, database or other network asset better than conventional user name and password systems that have too often been hacked, Hulver says, citing the widely read 2011 Verizon Data Breach Investigations Report, which studied incidents reported in 2010. It divided computer network attacks into two main groups: malware and hacking. Of the hacking incidents, a majority were due to "weakened credentialing," he says, such as passwords that were too easy to figure out--like 123456--or server passwords that weren’t set, so the default password was "password." "None of the breaches that we had investigated in 2010 involved a breach of second-factor authentication, so that shows you just how strong second-factor authentication is," Hulver says.
Although there are other providers of second-factor authentication on the market, Hulver says, Verizon has an advantage in that its UIS is a cloud-based service. Because of that, hackers would not only have to break into the target’s network to get what they want, they would also have to hack into Verizon’s cloud.
ICAM was established by a subcommittee co-chaired by the General Services Administration and the Department of Defense (DoD). The program is not mandated, but it is intended to set a standard for various federal agencies--including the DoD, IRS and NASA--to follow to secure their networks. Offering a uniform standard like ICAM "would get the agencies themselves out of the ID management business," Hulver says.
Verizon’s certification for the Level 3 ICAM designation was granted by the Kantara Identity Trust Framework, an independent third-party organization not part of the government.
Verizon’s UIS product and other identity management and network security services are delivered through its Terremark subsidiary following the $1.4 billion acquisition of Terremark by Verizon earlier this year.