3. Planning

Online authentication establishes, to the required level of confidence, that the person you are interacting with online is the person they claim to be. The interaction may be as basic as providing information on an agency website, or it could be a transfer of land title or a benefit application. It is important for agencies to understand clearly the type of transaction they intend to deliver online and the level of risk attached to it, because as the level of risk rises, so does the level of authentication required to provide the service online securely.

This section explains how risk assessment and the classification of online services by 'Trust Level' provide a guide to determining the best means of implementing authentication for your online service.

Risk Assessment for Authenticated Online Services

Risk management is an iterative process of well-defined steps which, taken in sequence, support better decision making by contributing a greater insight into risks and their impacts.

AS/NZS 4360:1999 - Risk Management

Authentication for online transactions should be considered in the context of an agency's overall information system security framework. As this section focuses only on authenticated online services, government agencies should refer to the following sources for more comprehensive and detailed analysis of the risks associated with a complete information system:

  • Information Technology - Code of Practice for Information Security Management. AS/NZS ISO/IEC 17799:2001;
  • Risk Management. AS/NZS 4360:1999;
  • Government Communications Security Bureau. New Zealand Security of Information Technology [NZSIT] publications; and
  • Guidelines for Managing and Monitoring Major IT Projects - published by the State Services Commission and Treasury.

Risk Assessment Approach

Risk assessments are intended to enable agencies to identify the risks relating to a proposal or operation and to determine what, if anything, could and should be done about those identified risks.

Risk assessment methodology

The risk assessment process set out in the chart and steps below is designed to provide agencies with guidance on how to develop their own assessment plan based on their organisation's individual requirements and objectives.

Risk assessment is an iterative process. With each iterative cycle, risk criteria and management processes become more detailed and stronger. It is important to note that even after an online service has been implemented, periodic monitoring and review to identify any new risks, potential opportunities and benefits should be carried out.

Benefit of providing the service online - Step 1

Positive Client benefits are also a useful predictor of the likelihood of the service's popularity with Clients.

The first step in assessing risk is to complete an assessment of the benefits of providing the service online. These may include financial benefits (such as a reduction in transaction costs if the client can initiate and partially complete a service request online) and client benefits (such as a reduced requirement to appear in person at an agency). Determining the benefits to Clients may require a qualitative approach to measuring aspects such as convenience, acceptance, usability and satisfaction. [For a detailed explanation of quantitative and qualitative analysis, refer to section 4.3.4 of 'Risk Management - AS/NZS 4360:1999'.]

Other benefits will not be so easily quantified and will rely on:

  • management's strategic vision to determine how providing the service online complements the agency's objectives and mission statement;
  • business units determining how it best fits with business drivers and existing processes; and
  • client feedback and consultation around areas such as convenience, ease of use and acceptability of the service.

Identify risks - Step 2

A comprehensive identification of risk includes consideration of risks to Clients.

Allowing online access to all personal information and services may be beneficial to the agency and the client, but this must be balanced against the risk of the information being fraudulently or erroneously obtained or accessed by an unauthorised individual.

To allow accurate mitigation actions to be identified, it is important to identify the potential risk itself precisely and not to be side-tracked by the consequences should the risk eventuate. For example, a stolen password may allow unauthorised access to account information and the subsequent fraudulent receipt of a service. In this example the risk is that a password may be compromised, not the provision of an unauthorised service.

Detailed and accurate risk identification will assist in identifying cost-effective mitigation measures.

Cost resulting from risk occurring - Step 3

Once the risks have been identified, the cost to the agency and its Clients of each risk occurring can be investigated and mitigation plans developed. As with the quantification of benefits in Step One, the cost of a risk occurring may not be easily quantifiable; examples include loss of trust and confidence in the agency, reduced acceptance of future online initiatives and loss of data integrity.

Cost to mitigate the risk - Step 4

Once likely risks and their impacts have been identified, options and solutions to mitigate the risks can be investigated. A combination of technology, policy and processes should be considered as potential mitigation options. For example, it may be possible to mitigate the most severe risks by designing applications that allow most of the transaction to be completed online, while requiring the person to complete the part of the transaction with the greatest risk potential through an in-person, offline component.

In formulating risk mitigation approaches, care needs to be taken to ensure that risk avoidance (being overly risk averse) is not mistaken for risk management, which is a proactive approach to minimising the impact of a worst-case scenario.

Having identified the most appropriate approach to mitigating the identified risks, the agency can then determine the cost of that approach.

Evaluation of costs versus benefits - Step 5

The business objectives should include benefits to the Clients, such as increased access to services that are convenient and easy to use.

The final step is to evaluate whether the benefits of providing the service online are greater than the cost of providing the service and managing the risks involved.

One means of ensuring that the evaluation is carried out consistently is to use a pre-determined threshold based on business objectives and cost-benefit returns. If the assessment indicates that an online service is consistently below the threshold, this may indicate that more benefits can be obtained and/or that the implementation is too risk averse. Being consistently above the threshold may indicate that the risks and/or the projected returns from the service have been set too high. For these reasons it is important to establish the threshold before performing the assessment, so that the initial objectives and business drivers of the project continue to influence its direction.

Trust Levels

One of the key factors influencing the authentication requirements for an online service is the degree of certainty required about the identity of the individual seeking to use the service. The Transaction Trust Levels ('the Trust Levels') were developed to provide guidance to those agencies considering providing a service online by enabling them to categorise transactions on a consistent basis. This was intended to ensure that transactions of a similar type are implemented using similar authentication solutions.

A Trust Level assessment is ordinarily carried out in parallel with a Risk Assessment.

Four Trust Levels for transactions

The policy framework for online authentication in New Zealand specifies the following Trust Levels. Their definitions are based upon the Trust Levels developed by the UK Office of the e-Envoy:

Level 0 - Anonymous user.

Transactions that do not require the user to be identified or require protection of a user's identity. For example, access to online publications.

Level 1 - Pseudonymous user.

Access is provided for transactions that do not require a person to be uniquely identified but the service agency must be able to respond to the user. For example, to 'recognise' the person when he/she accesses the service on return visits.

Level 2 - Identified user.

Access is provided for transactions that require that a person be specifically identified. For example, establishing a bank account.

Level 3 - Identified user and verified transaction.

Access is provided for transactions that require the person to be specifically identified; verification of the integrity of the data exchanged and the exchange itself; and the creation of sufficient evidence to indicate that the person agreed to be bound by the transaction. For example, obtaining a passport.

Categorising Online Transactions

Trust Levels assist in categorising transaction types based on individual agency requirements around three components of an authentication transaction. The three components are:

1. Evidence of Identity [EOI] Strength

It is important to clarify that authentication strength is not provided solely by technology. For example, the banking industry uses 4-digit PINs to allow customers to use ATMs. This should not be considered a low-strength option, as it also relies on the user possessing their card, and the ATMs themselves provide additional security controls.

EOI strength is the level of confidence an agency requires in any identity information provided by the user. For example, a utility bill showing the user's name and address, compared with the user's passport plus confirmation of the details from a third party.

2. Authentication Strength

Authentication strength is the level of confidence implied by the use of an authentication method. For example, a simple 4-digit PIN on its own would have a lower authentication strength than a digital certificate or a complex user ID/password combination.

3. Transaction Strength

Transaction strength is the level of confidence an agency requires in an online transaction. For example, a low-strength transaction may only require an acknowledgement by email that a service request has been received. A high-strength online transaction may require many of the factors related to non-repudiation: evidence of who authored the request, proof that the message was sent and received, and assurance that the message was not tampered with and can be stored securely.

[Diagram: Categorising online transactions]

Determining component strength

For further information and guidance on determining individual agency risk levels, refer to the Standards NZ publication 'Risk Management - AS/NZS 4360:1999'.

The requirement for component strength is based on the need for protection against a pre-determined risk level. These risk levels should be based on an individual agency risk assessment using their own criteria and specific risk management processes. This would include impact on their Clients, effect on existing business processes and the overall agency strategy and objectives.

For example, for a transaction where there is a high likelihood of identity fraud taking place, the Evidence of Identity component would need to be strong. For another transaction the risk of identity fraud might be low, but the fall-out from information being released inappropriately very high; in this case the agency may determine the need for a strong transaction strength component.

Balance between the components

Robust authentication is achieved through balanced components and cannot be achieved solely through use of a strong authentication technology.

Within each Trust Level there are valid combinations of the three components at different strength levels. This means that a particular transaction can be assessed at Trust Level 2 with the need for very strong Evidence of Identity, while another Trust Level 2 transaction may only need moderate Evidence of Identity.

However, when considering an authentication system it is important that the strengths of the components are appropriately balanced. For example, imposing a robust and onerous Evidence of Identity process on a user and then allowing them to authenticate using a low-strength authentication technique reduces the overall security strength of the system to that of the weakest component.

The diagram below illustrates how the Trust Levels provide an indication of how the Evidence of Identity and Authentication components should be balanced for a robust transaction.

[Diagram: Authentication and evidence of identity balance]
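The Trust Level definitions and the component-balance rule above can be expressed as a small model. The following is an added example written for this page, not code from the framework or from any agency: it maps a transaction's requirements to Trust Level 0-3 and then checks whether the three component strengths (Evidence of Identity, Authentication, Transaction) are balanced, treating the weakest component as the cap on the whole system. The three-point strength scale (minor, moderate, significant) is borrowed from the illustrative risk levels used later in this chapter; the "no more than one step apart" balance rule and the sample transactions are my own assumptions.

```python
"""Added example (not part of the original framework): a model of the Trust
Level classification and the component-balance rule.

Assumptions (mine, not the framework's): component strengths are scored on the
chapter's illustrative three-point scale (1 = minor, 2 = moderate,
3 = significant), and a design is "unbalanced" when any two components differ
by more than one step.
"""
from dataclasses import dataclass

MINOR, MODERATE, SIGNIFICANT = 1, 2, 3
STRENGTH_NAMES = {MINOR: "minor", MODERATE: "moderate", SIGNIFICANT: "significant"}


@dataclass(frozen=True)
class Transaction:
    """What a transaction needs from the user, following the four Trust Level definitions."""
    name: str
    must_respond_to_user: bool = False      # Level 1: agency must recognise the user on return
    must_identify_user: bool = False        # Level 2: person must be specifically identified
    must_verify_exchange: bool = False      # Level 3: integrity of data and exchange verified
    must_evidence_agreement: bool = False   # Level 3: evidence the person agreed to be bound


def trust_level(tx: Transaction) -> int:
    """Map a transaction's requirements to Trust Level 0-3; the highest requirement wins."""
    if tx.must_verify_exchange or tx.must_evidence_agreement:
        return 3
    if tx.must_identify_user:
        return 2
    if tx.must_respond_to_user:
        return 1
    return 0


@dataclass(frozen=True)
class Components:
    """Strength of the three components of an authentication transaction."""
    evidence_of_identity: int
    authentication: int
    transaction: int

    def effective_strength(self) -> int:
        # The weakest component caps the system: a strong EOI process followed by
        # weak authentication buys nothing beyond the weak link.
        return min(self.evidence_of_identity, self.authentication, self.transaction)

    def is_balanced(self, max_gap: int = 1) -> bool:
        values = (self.evidence_of_identity, self.authentication, self.transaction)
        return max(values) - min(values) <= max_gap


def review(tx: Transaction, comp: Components) -> list[str]:
    """Return findings for a proposed design; an empty list means no concerns raised."""
    findings = []
    level = trust_level(tx)
    eff = comp.effective_strength()
    if not comp.is_balanced():
        findings.append(f"{tx.name}: unbalanced components; effective strength is only "
                        f"'{STRENGTH_NAMES[eff]}' despite stronger individual components")
    if level == 3 and comp.transaction < SIGNIFICANT:
        findings.append(f"{tx.name}: Trust Level 3 needs a significant transaction-strength "
                        "component (integrity of the exchange and evidence of agreement)")
    if level >= 2 and comp.evidence_of_identity == MINOR:
        findings.append(f"{tx.name}: an identified-user transaction with only minor "
                        "Evidence of Identity")
    return findings


# Constructed sample transactions, mirroring the chapter's own examples.
PUBLICATIONS = Transaction("read online publication")
RETURN_VISIT = Transaction("personalised return visit", must_respond_to_user=True)
BANK_ACCOUNT = Transaction("open bank account", must_identify_user=True)
PASSPORT = Transaction("obtain passport", must_identify_user=True,
                       must_verify_exchange=True, must_evidence_agreement=True)

# Constructed designs: strong EOI undermined by a weak authentication technique
# (the imbalance the text warns about), and a balanced Level 3 design.
UNBALANCED = Components(evidence_of_identity=SIGNIFICANT, authentication=MINOR, transaction=MODERATE)
BALANCED = Components(evidence_of_identity=SIGNIFICANT, authentication=SIGNIFICANT, transaction=SIGNIFICANT)

if __name__ == "__main__":
    for tx in (PUBLICATIONS, RETURN_VISIT, BANK_ACCOUNT, PASSPORT):
        print(f"{tx.name}: Trust Level {trust_level(tx)}")
    for finding in review(BANK_ACCOUNT, UNBALANCED) + review(PASSPORT, BALANCED):
        print("-", finding)
```

Running the module classifies the four sample transactions as Levels 0, 1, 2 and 3 and reports a single finding for the bank-account design: its effective strength is only 'minor', because the weak authentication component caps the significant Evidence of Identity work that preceded it.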

Applying Trust Levels across different stages of a transaction

Online transactions may be broken down into Trust Levels across the various phases of the overall service. For example, to take advantage of online access, an agency may allow a customer to complete a service application online.

The application can then be formalised in person at a later stage, taking advantage of online access while reducing the requirement on the user to establish an online identity and maintain a username/password that they may use infrequently.

This approach also allows the online service to be introduced at lower cost to the agency, and provides a phased approach that can be extended and developed as expected returns are realised and customer acceptance and expectations increase.

It also takes advantage of the all-of-government approach of separating authentication from authorised access to an online service. The long-term strategic vision for all-of-government is to provide a single robust online authentication service that agencies and the public can use to establish their identity online. If this strategic vision is realised, the in-person requirement to achieve Level 3 status could be substituted with the online identity provided as part of the all-of-government approach, reducing agency cost and development effort in this area.

Application of Risk and Trust Levels to this Framework

This section explains how the outcome of an agency's risk assessment and Trust Level analysis can be used to determine how to apply this Framework.

How to interpret the diagram and concepts

To assist in illustrating the concepts, the following diagrams use three risk levels:

  • minor;
  • moderate; and
  • significant.

For guidelines on risk mitigation options for each of the components, refer to the section 'Risk Assessment for Online Services'.

These are not intended as an indication of how many levels of risk there are or what they should be. That is for individual agencies to determine and is likely to involve more levels of detail or granularity; the three risk levels used here are for illustrative purposes only.

Once the risk levels have been determined, individual agencies need to determine the strength levels required to mitigate each risk, and to decide how that can be achieved within each of the transaction components. This will be influenced by available agency resources, existing infrastructure and long-term agency strategy.

[Diagram: Guideline to the diagrams]

Guideline to trust levels

Trust Level 0 - Anonymous

Transactions that do not require the user to be identified or require protection of a user's identity. For example, access to online publications. The only risk would be incorrect information being provided on the web site.

[Diagram: Trust level 0]

Trust Level 1 - Pseudonymous

Access is provided for transactions that do not require a person to be uniquely identified but the service agency must be able to respond to the person; e.g. to 'recognise' the person when he/she accesses the service on return visits.

[Diagram: Trust level 1]

Trust Level 2 - Identified User

Access is provided for transactions that require that a person be specifically identified. For example, establishing a bank account.

[Diagram: Trust level 2]

Trust Level 3 - Identified user and verified transaction

Access is provided for transactions that require:

  • the person to be specifically identified;
  • verification of the integrity of the data exchanged and the exchange itself; and
  • the creation of sufficient evidence to indicate that the person agreed to be bound by the transaction (e.g. obtaining a passport).

[Diagram: Trust level 3]