Legislating Identity

"Drivers" are a funny thing. They're those often-ambiguous factors cited by analysts and reporters as they attempt to explain why a technology is catching on. Of course, there are usually deeper underlying factors "driving" technology adoption than the official technology "drivers." But even as we explore those underlying factors, it's still helpful to know who's behind the wheel of our technology car with their foot on the gas.

In the world of identity, legislative and industry regulations have become some of the key drivers (and boy, are there a lot of them). A quick look at this dizzying array reveals just how central identity has become:

The Real ID Act is a de facto national ID card act that was slipped onto the end of a military spending bill. It started as an initiative led by state motor vehicle administrators and quickly grew into a federal mandate for all state driver's licenses. The mandate includes requirements for "biometrics" and machine-readability (e.g., RFID chips; the act itself does not name a specific technology). There is some state-level protest, but mostly because the law mandates that states spend money and doesn't write the check.

Sarbanes-Oxley, Section 404 is the law that grew out of the accounting scandals that followed the late-'90s bubble. The law applies to public companies, and Section 404 specifically requires management to assess and report on its internal controls over financial reporting. In practice, auditors translate that into a requirement to control who can access the systems holding financial data and to produce an audit trail of that access. All of that means one thing: identity management systems.

The Gramm-Leach-Bliley Act is the law that seeks "modernization" of, and privacy protections for, the financial services industry. "GLB," as it's commonly known, has been around since 1999 and is seen as a general driver of identity management's privacy benefits.

HSPD-12 ("Homeland Security Presidential Directive 12") is the directive that mandates a common, interoperable identity credential for federal employees and contractors, and FIPS 201 is the NIST standard that spells out the security requirements for those access cards across government agencies. The Department of Defense's "Common Access Card" (CAC) project is often cited as one of the largest and most successful of these deployments.

California SB 1386 is the state law that mandates notification of customers in the event of a data breach or leak. It is widely seen as the prototype for a national law, though none has been enacted yet. That said, the California law has enough pull on its own to force many companies doing business in the state to comply.

The FFIEC guidance on authentication in Internet banking sets the expectations that regulated financial institutions must meet (the FFIEC is the Federal Financial Institutions Examination Council, an interagency body whose members include the FDIC, the agency that insures your bank deposits up to $100,000). This is the big one for 2006, as it's pushing online banks and brokers to deal with the sticky wicket of consumer strong authentication. The result is the rapid adoption of "risk-based" or "layered" authentication.

That's just the beginning. Did I mention Basel II, HIPAA, or the EU's privacy mandates? The funny thing is this: all of these mandates, regulations, legislative initiatives and guidance documents are seeking to "secure" something, or to make a process more secure (for auditing purposes). And in so doing, all of them have to demand identity mechanisms. It's almost as if identity is the precursor to all IT security (he says with tongue firmly in cheek).