Tag Archives: authentication

ISNow – Digital Loss Prevention

The following introduction was originally published in the BCS Information Security Now Magazine, Winter 2011 issue (Volume 6, Issue 1), which was on the topic of Digital Loss Prevention:

Gareth Niblett, Chair of the ISSG, says that many people see DLP software as something that magically stops your data from being lost, whereas the reality is quite different. 

“DLP is often used as a catch-all term for technology that somehow magically stops all unauthorised information flows once it has been installed.

In reality DLP has much wider implications in an organisation and can be quite nuanced. It could be considered as part of information lifecycle management, and should focus on ensuring the organisation can share the information it needs to, both internally and externally, in a correct, accountable and secure manner – data loss is then also prevented as a beneficial by-product.

To achieve robust inter-organisational collaboration capabilities, we would need common policies for identity proofing and verification (IPV) of organisations, people and devices, issuance of credentials, authentication and authorisation, so that interoperability can be obtained (for consistency and cost reasons).

Add a bridge, to tie together disparate systems and organisations with cross certification, along with an independent verification process, to ensure assurance is provided to all parties. Mix.

Levels of trust

One leading initiative, which I am involved with, is working towards such federated trust, at higher levels of assurance between regulated companies and industries. The British Business Federation Authority (BBFA) http://federatedbusiness.org/ is a not-for-profit self-regulating organisation born out of a government request for a body to represent the needs of UK industry in relation to identity management, which came at a joint BCS/eema seminar in 2009.

The BBFA Steering Group is made up of companies from regulated industry sectors and, along with its policy management authorities, is working with both private and public sector organisations towards standards-based and interoperable IPV, strong authentication and authorisation, federation and PKI bridge policies, procedures and mechanisms, as it recognises that without these no technology can meet the real needs of customers and end users.”

A PDF version of the magazine is available online at:


ISNow – Identity Management

The following introduction was originally published in the BCS Information Security Now Magazine, Summer 2008 issue (Volume 2, Issue 4), which was on the topic of Identity Management:

“Is your identity simply based on your DNA, or is it more ephemeral and flexible? Is it limited to what is on a card or in a database? Can your identity be stolen, or merely assumed? There is no black and white with identity, merely shades of grey.

Someone may have multiple ‘identities’, to suit particular purposes – e.g. banking, dating, online (public / private), acting – with legitimate or criminal intentions. On the other hand, government and business often need to uniquely identify the people they interact with. This does not predicate a universal identity, but multiple John Smiths have to be managed.

To authenticate someone’s (claimed) identity, there are four common methods:

  • something you know – e.g. password, PIN, mother’s maiden name
  • something you have – e.g. identification card, authentication token
  • something you are assigned – e.g. name, NI/NHS number, IP address
  • something you are – e.g. fingerprint, retina, DNA, voice, signature

The risk of misidentification is managed through the appropriate selection and application of these authentication methods and their associated data. Generally, the more factors that are used the stronger the authentication and greater the accountability, but this needs to be balanced against usability and failure rates.

If you’ve managed to get beyond (mis)identification then there needs to be a link to a level of authorisation for each user. These rights need to be properly maintained for each role or user, as this is the second step in identity and access management.”
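The factor list above, as an added example that is not part of the magazine text or of this blog: a Python two-factor check that combines “something you know” (a salted PBKDF2 password hash) with “something you have” (an RFC 6238 TOTP authenticator), verifying each factor independently and recording which passed. The user record layout, the `authenticate` function, the demo credentials and the drift window are assumptions made for this illustration; the TOTP secret is the RFC 6238 test-vector key, so the generated codes can be compared with the published vectors.

```python
"""Two-factor check: 'something you know' (password) plus 'something you have'
(TOTP authenticator). Added example; not code from the magazine or the ISSG.
The user record layout, authenticate() and the demo credentials are assumptions."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 200_000   # work factor for the stored password hash
TOTP_STEP = 30                # RFC 6238 time step in seconds
TOTP_DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Factor 1, something you know: constant-time compare against the stored digest."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def totp(secret: bytes, timestamp: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the default used by most authenticator apps)."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, code: str, timestamp: int, drift_steps: int = 1) -> bool:
    """Factor 2, something you have. Accept one adjacent step either side so a
    slightly skewed phone clock does not reject the user (usability vs. strictness)."""
    for k in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(secret, timestamp + k * TOTP_STEP), code):
            return True
    return False


# Constructed demo store (assumption). In a real system the salt/hash and the
# TOTP secret live in a protected credential store, never in source.
DEMO_SALT, DEMO_HASH = hash_password("correct horse battery staple", salt=b"\x01" * 16)
USERS: Dict[str, dict] = {
    "alice": {"salt": DEMO_SALT, "pw_hash": DEMO_HASH, "totp_secret": b"12345678901234567890"},
}
# Used for unknown usernames so response time does not reveal whether a user exists.
DUMMY_SALT, DUMMY_HASH = hash_password("dummy", salt=b"\x02" * 16)


def authenticate(username: str, password: str, code: str, timestamp: int) -> Tuple[bool, Dict[str, bool]]:
    """Check each factor independently; return (all_passed, per-factor results).
    The per-factor record is what an audit log would capture for accountability."""
    record = USERS.get(username)
    if record is None:
        verify_password(password, DUMMY_SALT, DUMMY_HASH)  # burn the same time, then fail
        return False, {"known": False, "have": False}
    results = {
        "known": verify_password(password, record["salt"], record["pw_hash"]),
        "have": verify_totp(record["totp_secret"], code, timestamp),
    }
    return all(results.values()), results


if __name__ == "__main__":
    now = 1111111111  # fixed timestamp so the run is reproducible
    current_code = totp(USERS["alice"]["totp_secret"], now)
    print(authenticate("alice", "correct horse battery staple", current_code, now))
```

Both factors are evaluated even when the first fails, and the result carries a per-factor verdict rather than a bare yes/no, which is what makes the accountability point above concrete: the log can say which factor was wrong. The one-step drift window in `verify_totp` is the usability-versus-failure-rate trade-off the text mentions; widening it admits more stale codes, narrowing it locks out users with skewed clocks. “Something you are” (biometrics) and “something you are assigned” are not shown here, as they need a matcher or an external registry rather than a local check.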

A PDF version of the magazine is available online at: