This month’s Smart Sense Newsletter features an interview with Terry Gold, VP of Sales North America for idOnDemand. In the interview, Terry discussed several topics, including:
- How does idOnDemand keep up with and contain identity fraud?
- What identification solutions does idOnDemand offer?
- Who is the end-user of idOnDemand’s products and what benefits do they receive?
- Could smart cards become obsolete in the near future?
- What is the next big thing we can expect from idOnDemand?
Follow idOD on Twitter: http://twitter.com/idondemand
http://www.idondemand.com
http://www.identive-group.com
1. Looking For An ID Solution? Get It From idOnDemand! :: THESMARTSENSE.COM - Identification 8/21/11 9:01 PM
Identification
Looking For An ID Solution? Get It From idOnDemand!
Interviewee: Terry Gold
Designation: VP of Sales, North America
Company: idOnDemand
The SMART Sense: Identity fraud is ever prevalent, how does idOnDemand keep up and
contain this menace?
Terry: One of the real challenges is that identity fraud comes in many forms making it very
difficult to combat. So let’s first break this down a bit so there is context in my response.
At a basic level, identity fraud is about getting someone or a system to grant one access that
otherwise should not be granted. For example, transferring funds from one bank account to
another, opening a mortgage in another person’s name and liquidating the assets, gaining
access to corporate trade secrets and either stifling their effectiveness, selling it or blackmailing
the organization with it are all common forms of fraud. Attacks can be executed in person
(physical possession of paper records such as files, U.S. mail, etc.), over the phone and over the
web. Increasingly, many attacks are “multi-faceted” using a combination of these methods to get
what they need and execute the purpose of their attack where there is the least point of
resistance. Using an electronic system as a key component of an attack is becoming a very
common element.
http://thesmartsense.com/identification/30397 Page 1 of 5
Unfortunately, the vast majority of electronic systems identify people through usernames and
passwords and are unable to scrutinize an imposter beyond what they had been built to do –
verify that the [static] information that they had been programmed to ask for. For various
reasons, passwords are not very good at keeping the bad guys out. They can be scraped
through malware, recorded by loggers, shared, written down, discovered, or even guessed.
Password policies only help in one or two of these aspects to a marginal degree. In effect,
passwords are antiquated and result in a false sense of security.
There are many companies that provide alternatives to passwords but there are often challenges
that prevent them from either being effective relative to what is expected of them.
1. Back-end – Many solutions assume that a fraudster is going to mandate themselves to
get to a back-end system by using a valid user’s laptop or desktop, or that the information
they seek is local on the front-end. Therefore, some solutions are designed to have a
user present a unique credential on the front-end, only to pass through a static password
to the back-end to perform authentication. Fundamentally, the same weakness exists on
the back-end if a hacker goes directly to that system, which is often the case. Therefore,
implementing a method that changes the fundamental authentication credential on the
back-end is key. For example, using Public Key Infrastructure (PKI), an application,
server, or system no longer even looks for a password and is not vulnerable to such
attempts while pass-through technologies are.
2. Single purpose – Some solutions like tokens address the static credential problem on
the back-end, only to perform the same function they used to when they came to market
15 years ago. Requirements have evolved since then. Therefore, organizations need to
set up stovepipes of different solutions, keys, clients, etc. which becomes a beast to
implement and manage.
3. Inside outside cloud – Many solutions only address applications “inside their network”.
With cloud computing already mainstream, data needs to be just as adequately protected.
Many solutions do not yet incorporate ways to protect the identity both inside and outside
the network and the cloud.
4. Trust – Most solutions are designed in such a way that the customer must trust the
design of the vendor system for authenticity and implementation, and then apply that to
their organization. The challenge with this is that one can seldom verify the processes the
vendor uses to build their code or how the keys are generated, stored and who has
access to them. Logically, since the person is neither in control of this, nor can they verify
it, they cannot trust authenticity - and neither can other organizations in which they want
to have a trusted relationship. Conversely, if we substantiate and control the keys in a
way that we agree is proper, authenticity can be trusted to a higher degree and
reciprocated between external parties. A good example of this is what happened recently
with RSA SecurID. For many years, RSA was being used to aid organizations,
individuals and consumers to trust one another. While we cannot say exactly what
happened other than what has been disclosed, it is apparent that vulnerabilities were
implemented and executed externally but impacted internal users who had no control
over this.
5. Standards – Very few standards have traditionally existed in the security world which has
created a lack of transparency and interoperability, but this is changing. Establishing a
common ground by which credentials can be issued, keys generated and stored, and to
what standards build their products, trust can be granted and become more pervasive.
idOnDemand addresses all of these points by leveraging standards set forth by National Institute
of Standards and Technology (NIST) and adopted across the Federal Government. Having been
early pioneers in this area with the government and contractors issuing over 10 million of these
identity credentials, idOnDemand knows it is a working system. We apply these standards and
processes to our solutions and customers giving them a trusted, secure system that is multi-
function, where THEY are in control and it can be applied across a broad variety of identity
threats.
We are able to “keep up” with identity threats in two meaningful ways. First, most industries do
not have standards to imposing regulations. It is common to look to what the government has
already established and adopt that as a guideline, especially since many industries need to
comply with the government around identity. Therefore, we find that industries are evolving to
adopt what we already do, versus the other way around – and that is a nice change of pace for a
vendor. Secondly, we innovate on top of these standards to make them “more usable” for
organizations without locking them in.
The SMART Sense: Tell us more about the identification solutions idOnDemand has to
offer.
Terry: We enable organizations to produce a single trusted identity for their users, partners and
consumers. This is a smart card, and as such is a form factor that is already in use and familiar
to most users. This corporate identity card replaces the one they already carry with one that is
“smarter”, more secure and can do many more things. It becomes their “platinum card” of sorts
to use for many touch points and transactions with the resources they need and the people they
require to interact with.
The smart card is different because it is a highly secure “microcomputer” that is purpose-built to
protect the key, which is unique on every card and never leaves the card in any transaction. So
from a security standpoint, it is about the most secure platform that can be used. Functionally, it
can authenticate a user to a computer either at the OS level or pre-boot with disk encryption, to
the network, to applications, perform email signing and encryption, and other uses like signing
documents. Of course, since it is a visual ID, it is your corporate badge that also gets you in the
door, except it is much more secure than the normal badge.
On that point, it also makes sense to point out that over 90% of the building access security card
implementations are so wrought with basic security flaws that this makes executing an in-person
attack of identity fraud perhaps the easiest to execute of them all. Why? Because one doesn’t
even have to hack into any system. Want access to the CEO’s office, untracked? How about a
data center? In many cases it can be done for under $100 and 15 minutes of searching online.
After that, about 5 seconds each time one wants to impersonate a valid user and walk around
where they are authorized to do so. Check out this whitepaper for more details. Keep in mind
that this is based on the most common technology. This same technology that the industry
perceived as secure was hacked recently due to a poor implementation of security principles. In
this respect, we use the secure element in the card to strengthen building systems as well. Using
industry standards, we innovate on top to help organizations use the legacy infrastructure they
have previously invested in to transition to a much more secure system as gradually as they like.
We are often able to repurpose the expensive components so it can be done economically for
around the same operational budget that is currently in place.
Finally, implementing smart cards has traditionally been very costly, complex, and with long
timelines. In my discussions over the years with security professionals, they have questioned the
ROI but not the value if costs could be brought down to size. So we built the first commercially
available Software as a Service (SaaS) model for smart card deployments. By already having the
Enterprise-class infrastructure, people, and operations in place, our customers have secure
access to our service to be able to produce identity cards. They are also able to link to a trusted
source or use their own if they have one. It is very flexible, low cost, and only takes weeks to
implement instead of years. Our service also doesn’t eliminate smart cards as an option because
of organization size and budget. Users only pay for what they use and at the same time get
access to a world-class infrastructure, team and standards model that is typically out of reach for
all but very few organizations.
The SMART Sense: Who would you identify as end-users of your products? What benefits
can be attained by them?
Terry: We serve different areas.
Federal, state and local government as they look to adopt the PIV standards, address identity
related matters, and comply with mandates to do so. The Federal government pretty much
already did a lot of the work here through large-scale funding and internal programs that
partnered with various contractor and vendor ecosystems around the standard. It is actually very
impressive how the industry came together to have a very honest discussion, reach a consensus
and partner to make a lot of progress. State and local governments are starting to see more
activity now that the Fed has done so and is rolling downhill as they have similar issues and in
many cases need to comply. I suspect we will see this trending over the next 2-3 years around
Federal Identity, Credential, and Access Management (FICAM), how first responders identify
themselves in crisis (FRAC), and other initiatives.
While we are engaged in Fed, State and Local deals, we continue to see most of our activity
within Corporations as they struggle with all of the challenges we have been discussing. We
basically hit all of the areas that are challenging them in a way that uniquely solves their
underlying issues, enabling them to focus on their core business in more productive ways. This
goes beyond security and often enables them to reduce disparate single-purpose authentication
solutions, skill sets, budgets, and run a more efficient security and remediation program.
On the building access side, we enable Corporations to consolidate down to one card instead of
various forms of identification, without requiring them to swap out systems for millions of dollars.
Our solution is easier to manage, less cards, simpler for the end-user, and everyone is quite
happy.
Just on the last point alone we hear more times than not that large organizations have been
trying to solve this for years, but legacy vendor implementations are restrictive because they are
proprietarily built to not play well with other systems and lock you into going back for more cards.
We open it up, make them have multiple personalities, base them on standards so you own the
keys, the cards, your systems, and if we aren’t doing a good job, you can go work with another
vendor tomorrow with the same technology. I should add that this motivates us to live up to that
challenge. Buyers these days are VERY smart. Many are aware that there are standards, better
ways to do things, but none of it is put in a nice little box for them. They don’t have time to figure
it out or ask 10 consultants and get 10 different answers and take a risk. They need to focus on
core business and initiatives that make them money, satisfy their customers and grow their
business. We make it simple, make it work, and let them focus on other things.
The SMART Sense: With most of idOnDemand’s products taking the form of smart cards
while other form factors are emerging at a rapid rate, is there a possibility that smart
cards be obsolete in the near future?
Terry: We have no religion specifically about smart cards. It’s a secure container for digital
credentials. However, our customers have found it to be the most practical and useful form factor
for corporate ID. This becomes evident in that most still require a physical photo ID badge to be
displayed on the person as a matter of policy, and to gain access to buildings. Most people carry
a building access card today and it makes sense to combine other uses into this same card as
they only need (and want) one secure container.
There has been a lot of talk about mobile phones, but reality is that people still cannot use a
mobile phone as a visual identity effectively. Therefore, I see the smart card form factor in the
forefront for some time, at least until Corporations and Government agencies alike either change
their policies or technology innovations advance considerably. Of course, anything is possible but
there is a cost element where it has to be affordable and pervasive, so I am confident that we are
not going to see smart cards obsolete in the near term. What is more likely is that we will see
other form factors used for targeted scenarios or be complementary to existing ones during this
time.
This is not to say that there hasn’t been a lot of activity on this front and that we aren’t excited
about it. To the contrary, and we have been innovating in this area with close attention to where
it can solve tangible challenges for organizations. Let me give you an example of one of them:-
Corporations increasingly have to deal with heavy user demand to have pervasive access to
information anywhere which increasingly places emphasis on mobile device usage (Android,
iPad, BlackBerry phones, etc). We have been listening to our customers and there are three
recurring themes that stick out.
1. Their lack of effectiveness (and desire) to distribute and install software to mobile
devices;
2. Supporting the increasingly broad scope of platforms, versions and flavors; and
3. Enabling users to use devices of their choice without having to manage them or be
concerned about private information on them.
idOnDemand solves this by using the smart card as a secure portable computer in a card... by
touching different devices using open standards like Near Field Communication (NFC), the user
is able to securely authenticate directly to a variety of applications. It is very convenient because