* A reader weighs in on level of assurance
It’s winter in the antipodes, and those long nights give my friends in Oz a long time to ponder the breathless prose of this newsletter — and an even longer time to cobble together a response. One recent edition (“What does Level of Assurance really mean?”) evoked a stronger than usual response from Sydney, Australia, IdM consultant Allan Milgate, which he posted to me.
What Allan sent to me was this:
“I believe you’re unnecessarily complicating things, Dave, by trying to rename and redefine the issue. I’ve said it numerous times before, for years past. There is only one unified LoA [level of assurance]– it relates to Authentication, and it resolves the two types that you have invoked. Your government, the UK government, the Australian Government and others use it in exactly the same way. It is described [as “The Assurance Framework,”] at https://identityaccessman3.blogspot.com/.
“Your first type (“verification”) is actually called Registration Strength. It is reflected in the number of points required to be met when you register an identity (for a passport, bank account, etc). It is a “strength” because it represents a number of points, usually 100 points, but sometimes 150 points for some digital certificates.
“Your second type (“login”) is actually called the Credential Strength. It’s a “strength” because it represents the strength of the credential that you supply to login (password, digital certificate, biometric, etc).
“When the two are plotted on an XY graph, it creates a framework or model where one axis is the registration strength and the other axis is the credential strength, and the intersection of any instance of a login provides the level of assurance (LoA) of that particular user. This in turn allows an organization to determine what transactions that user is allowed to carry out. “
Milgate can get rather worked up about this — especially as he feels it’s little understood outside a select circle. Since that was my theory also, and the reason I wrote that issue of the newsletter (along with an attempt to better explain LoA to those of you not deeply involved in these areas), I’ll thank Allan for keeping me on my toes and explaining the full import of LoA. I’d also recommend visiting the link noted above to read more about Assurance Frameworks, which may become more important generally over the next few years.
New resources from IdM Journal: Identity Intelligence Insider: The SailPoint Podcast Series. This is an ongoing series of podcasts (already up to No. 21) featuring SailPoint execs as well as industry analysts and others discussing issues such as “Identity and Access Management’s Growing Importance”, “Managing the Tangled Web of User Access Risk during a Merger, Acquisition or Layoff” and “Reality Check — A Real-World Discussion of IT GRC and Managing Risk.” Check them out here, download (and listen to) the ones that interest you.




