Anil John
Making Digital Services Secure and Trustworthy

Should RP Business Process Data Collection and Validation be Outsourced to a CSP?

Service Providers (a.k.a. Relying Parties, or RPs) are in the business of delivering services. But delivering high-value services and benefits, especially in the public sector, requires knowing both the identity of the individual and additional information that is specific to the business process. Who should collect and validate that business-process-specific information?

In many of the attribute conversations going on regarding identity federation, there is often a blurring between the attributes needed for identity resolution at the RP and the attributes needed by the RP in order to provide services to its customer. This has resulted in two items worthy of discussion:

  1. RPs wanting the Credential Service Provider (CSP) to collect and validate data that is not specific to authentication or identity resolution
  2. Concerns by the CSPs that they may be liable if something goes awry when such data is used by the RP for authorizing access to services

To me it all comes down to one word: Accountability!

It is my considered opinion that in a federated world, one should assign accountability where it makes the most sense:

  • CSPs are in the authentication and identity proofing business and they should be held accountable for that function
  • RPs are responsible for their business processes and accountable for authorization and access control related to that function
  • RPs should not be asking CSPs to collect and validate business process data. Instead, once they have verified and enrolled the customer, they should collect the information directly from the customer

If RPs don't 'trust' the data provided by their enrolled customer, they should put in place alternate means of validating customer-provided information.

If a federation environment actually chooses to go down the slippery slope of asking a CSP to collect and validate RP-specific business process data, that should be a signal to have a crucial conversation resulting in a clear assignment of accountability in that environment.

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.
