In Identity and Access Management, Levels of Assurance (LOAs) are an attempt to harmonise the riskiness of online transactions with the strength of authentication needed to secure them. Four-level LOA schemes (levels 1/2/3/4) have been instituted by governments in the USA, Australia and elsewhere, and they’re a cornerstone of federated identity programs like NSTIC.
All LOA formulations are based on risk management methodologies like the international standard ISO 31000. The common approach is for organisations to assess both the potential impact and the expected likelihood of all foreseeable adverse events (threats), using gauges that are customised to the local business conditions and objectives. The severity of security threats can be calculated in all sorts of ways. Some organisations are able to put a dollar price on the impact of a threat; others look at qualitative or political effects. And because the rating depends on an organisation’s capacity to absorb the impact, the same sort of incident might be thought minor at a big pharmaceutical company but catastrophic at a small clinical research organisation.
I’ve blogged before that one problem with LOAs is that risk ratings aren’t transferable. Risk management standards like ISO 31000 are intended for internal, customised use. Their results are not inherently meaningful between organisations.
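To make the non-transferability concrete, here is a small worked example (added for this edit; it is not from the original post and does not reproduce any government’s actual LOA table). It scores one hypothetical threat, disclosure of patient records, with the same impact-times-likelihood matrix at two hypothetical organisations whose impact gauges are calibrated to their own capacity to absorb a loss. The dollar thresholds, likelihood bands and the matrix mapping risk to an LOA are all constructed assumptions.

```python
from dataclasses import dataclass

# --- Constructed example data: none of these figures come from a real scheme ---

@dataclass(frozen=True)
class Threat:
    name: str
    expected_loss_usd: float    # estimated direct loss if the event occurs
    annual_likelihood: float    # probability of the event in a year, 0.0 .. 1.0


@dataclass(frozen=True)
class OrgRiskProfile:
    """Locally calibrated gauges, as ISO 31000-style methods intend."""
    name: str
    impact_thresholds_usd: tuple[float, float]   # (max 'low' loss, max 'moderate' loss)
    likelihood_thresholds: tuple[float, float]   # (max 'rare', max 'possible')


BANDS = ("low", "moderate", "high")

# Hypothetical risk matrix: rows are impact band, columns are likelihood band.
# Cell value is the LOA the organisation demands before it will rely on a
# credential for a transaction exposed to that risk.
RISK_TO_LOA = (
    # rare, possible, likely
    (1, 1, 2),   # low impact
    (2, 2, 3),   # moderate impact
    (3, 4, 4),   # high impact
)


def band(value: float, thresholds: tuple[float, float]) -> int:
    """Map a value onto 0 (low), 1 (moderate) or 2 (high) using local thresholds."""
    low_max, moderate_max = thresholds
    if value <= low_max:
        return 0
    if value <= moderate_max:
        return 1
    return 2


def assess(threat: Threat, org: OrgRiskProfile) -> int:
    """Return the LOA this organisation's own gauges assign to the threat."""
    impact = band(threat.expected_loss_usd, org.impact_thresholds_usd)
    likelihood = band(threat.annual_likelihood, org.likelihood_thresholds)
    return RISK_TO_LOA[impact][likelihood]


def ratings_agree(threat: Threat, orgs: list[OrgRiskProfile]) -> bool:
    """True only if every organisation lands on the same LOA for the threat."""
    return len({assess(threat, org) for org in orgs}) == 1


# Constructed organisations: same method, gauges calibrated to very different balance sheets.
BIG_PHARMA = OrgRiskProfile("BigPharma (hypothetical)", (1_000_000, 10_000_000), (0.05, 0.20))
SMALL_CRO = OrgRiskProfile("SmallCRO (hypothetical)", (50_000, 250_000), (0.05, 0.20))

# Constructed threat: identical figures presented to both organisations.
RECORD_DISCLOSURE = Threat("patient record disclosure", expected_loss_usd=400_000, annual_likelihood=0.10)

if __name__ == "__main__":
    for org in (BIG_PHARMA, SMALL_CRO):
        print(f"{org.name}: LOA {assess(RECORD_DISCLOSURE, org)}")
    print("ratings agree:", ratings_agree(RECORD_DISCLOSURE, [BIG_PHARMA, SMALL_CRO]))
```

With the same loss estimate and likelihood, the large company’s gauge puts the event in the low-impact row and emits LOA 1, while the small organisation’s gauge puts it in the high-impact row and emits LOA 4. Neither number is wrong within its own organisation; the point is that a “LOA 1” label produced by one cannot be read as a statement about the other.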
To appreciate this, take a look at another type of risk rating: the colours of ski runs.
Ski resorts label the degree of difficulty of their runs with colours: in North America and Australia, green, blue, black and sometimes double black. But do these labels mean anything between resorts? Is a blue run at Aspen the same as a blue at Thredbo? No. These colours are not like currency. So skiers are free to boast “Ha! That black isn’t nearly as tough as the black I did last week”.
LOAs are just like this. They’re local. They’re based on risk metrics (and risk appetites) that are not uniform across organisations. They cannot interoperate.
As far as I am aware, there are still no examples of LOA 3 or 4 credentials issued by one IdP being relied on by external Service Providers. When there’s a lot at stake, organisations prefer to use their own identification and risk management processes. And it’s the same with skiing. A risk-averse skier at the top of a black run needs more than the pat assurance of others; they will make up their own mind about the risk of taking on the hill.
Image credit: SnowKing winter trail map-1024×799.jpg from Wikimedia Commons, licensed under the Creative Commons Attribution-Share Alike 3.0 Unported license.