Behavior-based Identity Management

I was in Australia recently and I bought a necklace. The next morning I was asleep in my hotel room and my cell phone rang (it was early Australia time). My husband was calling because Visa had called him with a “very suspicious transaction” and he wanted to let me know and see if I knew anything about it. At first, I thought that was just really funny – I hadn’t even had time to break the news to him before Visa got to him (fortunately, he’s a great guy and supports my forays into the unnecessary). Then I started thinking about how this type of activity could be applied to identity management. We need to set our sights on moving from a era in which we have views of identity that are historical and/or current-state focused, i.e., “who-has-access-to-what” and “who-did-access-what”, to an era where we make more sophisticated decisions in real time about who-IS-doing what and if that appropriate or “normal.”

We have a lot to learn in cross-enterprise identity management from the behavioral modeling technologies with which the credit card companies are so advanced. This is where we’re headed – to real-time behavioral decision making on identity-based transactions. So if something is happening on the network that is out of pattern for an identity’s usual or expected behaviors – we can automate the process for session close, notification, instant message, etc. based on the value of the transaction in order to make better decisions and keep things safe. Going back to an earlier posting – this will let us accelerate without fear (and for those among us who love to shop, purchase without question).

Comments:

Setting aside the big ideas (which are good), I recommend you do what I do: call my credit card provider to notify them of the dates and destinations of my overseas travel. They appreciate the data: it helps them tune their fraud detection software.

Posted by Geoff Arnold on November 17, 2005 at 05:00 AM CST #

Interesting. I was talking to a consulting client a couple of weeks ago, and he does exactly what Geoff suggests: he notifies his bank in advance whenever he's travelling, even if it's within the US (for example, New York to Chicago).
It seems like a massive inconvenience to me.
Not only that, but he said that his bank didn't differentiate between his transactions and his wife's, as they have a joint account. Incredibly, this means that if he uses his card in Chicago and his wife uses hers in New York within a short space of time, the bank is likely to revoke one or both cards on the basis that 'he' can't be in both places at once, and therefore one transaction or the other must be fraudulent.
I would ditch my bank like a dead skunk if they did that to me....

Posted by Robin Wilton on November 28, 2005 at 08:25 PM CST #

Post a Comment:
  • HTML Syntax: NOT allowed
About

saragates

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today