Identity Project Eyes Fraud Reduction

State CISO Describes the Potential Benefits

Pennsylvania CISO Erik Avakian

A pilot project the state of Pennsylvania is launching to develop single identities for residents could help reduce fraud as it piggybacks on existing enterprise directory services, state CISO Erik Avakian says.

The National Institute of Standards and Technology awarded Pennsylvania a $1.1 million grant as part of the National Strategy for Trusted Identities in Cyberspace, or NSTIC, a public-private initiative to seek ways to create a so-called identity ecosystem that lets individuals choose from an array of credentials to transact business online (see States Test New Credentialing Approaches).

"This is really going to enable convenient, secure, privacy-enhancing online transactions for our customers," Avakian says in an interview with Information Security Media Group (transcript below).

"This grant is going to enable a secure ... online transaction which should also reduce fraud," Avakian says.

Pennsylvania is conducting the project at the Department of Public Welfare because it maintains a robust enterprise directory that provides single identities to employees. The pilot will be extended to other agencies as the state validates the new credentialing approach.

In the interview, Avakian discusses how the pilot project:

Could help reduce fraud;
Piggybacks on existing enterprise directory services that provide single identities to state employees;
Employs outside identity verification services.

Avakian became the commonwealth's CISO in June 2010 after serving more than three years as deputy CISO. Before joining state government, Avakian spent more than a year as a security consultant to the state. He holds a number of certifications, including Certified Information Systems Security Professional, Certified Information Systems Auditor and Certified Information Security Manager.

Single Identity Project

ERIC CHABROW: Take a few moments to tell us about this project.

ERIK AVAKIAN: NSTIC, which is the National Strategy for Trusted Identities in Cyberspace program under NIST, put out a grant and we were lucky enough to get one of those grant offerings from them as an award. ... We have a pretty robust identity management program in place in the commonwealth and it enables us to enhance that process where, as far as vetting inside users which we do, we can vet outside users as well.

We've been working with partnering with one of our sister agencies, the Department of Public Welfare. Through working with them and the funding that we have, we can really pretty much provide identity verification for users that are outside the commonwealth, users inside the commonwealth, and it's really to bridge that gap between the public and the private sector. I think that's one of the goals [of the] NSTIC grant.

This is going to really enable convenient, secure, privacy-enhancing online transactions for our customers, and it will also help reduce fraud by enhancing the user experience by allowing them to register once. Once their identity is validated through certain entities, then they won't have to repeat that same process multiple times as they transact business with other entities. It's really to bridge that gap between the private and the public sector by using identity verification services, and it's something that the federal government has been looking to do for a long time. We hope that, through this grant and through this process, we can provide that type of example for other organizations to follow.

Consolidating Identities

CHABROW: In describing the challenges the state faces in developing a single identity, you gave an example of a resident who might be known with one agency as J. Smith, with another agency as John Smith, and with another agency as 123456. How difficult is it to combine those various identities into one? What are the steps you need to take that you will see in this project to get these different identities into one identity?

AVAKIAN: When we look at the different John Smiths that might be in these directories, one of the ways that we're going to help utilize this is by consolidating our directory structure. For instance, the Department of Public Welfare today has a pretty advanced enterprise directory with over 2 million citizens in it. Utilizing that directory as the enterprise directory, we can really avoid all of these other user names and user accounts, because they're all in one directory.