Digital identity has the power to propel your enterprise forward…or it can cause you to crash and burn. How you govern and manage it will make all the difference.
Think about your current state. Most in-place identity and access management (IAM) deployments are outdated and do not scale to current volumes of people, data and things—much less what is coming. Few organizations have yet adapted to emerging regulatory risk and privacy issues in the global environment. However, those that optimize their IAM architectures now can improve operational effectiveness and reduce risk. They can leverage transformative mobile, cloud, Internet of Things (IoT) and machine learning trends into innovative, identity-enabled capabilities for competitive advantage.
The New Oil
To repurpose an old quote,1 personal data is the new oil. Historically, companies have harvested that value by launching new online customer offerings and marketing campaigns with few constraints. But tightening privacy regulations are forcing global companies to obtain and document consent in a manner compliant with jurisdiction-specific standards when leveraging personal data.
Like oil, personal data can be toxic when spilled. Studies based on industry data show the costs of a breach in the US can easily run into the tens of millions of US dollars.2 Even higher consequences will arrive for companies storing European Union (EU) citizens’ data once the General Data Protection Regulation (GDPR)3 comes into effect in May 2018.
Why so much friction in the brave new world of digital identity? Faced with disruptive change to business practices and technologies, people and practices evolve more slowly than the technology itself. Citizen and consumer angst are behind the privacy-related risk. Human error is often the root cause of data spills.
IAM Innovation Is About Relationship Management
Organizations use IAM for internal control, to achieve operational efficiencies and to launch new customer-facing products. Over the years, they have extended IAM to business-to-business (B2B) partners and suppliers as well as individuals or consumers.
Today, IAM must cover relationships of people, mobile devices, consumer devices, cloud services, service providers and manufacturers. Privacy compliance and consent management must operate across all domains. Handled safely, a business may claim a success story like one international airport that has leveraged identity in cloud delivery models to scale operations for more than 40 million passengers annually amidst exacting security requirements.4
Call to Action
Handled unsafely, personal data breaches can put a company on a wall of shame.5 On the flip side, even avoiding breaches and complying with regulations does not guarantee profits. According to Ctrl-Shift’s Liz Brandt, a purely compliance-driven approach to GDPR could deliver a Pyrrhic victory, resulting in compliance with 20 percent fewer customers and loss of permission to market to a further 60 percent.6 To avoid this:
- Modernize the architecture
- Adopt privacy principles
- Take an identity and privacy engineering approach
Modernize the Architecture (Federate, Do Not Aggregate)
The rise of local area networks (LANs) and the commercial Internet in the ’90s spawned waves of innovation that brought us Lightweight Directory Access Protocol (LDAP) and enterprise identity-provisioning products designed to consolidate identity information into services such as Microsoft’s Active Directory. Centralized directories became a mainstay of internal control. Now, with data sovereignty regulations spreading globally, centralized directories are going away.
Without them, what is next? In the second golden age of identity,7 directories will move into the cloud and become much more distributed, virtualized and abstracted. OAuth, OpenID Connect and other standards provide a “federated identity” capability that supersedes LDAP by enabling cross-domain single sign-on, attribute management and access control.
Successful businesses are integrating IAM with applications via application programming interfaces (APIs) leveraging OAuth and related standards. Internally, organizations should be integrating IAM with human resources (HR), awareness/training, supplier relationship management and security analytics. Externally, they should be building consistent customer relationship management processes across their various business units. Identity as a Service (IDaaS) solutions are gaining favor by making it easier to integrate identity across diverse IT ecosystems including Software as a Service (SaaS) environments.
Adopt Privacy Principles Into the Business Process
Australia, Canada, the European Union and many other jurisdictions mandate strong privacy rights that consider individuals to be the owners of personal data. In addition to compliance, companies have other incentives to get privacy right. Adopting privacy-friendly principles and communicating them clearly may encourage customers to share information they would otherwise hold back.
What principles? We can summarize GDPR principles8 as an example:
- Provide fair, lawful and transparent processing of personal data.
- Limit use to declared purposes.
- Limit collection.
- Ensure data quality.
- Limit retention periods.
- Allow persons to delete or remove records where possible or legally required.
- Provide data security.
- Demonstrate compliance.
Take an Identity and Privacy Engineering Approach
Companies that successfully “talk the talk” with privacy principles should also “walk the walk” by giving customers easy-to-use tools to control their own data in ways appropriate to the service provided. Winning hearts and minds on privacy may win share amidst the coming GDPR churn.
The next challenge is to securely extend identity and privacy functionality across global partner ecosystems. Online retail is converging with brick-and-mortar retail, and both are converging with media, mobile, financial services and business services. Using modernized federated architectures, innovative IAM architectures can provide customers with a convenient experience across these domains without the Yet Another User Password (YAUP) drag. They can maintain brand consistency and trust in the process.
Few have mastered the multidomain customer experience challenge to date. Either the front-end customer authentication is too weak to be so widely trusted, trusted brokers are not available to transfer attributes needed for authorization, or back-end business processes are not integrated across domains. Further adoption of multifactor authentication and standards from groups such as FIDO Alliance9 for online authentication will help. But organizations also need to develop or subscribe to sophisticated identity provider (IDP) hub architectures and interconnect them via APIs.
Unfortunately, regulations such as GDPR will increase the risk to companies interconnecting their online ecosystems and brands. The YAUP will not go away easily. But there are opportunities to add privacy and consent machinery to the federated identity environment. For example, new standards such as User Managed Access (UMA)10 and the Consent Receipt Specification11 are emerging that will make it easier to put customers in control of their personal data and its use, to implement explicit consent processes, or both.
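As an added illustration (not code from the article, Kantara or any cited vendor), the Python below applies three of the GDPR principles listed earlier, purpose limitation, retention limits and deletion, to a consent record of the kind a consent receipt would capture. The piiPrincipalId and consentTimestamp names follow the Consent Receipt vocabulary; the purposes map with piiCategory and retentionDays, and the customer id, are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample consent record: field names piiPrincipalId and
# consentTimestamp follow the Consent Receipt vocabulary; the "purposes"
# map with piiCategory and retentionDays is an assumption for this example.
CONSENT = {
    "piiPrincipalId": "customer-123",
    "consentTimestamp": "2017-06-01T00:00:00+00:00",
    "purposes": {
        "order-fulfilment": {"piiCategory": ["name", "address"], "retentionDays": 365},
        "marketing": {"piiCategory": ["email"], "retentionDays": 180},
    },
}


def _ts(iso):
    # Timezone-aware timestamps so comparisons are unambiguous across regions.
    return datetime.fromisoformat(iso)


def _expiry(consent, purpose_name):
    # Retention window starts at the moment consent was recorded.
    p = consent["purposes"][purpose_name]
    return _ts(consent["consentTimestamp"]) + timedelta(days=p["retentionDays"])


def check_use(consent, purpose, attribute, now_iso):
    """Purpose limitation plus retention limit. Returns (permitted, reason);
    the reason is the line an audit log would keep to demonstrate compliance."""
    p = consent["purposes"].get(purpose)
    if p is None:
        return False, f"purpose '{purpose}' was never declared to the customer"
    if attribute not in p["piiCategory"]:
        return False, f"'{attribute}' was not collected for '{purpose}'"
    expiry = _expiry(consent, purpose)
    if _ts(now_iso) >= expiry:
        return False, f"retention for '{purpose}' ended on {expiry.date()}"
    return True, f"'{attribute}' permitted for '{purpose}' until {expiry.date()}"


def attributes_to_erase(consent, now_iso, withdrawn=()):
    """Deletion: every attribute no longer covered by a live purpose (retention
    expired, or consent withdrawn by the customer) should be purged."""
    live, collected = set(), set()
    for name, p in consent["purposes"].items():
        collected.update(p["piiCategory"])
        if name not in withdrawn and _ts(now_iso) < _expiry(consent, name):
            live.update(p["piiCategory"])
    return collected - live
```

The same check sits naturally behind an OAuth-protected API: the resource server consults the consent record before releasing an attribute, and the reason string is what it writes to its audit trail.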
To fuel the business in the second golden age of identity, we must all be innovators.
Endnotes
1 Rotella, P.; “Is Data the New Oil?,” Forbes.com, 2 April 2012, http://www.forbes.com/sites/perryrotella/2012/04/02/is-data-the-new-oil/#64ee40a57db3
2 Blum, D.; “Security Business Case for Breach Risk Reduction (Part 1),” Security Architects Partners, 13 April 2016, http://security-architect.com/security-business-case-part1/
3 Karczewska, J.; “COBIT 5 and the GDPR,” COBIT Focus, 29 May 2017
4 Okta, Gatwick Airport Takes Flight With Okta, http://www.okta.com/customers/gatwick-airport/
5 Information Is Beautiful, World’s Biggest Data Breaches, 5 January 2017, www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
6 Brandt, L.; “GDPR: Spend It and Sink It or Spend It and Grow It,” LinkedIn, 23 February 2017, http://www.linkedin.com/pulse/gdpr-spend-sink-grow-liz-brandt-nee-brown-
7 Blum, D.; “The Second Golden Age of Identity,” Security Architects Partners, 22 November 2016, http://security-architect.com/second-golden-age-identity/
8 Gabel, D.; Hickman, T.; “Chapter 6: Data Protection Principles—Unlocking the EU General Data Protection Regulation,” White & Case, 22 July 2016, http://www.whitecase.com/publications/article/chapter-6-data-protection-principles-unlocking-eu-general-data-protection
9 FIDO Alliance, http://fidoalliance.org/
10 Kantara Initiative, UMA, 14 March 2017, http://kantarainitiative.org/confluence/display/uma/Home
11 Kantara Initiative, Consent Receipt Specification, 8 May 2017, http://kantarainitiative.org/confluence/display/infosharing/Consent+Receipt+Specification
Dan Blum, CISSP
Is a principal consultant with Security Architects Partners. An internationally recognized expert in security, privacy, cloud computing and identity management, he leads and delivers consulting projects spanning multiple industries. Formerly a Golden Quill award-winning vice president and distinguished analyst at Gartner, he has led or contributed to projects such as cloud security and privacy assessments, security program assessments, risk management framework reviews and identity management architectures. He has provided technical security consulting engagements in all areas of data protection, including encryption/key management, data loss prevention, privileged access management and enterprise authorization. Blum has participated in industry groups such as ISACA, the CSA, Kantara Initiative, OASIS and others.