In part 1 of my blog post expanding on my Cloud Identity Summit talk on Invisible Identity, I proposed ‘The 4 Core Principles of Invisible Identity‘ that ensure that security and usability stay in a symbiotic partnership for an organization. I believe that adopting the concept of Invisible Identity will be vital to securing people in the digital age. But while security and usability are the two main goals of Invisible Identity, there is a third aspect to consider, and that is privacy.
It is obvious that Invisible Identity relies quite a bit on data collection mechanics – whether it be attribute, environmental, biometric or behavioral data. And it generates a bunch of data as well, what Stephen Wilson calls synthetic personal data. While the privacy wonk in me squirms uncomfortably when exploring this topic, the pragmatist in me understands that in this age of ecommerce analytics, customer analytics, targeted marketing, and increased sensitivity to fraud and insider threats, this sort of monitoring and data collection is here to stay. So the real question is, how can we give people the plums they want without asking them to sacrifice their freedom?
It is my opinion that there are 3 things that really need to happen in order for Invisible Identity to balance security and usability with privacy needs.
Respect the User
The first goes back to the Invisible Identity principle of Respect the User. People know there is no such thing as magic. And nothing will lose you their trust faster than turning into Big Brother. Which is why creating the framework for Invisible Identity must start with an application of Privacy by Design and fighting the desire to over-identify. The More you Know may be a good PSA line for NBC, but it isn’t a good motto for security professionals.
And as I mentioned in my previous post, giving people visibility and choice is crucial. Incorporating good notice and consent mechanisms will not only create a better relationship with them, but will inevitably lead to fewer people working around the security mechanisms because of a general sense of mistrust.
IDaaS and Identity Services
The second is the emergence of IDaaS and Security-oriented Identity Services. We’re talking about a lot of very sensitive data here, and there are very few enterprises in this world that can take on the burden of assembling the infrastructure needed to do these identity operations at scale while also doing a good job of protecting the data. For everyone else, I say there’s no point in doing it yourself. Or as Ian would say, don’t be a toxic waste farmer.
Protecting this data really well is crucial to protecting people’s privacy and maintaining their trust in your business. And the big identity providers and IDaaS players will almost always do a better job of protecting the data, creating scalable and secure APIs and services that you can leverage, and continuously enhancing it. I refer you to my CIS talk from a few years ago called ‘IDaaS. The Now Big Thing.‘
The third part is gonna come from an architectural innovation that we are on the cusp of. As the compute power in our mobile devices and endpoints increases dramatically, I believe that we’re gonna reach the point where a lot of the continuous authentication, authorization and data analytics can be and will be done right on the device itself, avoiding the need to have all that data transmitted over the internet and aggregated in a single place in the cloud/data center, where it is a magnet to identity thieves and hackers.
We see some of this already with the way secure elements are used to store biometric data locally, and share only the results of the evaluation with the services relying on it. I think this will be a different way of doing distributed yet consistent security that is going to be a boon to the scalability, usability and, most importantly, privacy of these security solutions.
I will note here that at their WWDC keynote yesterday, Apple execs talked about incorporating on-device intelligence into iOS (and I’ll guess other product lines eventually) going forward. Given that I gave my talk a full week ahead of this, I am going to go ahead and give myself some prescience points. Take that, Madsen.