
Identity Comes of Age

August 9, 2017 by Susan Morrow

I remember going to the Internet Identity Workshop at the Computer History Museum back in 2009. It was an “unconference,” which meant that anyone could present as long as you got your idea up on the board quickly. I presented on the topic of “Information Cards.” Information Cards were an identity framework brought to fruition by Kim Cameron et al., of Microsoft. Cameron had also developed the idea of the “Laws of Identity” that Information Cards were based on. These laws were a set of seven bold tenets that focused on user-centric control, privacy, and flexibility of use. At the time, they were groundbreaking in their attitude toward both the user and the idea of what an online identity was. They introduced, firmly into the identity equation, the concept of “claims,” which are basically just snippets of information about an individual. To roll back a bit here, we have to put these laws into the context of what identity was in 2009. In terms of years, 2009 wasn’t all that long ago; in terms of digital identity, it is a lifetime. In 2009, the concept of users having control over their identity, or identity being based in the cloud, was unheard of. My talk at that conference was about taking the Information Cards outside the Microsoft stack and placing them into a cloud context.

To understand why I was giving this talk, I need to tell you a little of my own history.

Before 2009, I had worked in product design for enterprise security products, including email encryption and rights management of documents. We came across an issue at the time that caused reduced scope of the product use. This issue revolved around allowing enterprise users to share protected emails and documents outside of the enterprise. Remember, this was 2009 and cloud computing was still a buzzword. The issue of sharing revolved around how to identify an external user. Inside the enterprise, there were Active Directory, LDAP, and even personal digital certificates that could be used. Outside the enterprise, you had passwords; we found that personal digital certificates were much less used outside of larger enterprises, so they were off the cards. Passwords, as we all know, are annoying at best and had other issues such as how to communicate the password securely to the recipient. As a product designer, I had to find a good alternative. So, I looked to the emerging world of digital identity and found Microsoft’s Information Card system.

The trouble with Information Cards, however, was that they were Microsoft built and were stuck, for all intents and purposes, on a Microsoft OS. If you didn’t use Microsoft, you couldn’t use the cards. The card was also desktop-bound. You had to install software. These were barriers to using the cards with our product as a way of controlling external user access to a protected document. So we designed and developed a cloud-based system to allow users to pick and choose Information Cards to determine access. The trouble was that Information Cards were based on a protocol called WS-Trust. WS-Trust as a protocol works fine. It does the job. But it never had great uptake like its competitor SAML. SAML 2.0 is a widely used protocol by many folks, including government, financial, retail, healthcare, and so on.

To cut a long story short, I gave the talk about Cloud identity to an audience that was just not ready for it. We were too early and we were using the wrong protocol, but I had a vision and Cameron’s Laws of Identity underpinned that vision.

Since 2009, we have witnessed a revolution in how companies of all types work. Cloud computing has transformed how we share data and so we need new ways to identify the people we wish to share these data with. Enter a modern online identity that is cloud-based and user-centric, with privacy baked in.

In this series of articles, I’ll be looking at what online identity is, and what it ultimately can be. I’ll look at the driving forces behind this new world order, and the challenges we still face in creating a usable, mass-scale, secure, and privacy-enhanced identity system within a world where the Internet makers forgot to add identity in as a layer.

What Is Driving Identity Today

I can’t quite remember when the enterprise perimeter was smashed, but it began sometime in the late 2000s. And it was less of a smash and really more of a slow opening. But open it did, and we now have a situation where 85% of enterprises have a multi-cloud strategy. In terms of identity-as-a-service (IDaaS), Gartner is predicting that, by 2020, 40% of enterprises will use an IDaaS model.

But what is driving this change?

There are a number of factors acting as a driving force for change in the whole area of identity and access management (IAM). Below are some of the main drivers, both internal to the enterprise as well as some changes happening in the population as a whole that are determining the future of customer online identity.

Inside the Outdoor of the Enterprise

Cloud and mobile computing

The use of an identity is really about proving that you are who you say you are in order to be given access to something. As already alluded to, cloud computing has created a major change in the way we share information. A survey by SkyHigh showed that the average organization uses 1083 cloud apps and the average employee accesses 28 of them. The survey also found that, on average, 27.8% of employees upload sensitive data to a file sharing app, like Dropbox. The cloud is simply awash with data and we have to access it, securely. The trouble is compounded when you need to prove your identity to access apps from mobile devices, from any location; authentication can then become an issue. You can connect Active Directory to Dropbox using third-party connectors, but this starts to complicate things. This is where we start to look for one identity to rule them all—an identity that is portable, adaptable and that connects the device to the cloud app like an umbilical cord.

Remote working

At a Global Leadership Summit in 2015, 34% of those surveyed expected their full-time workforce to work remotely by 2020. This fits in with a report from the Bureau of Labor Statistics, which shows that 38% of people working in business, management, and financial occupations did some or all of their work from home.

Remote working brings unique access control and authorization challenges for a business. The new era of IAM has to accommodate a complex working environment that sees our workforce using their own devices, requiring access across multiple cloud applications, and working from various geographic locations. The use of freelancers and outside consultants only exacerbates the problem of access rights. The days of a single identity repository are long gone. Enterprises have to rethink identity and, in doing so, they can open up their approach to controlling access.

The Age of the API

It seems that every vendor and their dog has an API. APIs are highly effective tools. They open up functionality to all (in theory). The API economy is a natural extension of cloud computing and the ubiquitous nature of the Internet. We need APIs to connect everything together seamlessly. It is the humble API that will drive the capability behind the modern IDaaS solution. API-based identity solutions will let organizations with existing customer bases and employee repositories link up to cloud-based apps more easily and rapidly and provide extended functionality to the enterprise identity scheme.

Outside of the Enterprise

External to the enterprise, many aspects of our society have seen change. Consumer attitudes toward technology have changed, Internet access is normalized, even obsessed over; and even the rise of social media has played into modern IAM drivers. Our customers expect us to provide a certain level of contact, a great UX, and a place to store and share data. Compliance drivers like the EU General Data Protection Regulation (GDPR) layer expectations of consent and security on top of these expectations.

Consumer Identity – Symbiosis in Action

The rise of customer identity access management (CIAM) has begun. Where we once had a closed environment with a single repository of users, we now have the need for an open, mass-use identity system that can accommodate our customers. CIAM is all about the user. You can see how the Laws of Identity set out by Kim Cameron back in 2005 are now resonating. CIAM is about user choice, privacy, and enhanced usability. Enterprises are finding the need to engage with their audience at a much deeper level to ensure competitive lead. A CIAM system has a number of prerequisites to make sure you comply with regulations, meet KYC, and have excellent levels of security. Some of the basics of a CIAM system include:

  • An excellent self-service user experience
  • Verification of the user by some means; for example, a credit file agency
  • User-friendly but secure authentication measures (one of the trickier features)
  • An account that connects your organization to the user (using consented marketing)
  • API-driven to let you use existing accounts within the CIAM system
  • Robust self-service account recovery
  • Privacy and consent as a design goal within the system
  • Massive scalability

The above matrix of features is a powerful tool for both the consumer and the organization. The consumer is given the power to interact and the organization, in turn, benefits from a deeper connection with the customer; some systems will let the organization send personalized vouchers and notifications to the customer, for example. The system is built to be symbiotic.

How CISOs Can Use Identity in Their Own Vision

The Kantara Initiative, a global consortium looking at innovations in identity and data sharing, put out a press release about their new guide on the design principles of using identity relationship management (IRM) tools. The treatise is about how identity is more about relationships than about individual attributes or claims. The report states that:

“Relationships are not a one-time thing; they are dynamic and driven by the context of the access control decision that needs action.”

It goes on to describe various situations and principles that should be applied to those use cases.

The idea of identity being tied to relationships is a strong one in a world that is becoming hyperconnected. As a CISO, this connectivity is your bugbear. It is the barrier you have to cross to ensure safe data sharing that is also going to tick the compliance box around privacy in a shifting regulatory landscape.

As a CISO, you need to be able to bring to the table innovative solutions that can answer some of the questions that remote working and data sharing across multiple cloud apps can open.

If you work in retail or finance, you need solutions that can give your customers an easier on-boarding process, keeping registrations and transactions online as much as possible. If you work in healthcare, you need to ensure that the patient has access to their patient data from any device and can consent to access by other healthcare professionals. You may even want to connect patient health wearables back to your patient record repository under their consent and with privacy built in.

Modern IDaaS and CIAM systems can offer you the solution to many of your needs, but this does not necessarily make them an easier option. The identity vendor landscape is itself going through a change, with a number of M&As from smaller players into large well-known vendors. Products are morphing from enterprise solutions to CIAM solutions. Working out which is the best fit for your enterprise, or even whether you want to build the solution yourself, can be a challenge because of this. However, the industry is breathing new life into the old IAM solutions and this will be a positive for all.

In my next article, I’ll look at some of the challenges of designing and building large-scale verified identity services for your customers.


Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure. Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.