The evolution of credentials and data management
22 January, 2013
“We are Federales … you know, the mounted police.”
“If you’re the police, where are your badges?”
“Badges? We ain’t got no badges. We don’t need no badges! I don’t have to show you any stinkin’ badges!”
The next several years will see the continued evolution of our thinking about identity. We will shift from twentieth-century understandings and physical manifestations towards something more subtle and pervasive: a new experience of identification, and of how identification and identity intermediate between the individual and the myriad physical and logical assets to which they have been granted access.
This shift is being driven by serious business concerns arising from the emergence of cyberspace as a domain of human activity and the intensification of globalization. The weaknesses of classical identification methods and memes create areas of vulnerability ranging from internet safety for children, to supply chain and financial transaction integrity, to national security. At the same time, issues around cost, convenience and privacy make traditional, stovepiped identification systems clearly unsustainable.
We must make a dramatic shift in our approach to identification and individual privacy. The old approach tackles identification as an enterprise or program function, collecting and storing extensive personally identifying information (PII) as an integrated part of the process of authorizing access to specific physical or logical assets.
The individual is then provisioned with a least-costly means – a physical card with their picture, a username and password – of proving their connection to the original enrollment and authorization process. As we know, the least costly means usually do not deliver the best results.
Consequently, personal information is scattered in systems of highly variable security across the world, to the great dismay of privacy advocates. Its misuse only becomes apparent when we are notified of breaches and we all pay the price. Although enterprises – particularly in the financial world – have created the impression that we as individuals are shielded from the costs of these breaches, this is patently not so: we pay for them in the form of service charges.
The new approach, consistent with the National Strategy for Trusted Identities in Cyberspace and its international counterparts, addresses identification as a business process performed on behalf of the individual.
It encompasses:
- The gathering of identification claims
- The assessment of evidence for claims
- The storage of personal information for subsequent re-use and discrete sharing – for example, instead of sharing Date of Birth, share a certified statement like “over the age of 18”
- The provisioning of a means that enables the individual to establish a physical connection with those claims.
By shifting to the new approach, we can reduce the aggregate cost of identity, raise the overall level of security and integrity of identity-mediated programs, and most importantly, help individuals recover practical privacy: the ability to control and govern the use of personal information.
At the same time that we reduce the unnecessary proliferation of PII, we will enable secure methods of highly personalized service from commercial and government enterprises.
In the new world, identity is not a credential. It is a process that generates a myriad of context-specific permission credentials, each of which is associated with the identity, but minimizes the collection and storage of personally identifying information. The national strategy and its counterparts point the way.
Executives in business and government need to pay close attention, and get their operations and enterprise architectures ready to benefit from smarter, individualized identity solutions provided by third-party services. The way enterprises treat data will enable them to strengthen their brands and build trust with clients. Data management practices will become a differentiator.
About the AVISIAN Publishing Expert Panel
At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the ID technology market to serve as Expert Panelists. Each individual is asked to share their unique insight into what lies ahead. During the month of January, these panelists’ predictions are published daily at the appropriate title within the AVISIAN suite of ID technology publications: SecureIDNews, ContactlessNews, CR80News, NFCNews, DigitalIDNews, ThirdFactor, RFIDNews, EnterpriseIDNews, FinancialIDNews, GovernmentIDNews, HealthIDNews, FIPS201.com, IDNoticias es.