Operations // Identity & Access Management
3/11/2014
09:06 AM
Mark Bregman
Mark Bregman
Commentary
Connect Directly
RSS
E-Mail
100%
0%

Can We Control Our Digital Identities?

The web and cloud need an identity layer for people to give us more control over our sprawling digital identities.

There was a time when you were identified by two pieces of information: your phone number and your address. But with the rise of social apps, mobile, and big data, your identity -- now your digital identity -- is far more complex.

Your digital identity encompasses a staggering amount of information. Every credit card transaction, uploaded photo, shared social post, social login, sent email, and site cookie shapes our digital identity. It's all out there somewhere in the cloud.

Much of this gets linked and correlated (often through social logins or other identifiers such as phone numbers and email addresses), and the aggregate effectively represents you online -- that's your digital identity -- and gives you wonderfully personalized services and precisely targeted ads. But you don't own your digital identity -- or at least you don't manage or control it.

[In the next five years, expect vendors to roll out digital-self services. Read How Will You Manage Your Digital Self?]

As our digital identity becomes more useful and more accurate, there are both concerns and excitement about the new value it creates. The British research firm Quocirca published a report last year detailing BYOID, or Bring Your Own Identity, discussing how employers are using social and third-party SaaS logins to replace or augment enterprise identity, and how identity brokers -- meaning companies that establish the holistic view of the customer through insights and analytics -- add degrees of verification through social graphs and digital information.

In other words, who you are is increasingly cross-linked across multiple domains, in multiple dimensions, and even across your real-life persona.

Closer to home, the National Strategy for Trusted Identities in Cyberspace (NSTIC) calls for what it dubbed the Identity Ecosystem, a digital environment built on clearly defined guidelines for the use/access of personal data by individuals and corporations. The Identity Ecosystem will be defined as a success so long as it is enhances privacy and is voluntary, secure, resilient, interoperable, cost-effective, and easy to use.

That's all well and good, but what does that mean for consumers and organizations?

First, though no service provider is yet able to have a holistic view of your digital identity, the potential for the linkages are technically there, and that is the overall direction we are headed -- like it or not.

Second, it means that individuals need more control over their digital identities. The NSTIC may spark some paradigms for this. And the online industry, as well as regulators, are debating the right ways to ensure security, privacy, and personal data control. At the same time, they are allowing the personalization of online services and the economy that drives the availability of those services, which to a great extent is fueled by the very data that makes up our digital identity.

But none of this addresses the core question of ownership and control of one's digital identity. And, really, it can't. Our digital identities are not something integral that reside in one place. Rather, they are spread across our online data and identifiers, and most of that belongs to the services we use.

It's possible that the web and the cloud need a new layer -- an identity layer for people and organizations -- similar to the identity layer for web sites (DNS) that built the web as we know it. Today, we don't have an analogous service that allows us to discover people and organizations (or things, for that matter). We can do this within a social app or a proprietary web app, but we can't do this across the whole web.

Such a layer would help us get control over our digital identities. For example, it would allow us to link and share our various cloud identities (such as social identities, SaaS logins, and other identifiers such as phone numbers) and data. Through federation and other delegation, we can assert control over our identities and data via a graph. Those familiar with gateways, DNS, and RDF graphs will see how these concepts can be joined together, so that a discoverable identity could act as an authorization manager for all of the cloud-based assets related to our identity.

As our lives move online and our digital identities achieve a kind of power they never had before, we need to own our digital identities. The best way to achieve this is through a web infrastructure that rides above the applications we consume on the web. We will finally have durable digital identities, and because we control access to our personal clouds via these identities, we'll be able to control our own privacy threshold.

Interop Las Vegas, March 31 to April 4, brings together thousands of technology professionals to discover the most current and cutting-edge technology innovations and strategies to drive their organizations' success, including BYOD security, the latest cloud and virtualization technologies, SDN, the Internet of things, and more. Attend educational sessions in eight tracks and visit an Expo Floor more than 350 top vendors. Register with Discount Code MPIWK for $200 off Total Access and Conference Passes. Early Bird Rates end Feb. 21. Find out more about Interop and register now.

Dr. Bregman is responsible for Neustar's product technology strategy and product development efforts. Prior to joining Neustar in 2011, he was Executive Vice President and Chief Technology Officer of Symantec since 2006, where he developed the company's technology strategy ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
3/12/2014 | 5:51:02 PM
Re: Can we own our own identities?
Love the comparison with banks.
Eddie Mayan
50%
50%
Eddie Mayan,
User Rank: Apprentice
3/12/2014 | 6:54:54 AM
Re: Can we own our own identities?
Great!
Madhava verma dantuluri
100%
0%
Madhava verma dantuluri,
User Rank: Apprentice
3/11/2014 | 11:21:27 PM
Nice
Very good article and spot on. Very true that our digital identiry dimensions changed a lot.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Moderator
3/11/2014 | 5:48:36 PM
Can we own our own identities?
That's a great, forward looking way to think about digital identies and a way for each of us to own them, Mark. Thanks for posting these thoughts. Ownership of identies is now shared. Facebook, Google, Microsoft, Yahoo all think they own a piece of our identity because we conduct interactions and transactions there. By that standard, the banks would own most of our retirement funds. There must be a better way, and you're pointing toward it.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.