Operations // Identity & Access Management
3/11/2014
09:06 AM
Mark Bregman
Mark Bregman
Commentary
Connect Directly
RSS
E-Mail
100%
0%

Can We Control Our Digital Identities?

The web and cloud need an identity layer for people to give us more control over our sprawling digital identities.

There was a time when you were identified by two pieces of information: your phone number and your address. But with the rise of social apps, mobile, and big data, your identity -- now your digital identity -- is far more complex.

Your digital identity encompasses a staggering amount of information. Every credit card transaction, uploaded photo, shared social post, social login, sent email, and site cookie shapes our digital identity. It's all out there somewhere in the cloud.

Much of this gets linked and correlated (often through social logins or other identifiers such as phone numbers and email addresses), and the aggregate effectively represents you online -- that's your digital identity -- and gives you wonderfully personalized services and precisely targeted ads. But you don't own your digital identity -- or at least you don't manage or control it.

[In the next five years, expect vendors to roll out digital-self services. Read How Will You Manage Your Digital Self?]

As our digital identity becomes more useful and more accurate, there are both concerns and excitement about the new value it creates. The British research firm Quocirca published a report last year detailing BYOID, or Bring Your Own Identity, discussing how employers are using social and third-party SaaS logins to replace or augment enterprise identity, and how identity brokers -- meaning companies that establish the holistic view of the customer through insights and analytics -- add degrees of verification through social graphs and digital information.

In other words, who you are is increasingly cross-linked across multiple domains, in multiple dimensions, and even across your real-life persona.

Closer to home, the National Strategy for Trusted Identities in Cyberspace (NSTIC) calls for what it dubbed the Identity Ecosystem, a digital environment built on clearly defined guidelines for the use/access of personal data by individuals and corporations. The Identity Ecosystem will be defined as a success so long as it is enhances privacy and is voluntary, secure, resilient, interoperable, cost-effective, and easy to use.

That's all well and good, but what does that mean for consumers and organizations?

First, though no service provider is yet able to have a holistic view of your digital identity, the potential for the linkages are technically there, and that is the overall direction we are headed -- like it or not.

Second, it means that individuals need more control over their digital identities. The NSTIC may spark some paradigms for this. And the online industry, as well as regulators, are debating the right ways to ensure security, privacy, and personal data control. At the same time, they are allowing the personalization of online services and the economy that drives the availability of those services, which to a great extent is fueled by the very data that makes up our digital identity.

But none of this addresses the core question of ownership and control of one's digital identity. And, really, it can't. Our digital identities are not something integral that reside in one place. Rather, they are spread across our online data and identifiers, and most of that belongs to the services we use.

It's possible that the web and the cloud need a new layer -- an identity layer for people and organizations -- similar to the identity layer for web sites (DNS) that built the web as we know it. Today, we don't have an analogous service that allows us to discover people and organizations (or things, for that matter). We can do this within a social app or a proprietary web app, but we can't do this across the whole web.

Such a layer would help us get control over our digital identities. For example, it would allow us to link and share our various cloud identities (such as social identities, SaaS logins, and other identifiers such as phone numbers) and data. Through federation and other delegation, we can assert control over our identities and data via a graph. Those familiar with gateways, DNS, and RDF graphs will see how these concepts can be joined together, so that a discoverable identity could act as an authorization manager for all of the cloud-based assets related to our identity.

As our lives move online and our digital identities achieve a kind of power they never had before, we need to own our digital identities. The best way to achieve this is through a web infrastructure that rides above the applications we consume on the web. We will finally have durable digital identities, and because we control access to our personal clouds via these identities, we'll be able to control our own privacy threshold.

Interop Las Vegas, March 31 to April 4, brings together thousands of technology professionals to discover the most current and cutting-edge technology innovations and strategies to drive their organizations' success, including BYOD security, the latest cloud and virtualization technologies, SDN, the Internet of things, and more. Attend educational sessions in eight tracks and visit an Expo Floor more than 350 top vendors. Register with Discount Code MPIWK for $200 off Total Access and Conference Passes. Early Bird Rates end Feb. 21. Find out more about Interop and register now.

Dr. Bregman is responsible for Neustar's product technology strategy and product development efforts. Prior to joining Neustar in 2011, he was Executive Vice President and Chief Technology Officer of Symantec since 2006, where he developed the company's technology strategy ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Strategist
3/11/2014 | 5:48:36 PM
Can we own our own identities?
That's a great, forward looking way to think about digital identies and a way for each of us to own them, Mark. Thanks for posting these thoughts. Ownership of identies is now shared. Facebook, Google, Microsoft, Yahoo all think they own a piece of our identity because we conduct interactions and transactions there. By that standard, the banks would own most of our retirement funds. There must be a better way, and you're pointing toward it.
Madhava verma dantuluri
100%
0%
Madhava verma dantuluri,
User Rank: Apprentice
3/11/2014 | 11:21:27 PM
Nice
Very good article and spot on. Very true that our digital identiry dimensions changed a lot.
Eddie Mayan
50%
50%
Eddie Mayan,
User Rank: Apprentice
3/12/2014 | 6:54:54 AM
Re: Can we own our own identities?
Great!
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
3/12/2014 | 5:51:02 PM
Re: Can we own our own identities?
Love the comparison with banks.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2227
Published: 2014-07-25
The default Flash cross-domain policy (crossdomain.xml) in Ubiquiti Networks UniFi Video (formerly AirVision aka AirVision Controller) before 3.0.1 does not restrict access to the application, which allows remote attackers to bypass the Same Origin Policy via a crafted SWF file.

CVE-2014-5027
Published: 2014-07-25
Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before 1.7.27 and 2.0.x before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via a query parameter to a diff fragment page.

CVE-2014-5100
Published: 2014-07-25
Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_...

CVE-2014-5101
Published: 2014-07-25
Multiple cross-site scripting (XSS) vulnerabilities in WeBid 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) TPL_name, (2) TPL_nick, (3) TPL_email, (4) TPL_year, (5) TPL_address, (6) TPL_city, (7) TPL_prov, (8) TPL_zip, (9) TPL_phone, (10) TPL_pp_email, (11) TPL_authn...

CVE-2014-5102
Published: 2014-07-25
SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.