Operations // Identity & Access Management
3/11/2014
09:06 AM
Mark Bregman
Mark Bregman
Commentary
100%
0%

Can We Control Our Digital Identities?

The web and cloud need an identity layer for people to give us more control over our sprawling digital identities.

There was a time when you were identified by two pieces of information: your phone number and your address. But with the rise of social apps, mobile, and big data, your identity -- now your digital identity -- is far more complex.

Your digital identity encompasses a staggering amount of information. Every credit card transaction, uploaded photo, shared social post, social login, sent email, and site cookie shapes our digital identity. It's all out there somewhere in the cloud.

Much of this gets linked and correlated (often through social logins or other identifiers such as phone numbers and email addresses), and the aggregate effectively represents you online -- that's your digital identity -- and gives you wonderfully personalized services and precisely targeted ads. But you don't own your digital identity -- or at least you don't manage or control it.

[In the next five years, expect vendors to roll out digital-self services. Read How Will You Manage Your Digital Self?]

As our digital identity becomes more useful and more accurate, there are both concerns and excitement about the new value it creates. The British research firm Quocirca published a report last year detailing BYOID, or Bring Your Own Identity, discussing how employers are using social and third-party SaaS logins to replace or augment enterprise identity, and how identity brokers -- meaning companies that establish the holistic view of the customer through insights and analytics -- add degrees of verification through social graphs and digital information.

In other words, who you are is increasingly cross-linked across multiple domains, in multiple dimensions, and even across your real-life persona.

Closer to home, the National Strategy for Trusted Identities in Cyberspace (NSTIC) calls for what it dubbed the Identity Ecosystem, a digital environment built on clearly defined guidelines for the use/access of personal data by individuals and corporations. The Identity Ecosystem will be defined as a success so long as it is enhances privacy and is voluntary, secure, resilient, interoperable, cost-effective, and easy to use.

That's all well and good, but what does that mean for consumers and organizations?

First, though no service provider is yet able to have a holistic view of your digital identity, the potential for the linkages are technically there, and that is the overall direction we are headed -- like it or not.

Second, it means that individuals need more control over their digital identities. The NSTIC may spark some paradigms for this. And the online industry, as well as regulators, are debating the right ways to ensure security, privacy, and personal data control. At the same time, they are allowing the personalization of online services and the economy that drives the availability of those services, which to a great extent is fueled by the very data that makes up our digital identity.

But none of this addresses the core question of ownership and control of one's digital identity. And, really, it can't. Our digital identities are not something integral that reside in one place. Rather, they are spread across our online data and identifiers, and most of that belongs to the services we use.

It's possible that the web and the cloud need a new layer -- an identity layer for people and organizations -- similar to the identity layer for web sites (DNS) that built the web as we know it. Today, we don't have an analogous service that allows us to discover people and organizations (or things, for that matter). We can do this within a social app or a proprietary web app, but we can't do this across the whole web.

Such a layer would help us get control over our digital identities. For example, it would allow us to link and share our various cloud identities (such as social identities, SaaS logins, and other identifiers such as phone numbers) and data. Through federation and other delegation, we can assert control over our identities and data via a graph. Those familiar with gateways, DNS, and RDF graphs will see how these concepts can be joined together, so that a discoverable identity could act as an authorization manager for all of the cloud-based assets related to our identity.

As our lives move online and our digital identities achieve a kind of power they never had before, we need to own our digital identities. The best way to achieve this is through a web infrastructure that rides above the applications we consume on the web. We will finally have durable digital identities, and because we control access to our personal clouds via these identities, we'll be able to control our own privacy threshold.

Interop Las Vegas, March 31 to April 4, brings together thousands of technology professionals to discover the most current and cutting-edge technology innovations and strategies to drive their organizations' success, including BYOD security, the latest cloud and virtualization technologies, SDN, the Internet of things, and more. Attend educational sessions in eight tracks and visit an Expo Floor more than 350 top vendors. Register with Discount Code MPIWK for $200 off Total Access and Conference Passes. Early Bird Rates end Feb. 21. Find out more about Interop and register now.

Dr. Bregman is responsible for Neustar's product technology strategy and product development efforts. Prior to joining Neustar in 2011, he was Executive Vice President and Chief Technology Officer of Symantec since 2006, where he developed the company's technology strategy ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Moderator
3/11/2014 | 5:48:36 PM
Can we own our own identities?
That's a great, forward looking way to think about digital identies and a way for each of us to own them, Mark. Thanks for posting these thoughts. Ownership of identies is now shared. Facebook, Google, Microsoft, Yahoo all think they own a piece of our identity because we conduct interactions and transactions there. By that standard, the banks would own most of our retirement funds. There must be a better way, and you're pointing toward it.
Madhava verma dantuluri
100%
0%
Madhava verma dantuluri,
User Rank: Apprentice
3/11/2014 | 11:21:27 PM
Nice
Very good article and spot on. Very true that our digital identiry dimensions changed a lot.
Eddie Mayan
50%
50%
Eddie Mayan,
User Rank: Apprentice
3/12/2014 | 6:54:54 AM
Re: Can we own our own identities?
Great!
David F. Carr
50%
50%
David F. Carr,
User Rank: Apprentice
3/12/2014 | 5:51:02 PM
Re: Can we own our own identities?
Love the comparison with banks.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?