Identity: The Missing Leg of the Stool

I had the pleasure of representing the Identity Ecosystem Steering Group (IDESG) at the International Association of Privacy Professionals’ Global Privacy Summit this week. Laura Hamady of PayPal, Heidi Wachs of Jenner and Block, and I talked about navigating the maze of online retail. My part in the talk was to illustrate the flow of personal data between the various players in different online retail scenarios. (Here’s a copy of our presentation if you are curious.) Now, as the only non-lawyer in the bunch, and likely the only identity person at the conference, I had a blast pointing out all of the data protection and handling issues that stem from identity interactions.

The movement of identity data between social identity providers, your back-office systems, and third-party service providers is a dance of varying elegance. Regardless of how well those pieces are integrated, the information being shared helps your organization delight your customer. But in order to do so, the customer’s privacy needs and expectations must be met. (Not to mention sectoral and legal data protection requirements as well.)

And that got me thinking. The relationship/dramatic tension/codependence of privacy and security gets a lot of rightly deserved attention. But neither privacy and security professionals can fully meet these challenges in part because their default tools are the wrong ones for the job. What’s missing from the conversation is identity management.

Identity is the missing third leg of the stool. Identity helps mitigate a vast number of security threats including insider threat through the minimization of access. Identity also helps address privacy requirements but governing access control to customer data. In this regard, we can think of identity management as the operational means by which privacy implements some of its required controls. And to be clear I am not saying that identity meets all of the requirements on its own; there are many other privacy controls that require security, and not identity, to meet – traditional data protection and event monitoring being just a couple.

By working with identity professionals, privacy teams can better understand the flow of customer data. They can sharpen the focus of their privacy impact assessments and can more easily identify third-parties provide services and whose terms of service need to be harmonized with the organization’s privacy policy and notices.

Simply put – an organization that coordinates the efforts of its privacy, security, and identity professionals is more likely to not only meet its customers privacy requirements and most importantly, more likely to delight its customers.