Beyond Industrial Era Identity Management

(The following is the statement I’ll deliver today at the National Strategy For Trusted Identities in Cyberspace event at the White House.)

Our way of thinking about identity management is outdated. This outdated thinking poorly reflects the way we interact on Main Street, and it doesn’t fit the needs of people and enterprises trying to interact on the Internet.

On the whole, current thinking regarding identity management is that of the Industrial Era. Enterprises are creating “company towns” for identity. In the Industrial Era, companies, such as Pullman, created towns for their workers to live in, and these towns provided all the services that the employees could use. In today’s identity “company towns,” the enterprise has created your identity, owns your identity, and you cannot use your identity anywhere else – it has no value or meaning outside of “the town.”

This model is problematic. First, this is antithetical to our belief in self-determination. Second, this model is costly. Enterprises have to create and support extra services to manage identities. This also increases information security risk because the enterprise possesses potentially sensitive information that it must protect, not to mention the problems and risks related to over-collection of personal information. The last problem with this outdated way of thinking is that it doesn’t reflect how the non-digital world works.

In the “real” world, I can choose how I want to be known and how much I want to share with others. I can pick my nicknames; I can choose not to share my name. I can choose to tell a merchant my phone number or that my first car was made in America.

Businesses have grown to accommodate and augment the way we interact. Companies offer services to help an enterprise strengthen individually asserted claims, such as my name and my address. Credit bureaus and other services help businesses gain higher assurance that the “Ian” in front of them is really me.

We must leave the “company town” model of identity management. We must shift our digital interactions to be more like our day-to-day, face-to-face ones. The evolution toward federated identity would mean that our identities are no longer owned by parties other than ourselves.

Just as in the real world, third parties can be consulted to help an enterprise have greater assurance that the “@iglazer” using its service is me. Such third parties can help the enterprise have greater confidence that “@iglazer” is over-21 and has a verified mailing address here in DC. By the way, the services offered by these third parties are new business opportunities.

With both greater assurance about the individual’s identity and confidence in what they claim about themselves, business can:

  • avoid managing identities and thus not have to deploy extra services such as password reset
  • reduce information risk by collecting less information about individuals
  • deliver higher value services to the individual

In the last year, NSTIC has acted as a catalyst, not only for protocol and specification development, but has also driven policy conversations, and more importantly, business conversations. In a way, NSTIC has given the “all clear” signal for the business to get involved in this evolution of identity management.

I used to take calls from Fortune 500 companies asking, “Should we care about OpenID?” Now I take calls that ask:

  • “What are business models for identity providers?”
  • “What communities of interest are likely replying parties for our identity services?”

Within these questions are lie new business opportunities that my customers are looking to capitalize upon.

Now is the time to act. Study your current use of identity – are you the mayor of an identity “company town?” If you truly think you own other people’s identities, take a hard look at whether that ownership brings enough value to offset the expense and risk of maintaining those identities. For most organizations, the risk and expense of owning identities outweighs any tangible benefits. For most organizations, owning identities is a vestige of outdated thinking. As NSTIC gains momentum, now is the time to plan and deploy for our federated future. I am very eager to hear from my fellow panelists and the audience what they are doing and what they have planned.