Phil Becker on Identity -- Why Now?

Phil Becker is the Editor-in-Chief of Digital ID World, which I have contributed to before. Phil is also the organizer of the Digital ID World conference. The title of his presentation is "Why Digital Identity and Why Now?"

Phil makes the point that while Hollywood frequently gets technical details wrong (or purposefully distorts them for entertainment value), they are very good at identifying trends. He has a great presentation using audio clips from movies starting with "2001: A Space Oddesy" that he uses to track societies perspective on computers from mainframes to PC's to hackers. His point is that this history has led to a situation where we commonly have used location as an implicit proxy for identity. PCs exposed some of these problems, but the qualifications and skills necessary for using early PCs allowed these problems to be ignored. The rise of the Internet and networked computing and the improvements in ease of use has changed all of that. Witness: script kiddies. Universal networking drives information towards the public domain through loss of access control. The only effective response to this is to architect applications and data around identity.

Security issues are often the drivers of digital identity. Firewalls and VPNs are the last stand of virtual location based on physical security. Identity infrastructure and security are intertwined. Most security problems, other than those that result from software bugs, are a symptom of incorret or missing identity structures.

Privacy is an interesting problem because its about enforcing a negative. Privacy is about what you agree not to do with data. To be effective, privacy must be created structurally, not with policy.

Phil sents for the following deployment path for digital identity:

  1. Intra-enterprise identity management. Utah did this with their master directory project. Many other large organizations are working on this as well. Phil claims that large organizations spend $450-$750 per employee per year on password resets. Just automating this is a huge win. Moreover, you gain security though identity life-cycle management (create, modify, and remove identities). Phil says 15% of IDs and passwords in a large organization are for people who haven't worked there for more than 3 years. This would be a wonder audit at the State.
  2. Inter-enterprise identity managenment. This allows user customized business to employee portals (this is inter-enterprise bacause almost no one does employee management like 401K, helath insurance etc. themselves). It also allows secure, managable B2B integration and enables web services. For inter-enterprise identity management to work, we must develop federated identity systems.
  3. Consumer identity management. Phil believes this will grow organically from the tools and techniques built for inter-enterprise identity management and be driven by key applications.