Trust and Identity Management


InfoWorld has a special feature this week on the relationship between identity management and privacy. Large organizations have a lot of relationships with customers, trading partners, and employees. Furthermore, in a service economy, digital identity matters and those relationships take the form of a collection of records in databases. This makes tools for identity management more important than ever. The problem is, that doing it right isn't easy.

This article, entitled Trusting ID management technology talks to some of the privacy issues. Some of the first computers in existence were used by banks and this drive to automate hasn't abated, putting financial institutions at the forefront of this problem. Large numbers of transactions and a natural fit on the web have caused banks to create huge repositories of information about their customers. Unfortunately, this has made the issue of privacy all the more important:

"We see the [privacy] problem getting worse. We see the entire financial industry in the U.S. putting their heads between their knees right now hoping the problem is going to go away," says Jim Hurley, vice president and managing director of information security at Boston-based Aberdeen Group. "These guys better get their heads out of the sand, or they're going to be in trouble."

Another industry in a similar situation and just as much in denial is the health care industry. HIPPA mandates a lot of privacy protection, but there's still a lot of people unsure how to proceed and hoping that it will go away. Good identity management can solve many of the issues HIPPA raises.

Some say that its the large collections of data that are the problem, but I think that's one of those statements that looks right on the surface but is fatally flawed in practice. The fact is that secure, private identity management isn't a problem that can be solved a million times. If every department of a larger corporation is in charge of making their own small collection of data secure and private, none of it will be. What's more, it ignores one of the prime drivers of large collections: customer demand. Customers increasingly want to be treated "in total" by the organizations they deal with. When I call up and request DSL service from Qwest I want the DSL division to know I'm a phone customer, all the relevant data about me, and that I pay my bills on time. Of course, at the same time I expect them to not get any information they don't need---like my waist size.

There's an interesting relationship between identity, privacy, trust, risk, and security. I don't need much trust in you to supply you with my zip code so you can personalize your online service to my location. I don't expect much privacy and if someone steals your cookie database with my zip code in it, I'm not out much, if anything--low risk. On the other hand, when it comes to my bank, they hold a lot of sensitive information about me. For example, they not only know my bank balance, they also hold the bits that represent that balance--high risk. I expect a much greater degree of privacy from them and they have to work harder to gain my trust. That trust is based, in part, on the wholly unsubstantiated belief on my part that they run a secure operation. Because of my history with them, I believe them secure until proven otherwise. That will only work for the banks until they start having problems.