In this exclusive interview with ForgeRock, VP of Emerging Technology, Eve Maler tells IoT Now what organisations can do to better protect customer information online.
IoT Now: What kind of information goes into a digital identity online?
A digital identity is the online manifestation of a specific individual. As such it can consist of a great deal of identifiable information about that person. The most obvious types are personal information (name, address), demographic information (age, marital status), health data (ongoing medical conditions, history) and financial information (bank account details, credit history etc). However, in many cases it can also consist of observed behavioral information pertaining to online shopping habits, social media usage or personal interests, much of which is extremely valuable to online retailers and marketers – even if it might be incorrect in many particulars. With the huge growth of the Internet of Things (IoT), the volume of digital identity information is set to grow even further. Whole new streams of personal data from devices such as wearable fit-tech and smart devices in our homes help organisations to build increasingly accurate profiles of us as individuals online.
IoT Now: How has the role of identity management in business changed in recent years?
For businesses, the ability to understand and harness the power of customer identity is pivotal to effective digital transformation. Those who achieve it are able to deliver what customers want, when they want it, through the medium most suitable to them.
But achieving this goal requires a consistent, clear, and secure identity management strategy that brings the customer to the centre rather than IT concerns. For many businesses, this is uncharted territory. Legacy identity management solutions typically focus on internal security and employee-centric activity. They were only designed to manage the identities of a fixed and relatively small number of users and can’t handle millions of identities (be it users, mobile devices or “things”) connecting to a company’s networks from anywhere, at any time.
However, technology is evolving rapidly. Now there are user-centric identity platforms that provide businesses with the tools to build comprehensive customer profiles across multiple channels and touch points. In doing so, they can develop a digital picture of each customer and their habits, helping to guide the development of new, more meaningful products and services. As a result, customers receive instantaneous, relevant delivery of digital and physical services. Importantly, they also benefit from intelligent security, based on dynamic characteristics such as location, device, time of day and familiarity.
IoT Now: How important is the role of digital identity management within the IoT?
As the IoT continues to expand, the role of digital identity management will only increase in importance. These days, it’s not unusual for a single individual to own ten or more connected devices. The challenge this presents to organisations is how to most effectively manage digital identities across all these platforms, so that no matter what device an individual uses, they receive a consistent user experience/service. Then of course there are the privacy issues that go with it. More on that below…
IoT Now: With security becoming more of an issue online, what can organisations do to better protect customer information online?
What all organisations need to understand is that behind every online identity and digital profile is an actual human being. As such, they need to start thinking about how to give their customers more control over their personal data in order to form trusted digital relationships. This is even more time-sensitive for U.S.-based enterprises and government organisations with ties to Europe. The European Parliament will soon enact the General Data Protection Regulation (GDPR), which requires businesses to give individuals rights to better direct their privacy and data protection. What’s more, the reform requires true individual choice in consent and withdrawal of that consent, which is a high bar indeed.
IoT Now: How will the recent ruling against Safe Harbor and subsequent announcement of Privacy Shield affect the collation and storage of digital identities around the world?
Whenever online connectivity and digital data sharing are discussed, the issue of privacy is never far behind. Regardless of the popularity of any new service, customers have demonstrated that they are willing to walk away if they feel that by using it they are letting their privacy be compromised.
The recent announcement of Privacy Shield is the latest twist in this ongoing saga. Following the much publicised EU Court ruling against Safe Harbor at the end of last year, many businesses in the US and Europe were left scrambling for a new solution to an increasingly tricky privacy problem. Fast forward two months and we now have the EU-US Privacy Shield.
This new framework will “protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.” With the name ‘EU-US Privacy Shield’, the agreement at first glance appeared to be a resolution to the contentious international wrangling around personal privacy and the transfer of data between Europe and the US. But digging down, it’s apparent this was more of a “we’re announcing that we’ve agreed to agree on something, but we’re still working out the details.” Hence the heavy reliance on the word “framework,” which shows up eight times in the one-page press release.
It’s clear that the heavy lifting of working out exact provisions remains, and it’s possible that an agreement acceptable to both sides is still possible. But the debate is likely to continue for some time.
IoT Now: How does the new User-Managed Access (UMA) standard make it easier for users to protect their privacy online? How does it differ to what’s already in place online?
An important consent-related standard used today is known as OAuth. You may not know it by name, but you’ve almost certainly come across OAuth in action online. It’s most commonly used as a way for a user to allow two sites or applications to exchange personal data on their behalf – for example, granting a specialised third-party Twitter mobile app access to your Twitter account to see and post tweets, or letting a news website access your email address and contact information through Facebook.
OAuth, along with its cousin OpenID Connect, used for making digital identity data portable, enables users to consent to sharing this data, creating easy mashups of information that make the online experience more convenient. It also lets users revoke the application’s access to their data should they change their mind at a later date. However, today’s technical landscape has some limitations. For example, while it enables data sharing between applications, it doesn’t allow data sharing with other people – sometimes called delegation. Further, revocation is relatively inconvenient, requiring visiting each of the services where consent was granted, and permissions at that service must all be revoked at once.
User-Managed Access (UMA) is a next-generation standard that builds on OAuth and OpenID Connect by putting the emphasis squarely on the individual. In short, UMA enables solutions that give individuals a unified control point for authorising who and what can get access to their digital data from cloud, mobile, and IoT sources, no matter where all those things live on the web. Thus, an individual can authorise sharing data not only with apps, but with other people as well. Similar to the Share feature on Google Apps, UMA-enabled services can let users set whatever levels of access permission they feel are appropriate (such as read and edit) based on each app’s available permissions. UMA-enabled services can also arrange for requesters to ask for user consent. UMA-enabled app ecosystems can span multiple organisations by virtue of implementing the standard’s APIs, and individuals, while individuals can remain in convenient central control of their data and their consents.
Uptake of UMA and its underlying standards will be critical to enabling better privacy controls for customers in the IoT, making them more comfortable using new digital services and platforms. OAuth arose as a “security companion” to the API economy and is a key starting technology for any business – but increasingly consumers will expect the flexibility and customisation around granular delegation and consent that the User-Managed Access standard permits.
The author of this blog is Eve Maler VP of Emerging Technology, ForgeRock.
Comment on this article below or via Twitter: @IoTNow_ OR @jcIoTnow
