Last week, I was fortunate enough to attend and take part in Consumer Identity World (US) in Seattle, KuppingerCole’s first conference this side of the Atlantic. (KuppingerCole is the leading analyst firm in Europe, especially when it comes to Identity & Access Management.) Axiomatics has been a long-time sponsor of their European Identity Conference in Munich, the prime event in Europe when it comes to IAM.
The conference focused on CIAM – consumer identity & access management – which is becoming an increasingly relevant topic today, especially in light of high-profile hacks such as Equifax in the US or the data breach that occurred in Sweden this past summer.
Barbara Mandl, a lead analyst for KuppingerCole and the former CISO Senior Manager Global Security and Identity Management for Daimler, kicked off the conference by stating “Knowing your business strategy now goes through knowing your CIAM”. In other words, how we engage with consumers online, what information we gather, and how we augment their experience, are all key factors to a company’s core interests.
In a separate keynote, Christian Goy, the Co-Founder & Managing Director at Behavioral Science Lab, stated that any CIAM strategy needs to create utility for the consumer. This means CIAM needs to move from being a burden to being an enabler. Given the set of tooling and technology we have today, we are at a stage where this can happen: the most obvious case is when we are asked to create a new customer account for a website and the latter gives us the option to use a well-known identity provider, e.g. Facebook or Google. The likes of Airbnb and Expensify already enable this scenario.
As I was listening, I doodled a little Venn diagram. After all, no conference would be complete without a Venn.
The key issues CIAM is battling with are user experience, security, and privacy:
- It is important that the UX be the right one. It should be the path of least resistance that consumers will be happy to take. Using single (or “seamless”, as I heard it referred to at the conference) sign-on from one website to another reduces friction. I am more likely to use Airbnb if they offer Google authentication than if they use their own. Google and Amazon are trialing other means of authentication (usually 2-factor) that are as smooth as possible (going from using their authenticator apps to just a tap on a mobile device).
- Security, of course, is paramount: retailers and businesses should make sure only authorized users can perform any given action (e.g. purchase a plane ticket). Oftentimes security is seen as a friction generator and a hurdle to business. This image needs to be flipped around. Consumers will understand more and more the importance of good security.
- Privacy is important too: knowing what data is being held and shared – and for what purpose – is fundamental. The Equifax hack in that regard is interesting. Not only did they have poor security (and they blamed a third party, Apache Struts, for it) but on top of that, they held too much information about you, me, and everybody without having notified us. We, the consumers, are not in control of what data the likes of Equifax hold on us. And it’s not just data they own about us; it’s data they sell to others or, worse yet, data they think is true about us (but isn’t). Cathy O’Neil, in her excellent book on big data mining, Weapons of Math Destruction: How Big Data Increases Inequality and Threatens Democracy, illustrates how hard it has become for a consumer to correct a mistake that big corporations make (e.g. the wrong credit score).
So what’s at the intersection of the Venn diagram? Is it a solution or an experience that gives us, the denizens of this e-world, access to our data in a transparent world, as well as control over who gets access to what and for what purpose? Yes, that sounds ideal. But who will deliver this? Private sector? Government? Would such a solution be transnational?
That brings us to a great talk by Ryan Fox of Capital One who came to introduce their API-first strategy. As a bank, they are implementing and offering a set of APIs to enable business interactions that deliver better consumer experiences. This includes an API that can be used for user identity verification.
This conference wouldn’t have been complete without a fair dose of GDPR, the European Union’s General Data Protection Regulation. Oh, it’s Europe, I needn’t worry about it. Wrong! GDPR may have started in Europe but it will spread to other continents and will involve any business that has a presence in Europe or handles European data. But instead of seeing GDPR as a hurdle, businesses should consider it an opportunity, or even a competitive advantage. That’s essentially the message Tim Maiorino of Osborne Clarke came to deliver. GDPR is all about defining a data strategy around your consumers. Define what data you hold and why. Declare who you share it with. Gather consumer consent; and keep information fresh. Tim argued that there will be the need for a Data Collection Officer. As a matter of fact, GDPR requires a data protection officer (DPO): an enterprise security leadership role. Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.
There are many questions left to answer: will the US (or any) government ever provide a central means of authentication for all citizens? Would this be seen as too close for comfort? Phil Lam (he served in the Obama Administration as both a Trusted Identity Strategist and an NSTIC Pilots Program Manager) argued that there have been initiatives to issue e-identities in some areas but that these have not picked up as much as initially intended. Even in countries such as Sweden, e-identity schemes are usually only used for authenticating oneself with government services (e.g. taxes, health benefits) or banks.
So where does Axiomatics fit into all this? As a company that has focused on authorization for the past ten years, I can see how our solutions will be used to drive policy-based decision making around sharing data. Our data masking and filtering solutions can be used for data minimization. This makes secure data sharing easier, be it via APIs, Big Data systems (as in IoT), or relational databases. Given the right metadata (about users, data, businesses, transactions), Axiomatics can be used in real-time to deliver the right decisions about who can see or do what on which pieces of data.
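The policy-based decision making and data minimization described above, as an added illustration (example code written for this post, not Axiomatics’ product or its policy language): a small attribute-based policy decision point that combines the requester’s role, the stated purpose, record ownership and the consumer’s recorded consent (the purpose and consent points from the GDPR discussion), followed by an enforcement step that returns only the fields the policy allows and masks the sensitive ones. The customer record, the attribute names and the policy table are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample record for this example (not real data).
CUSTOMER = {
    "customer_id": "c-1001",
    "name": "Alex Example",
    "email": "alex@example.test",
    "ssn": "000-00-0000",
    "credit_score": 712,
    "marketing_consent": False,
}

ALL_FIELDS = list(CUSTOMER.keys())


@dataclass
class Decision:
    permit: bool
    reason: str
    clear: List[str] = field(default_factory=list)   # fields returned as-is
    masked: List[str] = field(default_factory=list)  # fields returned partially redacted


# Assumed policy table: (subject role, stated purpose) -> what may be seen.
# Fields absent from both lists are dropped entirely (data minimization).
POLICY: Dict[Tuple[str, str], Dict[str, List[str]]] = {
    ("support_agent", "support"): {"clear": ["customer_id", "name", "email"], "masked": ["ssn"]},
    ("credit_analyst", "credit_decision"): {"clear": ["customer_id", "credit_score"], "masked": ["name"]},
    ("marketer", "marketing"): {"clear": ["customer_id", "email"], "masked": []},
    ("customer", "self_service"): {"clear": ALL_FIELDS, "masked": []},
}


def authorize(subject: Dict, action: str, resource: Dict, purpose: str) -> Decision:
    """Policy decision point: combine role, purpose, ownership and consent."""
    if action != "view":
        return Decision(False, f"action {action!r} not covered by policy")
    role = subject.get("role")
    rule = POLICY.get((role, purpose))
    if rule is None:
        return Decision(False, f"no rule for role={role!r} purpose={purpose!r}")
    # Consumers may only read their own record.
    if role == "customer" and subject.get("customer_id") != resource.get("customer_id"):
        return Decision(False, "customers may only view their own record")
    # Marketing use requires the consumer's recorded consent (purpose limitation).
    if purpose == "marketing" and not resource.get("marketing_consent", False):
        return Decision(False, "no marketing consent on record")
    return Decision(True, "permitted by policy", clear=list(rule["clear"]), masked=list(rule["masked"]))


def mask(value) -> str:
    """Keep only the last four characters, enough to confirm a value without exposing it."""
    text = str(value)
    if len(text) <= 4:
        return "*" * len(text)
    return "*" * (len(text) - 4) + text[-4:]


def minimize(record: Dict, decision: Decision) -> Dict:
    """Policy enforcement point: filter and mask the record according to the decision."""
    if not decision.permit:
        return {}
    out = {k: record[k] for k in decision.clear if k in record}
    out.update({k: mask(record[k]) for k in decision.masked if k in record})
    return out


def view(subject: Dict, resource: Dict, purpose: str):
    """Convenience wrapper: decide, then enforce; returns (decision, minimized record)."""
    decision = authorize(subject, "view", resource, purpose)
    return decision, minimize(resource, decision)


if __name__ == "__main__":
    requests = [
        ({"role": "support_agent"}, "support"),
        ({"role": "credit_analyst"}, "credit_decision"),
        ({"role": "marketer"}, "marketing"),
        ({"role": "customer", "customer_id": "c-1001"}, "self_service"),
        ({"role": "customer", "customer_id": "c-2002"}, "self_service"),
    ]
    for subject, purpose in requests:
        decision, data = view(subject, CUSTOMER, purpose)
        print(f"{subject} / {purpose}: {'PERMIT' if decision.permit else 'DENY'} ({decision.reason}) -> {data}")
```

The same record yields a different projection for every (role, purpose) pair, and a marketer is denied outright until the consumer’s consent flag is set, which is what makes the consent recorded under GDPR enforceable at the point of access rather than a checkbox stored and forgotten.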
One more thing: as a tech community focused on IAM, we need to drop the identity technical lingo. Consumers don’t know and don’t care what single sign-on means, let alone OAuth. We need to start speaking in their terms, not ours.
And with that, just a key reminder: keep your data safe. Only share what you must. Make sure websites you use only store the minimal amount of data, and of course always use strong means of authentication and never reuse passwords.
Video: To view David’s CIW panel discussion, “How to Work Together in a Privacy Preserving Way to Mitigate Risks” in full, please visit KuppingerCole’s website.