Traditionally, identity management is about making sure the right people get access to the right things at the right time. This definition is largely from the perspective of an organisation providing services to its employees. The perspective of the people interacting with these systems has been regarded as a lesser concern until recently.
Online services are now the norm, and so the customers' perspective of identity has become very important. Customers expect secure and frictionless access to the services they need. They provide details about their identity to the service provider and expect that those details are required for the sole purpose of conducting business with them. However, many organisations have traditionally taken liberties with this arrangement and have either asked for more information than they need, or trawled through people's transactions to glean further insight. These activities are conducted "to provide a better service to our customers".
Why is it a hot topic now?
The accelerated growth of online services such as social media has captured a significant percentage of the world's population. For a while this shared space was considered harmless and fun. Recent events have shown that the information provided over time has been sold to third parties and used to influence advertising on the one hand, and elections on the other. What people have come to realise is that they have very little control over their private data, and once it is out of their control it is impossible to put back in the box. It is this concern over the proliferation of personal data that has given rise to both an increase in regulation, such as GDPR, and a withdrawal by many from the social media landscape. Other examples exist along the same lines.
The emerging risk is that organisations will continue to glean more information about their clients for competitive advantage at the expense of those clients. The fear is that either alone, or between collaborating organisations, a digital twin of the customer may be created that represents a high-resolution model of the person's activities, likes, dislikes, health issues, food preferences and a host of other characteristics. This is a disturbing prospect for most people, as decisions may be made based on who the organisation believes you are and not on who you actually are.
Why is strong data governance important when it comes to privacy and identity?
The way in which data is (technically) created and managed today means that it can be copied and distributed with ease without the relevant people ever knowing. It may be encrypted, but at some point, to be useful, it will need to be decrypted. Current systems rely heavily on access to the actual data to make decisions; for example, your date of birth may need to be known to determine if you can make a purchase, vote, drive a car or buy beer at the bottle shop. While in the future methods such as zero-knowledge proofs via Self Sovereign Identity and homomorphic encryption will allow organisations to act without having access to the actual data, their general adoption is some years away. In the meantime, the only practical way to protect personal data is through strong data governance.
The success or failure of many organisations will depend on the Digital Trust they form with their customers. If they address the identity and privacy concerns of their customers in a demonstrable and comprehensive manner, then the business will benefit from the increased loyalty of those customers and the halo effect it generates for the business as a whole.
Key identity questions for any organisation
• Are you confident you know who has access to what information?
• With segregation of duties, is there also segregation of access? Combinations can be toxic to data security.
• Can and are you tracking access and combinations of access?
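The second and third questions turn on the difference between separating duties on paper and separating the access that people actually hold. The following is an added example, not code from the article or from Deloitte: it resolves constructed (hypothetical) role and user assignments to effective entitlements and reports toxic combinations, distinguishing a combination granted by a single badly designed role from one that only arises from a particular user's mix of roles.

```python
from typing import Dict, FrozenSet, List

# Constructed sample data (hypothetical), not drawn from the article.
# Each role looks like one duty, but the entitlements they grant overlap.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "ap_clerk":      frozenset({"vendor.create", "invoice.enter"}),
    "ap_supervisor": frozenset({"invoice.enter", "payment.approve"}),
    "hr_analyst":    frozenset({"employee.read", "payroll.read"}),
    "it_admin":      frozenset({"payroll.read", "payroll.write"}),
}

# Entitlement sets that must never be held together by one person.
TOXIC_COMBINATIONS: List[FrozenSet[str]] = [
    frozenset({"vendor.create", "payment.approve"}),  # create a payee and pay it
    frozenset({"payroll.read", "payroll.write"}),     # view and alter the same data
]

USER_ROLES: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"ap_clerk"}),
    "bob":   frozenset({"ap_clerk", "ap_supervisor"}),
    "carol": frozenset({"hr_analyst"}),
    "dave":  frozenset({"hr_analyst", "it_admin"}),
}


def effective_access(user: str) -> FrozenSet[str]:
    """Union of every entitlement granted by every role the user holds."""
    roles = USER_ROLES.get(user, frozenset())
    return frozenset().union(*(ROLE_ENTITLEMENTS.get(r, frozenset()) for r in roles))


def toxic_findings(user: str) -> List[dict]:
    """One finding per toxic combination fully contained in the user's access.

    'single_role' lists roles that grant the whole combination on their own
    (a role-design defect); an empty set means the combination only arises
    from this user's particular mix of roles (a user-assignment defect)."""
    access = effective_access(user)
    findings = []
    for combo in TOXIC_COMBINATIONS:
        if combo <= access:
            roles = USER_ROLES[user]
            findings.append({
                "combination": combo,
                "roles_involved": frozenset(r for r in roles if ROLE_ENTITLEMENTS[r] & combo),
                "single_role": frozenset(r for r in roles if combo <= ROLE_ENTITLEMENTS[r]),
            })
    return findings


def review_all_users() -> Dict[str, List[dict]]:
    """Users with at least one finding, as input to an access-certification review."""
    return {u: toxic_findings(u) for u in USER_ROLES if toxic_findings(u)}
```

In the sample data, bob's two roles are each clean on their own but toxic together, while dave's it_admin role is toxic by design; the two cases call for different remediation (reassignment versus role redesign).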
For more information on how to turn risk into rewards, talk to Deloitte’s Risk Advisory team.
John leads a national team focused on the design and delivery of identity and access management solutions to organisations across Australia. Prior to joining Deloitte in 2015, John was the founding member and Director of Qubit Consulting, a specialist identity and access management consultancy, where he led the company to its position as leader in the design and delivery of Oracle IAM solutions in the region. He has over 30 years' experience in the IT industry in both Australia and the United Kingdom.