
The Upcoming Identity Apocalypse

How’s that for a catchy title? Really it should read “the upcoming apocalypse for identity professionals”. Working on federated identity has made it clear what happens when “bring your own identity” becomes the norm: there is no longer a place for identity management experts at every organization. We’re quite far from that, but it’s worth thinking about.

The first time I thought about “bring your own identity”, I found it silly. Who would want to be in a business like an IdP? Who would trust the people who would be in that business? The answer to the first question is easy. There is a long and growing list of identity providers, Google and Facebook most notably. But these identities are not made of the stuff that security-conscious organizations want. Anyone can open a Google account. Anyone with an email account can open a Facebook account. No one wants just anyone to have access to their resources and services. The identity proofing just isn’t strong enough; these providers fail to answer the second question positively.

But it’s easy to see how a whole crop of strongly verified identities from trusted sources could make their way into the market. It’s likely that banks, governments and large corporations will end up in this business. Why? Governments would do it for their own reasons; they have plenty of call to issue electronic IDs so their citizens can do business with the state. BankID in Sweden is a good example of how far this can go, even though there it is the banks rather than the state that issue the credential. Where the government won’t or can’t do it, I envision banks doing it. Why? Loyalty is why. For a whole generation that largely doesn’t even have bank accounts and for whom switching cell phone providers is an everyday thing, the idea of having an anchor to a bank will seem absurd. But if that bank is their ID, the ID they use for daily business with the various companies they have contracts with, then that would be a whole different matter. As predictions of a more mobile, fluid, skilled workforce grow stronger, this idea carries more weight. Just picture Jane looking at some great balance transfer offer from Bank of America and wondering if she should switch over from Chase to take advantage. If she uses her Chase ID to access all her applications at the three active contracts she has today, then she may think twice. Does she really want to make them reprovision her access? What if there’s a mistake in the process? How long did it take the first time; does she want to wait that long again?

There is also good in this for the employers. I had a long conversation with a major pharma in NYC about how they go through hell today to provision their tokens for two-factor access. Now imagine a completely non-centralized workforce (if you have to imagine; this is already the reality for many today). You want to take on a new contractor for a project. You want to create their accounts, but now you need to do the identity proofing. Where do you send them? Do you fly them to the main office? Is there anyone in your HR group even sitting at that office? Do you send them to the HR company you’ve outsourced to? Do you fly to meet them? The problems pile up quickly. If you take their credential from somewhere like a bank that has already done identity proofing and has a large, robust network that is primed for doing just that, then maybe you’re a lot better off. After all, who do you trust more: the organization you’re going to send the contractor’s money to, or the fresh-out-of-college admin sitting at the desk in the random office you send this contractor to, who likely doesn’t even have a passport, much less the ability to spot a fake one?

“But what if they open a bank account, give you that ID, use it to get in, then run a script to suck out all of your data and just disappear with it to sell to the highest bidder?!?” Fair question, but what’s to stop someone from doing all of that today? To open a bank account under a false identity they would need proof of ID good enough to fool the bank. Unless you happen to have the resources of the NSA or FBI, you’re likely to be fooled by that, too. So you hire this hacker the traditional way and they do the same thing. Not only is the bank less likely to be fooled, but I’m sure someone could come up with a score of some kind for how trusted the ID is, built from concrete signals such as how long the bank account has been open, how strong the proof of ID was when it was opened, and how many other times it’s been used for trusted transactions. Having the data and the impetus to build identity scores like that is just one of many things these IdPs could do to add value for employers.
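Here is what such a relying-party policy could look like when written out, as an added example in Python that is not code from the original post. The issuer allowlist, claim names, proofing levels, point weights, thresholds and sample assertions are all illustrative assumptions; a real relying party would take them from the IdP’s published assurance framework and its own risk appetite.

```python
"""Relying-party acceptance policy for "bring your own identity" assertions.

Added example, not from the original post. The claim names, proofing levels,
weights, thresholds and sample assertions below are illustrative assumptions;
a real relying party would take them from the IdP's published assurance
framework and its own risk appetite.
"""
from dataclasses import dataclass
from datetime import date

# Issuers this relying party has vetted and agreed to federate with (constructed).
TRUSTED_ISSUERS = {"https://id.example-bank.test", "https://eid.example-gov.test"}

# Points earned by each identity-proofing method (assumed weights).
PROOFING_POINTS = {
    "in_person_government_id": 50,  # proofed face to face against a passport or national ID
    "remote_document_check": 30,    # scanned document plus liveness check
    "email_only": 0,                # the social-login style of "proofing"
}

# Fixed evaluation date so the example is reproducible (constructed).
TODAY = date(2010, 5, 12)


@dataclass(frozen=True)
class IdentityAssertion:
    """Attributes a federated IdP asserts about the subject."""
    issuer: str
    subject: str
    account_opened: date
    proofing: str
    trusted_transactions: int


def assurance_score(a: IdentityAssertion, today: date = TODAY) -> int:
    """Score 0-100 from the three signals the post names: account age, proofing, history."""
    age_days = (today - a.account_opened).days
    age_points = min(30, max(0, age_days) // 73)          # about 1 point per 73 days, capped near 6 years
    proofing_points = PROOFING_POINTS.get(a.proofing, 0)   # unknown methods earn nothing
    history_points = min(20, a.trusted_transactions // 5)  # 1 point per 5 trusted uses, capped
    return age_points + proofing_points + history_points


def access_decision(a: IdentityAssertion, today: date = TODAY, minimum: int = 60) -> str:
    """Return 'grant', 'provisional' or 'deny' for the asserted identity."""
    if a.issuer not in TRUSTED_ISSUERS:
        return "deny"  # never score an assertion from an issuer that was not vetted first
    score = assurance_score(a, today)
    if score >= minimum:
        return "grant"
    if score >= minimum // 2:
        return "provisional"  # enough to start onboarding, not enough for production data
    return "deny"


# Constructed sample assertions covering the cases discussed in the post.
SAMPLES = {
    "long_standing_customer": IdentityAssertion(
        "https://id.example-bank.test", "jane", date(2003, 1, 15),
        "in_person_government_id", 400),
    "fresh_account_same_bank": IdentityAssertion(
        "https://id.example-bank.test", "mallory", date(2010, 5, 1),
        "remote_document_check", 0),
    "social_login": IdentityAssertion(
        "https://social.example.test", "anyone", date(2010, 5, 1),
        "email_only", 0),
}


def evaluate_samples() -> dict:
    """Score and decide every sample; returns {name: (score, decision)}."""
    return {name: (assurance_score(a), access_decision(a)) for name, a in SAMPLES.items()}


if __name__ == "__main__":
    for name, (score, decision) in evaluate_samples().items():
        print(f"{name:24s} score={score:3d} decision={decision}")
```

Note the ordering: the issuer check runs before any scoring, so a high-scoring assertion from an unvetted IdP is still refused, and a brand-new account at a trusted bank lands in the provisional tier rather than being granted outright, which is exactly the scenario the quoted objection worries about.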

Finally we come back to the organization doing the hiring, and we see that in the “bring your own identity” world they don’t have many identities being managed on premise at all. No identities means no identity professionals, either. Of course, there will be a swell of positions for these folks at the IdP organizations, but not as many spots as there were at the clients. So the music has started and there are only so many chairs. Luckily, nothing is ever so stark. It’s very likely there will be a swing from cloud and outsourced models back to on premise in some way at some point. Of course, you can have on-premise services with federated “bring your own identity” style systems as well. But I’d never say anything will be so complete that it will see things go away entirely. Things that work tend to stick around and evolve rather than disappear. There is also likely to be competition for the spots as a trusted IdP. That will mean more call for identity professionals who can add value to what these organizations offer as an IdP. The cell phone companies will want in the game, but won’t have the same gravitas as banks. How will they compete? I’m sure there are identity professionals who could make them more competitive. In one of my favorite movies, Mindwalk, the poet character muses that to people in the Middle Ages “judgment day was the ultimate day off, not the ultimate off day”. I think this apocalypse could be similar to that. There will be fewer people left after it, but the ones who are left will be able to build the kind of strong, flexible systems they have always wanted.

  1. Brian Casey
    May 12, 2010 at 3:33 pm

    This is an extremely thought-provoking article. My thoughts are that a perfect federated “bring your own identity” scenario is way off in the future. Obviously we’d have to get past the privacy concerns of our current generation, whether at an individual or corporate level. With a whole generation raised on blogs, Facebook, Twitter, and YouTube, I’m sure that privacy concerns will become a much lower priority, opening the doors to this sort of solution. Is this actually a good thing? Apocalypse is absolutely right, and not just because I won’t have a job.

    BTW, great meeting you at TEC, I look forward to speaking with you in the future. Once again, a great article.

  2. May 12, 2010 at 3:47 pm

    Brian, I agree this is far off. And I also bet it would be a mixed world where some BYOI will become normal, but there will also still be plenty of IAM infrastructure at large, security- and audit-sensitive organizations. What the up-and-coming digital generation has to offer is the opportunity to take advantage of their large digital footprint (both to and against their advantage) and the more casual attitude about privacy you allude to. Though, just to be anti-generalization, I do know many 20-somethings that are much more privacy sensitive than I am. In every case, they also seem to be generally technophobic as well, but in a few it’s more about their parents banging into their heads the danger of leaving too large a digital wake for them to carry around for the rest of their lives.

    It was good to meet you as well. I’m still trying to pry those slides out of our mutual friend’s hands.

