There is a school of thought that says – in relation to cyber security – that identity is the new perimeter. And certainly identity has become a central pillar of digital transformation.
On the back of widespread cloud adoption and the ubiquity of powerful smartphones, the underlying architectures for how, when and where people – or employees – consume services have fundamentally changed in the past four to five years.
These fundamental changes in the tech are moving us into a “golden age of identity,” according to Andre Durand, the founder and chief executive of Denver-based Ping Identity.
What device the user is on when they access services has changed, and where those applications reside has changed, Mr Durand says – now they’re in public clouds, they’re in multiple clouds, they are not just sitting in a data centre.
This has completely changed the concept of where you put the firewall, how you secure it, and how you provide access. It is where the notion of ‘identity as the perimeter’ comes from, because you need a modern identity infrastructure to connect the right users with the right applications and control that access.
In enterprise transformation, identity is fundamental. That is as true of government as it is of any brownfield enterprise.
The role of government in identity management interesting. Government is in the unusual position as being an issuer of foundation documents – like birth certificates and de facto identities like driver’s licences – as well as being a heavy ‘user’ of identity.
And in fact government documents have come to be relied on in a way that was not originally envisaged.
“Most of the private sector is boot-strapped off social security numbers and drivers licences,” Mr Durand says. “It wasn’t designed that way and it wasn’t intended that way.”
“They [governments] issued drivers licences so that you could drive. But everyone says ‘Who are you? Show me your driver’s licence’ because it was a recognised and somewhat trusted government proofing system for your identity,” he said.
“I think for the original vetting and proofing, governments are in a prime position to do that, frankly.
“That’s the issuance of passports, the issuance of driver’s licences, the issuance of social security numbers which are used for the purposes of tax and benefits – those are all instances of governments taking on proofing functions.”
The private sector already piggy-backs on this proofing system, Mr Durand says, which is why you always get asked for your driver’s licence to authenticate who you are.
But in a world of digital transformation, government identity management gets much more interesting.
And frankly this is where governments are required to ask themselves how they allow the private sector to similar leverage these documents in a digital environment.
It might be the case that the private sector can make a call to a set of APIs that allow it to authenticate an individual – and so they don’t have to authenticate that individual again. In effect, this is the same process as producing 100 points of ID while standing in front of a bank teller, or a telecommunications company when buying a phone.
And this is where the Digital Transformation Agency is up to – the early stages of a process that may ultimately allow the private sector to provide identity services (the DTA is understood to be working with Australia Post as an initial partner, which is a little like private sector-Lite.)
Different governments have different views on identity issues. Australia’s has been evolving.
Australian identity specialist Versent’s founder and CEO Thor Essman says government “a” single source of truth, rather than “the” single source of truth.
“They have some great sources of truth for us – like passports and drivers licences – and they play a very critical role in being a starting point for the validation of identity,” Mr Essman said.
“But the commercial market will need to enrich that starting point and create the experience that customers want. [Government] needs to provide better standardised starting points … and they are starting to do that now,” he said.
Mr Essman says the power of the smartphone changes everything, and should provide systems that enable ultimate flexibility. Biometrics are more broadly accepted these days – after the fingerprint security of Apple iPhones and Google Pixels got everyone acclimatised. A single phone can now have multiple biometrics.
And these features can be integrated into broader identity solutions for big and small applications.
But the Ping Identity’s Mr Durand’s point that we have entered a “golden age of identity” – it is inarguable that there is a huge amount going on.
The challenge, he says, is that people become somewhat numb about identity issues. And he warns that it is human nature to trade away an unseen security in favour of a here-and-now convenience.
“Secure by default goes straight out the window,” Mr Durand said. “I do think it is incumbent on the people who are deeply involved in these issues to really think through the ramifications [of identity and security design].”
“The big fear of identity as a whole is that if we’re not careful about how we architect what we build, the potential for future abuse is massive,” Mr Durand said.
“That’s the fear. And it’s rightfully founded.”