Blog posts by John Tolbert
Consumer identity and access management solutions are bringing value to the organizations which implement them, in terms of higher numbers of successful registrations, customer profiling, authentication variety, identity analytics, and marketing insights. Many companies with deployed CIAM solutions are increasing revenue and brand loyalty. Consumers themselves have better experiences interacting with companies that have mature CIAM technologies. CIAM is a rapidly growing market segment.
CIAM systems typically collect (or at least attempt to collect) the following attributes about consumers: Name, email address, association with one or more social network accounts, age, gender, and location. Depending on the service provider, CIAM products may also pick up data such as search queries, items purchased, items browsed, and likes and preferences from social networks. Wearable technology vendors may collect locations, physical activities, and health-related statistics, and this data may be linked to consumers’ online identities in multiple CIAM implementations. To reduce fraud and unobtrusively increase the users’ authentication assurance levels, some companies may also acquire users’ IP addresses, device information, and location history.
Once the EU's General Data Protection Regulation (GDPR) takes effect in May of 2018, collecting any of this data without the EU user's explicit consent will violate it. Penalties for violation can be up to €20M or 4% of global revenue, whichever is higher.
Consider a few definitions from the GDPR:
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
(10) ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
(11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
This means that companies that are currently deriving benefit from CIAM must:
- Perform a privacy data assessment
- Create new privacy policies as needed
- Plan to clean and minimize user data already resident in systems
- Implement the consent gathering mechanisms within their CIAM solutions
If your deployed CIAM solution is not yet fully GDPR compliant, talk with your vendor about their product roadmaps. Find out when they will release a GDPR compliant version, and determine how to work that into your own release schedule.
If your organization is considering deploying CIAM in the near future, make sure that GDPR compliant consent mechanisms and storage schemes are on your RFP requirements list.
This article is not intended to provide detailed technical or legal advice. For more information, see the full text of GDPR at the link above, and visit www.kuppingercole.com. Over the next few months, we will examine other aspects of GDPR and what it entails for business, IAM, and IT infrastructure.
KuppingerCole just concluded our first Consumer Identity Summit in Paris. In fact, this was the first Consumer focused digital identity event of its kind. The event was very well attended, and featured excellent expert speakers from all across the globe. The popularity of the event and enthusiasm for dialogue among attendees demonstrates the need for treating Consumer Identity differently than traditional Enterprise Identity. The technology has been evolving significantly, to meet rapidly changing business requirements and encompass newly developed technologies.
Businesses and public sector organizations are finding that they need to “Know Your Customer” (KYC) better for a number of reasons. Consumer Identity and Access Management (CIAM) services can help meet these objectives. For example, retail and media outlets can provide better experiences to registered users. These companies can offer incentives, special sales, and other features to increase loyalty to their brands. Banks and financial institutions can better comply with Anti-Money Laundering (AML) regulations by establishing digital relationships via CIAM, and provide competitive advantages.
Consumer identity is becoming more than just a competitive advantage though. Katryna Dow, CEO of Meeco, said “Consumer Identity is the new channel”. What this means is that digital service providers are in many cases beginning to bypass traditional distribution channels to directly engage and sell to consumers. This will have increasingly profound effects on business models. Consider, for example, the changes in entertainment media and its prior distribution channels. Where consumers once bought movies and programs on VHS or DVD at stores such as Blockbuster and Hollywood Video, consumers are now streaming content straight from Amazon, Hulu, Netflix, Sony, and more. The same can be said for online retailers: those utilizing consumer identity solutions have ways to alert interested buyers, solicit feedback, and create revenue streams that others can’t.
Allan Foster, VP of Community at ForgeRock and President of Kantara Initiative, described the difference between enterprise IAM and CIAM: “with enterprise IAM, IT provides the identities; in CIAM, IT provides the means for consumers to build their own identities.” This saves administrative effort, and puts control over which attributes to share back into the consumers’ hands, making them a participant in the process.
Ian Glazer, Senior Director at Salesforce Identity, highlighted the need for improved user experiences, showing how effective consumer identity management promotes a much better user journey. He stated that businesses must reduce friction for consumers by using social logins, progressive profiling, and progressive proofing. Logins should not require “Yet Another Username & Password”, or YAUP. Consumer identity should work across multiple channels, including tying users to their IoT devices.
Several speakers touched on the importance of preparing for the EU General Data Protection Regulation (GDPR), which will take effect on 25 May 2018. GDPR contains language which governs the treatment and handling of information gathered and used by CIAM systems. GDPR defines what personally identifiable information (PII) is: name, email, photos, posts on social networks, medical information, and financial information are examples. Some of the most important provisions include explicit consent for PII data usage, localized processing (EU citizen data must be housed and processed within the EU itself), data portability (EU citizens must be able to export their data from systems), and the right to be forgotten (data deletion). CIAM solutions must be able to meet all these requirements to be viable within the EU in the post-GDPR regulatory schema. For more information on GDPR, follow KuppingerCole’s updates, and to see the full text, go to http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf.
To meet the privacy objectives of GDPR, Dr. Maciej Machulak discussed Kantara Initiative’s User Managed Access (UMA) specification. UMA provides a framework for web applications to obtain users’ consent for use of their data. KuppingerCole believes that UMA will be a major enabler for GDPR compliance. For more information on UMA, see https://kantarainitiative.org/confluence/display/uma/Home.
We also presented the results of our CIAM Leadership Compass at the Summit. For this paper, ForgeRock, Gigya, IBM, iWelcome, Janrain, LoginRadius, Microsoft, Okta, PingIdentity, Salesforce, SAP, and SecureAuth participated. Each company has products that serve the CIAM needs of their own customers, with different strengths, challenges, and target markets. For the full report, see https://www.kuppingercole.com/report/lc71171.
Lastly, our own Martin Kuppinger weighed in on the ownership aspect of CIAM deployments. There are a variety of ways that CIAM can be implemented and maintained. In some companies, marketing takes the lead. In others, IT is completely responsible. The hybrid ownership approach works best: IT owns the deployment, but operates it as a service for the business as a whole. This promotes tight integration with enterprise IAM, without being encumbered by enterprise IAM limitations. It also allows businesses to efficiently promote regulatory compliance and security, while offering consistent and feature-rich solutions for sales and marketing.
KuppingerCole will continue to track with CIAM solution developers and customers to provide the most up-to-date information on CIAM, KYC, and the regulatory drivers in this space.
GlobalPlatform recently held their annual conference in Santa Clara, California. GlobalPlatform is an international standards organization that defines specifications for the Trusted Execution Environment (TEE), the secure virtual operating system that runs alongside the main OS of a mobile device. It also specifies requirements for Secure Elements (SE), the protected storage components within mobile devices. When the two are used together, Trusted Apps run inside the TEE, protected from rogue apps and malware, and control access to data stored in the SE. The use of a TEE also protects confidentiality and integrity between the user input and display. The specifications are becoming widely used in the protection of premium content (digital media), financial apps, telecommunications, automotive components, healthcare devices, and transit systems.
TEE is being used to secure processing and messaging in many IoT scenarios already today, such as parking meters, food monitoring, and "smart cities" street light monitoring. On the consumer side, TEE is implemented in watches, home automation, and even cars. Remote monitoring of manufacturing, logistics, agriculture, and environments is increasingly being performed by IoT sensors. The number of Internet connected devices is rapidly rising.
Given the recent spate of record-breaking DDoS attacks launched from compromised IoT devices, expect to see greater emphasis and consumer demand for security and privacy on IoT manufacturers. Most consumers do not want their webcams and refrigerators to be involved in illegal activities, such as knocking websites off the air, or sabotaging food production.
Beyond providing specifications for execution and storage, GlobalPlatform can help with IoT security by adopting device identity standards. The IoT devices that have unwittingly participated in attacks have done so because bad actors took control using default usernames and passwords. In most cases, users aren't directly involved, so having a username/password identity scheme does not even make sense for IoT sensors.
The lifecycle for IoT device identities is quite different from that of human users. Some devices are designed to last a few hours, such as passive WiFi concrete hardening sensors. Some agricultural sensors are designed to last a growing season. However, in other cases, Internet-enabled durable goods and medical devices are expected to last from several years to perhaps decades. Thus, the identity lifecycle and the difficulty associated with modifying attributes pose new security risks. Time will tell, but ultimately a PKI-lite certificate-based device identity paradigm may emerge, if revocation issues can be sufficiently addressed. IoT device vendors and third party service providers will likely find that device identity and access management could generate long-term subscription and fee revenues.
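As an added illustration of the certificate-based device identity the two paragraphs above describe (example code, not from the post or from GlobalPlatform): each device gets its own key pair and a certificate whose validity is capped to the device class's expected life, so hours-long sensors age out on their own, while long-lived devices can be revoked. The device classes, lifetimes and the in-memory revocation list are constructed for the example; a real deployment would consult a CRL or OCSP responder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Expected service life per device class, using the post's examples (constructed values).
var lifetimes = map[string]time.Duration{
	"concrete-sensor": 12 * time.Hour,
	"crop-sensor":     180 * 24 * time.Hour,
	"medical-device":  10 * 365 * 24 * time.Hour,
}
// Revoked serials; stands in for the operator's CRL/OCSP source (constructed).
var revoked = map[string]bool{}

// NewCA creates a self-signed issuing CA for the device fleet.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Fleet Device CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(20 * 365 * 24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(der)
	return ca, key
}
// IssueDeviceCert binds a device ID to its own key pair; validity is capped to the class's life.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, class, id string, serial int64) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial),
		Subject:   pkix.Name{CommonName: id, OrganizationalUnit: []string{class}},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetimes[class])}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	c, _ := x509.ParseCertificate(der)
	return c
}
// Revoke records a lost or compromised device so a long-lived cert can be cut off early.
func Revoke(dev *x509.Certificate) { revoked[dev.SerialNumber.String()] = true }
// Authenticate accepts a device only if its cert chains to the fleet CA, is valid at `at`,
// and is not revoked. No username or password is involved.
func Authenticate(ca, dev *x509.Certificate, at time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := dev.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at})
	return err == nil && !revoked[dev.SerialNumber.String()]
}
```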
With regard to user authentication, GlobalPlatform and the FIDO Alliance will be cooperating with cross-certification and joint testing programs. The FIDO Alliance is an international Standards Development Organization (SDO) focused on multi-factor and mobile authentication technologies. GlobalPlatform currently provides test tools and certified test labs to perform independent security testing of TEEs. This yields qualified products. Many vendors are already building and certifying TEEs. FIDO authenticators and clients are being deployed in the TEE. Apps that run in the open, or "Rich OS", can request authentication from the FIDO client/authenticator running securely in the TEE.
FIDO is also adding security certification. The first priority is protecting the authenticator’s keys. Security certification for FIDO will re-use other organizations’ standards, such as FIPS 140-2 and GlobalPlatform TEE. FIDO security certification will look for and confirm the use of TEE by FIDO components. FIDO certification will then include functional certification by FIDO (as it is today), and GlobalPlatform TEE certification as a component of security.
GlobalPlatform and FIDO are planning to synchronize certification processes. Independent certified test labs will provide the testing services for both organizations. OEMs will be able to get both needed certifications much more quickly. Such an approach is a "win-win" for the mobile IAM community, as there are many common members between FIDO and GlobalPlatform, and this should reduce the cost and time needed to obtain security certifications from both organizations.
As we know, IoT devices are proliferating but security is severely lacking. The number of FIDO certified products is also beginning to grow. GlobalPlatform’s TEE will add needed runtime and I/O security to both IoT and FIDO applications. KuppingerCole recommends that both IoT device manufacturers and FIDO implementers utilize TEE to:
- improve the overall security posture of IoT devices and FIDO authenticators
- reduce the risk of malware taking over IoT devices and turning them into DDoS botnets
- increase integrity of key generation, storage, and use in FIDO authenticators
- add credibility to IoT and FIDO products in the marketplace.
KuppingerCole will continue to monitor developments in the mobile and IoT security space.
GlobalPlatform TEE specifications can be found at https://www.globalplatform.org/specificationsdevice.asp.
The emergence and prominence of bitcoin and its underlying technology Blockchain with open source, real-time payments capabilities and without centralized regulatory authority has sparked the Financial Services industry into exploring how Blockchain technology might be applied to mainstream banking and insurance sectors. Blockchain technology goes further than just a distributed ledger. Another initiative gaining acceptance is Smart Contracts that use computer protocols to facilitate, verify, or enforce the negotiation or performance of a contract or that obviate the need for a contractual [...]