Event Recording

How to Work Together in a Privacy Preserving Way to Mitigate Risks

Digital identity is central to all electronic transactions. Prevention of credential misuse is the first responsibility of identity management professionals today. Proper identity management includes identity vetting, issuance of credentials, risk-appropriate authentication and authorization, auditing, and more. Regulations such as GDPR also mandate that identity management systems must work to preserve the privacy of users. This session explores contemporary means of protecting identities to lower cyber risk while safeguarding the privacy of users.

A feasible alternative anytime soon, you know, those of us who know about and understand GDPR, we might have EU NV or UNV, I guess we could call it, you know, wanting to prevent these Equifax types of situations from because yeah, there is health consent. Yeah. You know, what do you think's the path forward in protecting consumer privacy from a purely US perspective?
So I guess I should take it since that. So do folks know what NSTIC is, or is that familiar to you? It's the National Strategy for Trusted Identities in Cyberspace, which was an Obama initiative back in April '11. And that was the office that I worked for. And the premise at the time was that it has to be private sector led. Back then Touch ID wasn't a thing. There was no biometrics; two-step wasn't there yet. So the idea was, let's inject some funds into the private sector. Let's have you guys innovate and bring together solutions to the marketplace, hopefully develop a market so that companies can, you know, consume those services. You know, Capital One, I think, is a success of NSTIC. You know, there's a bunch of other companies that are now in the field, Gigya as well.
There's a lot the private sector has stepped up now. In terms of right now, NSTIC has changed. They're the Trusted Identities Group. It is still a priority within NIST, but I can say this 'cause I'm not government anymore: it's not anymore. That's the problem. So I think it's now holding on us as private citizens, really, to take the mail moving forward. We're not going to see a large push. I don't perceive a large push from the current administration in terms of investing in privacy or security. There may be an investment from the DHS side, but it's more on enforcement and law enforcement and making sure citizens are really citizens and things like that. But I think it's on us as leaders in the private sector, as leaders in the commercial and banking, to move this forward so that we can protect our customers.
Yeah. Just to add to that. I think it's interesting that the view of what is meant by privacy actually varies quite a bit by GE, just as you were saying. And so the types of things that we think are important in the US, for example, are very different from in Europe, which is why you had GDPR, for example. So there's not really a one-size-fits-all solution. And in my view, there are a couple of keys to success. The first is establishing the right incentives to drive companies to make good decisions about protecting data. So a good example of this, I think you used credit card fraud in the US. People may not have a cavalier attitude towards the security of their card, their card data, but it's, yeah, they don't really care. He was sitting right here. So I didn't even feel too bad, but yeah, they do.
And the reason is we're not personally liable. You go to other countries where frequently people are, and they're very protective of their cards, to the point you would never give your card to a waiter in a restaurant, right. They bring the terminal to you, you cover the PIN pad. So it's a very different mentality driven by incentives. The second point that I would make is that, I think related to the differing notion of what privacy means, we need to think about solutions that put users in control of their data and make it possible for them to make informed decisions about what data they can share, how they should share it, what should be protected. This would even be, I think, relevant for different types of authentication. We probably all read the news about the iPhone 10, very interesting, some concerns about facial recognition, but a lot of people are gonna make the choice to use that. And that's fine, you know, that same sort of freedom of choice needs to be extended to other aspects of online security.
Yeah. John, I don't have the answer, nor I think anyone else on this panel or probably in this room has, on how to solve for this. But I think, you know, going back to the title here of how to work together, I think that's the important thing that we need to start doing a better job of. Much like, you know, Facebook Connect is my most convenient way of authenticating to a site. No site's gonna trust that to know that it's actually me associated with that or that the identity information has been validated, but, you know, having the convenience aspect layered with some KYC-verified identity from a bank and providing that in a consumable, easy-to-integrate way for the business to complete kind of a solution for them that solves their business problem is probably moving in the right direction.
Again, unfortunately, a lot of us have been trying to solve these consumer identity issues in silos or specific just to our vertical in the stack, you know, but that said, that obviously has not been getting the job done. And a lot of these have been designed void of the consumer input, so that obviously needs to change quite drastically. So this is where I thought what your colleague presented this morning was really interesting, because he's really smart. Yeah. Yeah. I'm not gonna say who the smart one of the two is. I do think there needs to be services online that will provide one very specific point of information. In your case, it was the identity of the user and then credit card related activities around the identity, but it could be another service. It could be the DMV service for your ability to drive, or it could be the trauma services, so that we know where you are, and more of these services, because that helps establish who you are, that helps establish whether your patterning activity is the right one.
So we do need these trusted sources instead of just having a multitude of services where we don't really know whether we can trust them. And we actually see that model in Germany, they have post ID, Swiss ID in Switzerland, Verby, there's a few of these IDPs that are kind of pseudo government, I guess you would call it. But you know, my big question is when the heck is Facebook gonna get their act together, 'cause they already are claiming 2 billion humans inside their system. Right. And you know, who's to say, like right now I feel pretty darn good that my Facebook is pretty secure, more so than I thought, you know, Equifax, I thought was more secure and I was gonna rely on them as an IDP. But you know, at the end of the day, I'm like, if Facebook actually put a little bit of effort into this, everybody else watch out, why would you use anything else? Or LinkedIn? No.
Yeah, but I think again from our consumer research, I mean, and, you know, some of the Facebook folks are here, so they could obviously chime in with their consumer research if they wanna share. But ours shows that consumers don't want to have only one identity and they want to keep 'em segregated, you know, for a multitude of reasons. But that said, like Facebook getting their act together, your words, not mine, you know, is that the right thing for them to pursue, a fully verified identity associated with a Facebook account? And they've tried it in the past, right? There was an initiative to verify your driver's license against your Facebook account. And, you know, from what I read publicly, it didn't look like it was very successful, but that said, people want to keep their identity separate for different purposes.
It's a matter of us collaborating and integrating together in order to provide a full end solution. So wouldn't you agree, though, that there's identities that are worth more? For instance, I use Facebook a lot, but I use it for personal dumb stuff. So I would not want to use that as a basis for my identity, but I do use Google for everything else. So I would argue that my Google identity is worth a lot of money and that's what I would want to use to authenticate with whatever service I use online. As a matter of fact, when I authenticate to KuppingerCole, I use my Google identity and I'm pretty happy with that. When I authenticate to another consumer website, I don't know, a retail shop, I'm happy to have Google OpenID Connect, but I would want to create, get another set of credentials for those websites, and I would not want to use Facebook. For sure. Yeah. I think we've got to enable personal product choice for the users
And showing visibility of data flow, knowing what data is being shared.
Okay, go ahead. So I don't know if this is thetic, but so what we're all talking about here is this concept of identity federation, if that makes sense to all you guys, where you have a trusted identity, why not reuse that instead of creating many, many, many, many, many identities where, you know, passwords and all that information gets duplicated. And I just wanna make sure that the audience is familiar and understands it, 'cause that's a key privacy preserving element of where we're now versus, you know, five years ago, six years ago. We're talking about federation in a real sense, and that's absolutely a way that we can help promote privacy preservation.
But I think you had a great comment, though, right? About the need to enable people to continue to choose their identity provider. You know, those of us who have been in the field for a little while probably remember Microsoft Passport and some of the much earlier attempts where we were gonna have this panacea, it's gonna be a worldwide identity provider for
Everything, that's what I'm wondering about. This is what I would want. So let's take the example you just talked about, the terrible disastrous product post. It never worked. Okay. Just give an example. The Swiss one doesn't work either. The Austrian works a little bit, but Austria has the advantage, they don't have big industry. So coming and now this is the Austria. Well, I'm Austrian. So don't try to insult me that, but no, I'm asking you, the question you have to ask yourself is the answer is not, it is Facebook for trashy stuff. Don't to Facebook, but for stuff I don't really care. Yeah. But if I go further on, and I sometimes believe maybe the answer would be to have various, I can face because at that doesn't ensure me. The assurance for me from a bank is not sufficient for everything I do; for a lot of things it's okay. But there are things on top, like what would be an example? I'll give you a very good example. What you can't do if you take IoT, and IoT and we are growing together. Yeah, sure. And the problem you have, you have a risk assessment of, if you wanna invest more money and say, okay, my risk is not that my customer will lose money because, you know, I didn't protect them enough. Your risk assessment will always be like, okay, this is the amount of money you could lose. That's your risk assessment
Risk assessment's also on the identity.
But I know. So now go a step further, and this is the issue I'm having, or I had. So I had a bank, but we also had cars driving around. Cars are more dangerous than your bank account, 'cause one dead person is really bad. So the question is, if you go, and your question, Liam, I like that very much, to put a model in place. I'm not saying that you can't do it. You can do it, but then you have to put a lot of money in it. So question to you guys, do you think there will be one IDP worldwide? No, because that would be Facebook, but Facebook doesn't work in China.
No. It's time to let Facebook respond. So,
So I think at this conference we would have room for, like, an entire fifth day that is just Facebook myth busting. I'm not gonna do that. What I'm gonna do instead is say that we are breaking new ground in this space in terms of how identity federation can work in a privacy protecting way. We have a new protocol that we've released, open-sourced and implemented: delegated account recovery. That is all about taking that last resort of how do you really prove who you are, putting the choice in consumers' hands of where they want to root those ultimate sources of their identity and truth on the ground of where they are, and maybe do it in multiple places. Come see John's talk tomorrow. He's gonna talk a lot about it. We really would like to see a lot of people, the kinds of businesses and companies that are in this room, explore in this space. It's anonymous, it's privacy preserving, it's very strong authentication and it's consumer choice friendly. So I think, you know, Facebook's trying to take the lead in making this stuff work along those principles of federation, choice and privacy. We're not the company we were five years ago. And so please couldn't see chance. Talk about
Sounds good. And I know from some of our discussions, I think Facebook, Microsoft, Google, they do a pretty good job of keeping their ecosystem pretty clean. There's
Plenty of
That's true. You're next?
Thank you. So kind of play this out for me. So it sounds like you have a lot of businesses. I mean, the Capital One example is great. So it's like, from a financial institution, we want to be an IDP of a highly, you know, high level assurance type identity. Aetna, or my background, I used to work at UnitedHealth Group Optum. They want to have the identity that's gonna be for all healthcare and, you know, these large US banks gonna wanna do the same thing. Well, as far as we wanna do the same thing, so kind of carry it out, there's gonna be a bunch. It feels like there's gonna be this growth of these highly secure IDPs that within their vertical, they're gonna try to be the IDP for this area. And so I'm just trying to see, like, how do we, I mean, if right now we complain about the NASCAR dashboard when you're trying to pick which social authenticator to use, now it's gonna be like, which vertical authenticator? I'm like, how does this end up? How does this play out? Because it just seems like the value proposition that one is doing this is like, well, yeah, that sounds like a great opportunity for every other major bank to also try, and every healthcare and every 3m and whatever they do.
For IoT, so comments on that. So this one, that's what I call a good problem to have. Right. I mean, if we're in a state where we have a plethora of highly assured credentials, that strong authentication out there, I mean, I'd be happy as, as a, right, but I mean, to your point of the NASCAR situation, I mean, there's fixes to that, right? You choose one that, you know, the brands can differentiate, of course, depending on, I don't know, who they interact with, but also, you know, there's ways to remember what you loved. And last, I mean, I think there's solves there, and I think as the industry matures, sure, there's gonna be a lot of new entrants, or hopefully a lot of new entrants, but folks will also drop out, as, you know, any mature markets would have. So I would encourage that problem. I think that would be a great thing to,
Yeah. I concur with Phil that that would be a great problem. I don't see it happening quickly, but I do think, like, the Gigyas of the world, the IDP networks, could play a meaningful role in giving consumers early choice in which IDP they want to use. I think that's going to be an emerging opportunity for IDP networks to kind of, you know, tee up a contextually relevant IDP in a specific use case, whether it is more focused on convenience and access and an anonymous transaction versus a fully verified one. And if you've kind of selected your settings, if you will, within this IDP network, then it'll know what to position. So you don't have, you know, the complexity of too many choices when you're trying to log in, and basically, right, sizing the security to the type of transaction you're doing as well, from the fun stuff to, you know, the serious financial transaction.
But also then I think, you know, your comments earlier about, you know, you need to become a network to fight a network, right? And I think there's a huge opportunity as technology organizations to share some of the attack data. So even within Gigya's network, we've introduced something called Network Protected Identity, which says, if any node on the network is attacked, we're gonna take those kind of credentials and step that up on other spots in the network, so that, you know, site X was attacked, but you've just protected that identity across hundreds of different sites. And we are a small microcosm of what the potential of some of this sharing could potentially do to help protect entities across
That. That's a great point and kind of brings up another topic, but the same point I was gonna make. And that, you know, we talk about information sharing across organizations, which is important, but oftentimes we're not sharing information effectively within organizations. So, you know, we always think in our silos, like you talked about, you know, your past life, but I think it's important that we think about identity as part of a larger set of capabilities. In order for it to really operate effectively, it must be integrated, whether it's with analytics or, you know, some of these other pieces as well.
Hi, Mike Beach, I'm retired. Haven't thought about this in a while, and I haven't really thought this question through, but I've been hearing about privacy all day, and we've thought about privacy in about five years a whole lot, but I'm wondering if we are clear what the real issues and problems we're trying to solve are. I don't know as I care if people know when I'm born or what my Social Security number is or where I live or anything else. What I don't want to have happen is people defraud me of money or other things of that sort. And I think another thing we talk about is having choices of, you know, well, gee, you've got this IDP and that IDP, and the reality is that 95% of the consumers out there don't know what an IDP is. They don't know why they would pick one IDP over another. They want, they need usability, and you can't expect the consumers to make decisions about this stuff. So the reality in my mind is, what are we trying to solve? We're trying to solve usability and prevention of fraud and of consumers getting screwed. Now, there may be some cases where, yeah, I did stupid things out on the internet and now, gee, I want my privacy back because I don't want people to know it. But
Yeah, I don't think you can divorce the fact that you don't care about other people knowing your date of birth, your address, all this stuff, your PII, from the fraud. That is the exact reason people are trying to get all that information. So I like you trying to divorce those two things from each other. I don't think it works, 'cause that's why people breached Equifax, to get all that information so they could commit financial fraud in your identity.
But we focus that on GE privacy has been breached. And if we didn't, if we had another way to solve
The problem, well, sure, privacy was breached because an organization was storing massive amounts of information about your identity that you didn't give permission to. There's a couple of different points. I mean, one of you earlier said that we need to devalue the different attributes that we own about people. So to your point, date of birth shouldn't really matter. And we shouldn't use those to recover accounts. You know, when were you born? Where were you born? What was your mother's maiden name? And so on and so forth. So we should absolutely try to devalue as much as we can those bits of information. You could argue also that, you know, talking about privacy, is my medical record that sensitive? Some parts might definitely be; my blood type definitely isn't. I'd be happy for all of you to know my blood type, 'cause if something happens, it would be useful.
So one is devaluing tidbits. Two is being able to prove who we are based on means that can't be easily hacked. Three is having better visibility of who owns which data. What does Facebook know about me? What does Equifax know about me? As far as I know, not being a US citizen, I don't think or know that they have any information about me, but I do have a Social. So maybe they do. I don't know. There's no visibility. So bringing that visibility in is important. And then your earlier point as well was really interesting. So I'm a bit of a geek, and SW you can authenticate with a soft token, a hard token. You can have one of those cards that you slide in. I think it's so cool. My wife doesn't, she hates it. She just doesn't understand why it's so complicated to log in. So usability is gonna be an issue.
I'm gonna take the conversation back to identity attributes that should not matter. The
Identity attributes that should not matter is actually, you're absolutely right. My health record, the reason that it matters to me is because I'm worried in the United States whether any insurance company is going to deny me insurance or increase my premium because of the fact that they know I have, I don't know, disease or something, right. That's why it matters. The question is, the very first elements of this are, as I mentioned earlier, the government and the financial institutions. This burden is on Capital One and the like, and DoD and others, to protect people's identity attributes and replace how stupid we have been for several decades on dealing with this at, never mind the date of birth, which everybody and their dog knows, never mind your Social Security, that at least 90% of them are already breached, experience next. Right? So the question is, what do we replace these identity attributes with?
How do I, when it comes into context of IDPs, how do I know if my identity attribute is being used anywhere in cyber, right? That's the problem that we need to solve. Not the fact that, is this identity attribute good or bad? Is it breached or not? Is information going to the owner of the identity attribute? That's the problem that we as a community need to solve. How do I know? How do I get a notification whenever my identity attribute is used, when somebody, retired or not, is breached, and now that Social Security is used to get a new Capital One credit card? Now the person who gets a new Capital One credit card might not do anything else other than the fact that uses my name and my Social Security. And they pay it off because they just want to have a credit card, and they pay it off and they use it and everything is okay. So that's the key thing that I want to ask one of the panelists to answer. Do you see a future in how we can either replace the attributes that are used wrongly today or the last several decades, or is there a way to inform the owners of the identity attributes when this use
I'll make a quick comment. I think that it goes back to something you said earlier, really the heart of this matter is giving people visibility into what identity is used where, and giving them choice about how it's used. You said that your medical records are not important to you. I'm sure many people would find that to be very important, very sensitive information, regardless of, you know, how the insurance company would view it. But you could say the same about many of these identity attributes. And so, you know, just to kind of couple this with the previous question about the, you know, too many identity providers and the NASCAR dashboard, this could be a key differentiating service that companies could offer, right? Capital One might say, we have these privacy enhancing techniques, for example, and this is why, if this is important to you, you should use our service versus another. So from a technology provider standpoint, we wanna make sure that we're giving clients these types of capabilities. So I personally, I don't see a top-down solution coming where we're gonna have an industry or worldwide governance over how identity attributes are used and where. I don't think that would be feasible, but certainly we wanna give individual organizations the capabilities to implement these types of services and differentiate themselves in this way, so that the market can decide what's important and what's not.
I have a question about these different types of customers. So I think what we kind of heard today is really we're talking about, like, a B2C kind of scenario, right? So we're talking about individual customers and automat customer data, but is there any kind of, you know, research or study we have done on the B2B world? For example, like, we have a lot of B2B customers, right? So they are not individual persons, right. They basically have their own, like, B2B account, right. They could be a university, a hospital, a company. Especially, you know, when I look at our company in particular, we have kind of a combination, right? We have, you know, B2C customers, we have B2B customers. The number of B2C customers must be more than B2B, but in the revenue perspective, right, B2B is larger than B2C. So it's nice that B2B, so when we talk about this kind of customer data management strategy, can we apply the same strategy and solution to B2B customers? Or should it be kind of handled separately or in a different way?
Well, I think it's interesting, 'cause I'm actually a B2B marketer, so I market to companies, but I don't market to Capital One. I market to Matt. Like, I want to get to Matt. So I think even in a B2B partnership, I'm right here.
Yeah. We'll talk later, now I'm just kidding. But in all seriousness, I think even in the B2B context, you're still dealing with individuals. Right. And what you're trying to do is ensure that the individual's acting on behalf of the organization which they represent. So there's an additional level of perhaps assurance that's typically done through something as simple as maybe even just email address match, or the fact that you and I are doing business together and I know that you're representing that company and signed the contract, the partner agreement or whatever that is. But at the end of the day, many of the privacy and security implications are the same in B2B as in B2C, because much of the information is the same: email address, phone number. Maybe you don't have a Social Security number, but you probably have, you know, wire transfer information.
If there's financial transactions taking place, payment terms, all kinds of sensitive data that needs to be held at the same foreign level. Now, managing a total relationship is a little bit different, because you might have 30 or 40 or a hundred or a thousand people acting on behalf of that partnership that need to have maybe different levels of assurance against them, depending on the type of transaction, but at the heart of it, it's still individuals, and individual people that need to be assured in that relationship. Paul, do you have any comments on B2B, since you do a lot in the identity space there, on what's needed, what's necessary?
I think to follow on to that comment, there's kind of two perspectives to look at this, right. And I think as an industry, IAM, we tend to look at it from the enterprise out to the consumer. If we flip it around from the consumer towards the enterprise, B2B is simply a set of attributes associated with, right. So the point you make, Jason. Yeah. If we think about it as human beings and how do we facilitate collaboration amongst human beings, it's fundamentally the same problem.
So I have a question. Jason, you alluded to the Network Protected Identity, and I was kind of gonna go in that direction at some point, too. You know, when you look at some of the social identity providers or the CIAM providers or the IDaaS providers, you know, obviously they've got many, many accounts and there's a lot of internal scrubbing that goes on. I know that's exactly what you guys are doing with Network Protected Identity. You know, Facebook is, you know, constantly vigilant about looking for rogue accounts and keeping things cleaned up, and, you know, Microsoft and the rest are doing the same sorts of things. Then, you know, you've got companies that are doing services, like, I think Steve's over there, you know, VeriClouds, with, you know, it's essentially an automated Have I Been Pwned check, you know. So, you know, to get back to the title here, how can we work together to preserve privacy and mitigate risks? So, I mean, there's obviously not islands of identity and cleanup, but continents. I mean, arguably, you know, some of these identity providers are huge, and how can we begin to work together? Is there certain kinds of information sharing, you know, are there standards that need to be defined? So you guys just take it away.
So I think that the key here is, I mean, context. So you can see CIAM, we say it's consumer IAM, you can also say contextual IAM: the ability to define what it is you can do based on contextual information. And when I look at my credit card statement and it shows that I bought a plane ticket from, say, Chicago to Seattle, and then I try to use my credit card in, I don't know, Tallahassee, then the credit card company should say, hang on a minute, you should have flown to Seattle and you shouldn't be in Tallahassee, plus the fact that we can't really go in there right now. But so if the different providers that consumers interact with, be it banks, be it Google, be it Facebook, if they exposed some form of API that we could use to consume information about where the user is, it would help us make smarter decisions.
So when I do a credit card transaction, if Capital One can turn to Facebook and say, oh, where's David, and Facebook replies, okay, David did connect Facebook to Capital One, therefore I can share that information with Capital One: David just checked in at the Marriott in Seattle, therefore is not in Tallahassee, which, if you used your Capital One card, we would know that you were there as well. But yeah, that's one. Yeah. And it's actually interesting, 'cause I think at the identity event in Munich that KuppingerCole did, we had the chief innovation officer from the Department of Homeland Security actually there speaking about some new threat intelligence sharing standards that they put in place, STIX and TAXII, which I think is really kind of where this needs to go, whereby we all know the attacks are happening. I think Maggie made the point earlier that I know every second of every day somebody's trying to hack Capital One right now, but really the opportunity is for us to all share that information.
Look, here's the attacks. Yeah. They're failing on Capital One, 'cause you guys are brilliant, never gonna get hacked, but you know what, sharing that information with other people that maybe aren't as sophisticated and go, oh shit, you know, I, excuse my language. Whoa, sorry about that. But you're the chief marketing guy, right? Yeah, I am. But it's like, oh shoot, you know, here's a threat that Capital One just shared, they deflected it. Or maybe not, you don't even, whether it worked or not is kind of irrelevant, but sharing the fact that these attacks are happening and this nature allows the whole network to up their, you know, ability to defend against those types of attacks. Yeah. I'm a believer in, you know, one of the NSTIC pilots that I thought had a really meaningful, one of the many NSTIC pilots, I should say, that had meaningful purpose was Andrew Nash. And his team would confirm. And the shared signals model that O wrote about, you know, where they're sharing of risk and compromise around the credentials in a network in an anonymous way. And you know, I think we need to come together to share that kind of information to alert each other to risk associated with
Guys get together. So, you know, the bad guys are sharing, what's working. Right? Yeah,
It's exactly right. And I would argue though that a lot of the sharing probably takes place more than we in the identity silo know. So you mentioned STIX and TAXII, which are pretty well-developed standards, you know, the ISACs, you know, so the information sharing that is specific to industries like financial services. So, so in fact, this, this type of threat intel is pretty widely shared, including with different parts of the US government and the intelligence community. So I'm,
I'm confused. I really wanted to understand this because you're saying in the US, this is not happening.
No it,
Because we share everything in Germany,
Those are US federal government standards, to be clear. So it does happen, was my point, and that I think there's an opportunity, or to an extent, right. It's not perfect. But I think in the private sector, there's more, there's even
More, we just do it in the private sector, Germany, it's working, it's working, it's all private sector. So, so I'm just asking, I told you, you all,
Yeah. Facebook has ThreatExchange, which we host, which is a whole threat information sharing platform like that, built on our same technology stack, which is a different schema related for sharing incidents and indicators of compromise and all this kind of stuff. And we share with Google, Microsoft, everyone. Microsoft has their own platform for doing that. So this is
Already at scale. IBM has their own platform. I think many companies have this in addition to the industry-wide consortiums, which go back so
Well, I think there's a couple of different angles though. 'Cause what you were talking about, David, is more of a real-time lookup of, oh, somebody checked in at Austin, consumer info, yeah, on Facebook. So I know that their credit card transaction is likely to be coming from there. I mean, that's different than STIX and TAXII. And I think that means there are several different kinds of information sharing we need to have. So where do we go from there? Steve's probably got an answer.
Steve, count on you.
I have more questions than answers, to be honest, but in terms of the, the, the standards that I, that I see emerging, another one in addition to STIX and TAXII is the OpenID working group called RISC. You know, having discussions with members of the group and with large, very large enterprises that see that as the answer makes me concerned, because I see that, you know, if only a very few large companies are getting together to define the standards, some of them are represented here, there's a lot of other very excellent large enterprises and, and mid-market companies that aren't gonna benefit from participating in that, and therefore exclude a, a big share of the market, including SMB, which is, you know, gonna continue to perpetuate the problem. And not, not only that, even when the companies do come together to define standards such as the schema or the taxonomy for how to share the information, they're missing
one of the most important elements: they're not gonna share credentials, either the breached ones or the ones that exist in the company's database, which is probably the most important thing to, to be able to verify, and standards aren't gonna be able to enable that. That's gonna require, you know, private sector companies coming up with commercially available solutions to actually go after the largest cause of data breaches, which is compromised credentials, and the standards bodies can, you know, bless, you know, whatever approach a company wants to take. But you know, it's not really going to do a lot to enable those kinds of solutions,
Credentials like address and passwords that are,
And yeah, rainbow tables or, you know, frequently compromised passwords. But in terms of a user's history of compromised passwords, I don't know that any one company is sponsoring, maintaining such a database unless you're doing it in a peer-to-peer sharing fashion. And if a company is doing it in a peer-to-peer sharing fashion, you're again excluding the benefit of that to the large portion of the marketplace. So Steve, you're proposing something, or did you have a question? I'm trying to facilitate a dialogue, ask the questions. That's my job. I'm seeing, you know, what I'm seeing in terms of the existing standards today, I see some, some gaps in it, potentially excluding benefiting a lot of others in the broader ecosystem. Yeah. The ones who aren't gonna go to ThreatExchange and directly integrate it into their authentication systems.
So would part of the answer be, if you're gonna start a business, you're gonna start an online retail service or online presence, should the first thing to do be not implement authentication, not even handle user name and password, but just assigned to fully rely on a third-party IDP? 'Cause in that case, you're, you're getting rid, well, partly you get rid of the problem of, oh, the credentials are gonna get stolen. So take that point. You open an Amazon account, you have to have an Amazon user name, ID and password. But what if Amazon said, well, no, we'll just let either Google or Facebook, you choose, handle the authentication. And then we, Amazon, will just store your preferences. We won't even store your credit card, cuz we're gonna use PayPal or maybe Capital One as, as a means to pay. So you sign up with those services and you don't fill in your, your credit card information with us, because then if you get hacked, it's gonna be minimal information that was stolen.
So one last question about exactly how this works. I mean, so what kind of information exchanges could you describe? You know, the threat exchange that may go on between Capital One, other banks, Facebook and other identity providers. Do you have a quick overview you could tell people about, or if not, would you like to address that?
So, so I think that there were several good ones mentioned. ThreatExchange. IBM has the X-Force Exchange. The, the information clearinghouses that are set up by industry, the retail, FS, chemical, et cetera. So, so it's not that these don't exist, there are actually quite a few out there and, and they are very effective. I think that the question is adoption. And this is always a problem in the industry, whether we're talking about, yeah, education, adoption, whether it's information sharing forums or, or technologies, where it's, you know, different, you know, new technologies themselves, you know, they could be made available. But your point about the SMBs, it's an adoption problem. Just because the standards are set by the big companies doesn't mean that they can't be used more widely. Someone's gotta go drive the adoption in the marketplace, or they've got, people need to be, companies need to be incentivized to adopt these technologies in their forums, through things like liability rules.
And, and to the extent that they're closed, because the value of this information also in large part is keeping the knowing what you know behavior. So there's an inherent tension there between making it open access to everybody and providing information versus having a more trusted group where you know that information's, so there's, there's very much inherent tension there, which goes back to the point that if you're a small or medium business, you shouldn't think about, you're committing malpractice if you roll your own username and password solution in 2017,
Speaker 10 00:40:49 I mean, I think there's a lot of value in the ThreatExchange, but I think David, what you were saying doesn't exist at all today, needs to exist for the consumer space, which is the context sharing, right? And we, we deal in adaptive authentication in some respects, trying to learn about devices and locations and velocity and Danes, but that's not enough context, right? As a consumer, I want control of my context. So I can, as you said, link my credit card to my travel system, to my Facebook account, to my email, to my list, to my that. So they can all generate context about me, cuz I've allowed them to do so. Like today I can come here to Uber
Speaker 10 00:41:26 And Uber automatically scans my receipt to classify the expense, sends it to my bank, I mean, you know, it submits for me to my approver in, in expense pay or, sorry, expense payables, payables, who sent a direct deposit to my account, who I then linked to my credit card and paid my credit card. Like it is no touch, but I went through the burden of telling everybody to talk and fill out forms and here's the password. And like that was cumbersome, but I did it, cuz now it's no touch. We need a better way to allow consumers to create context about themselves so that, so that we can combine user experience, privacy and security in control by the consumer. And I guess that wasn't a question, I was soapboxing, sorry.
And then adding transparency on that so that you know what information flows from A to B. I think one of the cultural aspects in the Anglo-Saxon world, UK, US included, is that you're afraid the government's gonna know too much about you. In the door, it's totally different. It's like the government knows everything I earned, every last penny I earned. Oh great, I don't want to do my taxes anymore. You know? So it's, it's a cultural thing. If you're happy with the government knowing information about you, then you're gonna rely on the government for authentication. You're gonna rely on the government for information sharing. It's not a panacea, because everyone is so, going back to threats, the fact that it's the government handling it or, or someone else handling it, I don't think it necessarily reduces the risk. Right. Was Equifax any better, any worse than the US government? It's people at the end of the day. It's true. Okay. So that's it. Thank you to the panel.