By Joni Brennan, Executive Director, Kantara Initiative
Introduction:
In the interest of supporting trust toward economic growth, the OECD Privacy Guidelines provide a tool for privacy best practices supporting European Union data protection legislation (and cultural expectations) as well appropriate transborder flow of personal data. The IEEE-SA and Kantara Initiative provide this article as participating members of the OECD-ITAC to discuss the changing nature of identity management with more focus toward relationships between people, entities, services, and things. The concepts provided are observations in development within the Kantara Initiative open and transparent community.
Identity and access management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons [1]. IAM services were traditionally built for a company’s internal use, to assist with manual on and off boarding and for establishing access privileges to organizational data and systems. Today organizations must implement a dynamic IAM solution that serves employees and customers, partners and devices, and all those in between, regardless of location. This is the evolution of IAM to Identity Relationship Management (IRM).
IRM evolves IAM by focusing on:
- business values of consumers and things, adaptability, top line revenue, and velocity.
- technical values of internet scale, dynamic intelligence, borderless, and modular.
As people and “things” are assigned identities across networks simple, flexible and scalable IRM services designed to quickly verify identities and access privileges become imperative for any business or institution to safely and efficiently engage with their users. People expect solutions to link devices from laptops to social apps into a single secure platform that works anywhere at anytime. Basic trust of stakeholders in these ‘shared spaces’ is key to enabling market growth and innovations.
With more networked devices sharing data, privacy tools are paramount to ensure systems are trustworthy. References are made to “contextual identity”, where “context” focuses on connectivity and data that reveals something about a user. Use of context can improve the user authentication experience. However, enabling use of personal data while protecting users’ privacy is challenging. Communities must understand how this data may be used and what governance policies are necessary.
Communities must provide user data control tools to enable trust. Examples include Privacy Lens [2], an Internet2 pilot funded by the US National Strategy for Trusted Identities in Cyberspace, and User Managed Access (UMA) [3] for resource authorization, a project of Kantara Initiative. Vendors may review the OECD Privacy Principles [4] for a sense of their performance regarding respect for user privacy.
Conclusion:
We suggest organizations engaging with hyper-connected customers to:
– Understand the risks your organization takes in context of the resources used to manage current and future systems for customer and vendor relations.
– Limit data collection to only what is needed to safely perform a transaction.
– Be transparent about your data collection and practices
– Connect with your peers and competitors through vendor neutral consortia.
– Seek solutions that have been verified by a neutral body.
– Adopt industry standards and build your unique optimizations around them.
– Adopt third party vendors who deploy open standards.
When shifting from the closed world of IAM to the open world of IRM, advanced user engagement tools are necessary to protect privacy while providing dynamic engagement.
[1] Source: http://www.gartner.com/it-glossary/identity-and-access-management-iam/
[2] https://spaces.internet2.edu/x/RILYAg
[3] https://kantarainitiative.org/confluence/x/LgAPAQ
______________________________________________
Joni Brennan builds diplomatic and collaborative relationships within and across communities of interest. She participates in international organizations and industry standards committees including: OECD ITAC, ISOC, IEEE, OASIS SSTC, ISO SC27 WG5, and ITU-T SG17 Q6. She has served as the NSTIC / IDESG Trust Framework WG Chair. She has provided testimony regarding Trusted Identity and Access Management systems for the US ONC HITSP as well. Joni has helped drive and formalize strategic partnerships between Kantara Initiative and organizations including: Geant, Terena, OASIS, IDESG, DirectTrust and EHNAC.
She leads Kantara Initiative as the premiere Trust Framework Provider facing multiple industry sectors. As a US ICAM Trust Framework Provider Kantara Initiative will provide Accreditation and Approval verifications for Identity Providers / Credential Service Providers to be deemed qualified for access to connect to the US Federal Cloud Credential Exchange. In addition, working with multi-stakeholder representation, Joni has help to ensure that the Kantara Initiative program is aligned and referenced in multiple eGovernment strategies including: Government of Canada, New Zealand, and Sweden.
Joni has over a decade of service to the IEEE Standards Association (SA) and Industry Standards and Technology Organization (IEEE-ISTO) as a Senior Program Manager . She is a member in good standing of the American Society for Association Executives (ASAE) and an honors graduate of of the first class of Rutgers University Information Technology and Informatics (ITI) programme at the School of Communication and Information (SC&I).