Industry 4.0 | April 21, 2022


AoID

ALL OTHER IDENTITIES

by Richard Bird, Chief Product Officer, SecZetta

Identity Over the Years...

I’ve spent the largest part of my technology career focused on cybersecurity in general and identity specifically. Over the past dozen years, I’ve seen a lot of changes in the C-suite and across governments, organizations and agencies in their recognition of the critical role that identity plays in achieving safety, security and privacy. I wish I could say that those changes had been significant enough to yield tangible results in the escalating curve of cyber-related fraud, losses and breaches, but the data clearly shows that most enterprises and organizations still treat identity as an afterthought instead of as the core tenet of their security frameworks. We don’t have to look any further than the last several years of the Verizon Data Breach Investigations Report (DBIR) to confirm that while vulnerability exploits only account for 3% to 5% of causal factors for breaches, identity-related or identity-enabled pathways are the primary cause for more than 80% of all recorded breaches. And folks, that percentage hasn’t changed for years.


That isn’t to say that the security solutions industry hasn’t made great strides in providing tools to address secure access control to company assets. While several identity providers still focus heavily on access administration (decidedly not a security-focused approach), most are barreling down the path of multi-factor authentication, identity risk scoring, proofing and verification. But the roots of identity start with the workforce. Our first and continuing efforts were solidly oriented to providing a unified method to manage employee access across a diverse set of assets, systems, applications and infrastructure deployment methods.

Workforce Identity Access Management

The workforce identity access management (WIAM) use case has been a focus for so long now that it is fair to suggest that access control for the workforce has been solved. If an organization is struggling with implementing a high-quality workforce identity program, the reality is that it isn’t because of technology. The harder truth is that companies are consciously electing not to expend the money or the effort to bring most of their technology architecture up to date with today’s identity capabilities. Cost is most certainly the sword of Damocles that senior management wails about when the subject of paying for that high-quality identity control environment comes up. The fact that the Verizon 2021 Data Breach Investigations Report pinpoints identity as the majority driver for all breaches while the IBM Cost of a Data Breach Report 2021 recorded a 17-year high of $4.24 million per event completely crushes that line of reasoning. Workforce identity is solved, you just need to get on board.

Customer Identity Access Management

But WIAM isn’t the only game in town. We’ve also seen the rise of customer identity access management (CIAM) as both a discipline and a solution over the past few years. The CIAM frontier is a bit like the wild, wild West currently. Customer accounts have previously been, and may currently be, managed by dozens of different organizations and services within a company. Who “owns” a customer identity within a company? That is a question that is causing many Tombstone-esque shoot-outs, figuratively speaking, within companies. Who “owns” that customer identity is not just a topic of economics, but of corporate politics. While the organizational mechanics of creating a holistic digital identity for a customer have impacted both the evolution of CIAM (Is it ease of use or security and privacy that we should strive for? Don’t security and privacy make it hard to provide ease of use?) and the speed of acquisition and adoption, many enterprises are rapidly moving to apply the existing solution base to a business problem that is ripe for change and improvement.

But What About All Other Identities? (AoID) 

Digital Identity

  • Control WHAT
  • Control WHEN
  • Control HOW

You may be asking “what are all these other identities of which you speak”? That question is itself a reflection of how the entire digital world has been architected to neglect and forget identities, from the very beginning of the digital age. The programs addressing the weaknesses and exploitable characteristics of both WIAM and CIAM use cases are really nothing more than an attempt to correct the digital world’s most persistent defect: that an account and password equals you. An account and password are nothing more than a key to a lock. The history of technology is the repetition of the error of marginalizing and excluding identity from the mix.

But assigning identities to everything is what human beings do and have done for millennia. And the digital identity universe of all other identities is way larger than just WIAM and CIAM. Contractors, service partners, agents, bots, devices, volunteers, operational technology: the types of other identities we deal with every day are almost too expansive to enumerate.

Third Parties
  • Contractors
  • Vendors
  • Suppliers
  • Service Providers
  • Agency Staff
  • Partners
  • Agents
  • Franchisees
  • Affiliates
  • Retailers
  • Distributors

Individuals
  • Students
  • Volunteers
  • Freelancers
  • Researchers
  • Residents

Non-Humans
  • Bots/RPA
  • Service Accounts
  • Applications
  • Devices
  • Controls

That "Thing" has a Name

Many argue that we shouldn’t ascribe an identity to everything in the digital world. Why not? Why would we treat the digital world differently than the analog world? Let’s engage in a thought experiment to dispel the notion that ascribing an identity to a digital “thing” is wrong.


Have you ever had a car that you gave a name? How about a boat? Have you given your pets names? Go to any summer resort community and see how many of the cabins and cottages have their “names” emblazoned on a little plaque on the porch. We have assigned human identities and characteristics to everything around us.

Mt. Hood. The Chrysler Building. The Regina Sofia. What is the name of the giant stone face in Yosemite? El Cap. We call a giant rock wall in the California wilderness, The Captain.

We even give corporate-funded names to stadiums, racetracks, and sports venues. Assigning inanimate objects and non-human beings an identity is what we do. Except in the digital world. Because it’s special?

No, the digital world isn’t special. It isn’t mystical. It isn’t unknowable. The digital world is a means of production, pure and simple. The fact that it moves faster and travels on light waves doesn’t mean it is a separate world and it doesn’t mean it operates differently than the analog or real world. Assigning identities to stuff is what we do, and it has proven to be highly effective throughout human history.


The WIAM world was our first frontier. A decade or two ago, managing 100,000 or 200,000 human identities in the corporate world was a massive number. In the last few years, as large companies have focused on CIAM, the numbers of identities have dwarfed the corporate workforce space. Hundreds of millions of identities are more common than not, with a handful of companies managing billions. But the universe of all other identities (AoID) is exponentially larger than both WIAM and CIAM combined. AoID isn’t just the next stage of identity. AoID encompasses the use cases where the greatest risk to our operations, revenue and reputation resides.


All Other Identities


These use cases for all other identities today are widely known in most enterprises, but almost completely ignored from a security and control standpoint. They include identities like those found in agency and franchise models: agents and owners that need business-critical access but don’t technically work for the parent enterprise. Contractors working in the banking, defense contracting, retail and supply and logistics industries aren’t in human resource systems and aren’t managed effectively by existing identity solutions. Seasonal workers and volunteers aren’t company hires. Massive events like NFL football games, the Olympics or the Glastonbury Music Festival have thousands or tens of thousands of identities needing to be coordinated across digital systems. And the use cases for AoID are growing rapidly as more companies begin to realize that assigning an identity to devices, service accounts, robotics and operational technology is the quickest and most effective route to reducing risk. And for the longest time, there has been no solution focused solely on this space of all other identities.

Without a focused solution, many companies have had to resort to home-grown approaches or bending other identity solutions to meet the most basic functionalities not covered by CIAM and WIAM. This bending is usually accomplished with custom code, which rapidly turns bending into breaking with every subsequent upgrade, enhancement or sprint. AoID requires a different approach and focus, one that is driven by actively and constantly seeking to know and mitigate the risk associated with an identity that you do not fully control. AoIDs require an identity authority that isn’t based on managerial hierarchies and roles like WIAM or business product associations like CIAM. An AoID authority has to deliver a relationship-based view of identity. And most importantly, an AoID authority has to answer one of the least often asked questions about an entity seeking access to your systems: why?
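To make the contrast with WIAM and CIAM concrete, here is an added illustration (not SecZetta’s product or code) of a relationship-based identity record: an external entity gets access only through an active relationship that names an internal sponsor and states why the access exists. The record fields, entity types and sample identities are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

@dataclass
class Relationship:
    """One relationship through which an external entity obtains access (hypothetical model)."""
    kind: str               # e.g. "contractor", "franchisee", "bot"
    counterparty: str       # organisation or business owner the entity relates to
    sponsor: Optional[str]  # internal person accountable for this entity
    purpose: str            # the "why": business reason the access exists
    start: date
    end: Optional[date]     # None = open-ended, which is itself a risk signal

    def active_on(self, day: date) -> bool:
        return self.start <= day and (self.end is None or day <= self.end)

@dataclass
class ExternalIdentity:
    entity_id: str
    entity_type: str        # "human" or "non-human"
    relationships: List[Relationship] = field(default_factory=list)

def evaluate_access(ident: ExternalIdentity, today: date) -> List[str]:
    """Return findings that block or flag access; an empty list means allow.
    Access derives from an active relationship with a stated purpose, not from
    an org-chart position (WIAM) or a customer account (CIAM)."""
    active = [r for r in ident.relationships if r.active_on(today)]
    if not active:
        return ["no active relationship: revoke access"]
    findings = []
    for r in active:
        where = f"{r.kind} relationship with {r.counterparty}"
        if not r.sponsor:
            findings.append(f"{where}: no internal sponsor")
        if not r.purpose.strip():
            findings.append(f"{where}: no stated purpose (the 'why')")
        if r.end is None:
            findings.append(f"{where}: open-ended, needs a review date")
    return findings

# Constructed sample data; the reference date is the article's publication date.
TODAY = date(2022, 4, 21)
CONTRACTOR = ExternalIdentity("ext-1001", "human", [Relationship(
    "contractor", "Acme Staffing", "j.doe", "Payroll migration", date(2021, 9, 1), date(2022, 3, 31))])
AUDITOR = ExternalIdentity("ext-2002", "human", [Relationship(
    "vendor", "Example Audit LLP", "a.lee", "FY22 audit fieldwork", date(2022, 4, 1), date(2022, 6, 30))])
ROBOT = ExternalIdentity("rpa-007", "non-human", [Relationship(
    "bot", "Finance Ops", None, "", date(2022, 1, 10), None)])

print({i.entity_id: evaluate_access(i, TODAY) for i in (CONTRACTOR, AUDITOR, ROBOT)})
```

The expired contractor is revoked outright, the sponsored auditor with a dated engagement passes, and the bot is flagged three times because nobody owns it, nothing explains its access, and it never expires.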


Next in Industry 4.0...


We’ll explore this issue of “why” and the fundamental importance it has in dramatically improving security and operational efficiency within your organization.


© SecZetta 2022