Let me clarify what I mean by this.
When most people talk about identities they are really talking about identifiers – such as a username. I explored this insight in 2007 with Kim Cameron of Microsoft in this Gartner Fellows interview.
So getting past the confusion with identifiers, what is an identity? An identity is who the person really is. However, no one (probably including the person themselves) really knows who they are.
We all work with “models” of who we think people are, based on the information we have at the time (context). More intimate relationships have better models, but there is no such thing as a perfect model.
A spouse or a parent should be able to build really good identity models with really intimate information as to who a person really is. But often when something really bad happens – a murder, a robbery, an act of violence, etc – you’ll hear people close to the person say that they “never really knew the person” and that they had no idea the person was capable of whatever happened. Even intimate models aren’t perfect.
Why does all this matter?
Increasingly, we are tearing down the walls of our enterprise and our systems to provide access to people that aren’t employees. I had one client in the pharmaceutical space tell me already they are supporting more external users accessing their internal systems than internal users.
What’s the difference between an employee and a non-employee needing access? Not much really. It’s mostly just a matter of the confidence in our model. We have more information (and thus, better models) of employees, so we tend to place higher trust in them. But this really is an outdated notion. We never had absolute trust and we never had absolute identities. If we acknowledge this, then we can have a discussion on how much information we need to have a “good enough” model of the identity so that we can engage in the requested transaction.
Instead of perceived absolute trust (which we never really had), we will shift to a paradigm that embraces variable levels of trustability — adaptive and context-aware security policy enforcement mechanisms that help us answer the real question:
“Do I have enough trust in the entities involved to take the requested action at my current level of risk tolerance and given the current context to allow the action to take place?”
That’s a direct quote out of my most recent research note for clients titled The Future of Information Security is Context-Aware and Adaptive.
If all you are doing is registering for a webcast, a valid email address may provide enough information for the model. If you are subscribing to a newsletter, perhaps I’ll ask about more of your interests and preferences. If you are signing up for a bank account, I’ll want your social security number or some other type of government-issued identifier as well. These are all just variations of precision and confidence in the model of the identity of the user requesting the transaction.
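To make the three tiers above concrete, here is an added toy policy-decision function (not code from the research note) that treats identity as a scored model: each piece of verified evidence raises confidence, risky context lowers it, and every action sets its own threshold. All evidence names, weights and thresholds are constructed for the illustration.

```python
"""Toy adaptive-trust policy: does the evidence we hold about a requester give a
"good enough" identity model for the requested action in the current context?
Weights, thresholds and signal names are constructed for this example."""
from dataclasses import dataclass, field

# Assurance each piece of verified evidence adds to the identity model (constructed values).
EVIDENCE_WEIGHT = {
    "verified_email": 0.3,
    "profile_interests": 0.1,
    "government_id_verified": 0.5,
    "mfa_passed": 0.3,
}

# Minimum confidence each action demands: the less error we can tolerate, the higher the bar.
ACTION_THRESHOLD = {
    "register_webcast": 0.25,
    "subscribe_newsletter": 0.35,
    "open_bank_account": 0.9,
}

# Context signals that reduce confidence in the model (constructed values).
CONTEXT_PENALTY = {
    "new_device": 0.15,
    "unusual_location": 0.2,
}


@dataclass
class Request:
    action: str
    evidence: set = field(default_factory=set)   # verified facts about the requester
    context: set = field(default_factory=set)    # observations about this particular request


def model_confidence(req: Request) -> float:
    """Score in [0, 1]: evidence adds assurance, risky context subtracts it."""
    score = sum(EVIDENCE_WEIGHT.get(e, 0.0) for e in req.evidence)
    score -= sum(CONTEXT_PENALTY.get(c, 0.0) for c in req.context)
    return round(max(0.0, min(1.0, score)), 2)


def decide(req: Request) -> str:
    """Return 'allow', 'step_up' (ask for more evidence) or 'deny'."""
    if req.action not in ACTION_THRESHOLD:
        return "deny"  # an action with no defined risk tolerance gets no trust at all
    needed = ACTION_THRESHOLD[req.action]
    have = model_confidence(req)
    if have >= needed:
        return "allow"
    # Small gap: more evidence could bridge it, so ask rather than refuse outright.
    return "step_up" if needed - have <= 0.5 else "deny"
```

The same email address that is enough to register for a webcast only earns a step-up prompt for a bank account, and a new device can push even the webcast case back to a step-up.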
Identities are adaptive models. Trust is not absolute. Our enterprise authentication and authorization systems must become context-aware and adaptive to support this.
Food for thought.