If you come from a software engineering background, the tradeoff between requirements, quality and delivery dates is one you’ll be intimately familiar with. In corporate or transaction law, there is a natural tension between facilitating deals promptly and with least friction whilst satisfying critical legal and policy obligations. Investment professionals balance risk against return with every trade they make or advise.
I’m increasingly struck by one of the balancing acts we need to perform in the digital identity profession: ‘knowing’ who someone is, whilst affording them an appropriate level of privacy and security.
“Appropriate” and “knowing” are perhaps dangerous words to use: they are open to wide interpretation, and will change with context. Different transactions have different needs; different societies or interest groups have different sensitivities and tolerances.
There is, however, an increasing and noticeable trend in the direction of the use and sharing of ‘verified’ attributes which warrants careful consideration. There are absolutely cases where such sharing has value – permissioned sharing in the provision of financial services, for example, holds much promise in terms of driving down the costs of regulatory compliance, providing better security and improving customer service and access. There are also examples where the quid-pro-quo is perhaps less clear – age verification? Registering an account to read an online publication (not comment – just read)…?
There are other areas where balance is important. In this month’s issue, you’ll find the second part of Ken Robertson’s series on Privileged Access Management (if you missed Part I, you’ll find it in the January 2018 issue). PAM is a critical part of an identity (and system) security strategy; as Ken points out, the success of a PAM program depends in part on understanding which systems to protect first; how to protect legacy systems; and which technologies will best fit the needs of the organisation as a whole. In other words: balancing the identity security priorities against the other daily needs of the business.
Finding balance is one thing, keeping it is another! These are hard questions – finding answers (and convincing others that you are right) takes time, effort, and energy. It’s all too easy to sit back at that point – but circumstances change, technologies evolve, challenges mutate. Sometimes, that means the answers will change too. That doesn’t mean the original answer was wrong; just that it’s wrong now. It’s OK to course-correct, if that’s what the situation requires.
Of course, you might also find you need to balance a change of direction against a strongly held principle… but in the interests of balancing my desire to get into the topic of ‘principled identity management’ and the word limit for the editorial, perhaps I’ll leave that to another time.
Chair, Editorial Committee
Board Member, IDPro