If you come from a software engineering background, the tradeoff between requirements, quality and delivery dates is one you’ll be intimately familiar with. In corporate or transaction law, there is a natural tension between facilitating deals promptly and with the least friction whilst satisfying critical legal and policy obligations. Investment professionals balance risk against return with every trade they make or advise.
I’m increasingly struck by one of the balancing acts we need to perform in the digital identity profession: ‘knowing’ who someone is, whilst affording them an appropriate level of privacy and security.
“Appropriate” and “knowing” are perhaps dangerous words to use: they are open to wide interpretation, and will change with context. Different transactions have different needs; different societies or interest groups have different sensitivities and tolerances.
There is, however, an increasing and noticeable trend towards the use and sharing of ‘verified’ attributes which warrants careful consideration. There are absolutely cases where such sharing has value – permissioned sharing in the provision of financial services, for example, holds much promise in terms of driving down the costs of regulatory compliance, providing better security and improving customer service and access. There are also examples where the quid pro quo is perhaps less clear – age verification? Registering an account to read an online publication (not comment – just read)…?
There are other areas where balance is important. In this month’s issue, you’ll find the second part of Ken Robertson’s series on Privileged Access Management (if you missed Part I, you’ll find it in the January 2018 issue). PAM is a critical part of an identity (and system) security strategy; as Ken points out, the success of a PAM program depends in part on understanding which systems to protect first; how to protect legacy systems; and which technologies will best fit the needs of the organisation as a whole. In other words: balancing the identity security priorities against the other daily needs of the business.
Finding balance is one thing, keeping it is another! These are hard questions – finding answers (and convincing others that you are right) takes time, effort, and energy. It’s all too easy to sit back at that point – but circumstances change, technologies evolve, challenges mutate. Sometimes, that means the answers will change too. That doesn’t mean the original answer was wrong; just that it’s wrong now. It’s OK to course-correct, if that’s what the situation requires.
Of course, you might also find you need to balance a change of direction against a strongly held principle… but in the interests of balancing my desire to get into the topic of ‘principled identity management’ and the word limit for the editorial, perhaps I’ll leave that to another time.
Chair, Editorial Committee
Board Member, IDPro