IGA Archives - IDPro
https://idpro.org/tag/iga/
The Professional Organization for Digital Identity Management

Identity and Human Rights
https://idpro.org/identity-and-human-rights/
Thu, 28 Dec 2023 14:14:46 +0000

The post Identity and Human Rights appeared first on IDPro.

Digital identity systems have been a core component of organizations in every sector and around the world. Here at IDPro, we often focus on the enterprise and consumer end of things. Workforce identity and CIAM are the bread and butter of most IDPro members. But we’ve always known that digital identity is more than just a department or a role at a company. It’s truly the foundation of our digital lives.

Identity and Human Rights

The Universal Declaration of Human Rights enshrines the concept of recognition as a person before the law as a fundamental human right. Digital identity is a new aspect of that fundamental right, a topic covered by Elizabeth Garber and Mark Haine in the white paper “Human-Centric Digital Identity: for Government Officials.” This right has also inspired the United Nations Development Programme (UNDP) Model Governance Framework for Digital Legal Identity System.

Source: UNDP Digital Legal ID Governance website – https://www.governance4id.org/ 

Digital Identity and the United Nations

It might seem like a big stretch to go from our day-to-day worries about our IAM systems to a governance framework designed for governments worldwide to adapt as they build their digital identity programs, but it’s happening. The UNDP argues that there is a significant social and economic benefit for governments to digitize their identity programs and close the identity gap. In financial services alone, a strong digital public infrastructure is expected to speed up growth by 20-33%.

Think about it. Our little corner of the world, which focuses on a specialty so young you almost certainly don’t have a degree in it, is now a core aspect of global economic growth!

Eight Core Themes

So, what does the UNDP’s framework look like? As expected of the UN, they are taking a broad approach that considers all elements of society. Specifically, they offer guidance on:

  • Equality and Non-Discrimination
  • Accountability and the Rule of Law
  • Legal and Regulatory Framework
  • Capable Institutions
  • Data Protection and Privacy
  • User Value
  • Procurement and Anti-Corruption
  • Participation and Access to Information

The UNDP model comes from their legal identity AND digital public infrastructure efforts, which is the right combination of organizations to bring together. Digital transformation is a bit of a buzzword, and yet, that’s what is happening. The UNDP is trying to help provide some guidance so countries are at least somewhat going in the same direction. They’ve already noted that there are at least as many failed identity programs as successful ones, usually because of inadequate governance. 

Digital identity always comes down to governance.

Applying the Framework

We can always learn from others, and we have an opportunity, regardless of what sector we work in, to learn from the UNDP framework. While targeted towards governments and civil society, there is quite a bit here that the public sector can apply to their IGA programs. One example is the need to treat support for equity and diversity as a foundational principle. Another is ensuring the systems and programs are adequately funded and clear of undue influence.

Wrap Up

So why is this a Letter from Leadership post (which we’re also posting to the blog)? Because identity governance is our space and everyone in this organization has an opportunity to be a leader in ensuring the identity programs they are part of are well-designed and developed. So, as one leader to the next (that’s you), I hope you take a few moments to think about this bigger picture and how you can make the governance of the identity systems around you better.

Author

Heather Flanagan, Acting Executive Director and Principal Editor for IDPro (and Principal at Spherical Cow Consulting), comes from a position that the Internet is led by people, powered by words, and inspired by technology. She has been involved in leadership roles with some of the most technical, volunteer-driven organizations on the Internet, including the IETF, IAB, and IRTF as RFC Series Editor, ICANN as a Technical Writer, and REFEDS as Coordinator, just to name a few. If there is work going on to develop new Internet standards, or discussions around the future of digital identity, she is interested in engaging in that work.

Identiverse® 2022
https://idpro.org/identiverse-2022/
Mon, 29 Nov 2021 19:22:15 +0000

The post Identiverse® 2022 appeared first on IDPro.

Identiverse 2022 is slated for June 21-24 in Denver, Colorado, and is anticipated to operate as a mainly in-person event.  As with every year, the bulk of the agenda will be put together from proposals received through the open and public Call for Presentations (CFP), which will open for submissions in early December, and run until early January.  The content committee will then review submissions, and proposers will be notified of decisions in February 2022.

The conference this year will have a particular focus on Trust, which the Oxford English Dictionary primarily defines as a “Firm belief in the reliability, truth, or ability of someone or something; confidence or faith in a person or thing, or in an attribute of a person or thing.”

Questions of trust lie at the very foundation of our identity systems.  We trust standards bodies to develop protocols that will be useful, practical and secure.  We trust developers and vendors to build products, solutions and services that will implement those standards in performant, scalable and extensible ways.  We trust providers to deliver robust services that we and our customers can rely on.   We trust executives to listen and to support and fund the crucial work that we do.  And, of course, we develop and implement mitigations in case our trust is misplaced.

But trust is broader than this; and trust goes both ways.  As consumers and as citizens, we would like to trust that organisations won’t collect information they don’t need; that they will handle that data safely and properly; that they will keep pace with rapidly evolving best-practices in identity, security and privacy.  A world in which that trust is not assured is an uncomfortable world at best; and many people today live, work or interact in circumstances which are not inherently trustworthy. 

The OED has a secondary definition of Trust.  “To take on (also upon) trust (formerly also †to take up in (also upon) trust  †to receive in trust and variants): to believe or accept a statement, story, etc., without seeking verification or evidence for it.” (Emphasis added).  

Over the past 24 months, we’ve seen an explosion in digital identity assurance and verification programs.  Mobile drivers’ licenses, COVID and other healthcare passes and certificates, digital boarding cards, facial recognition for age verification and in-store check-out… the list is long, and it is growing.  As a result, we’re also seeing an explosion of interest in governance and interoperability within and between use-cases and sectors: trust frameworks, attribute mapping and matching, account linking and more besides.

These advances hold great promise to make our lives more efficient and connected; to reduce friction, and fraud, and risk.  But a balance is needed, too.  Trust is a fragile thing—hard to gain, easy to lose, difficult to rebuild.  Organisations and institutions must take care not to overstep the bounds of our trust, lest they lose our engagement and, in the end, our support.

Trust is an important topic, but it’s certainly not the only issue of note in the industry!  The topic focus each year for Identiverse infuses but does not dictate the agenda and the event.  New and emerging standards and architectures; deployment stories and leading practices; identity for connected devices; new approaches to privacy, security, devops, engineering; sector-specific identity practices in healthcare, manufacturing, government, education, financial services and more; and specific identity-related disciplines like CIAM, auth’n, auth’z, self-sovereign, IGA…. That list barely scratches the surface: and your proposals on these and many other topics will inform and contribute to the agenda.

This year’s content committee and I look forward to seeing your proposals; and I trust that we’ll be able to get together in person in Denver in June.

Andrew Hindle

Independent Consultant, Board Member IDPro

Andrew is an independent consultant specialising in digital identity, cyber security and privacy. He is a founding member, and Chair of the Board, of IDPro; he participates as a voting member of the User Managed Access Working Group at Kantara; and he is an active member of the Open Identity Foundation (OIDF). Since 2015, he has been Content Chair for Identiverse®. Andrew has over 20 years’ experience in the software industry in a range of technical sales, pre-sales, product marketing and business development roles. He maintains CIPP/E, CIPM and CIPT privacy certifications with the IAPP; a CIDPRO certification from IDPro; and holds a BA in Oriental Studies (Japanese) from Oxford University and an advanced professional diploma in corporate governance. Outside of the world of identity, Andrew is Chair of Trustees for his local scouting group, rides regularly with a local road cycling group, and plays keyboard, guitar and bassoon (not at the same time) with more enthusiasm than skill, and for an audience of one. Andrew is based in the UK.

#HumanFactor 11 – Ransomware, cybersecurity culture, and IGA
https://idpro.org/humanfactor-11-ransomware-cybersecurity-culture-and-iga/
Mon, 28 Jun 2021 15:58:47 +0000

The post #HumanFactor 11 – Ransomware, cybersecurity culture, and IGA appeared first on IDPro.

by Vladislav Shapiro

The end of May and beginning of June were dominated by the news about ransomware attacks on food (JBS), gas (Colonial Pipeline), water (Florida), hospitals (New York, Nebraska, Ohio, Missouri and Michigan), transportation (Steamship Authority) and responses by high-level officials: POTUS, Deputy National Security Advisor for Cyber and Emerging Technology, Energy Secretary, etc. The FBI director compares these current attacks to 9/11. Media headlines on this subject are very grim and talk about potential disaster due to a lack of cybersecurity.

Everybody knows it is a time for action. President Biden’s executive order talks about sharing threat information, partnership between government agencies and private corporations, Zero Trust Architecture, cloud security, multi-factor authentication, and encryption for data at rest and in transit as well as other cyber-tech buzzwords. Anne Neuberger, current Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, wrote an open letter on this subject and again focused exclusively on technology (best practices, backup, patch, test incident response, check your security team’s work, segment your network, etc.).

Neither of the documents even mentions cybersecurity culture and awareness, which made me, as a human factor specialist, very concerned. Some of the suggestions, like having a “skilled, empowered security team”, sound like a pipe dream for many enterprises.

Moreover, in the CNN article “Ransomware attacks saddle Biden with grave national security crisis”, the authors wrote: “all it takes is one computer user to inadvertently open the gateway to cyber attackers through malware”. As you see, the theme of “users as the weakest link” in cybersecurity is still popular: instead of discussing how to protect and build an awareness with positive impact, we are back to square one on culture. If people are left alone against bad actor attacks with no appropriate support, if an organization relies on their employees (often working 50+ hours a week from home and dealing with life issues at the same time) to be “vigilant” without a safety net, then it is a cybersecurity culture crisis, not a user problem. It is time to raise these cultural issues to the highest level.

KnowBe4 has released a new Security Culture Report in 2021. The main message is that “Security culture is a critical, need-to-have asset in the security toolbox. By assessing employees’ security awareness, behaviors and culture, organizations can adapt their policies and training programs to the constantly changing threat landscape.” For example, “organizations with poor security culture have a risk that is 52 times higher for employees sharing credentials”. I strongly support the author’s position that we will see real positive dynamics in digital security only after human beings and cybersecurity culture are made the center of attention.

Culture is not built overnight: it takes time and requires a lot of work. In my opinion, our job as identity subject matter experts is promoting people-centric security, creating positive identity-friendly experiences related to cybersecurity awareness, and shifting the focus from technology to human factor mitigation.

Our recommendations are the following: 

  • Discuss current events with your non-technical colleagues and solicit their opinions of the situations.
  • Promote cybersecurity culture within your organization by educating your leadership about it. Use the KnowBe4 report as one of your tools.
  • Actively participate in consumer and internal user education around how to recognize and withstand social engineering attacks. Show them that identity professionals are here to help.
  • Start researching existing guardrails and safety nets in your organizations which could protect your users in case of mistakes, such as clicking on a bad link. This is especially important when it comes to monitoring lateral movement or questionable requests for access outside one’s job responsibilities.

Question to our readers: What would you propose as a step for building positive cybersecurity culture in your company? As always, please share your feedback and opinions on our #humanfactor Slack channel.

Vladislav Shapiro

VP, Infrastructure Security Technologies

Brown Brothers Harriman
