Rethinking digital identity


Digital identity is a critical issue for all governments as they look to join up services and match data to enable smarter and better applications. There are a few different options as to how they approach the issue, writes Nic Nuske.

Every day we read about a new threat to personal, government and business systems, despite the billions of dollars spent annually on cyber security. In fact, at least one in four people reading this will personally experience an identity breach in the next two years.

Direct losses are often covered; however, the reality is that we all ultimately pay for the economic impact of cyber-crime. Recent cyber-crimes have also had dramatic political and social outcomes that have arguably changed the course of history. It is estimated that the economic impact of cyber-crime in Australia will exceed $15 billion this year, and Forbes estimates that the cost is tripling every two years. The actual costs, including the significant costs of building cyber security layers, are becoming increasingly apparent, and are clearly unsustainable on their current trajectory.

If these new threats are not enough, many of us are also carrying a few battle scars of escalating IT costs or project blowouts as we try to implement better customer services. Everyone is grappling with the complexity that has built up over many years: multiple networks (open and closed), on-premise and cloud-based applications, millions of devices, software for every function and the challenge of trying to recognise and manage what access users have in each environment. Meanwhile, smartphones and platforms have transformed how people go about their lives, moving from organisational dependence to individual control.

Whilst we are designing systems to make our customers’ lives easier online, we are often having to trade off either security or convenience. Entering long strings of numbers and taking multiple steps to select street signs in pictures all add to the complexity of the user experience online. Further, we are also expecting users to trust organisations and give up unique information (which can’t be reset when breached) like facial features or fingerprints.

The bottom line is: it’s hard for anyone to realise the benefits of digitisation when grappling with the complexity of mixed architectures, threats of cyber-crime and escalating costs and risks associated with both.

Time to stop paving the same path!

Many of our current systems were created to work as private networks, where access to individuals and devices can be controlled with rules and audit trails. Although the concept of the internet dates as far back as the 1960s and the World Wide Web went mainstream in the mid-90s, the opening up of these systems to outsiders has been gradual. We are still grappling with the convergence of mixed systems (open and closed), the trillions of devices connected to the internet and the millions of applications co-existing in hybrid environments without any real standards for proving identity (the internet was purposely developed without an identity layer).

The answer to the emerging change has mostly been to keep developing and layering on more and more of the same architectures – re-paving the same cow path in an effort to keep up.

We need a new Security Architecture

In this world of joined-up data/services, mixed private and public data, AI-driven cognitive systems and sophisticated algorithms, more flexible security architectures that switch between open and closed networks seamlessly, together with a trusted universal ID and verifiable authentication, are essential.

Paving the same path has meant that we are not only building tomorrow’s legacy of problems, but we are also increasingly exposing citizens to the potential threats emerging with the internet of things, such as riding in hijackable machines like autonomous buses and cars. A risk-managed approach may have unacceptable outcomes.

So, if we have the luxury of designing this new security architecture and trusted distributed system from the ground up, how would it look?

It is made for the internet, and can switch millions of private connections from user to user across the internet, in and out of open or closed environments.

  • Users, not organisations, can control their own ID and consent, and store their own ID information.
  • It uses secure methods that can remove the occurrence of any unauthorised use of an ID.
  • Its security can protect a transaction or transmission against hijacking or interception.
  • It can work securely over multiple systems, operating systems and platforms.
  • It can provide the user with the tools to have complete confidence in the party at the other end of a transaction or communication.

At this point, many people would propose Blockchain or Distributed Ledgers as a possible solution; certainly, billions of dollars are pouring into R&D to explore this. While it continues to have much data integrity potential, a number of recent publications have highlighted that Blockchain is yet to solve the security, identification, scalability and privacy features required for an identity platform.

One that gives the power of identity and privacy to its users

If we could rapidly implement a security architecture that switches private connections between individuals and organisations, we would be able to manage our living and working lives with confidence. At the heart of this is the capability to prove authentication of identity and security and to manage privacy. It can be argued that this requires a shift from traditional organisation-bound identity credentials to externalising and aggregating the identity with the true owner – the user. Consumers want power, comfort, convenience and security, so for any solution to be quickly and effectively adopted it should:

  • Deliver a simple ID credential with a single re-usable way to login.
  • Provide the user with complete control over usage and any changes to identity details.
  • Be able to be used with any system, device and operating system.
  • Have security that protects the end user and allows them to trust who they are dealing with online.

Being innovative does not have to be risky!

The real risk is that we don’t shift our mindsets quickly enough from always looking at established technologies to seeking out the innovations which are being specifically designed for mixed architectures, such as Melbourne-based VeroGuard or Sydney-based Meeco. New architectures can deliver the true citizen-centric models we desire by converging security, identity and convenience together, in turn delivering a new level of trust for the economy of people.

We have an extraordinary opportunity, and some might say responsibility, to pursue and trial these step-change security solutions that protect all Australians across domains, particularly those developed in our own back yard. Considering what is at stake with cyber-crime impacts, a sustainable digitisation path which more people can use and trust is essential, and the opportunity is massive for those leaders who open new paths that at the same time could actually reduce their ongoing risks.