Q&A: Protecting Data Privacy and Security as the Number of Digital Identities Surge

Establishing user identity and protecting data are among the key basics of cybersecurity, but as organizations are increasingly tested by data breaches, the old username and password combination is no longer up to the task. Many companies have added multifactor authentication and other tools to enhance security, and more are on the way.

“We need to rethink concepts like data privacy and security, and in some communities that rethinking is already taking place,” says Joni Brennan, president of the Digital identification and Authentication Council of Canada (DIACC). The Canadian partnership of public and private members aims to create an economically beneficial national digital identity framework that enhances both privacy and security.

“A lot about identity is about verifying pieces of data about you,” says Brennan, former executive director of Kantara Initiative, a U.S. trusted-identity group. “Identity shows up everywhere. People might not call it identity, but it is data and it is about you.”

If data is the new oil, as the popular saying goes, it’s important to remember that an oil spill can be toxic, Brennan notes. The growth in device use and the number of people working from home during the COVID-19 pandemic has urgently advanced the work of security professionals, she says.

“Every time we try to use a new service, we are asked to make a new account. And every time we make a new account, every time we share data with a third party, we create more complexity regarding privacy and security technology and policy,” Brennan says.

In this interview with Mimecast contributor Mercedes Cardona, Brennan talks about new identity technologies, new thinking around data protection and how privacy and security are part of the same family.

Editor’s Note: This is the third in a series of interviews with leading cybersecurity experts from academia, research institutions and the private sector.

Mimecast: As more of our lives get connected with more devices and identities, do we need to rethink what we consider data privacy and how we enforce it? Can we ever be 100% secure?

Joni Brennan: Privacy and security are related to each other; they’re family members. Maybe sometimes family members are at odds with each other, but they’re in the same family and they do work together. If we rethink privacy and data protection as being integral to data empowerment, the ecosystem starts to look a bit differently.

I look out the window at my desk, and I have blinds that come down on the window. Quite often, the way that data protection or privacy is thought of today is like building a big wall in front of my windows. We’re going to put up a big wall in front of your window, and that’s going to be protection. And that kind of protection might be good, but I really prefer the window blinds that I have versus a wall. I can pull them up or I can pull them down, and I can turn them a little bit. I have a lot of choices about who sees in or what I share and for what purpose.

We, the people, are not using data the way it can and should be used. We’re not putting people in control of data about them. By putting people in more control of data about them, security and privacy practices can be more efficient because we’re in control of what information is shared and when and for what purpose.

I think that’s the big missing link — we as citizens and consumers don’t yet have access to or control over information that’s issued about us, whether that data sits in governments or whether that data sits in institutions like banks or telecommunications providers.

Mimecast: How do you mediate that tension between the user experience and security?

Brennan: This digital identity space has many different tensions that are working with and across each other. That’s because identity — data about me — is something that I think about as a horizontal practice; nearly every sector needs good digital identity. If it’s construction, you want to know that your construction workers have the right credentials to be on the site and to do the job that you need them to do. If it’s healthcare, you want to know that it is the right doctor, it’s the right patient, that they should have access to that information, or the right hospital. If it’s a hotel, you want to make sure that the elevator repair person is actually from the company that you hired and is qualified to repair the elevator for you. If it’s banking, it’s, “Am I who I claim to be or am I trying to do some sort of fraud?”

We need to accept and embrace these tensions. We have to work with and through these tensions. Part of it is the need to focus on the root requirements for solutions. It’s very common for organizations to look solely at point-to-point solutions and say, “OK: point A, point B. Let’s solve in between there.”

The challenge is that there is a root issue that needs to be addressed. That issue is: There’s data about me in many systems, but often I can’t access that data and make actual use of it. That data might be a driver’s license or a passport, or that data might be that I’m a certified information security professional, or that I’m a patient, or that I’m a doctor.

Mimecast: When blockchain was a buzzword, there was some talk about creating blockchain-based tokens that would make your personal data portable. Could that be our next digital fingerprint?

Brennan: There are definite advancements regarding uses for blockchain or for distributed ledger technologies and for permission-based networks, as well as for a network-based approach called self-sovereign identity. Regarding networks, we see that a small number of networks exist and will emerge.

We don’t believe that a singular solution will solve the many digital identity challenges. As security people, we have to stay abreast of different trends and innovations as they develop.

We do see value in international industry standards that are developing toward the establishment of a common model for how data is created and how data is shared. For example, there is a World Wide Web Consortium [W3C] industry standard developing for something called “verifiable credentials.” In the W3C, the verifiable credentials is an interesting development because it contemplates the establishment of a common model for data to be issued and consumed by different networks built on different technologies with different governance models. This could be a common data model that a blockchain-type network could leverage. This kind of data could also be leveraged by more established industry standards, including OpenID, or in other technologies.

There will always be people and organizations that are ready to adopt new technologies and those that are not ready. And it’s worth noting that we’ve seen a shift in the trend regarding the concept of interoperability. Regarding interoperability, we used to focus on the use of one technology implemented in a prescribed way. Now when we talk about interoperability, we’re talking about the ability for different systems with different networks and different governance to be able to consume and leverage common data. That’s a definite change in the concept of the definition and value of interoperability.

Identity management technologies like blockchain and distributed ledger are yet one more piece of the puzzle. New technologies are additive to the ecosystem. Federated identity and single sign-on will continue to exist for quite some time. We have to think about new technology as additive and focus on learning as a community.

Mimecast: Biometric identity is being added to that. What’s its status today?

Brennan: At DIACC, one of the issues that we are talking about is biometrics. I have a phone that unlocks with a face biometric. I don’t find it works [for me] all the time. It is important to me that this biometric stays in the phone [inside of my trusted module] versus being stored by a third party. That said, some communities will agree that the biometric should be stored in the cloud. There should be transparency about how a biometric is used and stored.

When the pandemic started and we all started wearing masks, well, guess what? That basic phone recognition is not as valuable anymore, and it’s hard to make it work. How biometrics are used may be driven by culture and by events – like the pandemic.

You also see third-party organizations that have scraped the whole Internet for facial photos without permission. They are grabbing photos and creating databases. That’s a very scary thing. It’s difficult. The biometric space will continue to evolve. We will continue to see good uses for it, and we will also see bad actors coming forward.

While biometric technology, and its use, moves forward, real policy work must be done. That policy work must be informed by technology and experienced professionals. We’ve known that policy moves much slower than technology, but we’re seeing that gap grow more exponentially from the policy application to the operational reality.

Real coordination and effort is needed to codify ethical use policy. No amount of standards work is going to replace the real and necessary hard policy work. Standards should and will inform policy, but standards will not replace the policymaking that has to happen urgently.

Mimecast: We have leapfrogged over so much digital transformation during the pandemic. How does this affect the control of identity given so many people remain, for the foreseeable future, working remotely?

Brennan: Early on through DIACC, discussions regarding identity-related solutions and services were focused more on convenience. Now those discussions are about real-life security — keeping that job or, as a business owner, being able to securely and efficiently leverage workforce from around the world.

Something industry practitioners and policymakers must also consider is the word “responsibilization.” Responsibilization is an academic word that contemplates pushing something that used to be an authority’s responsibility, like a government or a bank or otherwise, to a personal responsibility. Some of the newer innovations are focused on putting more responsibility in a person’s control. This can be empowering. However, there must also be guardrails — or rules and tools — in place to codify where a person can expect protections or where there is no expectation of protections.

We have to consider the ability of customers, citizens or clients to have enough digital literacy to take security measures. The newer models for identity verification assume that people will take much more responsibility. That shift in responsibility requires business, legal and technical innovation. We can’t rely on citizens and customers and clients to be totally responsible to manage privacy and security challenges on their own.

Mimecast: Are there any other developments and technologies that look promising in the near future?

Brennan: Organizations that would like to learn more can review our DIACC five-year strategy, which was published in October 2020. The five-year strategy provides a short primer on where identity has been and where identity is going regarding real-world adoption.

DIACC sees a small number of networks that either exist now or are emerging. These networks are likely finely tuned for the purpose of information-sharing and verification. One of these networks has launched here in Canada, using banks, life insurance and life services products, telecommunications providers and network solutions providers — all collaborating in a consortia-based ecosystem.

Our advice to professionals, as well as those who are simply interested in identity, is to consider the existence and emergence of different networks, built on different technologies, with different governance and liability models layered on top. What’s more important to consider? Not every network will be created exactly the same.

A verification program will help our ecosystem to verify the processes and practices that have been implemented by networks and network actors. Through a massive collaboration effort, Canada has a pan-Canadian Trust Framework, [which is] a process-based framework published by DIACC. And we will be launching what we call our “Voilà Verified” program in 2021. Voilà Verified is a program that can be used to verify different technologies and processes for identity-focused services and solutions.

The pan-Canadian Trust Framework and Voilà Verified represent important pieces of the puzzle, and having a PCTF Trustmark would help people, business and governments. And finally, the pan-Canadian Trust Framework and Voilà Verified are concerned with international and economic-sector application. We must ensure that people, business and governments can transact with privacy and security anytime and everywhere around the world.