By Daniel Raskin, VP of Strategy at ForgeRock
Identity. We all have one, each uniquely individual. It’s what defines us and tells others who we are. In the connected modern world, the ability of businesses to understand the power of user and customer identity is pivotal to effective digital transformation. Those that can harness this power are able to deliver highly targeted services customers want, when they want them, through the medium most suitable to them. Those that cannot are destined for the business scrap heap.
Yet if identity management is so fundamentally important to future business success, why do so many businesses struggle with it? The main reason is their inability to fundamentally change the way they approach it. Traditional identity management solutions have long focussed on internal security and employee-centric activity. They were designed to manage the identities of a fixed number of users doing a rigid number of tasks. However, the type of strategy required for effective digital transformation turns this conventional thinking on its head, putting customer identity at the centre of the business model for the first time. For many businesses, this is uncharted territory. What’s more, there’s no way their existing legacy identity management systems can cope with this new approach, or the millions of external identities required for an effective customer-centric solution.
However, technology is evolving rapidly. Now there are user-centric identity platforms that provide businesses with the tools to build comprehensive customer profiles across multiple channels and touch points. In doing so, they can develop a digital picture of each customer and their habits, helping to guide the development of new, more meaningful products and services. As a result, customers get instantaneous, relevant delivery of digital and physical services. Importantly, they also benefit from intelligent security, based on dynamic characteristics such as location, device, time of day and familiarity.
However, the elephant in the room here is privacy. Businesses can’t offer more identity-driven services without also implementing better privacy controls. Regardless of how good any new service is, adoption will suffer if customers feel that by using it, their privacy is being compromised. Furthermore, the impending arrival of the new EU Data Protection Regulation is likely to further intensify any issues caused by perceived disparity between identity and privacy when it comes into force (likely in 2017).
For a while now, the identity industry has been working to develop universal standards that give more effective privacy controls to users, delivering the peace of mind required to spur adoption of identity-driven services.
The prevailing identity and privacy-related standard used today is known as OAuth. You may not know it by name, but you’ve almost certainly come across OAuth in action online. It’s most commonly used as a way for a user to allow two sites or applications to exchange personal data on their behalf – for example, granting a specialized third-party Twitter mobile app access to your Twitter account to see and post tweets, or letting a news website access your email address and contact information through Facebook. OAuth enables users to consent to sharing this data, creating easy mashups of information that make the online experience more convenient. It also lets users revoke access to their data should they change their mind at a later date. However, OAuth has some limitations. For example, while it enables data sharing between applications, it doesn’t allow data sharing with other people – sometimes called delegation. And because the apps’ business models rely on asking the user to join the sharing connection only at the last possible moment, users find that their privacy controls are far less granular than they want and expect.
User-Managed Access (UMA) is a next-generation privacy standard that builds on OAuth by putting the emphasis squarely on the user. UMA extends OAuth’s capabilities to authorise the sharing of a user’s data not only from app to app, but from person to person as well. UMA also provides users with a much greater level of control around how their data is shared. Similar to the Share feature on Google Apps, it lets users choose “scopes” of sharing based on rules (such as read and edit) that are specific to each app. And just like the Share feature, UMA allows users to “push” sharing to other people whenever they choose, as opposed to when an app requests access. All of these features add up to a greater level of flexibility that gives online users the chance to tailor what information they are sharing about themselves, with whom, and for how long.
Uptake of both standards will be critical to enabling better privacy controls for customers in the Internet of Things (IoT), making them more comfortable using new digital services and platforms. OAuth is a great place for any business to start; but increasingly consumers will expect the flexibility and customisation that the more advanced User-Managed Access standard permits.
Crucially, the concept of identity and privacy together creates the new “killer app” for businesses. As more and more devices and objects join the IoT, businesses must successfully balance services with effective privacy controls. You simply can’t undergo effective digital transformation without it. Ultimately, customers want to use new technology, but they also need assurance that their identity is being protected and shared in a responsible manner. Many businesses are embracing digital transformation, but only those that offer efficient identity management and effective privacy controls will reap the full rewards that it has to offer.