Anil John
Making Digital Services Secure and Trustworthy

Anil John

If Identity is the New Money, Standardized Assurance is the Currency of Trust

 Tweet  Share  Share  Comment  Print  Email

Many of the current conversations about identity are triggering echoes in my mind of the Cycle of Time quote from Battlestar Galactica "All of this has happened before, and all of it will happen again". So in the interest of not reinventing the wheel, I wanted to provide pointers to some existing definitions regarding Assurance Concepts and Trust Frameworks that could serve as the foundation for meaningful conversations.

The phrase "Identity is the New Money" is something I saw first on Dave Birch's blog post and the concept became much more real to me when he provided a synopsis of a recent SXSW Session on "Identity+30" by Sam Lessin, Head of the Identity Product Group at Facebook. It yielded some very interesting insights about the role of identity at some of the big players in the industry, and how it is driving their current behaviour.

At the same time, in order to get to an operational "trust and trade layer" leveraging the social graph and/or credentials, standardized identity assurance is needed as the currency of trust. As such, clarity on assurance and related aspects are foundational to understanding the big picture.

Unfortunately, this is where I see a lot of re-inventing the wheel happening these days.

So, if you are looking for a model on assurance and related concepts, a good place to start from are the definitions in the Pan-Canadian Assurance Model. [Credit to Tim Bouma from Canada TBS who put the above model together, and from whom I got the phrase "standardized assurance is the currency of trust"] The only minor terminology issue I have with the Pan-Canadian Assurance Model is their use of "Credential" instead of "Token".

As to the definition of a Trust Framework, I like the one from the American Bar Association's Federated Identity Management Legal Task Force:

An Identity Trust Framework is the governance structure for a specific identity system consisting of:

  • the Technical and Operational Specifications that have been developed
    • to define requirements for the proper operation of the identity system (i.e., so that it works),
    • to define the roles and operational responsibilities of participants, and
    • to provide adequate assurance regarding the accuracy, integrity, privacy and security of its processes and data (i.e., so that it is trustworthy); and
  • the Legal Rules that govern the identity system in order to
    • regulate the content of the Technical and Operational Specifications,
    • make the Technical and Operational Specifications legally binding on and enforceable against the participants, and
    • define and govern the legal rights, responsibilities, and liabilities of the participants of the identity system.

What Is an Identity Trust Framework? (PPT)

RELATED INFO


Did you find this interesting? Don't miss any new posts. Sign up to automatically receive them now!

I will never share, rent, or sell your information to anyone. Cancel anytime.

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.

Topic(s):
By on |

Continue The Conversation ...

I would love to know your thoughts on this blog post. Please leave a comment below!

I am a digital security coach. I help technical leaders make digital services secure and trustworthy. Learn more »

Free Updates

I will never share, rent, or sell your information to anyone