I’ve talked before about how having a strong organisation identity can create significant value, and we’ve seen plenty of use cases where that value is unlocked. At Ubisecure we delivered such a use case over a decade ago that reduced costs for the Tax Office in Finland by 99%. Despite an arguably limited adoption in other jurisdictions, I think we are now at a point where the importance of organisation identity is finally receiving the mainstream recognition it deserves.
In this blog we’ll recap organisation identity, explore the similarities and differences between organisation and individual identity, and examine the emerging value enablers that are rapidly transforming this field.
What is digital identity?
Before delving into organisation identity, let’s first consider digital identity in a broader context. A digital identity is, either directly or indirectly, a statement about an entity. This statement may include claims or assertions about the entity, such as its name or age. The reliability and trustworthiness of these claims depend on how the identity was created and validated. Some identities may have low assurance, making their claims untrustworthy, while others may have high assurance, putting their claims beyond any doubt.
As individuals, we are accustomed to various methods of expressing our online identity, ranging from low assurance claims made via social media to potentially high assurance government or bank-issued identity documents.
Organisation identity parallels individual identity when it comes to assurance, with both low and high assurance forms existing. For instance, low assurance organisations include family units and social clubs, while high assurance organisations include legal entities and government offices.
The assurance of an identity is very important when we look to rely on the presentation of that identity to undertake transactions. Higher assurance reduces transaction risk, enabling higher value transactions to occur on the basis of the presented identity.
We are very familiar with this from an individual identity point of view, but the same also holds for organisation identity, although we as individuals tend to be more trusting of organisations than of individuals.
It’s a common example that I use, but consider the last transaction you made. It was most likely individual (you) to organisation (the other party), maybe an Amazon order or a Tesco delivery. You would have been well identified in that transaction; the organisation almost certainly less so.
Individual Identity vs Organisation Identity: Demonstrating Legal Intent
There are similarities between these two identity types, but what are the differences?
It’s easy to suggest that the ability to authenticate is the primary difference between individual and organisation identity, but I would argue that is not the case. Authentication serves as a mechanism to demonstrate that you are interacting with the same entity as before. We can think of username and password (or passwordless login) plus MFA plus some sort of biometric lock as mechanisms to demonstrate to a strong level that we are the same entity. In the modern world, this often comes down to the ability to unlock a mobile device, after which most of the process is automated through services like password managers, MFA apps on the same device, and secondary biometric checks like Touch ID. Ultimately, as an individual you are technically proving control of a key (or maybe just a password). Organisations have been doing this for years through purely technical means.
Organisations can sign documents using technology such as Organisation Validated X.509 certificates or eSeals, or participate in private API networks using PKI-based authentication.
The main difference, and I think the drag on adoption, is the matter of legal intent. In the majority of jurisdictions only individuals can show legal intent; an organisation cannot. We see this embodied in eIDAS certificates: eSignature certificates for individuals and eSeals for organisations.
This difference means that individuals have remained front and centre in executing business, which effectively breaks the ability to automate.
To deliver true business value, it is essential for organisations to have the capability to automate their participation in transactions, while also ensuring compliance with technical risk controls and other governance requirements.
Today’s Closed B2B Frameworks
We do see automation between organisations for high value transactions today; think of B2B supply chain management and just-in-time ordering and inventory supply. This capability is possible because of a pre-defined, tightly coupled, tightly controlled framework between the participants.
Think about the saving measured in Finland for the Tax Office; this was the result of a framework referred to as Katso.
Such established frameworks enable interaction at the organisation level to automate transactions, but they are all private or closed frameworks, essentially proprietary. Like all proprietary frameworks, they are limited in scale and, more importantly, in interoperability.
Now, imagine if such a B2B framework existed globally, enabling organisations to interact, with legal intent defined by the framework itself and automation occurring on the basis of risk management from a standardised, highly assured organisation identity. This is the inflection point we are at today.
Moving Towards Global Transactional Frameworks
We already see several points of recognition of the value of highly assured organisation identity: vLEI (verifiable credentials), GAIN and eIDAS2 will all be using the LEI (Legal Entity Identifier). But these are not transactional frameworks; they are identity conduits or containers. The transactional frameworks are emerging separately.
The World Trade Organization is pushing WTO members to adopt digital trade systems and bring in regulations to enable that automation. Considerable effort has been expended on Paperless Trade, and here the organisation identity is as important as any individual identity.
The UK is implementing regulation to enable Paperless Trade internationally and is expected to save £1.14B over 10 years and reduce B2B transaction processing time from a week to 20 seconds.
Moving towards a True B2B Framework
While we may be increasingly familiar with B2B IAM, which allows one organisation to delegate administration rights over users to another organisation, this approach does not fully address one key aspect: organisation identity. True B2B IAM must encompass the complete lifecycle management, validation, and mediation of organisation identities. Only by doing so can we create a global, scalable, and interoperable framework that fully unlocks the value of both individual and organisation identity.
If you want to learn more, join Ubisecure at the Gartner IAM Summit on the 7th March 2023 and listen to our session at 14:45 on True B2B IAM, or meet us in the exhibition hall; we’d be only too happy to exchange thoughts on this important trend.