Let’s talk about digital identity with Diane Joyce, Identity Evangelist and Executive at Women in Identity.
In episode 12, Diane and Oscar explore all manner of digital identity topics – including self-sovereign identity, digital wallets, GDPR, CIAM and, importantly, what organisations should be doing to protect consumer identities. She also fills us in on her work with Women in Identity – a not-for-profit organisation promoting diversity in the identity industry.
“I want to use technology as the enabler to make a safe and frictionless journey – I don’t want to put technology in ‘because it’s fun’.”
Diane has provided thought leadership, vision and innovation in the digital transformation of financial institutions. She has worked with blue chip corporations to implement the technology and service architectures required to become certified identity providers as part of the GOV.UK Verify identity scheme. Diane has also worked with government departments setting up a pan government identity community and worked with leading IDAM vendors to address the need for secure and scalable identity federation to enable collaboration between public and private sector organisations. She champions technology innovation to provide users with a frictionless and safe digital experience.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.
Oscar Santolalla: Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Hello. More and more we hear phrases like “reclaim your identity”. Some people care, some people don’t, but reclaiming identity from who? Who owns my identity today? And there are better ways we can do this. For that, we have a very special guest today, Diane Joyce.
Diane has provided thought leadership, vision and innovation in the digital transformation of financial institutions. Diane has worked with blue chip corporations to implement the technology and service architectures required to become certified identity providers as part of the GOV.UK Verify identity scheme. Diane has worked with government departments setting up a pan government identity community and worked with leading IDAM vendors to address the need for secure and scalable identity federation to enable collaboration between public and private sector organisations. Diane champions technology innovation to provide users with a frictionless and safe digital experience.
Diane Joyce: Hi Oscar.
Oscar: It’s great talking with you, Diane.
Diane: Thank you.
Oscar: I know you do many things and you have done many things, very interesting things. But I would like to hear first from you, what was your journey, your personal journey, to this work of digital identity?
Diane: I’ve worked in technology, I started as a programmer many, many years ago. I’ve worked in identity for some time now but I started out in integration and security. And I saw two catalysts that I thought were going to change the technology world. And alongside those, the problem with identity needed solving.
So the first was the internet. Suddenly we could connect to anyone, anywhere, but we didn’t really know who we were connected to and how do we know it’s them the next time we connected. And when you added to that the .com boom and the subsequent e-commerce boom it has become even more important to understand who it is we’re speaking to.
And second thing is cloud computing. Following the internet and e-commerce, cloud computing solved a problem that I don’t think most organisations knew that they had. Their identity model was within the walled fortress of the data centre and so therefore they control all the identity there. Cloud computing changed that and made the evolution of technology and services even faster. But now, identity had B2B and B2C and they were outside the control of the organisation at times. So that was quite a paradigm shift.
So, again, these are the two catalysts that I saw that needed some sort of identity providing. And not just for people but also for devices and of course the third one would be the internet of things. So, I spend a lot of time researching, reading, aligning with the emerging identity thought leaders before getting my first break at the UK Post Office, who were bidding to provide identity for a major government department. And this later moved into GOV.UK Verify.
And we were at the beginning of bringing together federated identity, so all the way through that I guess we were kind of making it up as we went along as technology has emerged, as threats emerged, as the way that consumers behave changed we started to get something more robust. But primarily, as I think you said on the beginning, I’m a technologist and I want to use technology as the enabler to make a safe and frictionless journey. I don’t want to put technology in because it’s fun.
Oscar: Sure. Yeah, I see you have seen the evolution of the internet and the services that came gradually, e-commerce you mentioned, and you mentioned the cloud services. At which moment, when there were already some tools for managing the identity in one way or another, did you feel that there were not enough tools or technology? How did you get involved in identity?
Diane: Well, I think the way we solved identity was that we did it within the walled fortress. So each organisation managed its own identities and it tended to put you through a bit of a stringent process and you had to log in and be recognised and so each organisation did that independently.
Now when they push their services to the clouds, they could no longer do that in the same way. And I think technology did evolve where single sign-on and federated identity started to enable that but along with that came the threats. So, the identity management – that I set up an identity and I start to proliferate that among a number of organisations – the moment someone gets my identity they’ve now got access to all sorts of things. So, I think the model changed from the organisation keeping it within their fortress to suddenly the identity moved more towards the individual. Not quite there yet but we’re moving that way.
Oscar: Right. Yeah, as you said, a very long time ago, the organisations could just build a database and have all the identities they needed inside, in-house build their own systems etc., that was possible a long time ago. But when the services were exposed outside, especially with the cloud services as you said, yeah, that’s a completely different story. You started already mentioning that the identity is becoming more for the individual, so that is one of the things we want to discuss today: who owns your identity? Who owns my identity? And what would you say if the question is just who owns my identity?
Diane: Well, for me, actually it’s a really easy answer. I think the individual always owns their identity, digital or otherwise, because it uniquely identifies them. But I think owning their identity is different from managing their identity. And I think that’s what the real question is – who manages my identity? And who do I trust to be able to help me manage my identity? Because I don’t think most people really care about owning their identity. I think they realise they have to log on and identify themselves in order to do something. I want to buy the shoes. And if I really want those shoes, I’m pretty much going to do anything I need to get those shoes. So, I think the management of the identity is the real question here.
And I think the individual still owns that and that’s a big change from the data fortress model where each organisation owned my identity. They owned my credentials. They owned my assurances, all of that. But I had to do that with every single organisation. So now, all of my data is out there in multiple places.
Oscar: OK. So the individual owns their own identity but many organisations, and also the individual, are managing the identity.
Diane: I think there’s a little bit of a– we are moving a little bit to a hybrid model. And I think at the moment we’re not in a place where the individual really understands the value of their identity. But it’s getting more so, the more breaches we have and the more the individual is inconvenienced, the more they’ll start to value and protect their identity. But I’ve never ever heard anyone say “I’ve got to get myself a digital identity. You know I’ve got to get shoes, I’ve got to get on a plane, I’ve got to do these things. And I know I have to do things to do that.” So, I don’t think they really understand it at the moment. And I think this is where technology can enable things.
At the moment, as I say, we’ve moved from the walled garden where everyone has their own database. We morphed a little bit into a federated service where we had identity providers. And that’s very much the space we played in, in some of the organisations I’ve worked in. So you could do a single sign-on, an identity provider would do all the assurance against your identity and say, “I’m certain to this level that it’s Diane and I’m certain that it’s actually Diane that’s come back again and again.” Because I think there’s one thing about establishing the identity. I think the second thing is really about is it the same person who owns the identity when they come back. So, the whole authentication in account takeover scenarios.
And I think we’re starting to morph into more of a hybrid model, particularly when I look at the mobile technologies, the digital wallets that I can have where I could carry a little credential that’s being minted by a trusted source that says “I know that Diane is over 18.” And if I could give that – if you think about it as a little digital card that I could give to someone and they go, “Oh yes, Diane was checked as over 18 by Post Office on this date”. That’s really what we want to be doing. I’m not giving my date of birth. I’m not giving any information about me but that relying party will go back to the assuring party and say, “Yes, it’s Diane”. But this is in my digital wallet so I can reuse this in multiple digital wallets in multiple places. So I think we’re morphing more to giving more responsibility to the individual but allowing them to choose who manages it.
Oscar: Also to clarify because the concept itself of ‘my identity’ and ‘I own my identity’ is that my identity relatively abstract because, for instance, the government might have a lot about myself more than just let’s say the movie theatre web shop that has some information about myself. So, what are all these identities that I have in the social media, I have in this web shop, I have in the government, each of them are my identity or what each of those are?
Diane: I think that’s an interesting– I see my identity as ‘I am Diane’ but I have multiple personas. And I think this is the model that having these little tokens that we can give is I can have a persona when I would interact with government. They need to know a little bit more about me and maybe I do exchange a little bit of data with them and they’re probably one of the greatest holders of data about me. But then I also have a healthcare persona who wants different information about me.
Diane: I have a banking and financial services [identity] and then I have a social profile where maybe I don’t want everyone really to know where I live, what my address is. And again, that’s the model of not having to have all of these identities managed by different people where I have to have different credentials for every single identity. I would like one or more credentials that uniquely identify me. And then I can decide which persona I’m going to be for who I’m interacting with. So, if I’m buying alcohol in a bar, they just want to know I’m 18. They actually don’t really care that my name is Diane or anything about me but they just want to know that I’m 18. And that’s all I want them to know.
Oscar: Right. OK. And you also mentioned earlier about the breaches for instance, reasons to manage the identity and protect their identities in an appropriate way. Do you think that today the majority of people really care about protecting and owning their own identity? How do you feel about that?
Diane: Not yet. But I do think it’s starting to inconvenience people, so no. It was interesting I was at a fraud and payments conference recently and I asked everyone in the room how many people had reused passwords. And 50% said yes they reused passwords. And then I asked them how many use password managers and generators. And 50% of the room indicated they did. And these are people who understand fraud, people who understand how credential stuffing, all the attack vectors work and yet these are the people 50% of them are breaking some of the fundamental rules that we’re trying to get out there. So, I don’t know how we can expect the individual to really be able to respond in any other way either.
So, I think they’re not inconvenienced enough yet but as fraud rises, you’re going to find more and more of the organisations are going to push back to the consumer and say, “Actually you did this wrong or you didn’t follow our terms and conditions by having the appropriate software on your devices, you know, your device health”. And as they start to push back more and more, it’s going to hurt. And that’s when it’s going to start to become more and more the individual will start to look at different ways of doing things. And we in the industry need to be in a position where we can help them because I’m not sure at the moment we are.
Oscar: Well, actually that’s an interesting point you said, you asked your audience in a conference and half respond- half of people really don’t care or are very careless and the other yeah definite use password managers or really care about that. Do you think that in– there are already some organisations in which their terms and conditions tell explicitly you should use a password manager?
Diane: Not yet but I do see terms and conditions coming up where they say you can’t reuse passwords.
Oscar: Right. Right.
Diane: And the industry, it was interesting we had a big debate on if we need to move from the passwords. And I’m like of course we do but that’s some time off. So we need to solve the problem today because the amount of account takeover has really grown exponentially. And organisations can’t sustain the cost for much longer, I don’t think. And in fact some of the banking is already pushing back same or like you gave your credentials to someone, what can I do?
So, it is interesting that people are starting to become more aware and if you look at some of the campaigns, particularly in the UK, we’ve had a lot of campaigns about banking, about banks will never ask you for information. They will never do all of these things. So, we’re doing a lot of campaigning out there. However, the other day, I did an unusual transaction and my bank phoned me. And I asked them to authenticate themselves because I’m like “I have no idea who you are”.
Diane: And they said, “Well, we rang you about a transaction.” I said, “I understand that but you have to authenticate yourself to me because I don’t know who you are.” I said, “I’m going to hang up and I’m going to ring the bank back.” And I knew I had actually done the transaction that they said but ringing me up and asking me to authenticate myself and provide information. And I actually said to them, I said, “You just sent out an email saying we will never ask you for information and you’re asking me for information.” And so, I did actually send that back to the bank and said, “You sent me this email and then immediately you did this.” And I said, “If you put a safe and secure word there, something that you could tell me, I would have talked to you. But instead I had to go away and find another device to call back on so that I could be sure that it was you.” And we had quite a big discussion with it because I actually knew some of the security people in there. And I said, “Your literature needs to change but so does- organisations need to authenticate themselves as well because this is the biggest threat at the moment – the social engineering.”
Diane: And I’m really good at it. I could probably get a password out of most people. So yeah, the threats are changing, it’s not all technology.
Oscar: Yeah, that’s also very good example, that the bank is advocating something that is in the right direction but the process are not aligned completely yet.
Diane: And then I do have a safe word on that bank for when I log in they show me it or they show me a picture so they could have easily used that.
Oscar: Right. Still a lot of work to do in many organisations then, definitely. But also, it is good what you said, and it’s a very interesting perspective, that the companies, the organisations are pushing back towards the users and now the user should have more responsibility and be more active in protecting the identity. And that’s also– because it’s in the organisation’s own interest, it’s actually a business value for them, for the organisations to keep the right ways for the individuals, for their users to protect their identity.
Diane: We’re in a much better position to help the users protect their identity. In cyber, we tend to understand some of the threat models and we are in the best position to do that but I think it just takes time and investment.
Oscar: And what about the idea of the ultimate responsibility for the individual to control their own identity and thinking of the self-sovereign identity for instance, what do you think?
Diane: I think long-term that would be the case and I think this is where technology does actually come in. So, I think, as I said I think there’s a halfway house where we have these verifiable credentials and an individual asks one or more organisations, whether they’re identity providers, wallet providers, to provide that for them. Because I think at the moment it’s a bit of a big leap and what we really need to educate consumers in is ‘don’t give your data away all the time because the more data you give away the number of breaches that are coming out there, we’re starting to see the rise of identity theft but also synthetic identities where they’re partially true and they may start to generate identities that it’s no longer their sure to come where they just go to and steal some like immediately. They’re building these identities for longer term use.’
So, I think that’s perhaps where we can help instead of having every organisation saying, you need to give me your name, your address, your date of birth, a picture of your passport and all of this so every organisation is holding this. We do need to go more into this – I’ll have those credentials in a trusted place. It’s a little bit like a federated model but with the technology you don’t always have to go to the identity provider to do the credentialing because I think most organisations want to do the credentialing themselves but they just need the assurance that it’s the right person on the end of the line.
Diane: So, I don’t think we can push that much onto the consumer. As I said, at a fraud seminar, half the room knew they were doing something wrong. And again, it comes down to the risk models. I also think that technology’s moved on so much that really the authentication space has really taken off and we have so much ability now to actually understand who’s on the end of the line by using the technology that we should be doing that. You know risk-based models, we should be collecting data. We know enough from the mobile phone devices to know is it the same device we’ve seen before. Is it on a network we recognise? Is it in a place that we recognise? What’s the health of the device? Is there any apps on the device that have just been loaded recently and what does that mean?
So we have enough to build up a picture of that individual. And if something is slightly wrong then let’s ask them to do something slightly differently. And maybe we take them through a couple of steps but don’t put the friction in place all the time, put it in when normal behaviour is- there’s something not quite right. And it may be quite valid that it’s not right. I maybe on a totally different network that no one’s seen. I have two SIMs on my phone so I swap one of the SIM cards out on a regular basis. And so, of course, I get the SIM swap which means I have to step up my authentication. So I think the authentication, the devices, the technology is there to take that friction from the user and we can do all of that in the background.
Oscar: That’s definitely good news that that has evolved so much.
Oscar: What about regulations such as the GDPR, how much are these helping?
Diane: I think GDPR is a great step in the right direction. And I think initially we were all interested to see how much bite it would have. And I think the British Airways breach fines showed that it really does have teeth. But I think it possibly needs a few tweaks or maybe it’s just the initial processes. So, the 72-hour notification and engagement with the regulator is quite tough. When an organisation is breached, it really needs to focus on finding out what happened, how, and fixing it. And I think maybe perhaps a lighter touch within the reporting 72 hours say, “Hey, we’ve been breached. We don’t know what it is yet.” And it takes generally more than 72 hours but the organisation should be focused on fixing it, not preparing something for the regulator so that they can tell the regulator what happened. And I think it’s great because it does focus them on protecting data.
But if you think about a breach, an organisation has been breached and they’ve already incurred brand damage. And that’s quite a big one because we do tend to move away from breached organisations. They’ve obviously often incurred substantial cost to identify and fix the problem. And then they’ve also got the financial loss from the actual breach. So, they’re also a victim of crime. So, I’m not sure how the massive fines work. And maybe we need a little bit more leniency in some situations or you know your first strike, unless you’ve done something clearly really badly, that it’s a bit more lenient. Because I think if my house was broken into and someone stole belongings belonging to someone else, would the police then fine me because my house had been broken into? Because the organisations are actually a victim of crime. But the really great thing I think with GDPR is it has helped organisations move from the model where data has value and therefore we gather as much as we possibly can just in case we have some need in the future to use this.
Diane: Lots of organisations were building these enormous data lakes of information which they probably really didn’t have much idea how they were going to use them. Others of course did monetise the data lakes and understand how to use them. So the great thing is the explicit reason for capturing data and the fines for using that data in another way I think are great. So, I think that’s a great step towards privacy.
Oscar: Yes, yes, I agree organisations now they need really compelling reasons to collect unnecessary data.
Diane: Yes. I think so. And I think that’s part of, you know, what I talked about before, about the individual not needing to give all the data away.
Oscar: What about CIAM, Customer Identity and Access Management, how does this also help?
Diane: I’m kind of in two minds on this. Because when I think of CIAM, I tend to think of them as each organisation captures and manages an identity. So they capture all the customer information and they have different credentials although they can actually use single sign-on across the CIAMs. Again, I think it’s more burdensome for the customer. It’s almost a little bit back down to the data fortress model where everyone had their identity systems. So I’d like to see it evolve into a more distributed model with the individual more in control. So, my ideal CIAM would be the ability to use one or more digital wallets and one or more different credentialing systems to access multiple organisations. So, that would be my ideal CIAM.
Oscar: What are today examples of wallets or are there already today?
Diane: They’re evolving and as self-sovereign is starting to come more to the front, yes. But we’ve got new verifiable credential standards which have just been agreed which- those are the tokens, the little cards that I talked about we can pass around. So, organisations are starting to build wallets towards that. What we haven’t yet got is organisations that are sharing across the wallets yet. But I think that is the next evolution because no one is going to stick to a single digital wallet. I’m going to have – again, I might have different wallets according to my persona but I want to be able to share that one piece of information across all of them. I don’t want to have to prove myself time and time again. So I think we’re moving that way and that’s particularly where the self-sovereign model works. And I think with the concepts of verifiable credentials, self-sovereign, it’s starting to take shape and the big players like the Microsofts, the Mastercards are all moving in this direction at the moment, as are Google. So, it’s starting.
Oscar: Yes, definitely great to know that many, many companies, technology vendors and organisations are working on that today, and so we are going to see more and more tools and resources. Yeah, very interesting discussion about who owns my identity and how to protect it. Changing a little bit off topic, I know you spend lately a lot of time on this organisation, Women in Identity, could you tell us a bit about what you are doing there lately?
Diane: Yes, so Women in Identity is a not-for-profit organisation. We’re looking at diversity and inclusion in the digital identity space. So, the name of our organisation is Women in Identity. It started as a bunch of women in identity but it’s about everyone. It’s about inclusion. So, we launched in June last year and we’re just getting the organisation set up now. So I’m the Events and Country Manager for Women in Identity so that means a lot of organisations or conferences come to us because they want diversity not only in their audiences but also in their speakers. So we’re starting to put together a speaker bank of women who can speak. And we also go out and we explain what Women in Identity is about. And it really is about making our industry think about diversity and avoiding bias and making sure that everyone can have an identity.
And the second thing I’m doing is setting up the country chapters for that. So we have organisations in different countries at the moment. We’ve got the US, we’ve got Canada, we’ve got Germany, the Netherlands, the UK and we’re just starting up in Australia. So again, we can start to build a big community about making sure our industry recognises that we need that diversity. And it’s partially about supporting women in the industry and helping them but it’s also making sure that software vendors are building for diversity so, you know, there’s been quite a few issues recently with bias in AI and also bias in facial recognition. So the more diverse our actual industry is, the more we can bring that into the software so that it can work for everyone, and we want it to work for everyone anywhere. So, it’s really exciting. It’s a not-for-profit and I’m a volunteer but we’ve got an amazing team of women who are just passionate about making this work.
Oscar: Excellent. And I can hear your passion.
Diane: Yeah. Well, I love it.
Oscar: Yeah, fabulous. My last question is a question for anybody, not only for people who are in the digital identity community. For anybody, give us a tip to protect our own digital identity.
Diane: I’m going to do two if I may.
Diane: The first one is passwords are not dead – we would love them to be but they’re not – use a password manager. And generate passwords. There are a number of great password managers out there now. They go across all your devices, so you’re never without your password, and let it generate a password. If you can’t do that with your passwords, make them longer sentences that you will remember. Don’t reuse them. It takes two minutes for credential stuffing to take a password and run it across the major organisations that you probably interact with.
And I think the second one is more UK-focused. And it’s more about identity theft. Sign up for a credit file service, there are a number of them that are free. And on a regular basis, have a look at your credit file and see who has pinged your credit file. So every time you do something in a financial institution, take out a credit card, get insurance, do something, you’ll end up with a marker against your credit file. If you see markers that you don’t know about, it tends to be that someone has got your identity and often what they do is they go to an insurance comparison website to see if they’ve got all the details right. And yes it comes back and yes they can get insurance. And then they tend to go to financial services products. All credit files have a list of your financial instruments. Check your bank accounts, credit cards, and make sure that you know them all and that their balances are approximately what you would expect. And the third thing is check your addresses, make sure you recognise all the addresses that are against your credit file because again, change of address: if I create a new credit card on your behalf I’ll probably send it to a new address. So, that I think in the UK and maybe in other countries, the States definitely, these are things you should do on a regular basis.
Oscar: Yeah, I’m not familiar with this way of doing things. So, who manages these credit files? Is it the bank?
Diane: No. We have data aggregators called credit reference agencies, so Experian, Equifax, TransUnion, they all absorb all the information from the financial services and various organisations and bring it in as a data aggregator. And so when you open a bank account they tend to call a credit reference agency, first of all to check that it’s really you and whether you are creditworthy. And so, anyone who calls them leaves a marker against your account. And so, there are free services and there are paid-for services as well, where you can actually go and look to see who has been looking at your credit file.
So, it’s quite valuable. And if you see something on your credit file you don’t recognise, the credit reference agencies can then help you by- you mark it as “I don’t know this” and they’ll then investigate it further. That’s a great service in the UK and in the US. I’m not sure about other countries, how the data aggregators work. But yeah, I’ve actually given that advice to someone and then they came back and said they’ve got five extra credit cards. I’m like, “Oh, you need to ping them.” So, her identity had been compromised.
Oscar: OK. Yeah, definitely it’s good advice where these systems are very widely used, like you say in the UK and US. Yeah. So this is very good that you share this advice.
Thanks a lot Diane. It was great talking with you. Please let us know how we can find you and also the organisations you work for.
Diane: So, my Twitter handle is @kiwiIDgal, also on LinkedIn as Diane Joyce. At the moment, I’m working for Women in Identity.
Oscar: Excellent. Again, thanks a lot Diane and all the best.
Diane: Thanks very much, Oscar.
Oscar: Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use #LTADI. Until next time.
[End of transcript]