Let’s talk about digital identity with Richard Bird, Chief Customer Information Officer at Ping Identity.

In episode 46, Oscar and Richard discuss how the Decentralized Identity Foundation is helping people gain control of their online identities and why an open-standards based approach to identity management is the key to better privacy, lower fraud, and a more ethical user experience.

[Scroll down for the transcript]

“Decentralised identity will create an empowerment framework for people to have a part to play in their digital identity.”

Richard BirdRichard Bird is the Chief Customer Information Officer for Ping Identity, a leading identity solution and access management platform. An internationally recognised data privacy and identity-centric security expert, Richard leverages his diverse experiences as a strategic advisor, solutions provider and former global head of identity for JP Morgan Chase’s consumer businesses to challenge current notions about cybersecurity. He is a Forbes Tech council member and has been interviewed by the Wall Street Journal, Bloomberg, The Financial Times, Business Insider, and the NYSE on topics ranging from data protection regulations to cybersecurity enabled consumer protection.

The Decentralized Identity Foundation aims to develop an open ecosystem for decentralised management of digital identities and ensure interoperability between all participants. Find out more at identity.foundation.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

 

Subscribe to
Let's Talk About Digital Identity

Or subscribe with your favorite app by using the address below

 

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and thanks for listening. Today we are going to have a discussion about a group of companies, individuals and organisations who are joining forces for solving very important problems today and particularly we’re going to talk about the Decentralized Identity Foundation and for that we have a guest who is from one of these members. The guest today is Richard Bird who is Chief Customer Information Officer at Ping Identity.

An internationally recognised data privacy and identity-centric security expert, Richard leverages his diverse experiences as a strategic advisor and solutions provider to challenge current notions about cybersecurity and identity. He is a Forbes Tech council member and has been interviewed by the Wall Street Journal, Bloomberg, The Financial Times, Business Insider, and the New York Stock Exchange on topics ranging from data protection regulations to cybersecurity-enabled consumer protection.

Hello Richard.

Richard Bird: Oscar, how are you?

Oscar: Very good. It’s great having you.

Richard: I appreciate the opportunity to be with you.

Oscar: Yeah, fantastic. It’s great having this conversation. I’m really intrigued to hear more about the Decentralized Identity Foundation. But before that, I would like to hear a little bit about you. So please tell us about yourself and how you joined this world of digital identity.

Richard: Absolutely. It’s a – I think it’s really interesting. It’s always strange to hear anybody read my bio. I feel like, you know, a bit of imposter syndrome. All these opportunities in the last couple of years to talk with all of these different media outlets and one thing that’s interesting, the consistent theme there is just – it’s all business side media outlets.

You know, the journal and CNBC and all of those different organisations and I think a lot of that is because my experience and background has given me the opportunity to be able to translate the complexities, the challenges, the issues in digital identity in a way that the business side of the house can consume and understand.

I spent 20 plus years in corporate and I worked at companies like JP Morgan Chase for many years, Accenture, smaller banks in the Midwest. I also held a Chief Information Officer position and gravitated into information security. Also became a Chief Information Security Officer and a large part of that information security timeframe was spent in identity, working it from an operational perspective.

When I left the corporate fold, I spent a couple of years in strategic advising and then joined Ping Identity about three years ago and almost all of my effort and energy has been focused on consumer identities, digital identities, citizen identities. Really the space that has proven to be one of our greatest weaknesses and challenges. Not just in national cybersecurity infrastructure for things like election and healthcare and vaccinations and all of that, but it has also been an extremely problematic area in terms of creating a much bigger digital divide where people– human beings don’t have the ability to exercise their rights to prove that they are who they say they are in the digital the way that they do in the analogue.

So I went from a long time of being a corporate resource that really didn’t care about those subjects because my job was to protect my company. And I always like to say I wore the soccer football jersey of the company that I worked for.

But as I left those industries and saw really the disparities and the challenges that we’re facing because we don’t have a notion of decentralised identity, we don’t have a notion of true digital identity, we just continue to have a accounts and passwords. We just really saw an opportunity with the Decentralized Identity Foundation as well as other organisations to help create a framework for a world where digital identity isn’t just a thing but it’s operationalised.

It has interoperability. It can be recognised most importantly so that people – human beings can be empowered to have some part to play in identifying themselves in a digital world. So that’s kind of a – you know, how did you get here? But that really – my background is just lots and lots of years of getting identity – well mostly right, more right than wrong. Of course with my time in doing it and learning a lot about identity along the way.

Oscar: Yeah, excellent and so many things that you have said resonate with me. For instance, bringing the complexity of identity problems, concepts and approaches to outside people who are not technical. So bringing to the business decision makers is very important. It’s very important not only for the ones who bring the solutions but for the ones who are going – the ones who need the solutions.

So a lot of your work as you said came from corporate – has been corporate. The problem now is – it sounds like you’re focusing more into consumer, citizen, right? And as you have mentioned already decentralised identity, please explain to us in a simple way as I’m sure you know very well. What is that and what are the top challenges?

Richard: Yeah. You know decentralised identity, it’s kind of interesting because we have historical precedence for it in the analogue, in the real world, where pieces of our identity are distributed across – we call it an ecosystem or different locations, right?

So in the analogue, we had to bring together those pieces, say a physical passport and the trusted authority for that is – you know, in the United States is the state department – and a driver’s license and maybe if we were signing up for a new service, we – or had to get something – you know, maybe we had to show up with some information about our current residence, a utility bill that had our current address on it.

That’s a very interesting analogue or analogy to compare to digital identity because we know in the analogue world, that process of bringing all those pieces of information together from these different sources to confirm that we are who we say we are is really frustrating.

So when we look at the digital space, when we look at decentralised identity, it’s somewhat the same notion. But it becomes an architecture that is relying on trust providers or a trusted layer to bring those different component pieces of information together to create a confirmation of identity.

So I like to think of all the digital capabilities that we have today. Maybe it’s device trust and you have information about your handset. You have information about your physical address. You have information about the different trustable pieces and you bring that together so that we can actually prove that you are who you say you are.

Here’s the thing that’s really fascinating about decentralised identity. It creates a framework that is extremely difficult to spoof or to commit fraud because no single source has all of the information. I think that’s the most important piece here because the ability for the bad guys to take advantage of identity, you know, which, you know, organisations like Gartner and those – and the Verizon data breach incident report have for years called out the fact that identity is the single largest contributor to exploits and breaches.

The ability for them to be able to steal an identity has been way too easy in the digital world and it’s mainly because all that information is housed in one location. One database, you know, and this notion of decentralisation creates again a framework where you have to put all the pieces together to be able to steal somebody’s identity and this notion of trust and credibility and assurance is really what creates a model for me, and I will leave off with this, for me to be able to have a part to play in my identity in the digital world and be able to choose who I share that information with and when, which is not possible in most cases today.

In most cases today, those decisions are made for me as a consumer, a citizen or employee and Decentralized Identity will create an empowerment framework for people to have a part to play in their digital identity.

Oscar: And why is it important for individuals to have control over their own identities?

Richard: See, I kind of led right into the next question. This is what I’ve personally become passionate about. I’m excited. We will get to what the Decentralized Identity Foundation is but I’m always excited how standards organisations get established because it tends to be the thinkers, the architects, the people that understand that you have to have a great design before you build the house. It’s very much the case with the Decentralized Identity Foundation. But when we think about what they’re collectively and we collectively are trying to do, they’re trying to create a world where digital identity means something, right?

Today, like think about your own experience Oscar. You have – on average, you have something like 137 – I think it’s the number I remember – accounts or interfaces with ecommerce providers, healthcare providers, your whole digital experience.

Every one of those digital experiences, you are a different identity. You are 137 different identities. You don’t have a core identity that you have some control over, which makes it virtually impossible to do things like delegate my rights and privileges to say a family member in the healthcare space because the healthcare space, I’ve got another 30 accounts and maybe I need to delegate my care to somebody because I can’t take care of myself.

But I don’t have the ability to do that in an elegant way. The real reason that controlling our own identities is important is because for 30 years in the digital space, at least, we had no control and we know what the consequences are.

I work with an organisation in San Diego, the Identity Theft Resource Center and when you see the numbers of how many cases of identity theft and fraud are committed every year against individual human beings, the impact is getting to the point where we can no longer just shrug it off.

We can no longer just say it’s a victimless crime. I’ve seen situations where people have – there’s a great story from my own podcast that was shared with me by the director where she said that somebody had stolen a young woman’s identity while she was a minor. Synthetic fraud, a very common practice now amongst the bad guys.

First child to ever have the opportunity to go to a college in her family and then when she went to go apply for college, she couldn’t get everything covered with scholarships. So she needed a loan. When she went to go apply for a loan, she found out that her entire credit history was destroyed and she was not 18 years old yet.

It took her three years. She was forced to fix that problem herself. It took her three years to finally get to a point where her credit was made whole again and in that three years, she couldn’t go to college. So she wasn’t with her cohort anymore. She lost three earning years.

So the damage that’s happening to people because of the inability to have control over some aspect of their digital identity is real, is tangible, is painful and frankly, I think for the most part, we’re no longer as people weary about it. We’re angry, right? We’re tired of not being able to have a say in our digital lives and having the consequences of these breaches and exploits weighing on top of us personally.

So it all begins with identity, right? This is why we want to create a world where people have some control over their own identity.

Oscar: Yes. Well, that example you told me that – it’s hard to imagine actually for me. Yeah. That case where the person had to lose three years to recover her identity. Yeah, I can understand with cases like that, especially the magnitude of this problem. So please tell us about the – a bit more about the Decentralized Identity Foundation.

Richard: As I mentioned, I always enjoy seeing the rise of standards bodies and the Decentralized Identity Foundation is definitely in the young stage and age of its growth. We at Ping Identity have been founders and participants in every single identity standard since the company was founded. In many cases, we’ve actually been the originators, right? You know, the original founders of those standards.

In the case of Decentralized Identity Foundation though, we connected because we have a vision of a world where a decentralised identity becomes the standard method for identity authentication authorisation.

Our interest in the Decentralized Identity Foundation definitely was driven by our own experiences on the development of the Colorado digital driver’s license. It is a decentralised form of identification. We worked closely with another company and the State of Colorado and those three companies, ourselves and then ID Data Web and then the State of Colorado represent different stores of information about this digital driver’s license and I’m able to manifest that application at driver’s license on my phone.

It took about a year before the Colorado State Police would even agree to acknowledge the digital driver’s license as a valid form of identification. Not because there’s anything wrong with the Colorado State Police but because all of their processes were built around the use of a plastic physical driver’s license. This is where the Decentralized Identity Foundation is doing these beginning component pieces of architecture and framework necessary for us to have a strong amount of assurance and trust that a decentralised identity, when it’s manifested, is who they say they are and that that resource or that digital identity, decentralised identity, has access to the resources and assets that it should. Nothing more, nothing less.

This whole basis of trust is really what I see when I look at the charter for the Decentralized Identity Foundation when I look at the frameworks and the technical documents that they’re publishing. They’re building a very, very thorough model. All of the different component pieces that are necessary to achieve that magic word – to achieve trust in a digital identity.

They’re doing so in a way where the expectation is, is that the source information that is brought together to establish that confirmed digital identity, is coming from multiple sources that are again trusted at their root but are able to be brought together in such a way that they can be – we can be confident as a reliant party as somebody who needs to be able to trust that final credential.

Being brought together in such a way that it’s extremely difficult to hack, break, crack and it’s also very difficult to simply duplicate and now we get to this level of assurance that is so lacking in the digital world.

Like I said, it is a heavily engineering-focused effort in the Decentralized Identity Foundation and I think that that’s extremely important because the – in this case, the standards need to be really precise and frankly, probably prescriptive in order to be able to achieve the degree of trust necessary for interoperability.

I will just say that’s really the biggest problem. All things are easy until we get to operationalisation. Once we get to operationalisation, it’s where we find our biggest challenges. You know, concept is good. Architecture is great. Operationalisation is challenging.

Oscar: And yeah, I understand the interoperability problems being in some other organisations about standards and we feel that we follow the same paradigm. But at the end of it, trying the solutions together. It’s like oops. But actually my architecture is different and so my conception of this concept is this. But let’s put the pieces together and not so ready. So I understand of course the challenges.

About that, how – tell us a bit about the type of organisations that are working already there and also how much has been – you got members from let’s say different type of organisations, public, software vendors and private and NGOs and also for – by countries. Tell me a bit how it’s done.

Richard: Oh, sure. Yeah. You know, it’s really a very diverse landscape for a frontier that is relatively new. Three years ago, I can remember I went to a number of different sessions at Identiverse that were focused on self-sovereign identity, digital identity and decentralised identity.

When we look at the enterprise solution space where companies like Ping Identity reside, there is this operationalisation problem. So we go, oh man, like blockchain for identity. That’s really, really cool. How do we figure out how to incorporate it into an enterprise-grade solution? Because blockchain for identity or decentralised identity in isolation, the overall framework is so new.

The ability to actually move it into production is challenging, right? You have to find the use cases. You have to find the pieces and components where the buying public on the solution side is willing to absorb that tech. They’re willing to change their business processes and they’re willing to adopt these new standards.

That takes a lot of time. So three years ago, a lot of what we’re talking about in this discussion, and a lot of what the Decentralized Identity Foundation was frankly probably not yet even quite dreaming about, was considered to be whiteboard focused.

But in the last couple of years, we’ve seen a huge shift. So this notion of digital identity and some organisations and nations are attacking it from a decentralised standpoint, some are not. But they’re all pursuing a goal of a digital identity, which is- I need to be real precise about that because we’re already in a space over the last couple of years where there are arguments about terminology.

Digital identity is really this notion of creating a digital version of the analogue you. So digital identity is not an accumulation, a summation, a federation of all of your accounts and passwords. It’s this rich representation of an aggregation of data that is out there, about all of us.

Now that opens up for another conversation that you and I can have Oscar one day. It opens up concerns about how much of this point information about my location, about velocity, about what network I’m writing on, all these different pieces, how much of that has to be aggregated before we start to go over the line relative to privacy concerns and security concerns.

We’re just all exploring that space now and that’s a big piece of that interoperability challenge. But the companies and nations that are coming together are attacking the problem in much the same way, which is create a digital identity that can be highly trusted. So in Australia we see a tremendous amount of work in the space.

In the EU, we see that the digital and marketplace initiative which is what created GDPR, it created open banking, PSD2. We’re seeing the beginnings of the last stage of that, which is the mandate for creating a digital identity for the citizens of the EU.

So the Nordics have actually created a model or they call it the bank ID. They’ve created a digital identity that has been well-received and well-adopted by the population within the Nordics. So we’re seeing lots of this and we see like social media company with Facebook. It’s like we’re going to create a digital identity standard because that’s part of our cryptocurrency focus, right?

So we’re seeing a world where digital identity was barely a topic a couple of years ago to now it is a huge topic and companies around the world like Ping Identity as well as organisations like the Better Identity Coalition and Washington DC who are pushing legislators here in the United States to acknowledge the importance of digital identity for cyber-security infrastructure have really expanded the conversation.

The big thing is, is that brings us back to the decentralised identity notion. One of the most common patterns that we’re seeing is, is that a drive to put – you know, the term most frequently used is the digital identity wallet. But the drive to put the – some of the key components of identity into a user’s hands and the tech that they use, which is going beyond mobile handsets now, right?

I like to point out that my fitness watch actually is more powerful than my cell phone was three years ago, whether it be home automation devices, tablets. You know, all these pieces are now available to us to give a human being the power to have that core piece of their identity and the decentralised identity capability then aggregates the information that’s necessary to establish the digital identity in the moment that is needed for the persona or relationship that I have in that transaction, right?

So I don’t show up with a social media digital identity to do my banking, right? Because my bank is not going to acknowledge login with social media, right? It’s too risky.

I would say that there are multiple different parts of society and the business world that are focused on digital identity and the notion of decentralised identity. This is why it’s so important to have an organisation like the Decentralized Identity Foundation because we have a lot of people that are attacking this problem with a lot of great thinking but a lot of different approaches.

When we get to a point where digital identity is a necessity for us to be able to do business in the digital as well as the physical world, if there’s not reconciliation of those efforts to – and tying those efforts to a set of standards, we will have a lot of difficulty. We will have cross-border difficulties. We will have say business entity difficulties because we will find that organisations and nations are arguing about whether they will acknowledge that digital identity – again, you know, really emphasising the importance of the standards focus that the Decentralized Identity Foundation is working from.

Oscar: Yeah, definitely. I couldn’t agree more that it’s important to make sure that all these efforts that some of them – of course they have started from different motivations but are towards the same goal to join together and join forces together.

I understand that a big part of the work that standardisations of that foundation, the Decentralized Identity Foundation, is creating a standard. That’s one big part of the goal that’s pretty clear. Let’s say – I would like to hear now how the foundation is already helping some use cases, some people, communities. Could you give some examples? Because I would guess that some – there are already products that are tackling specific use cases.

Richard: Yeah. You know, it has been really cool to – in my case, I actually use the source materials that are available at the Decentralized Identity Foundation’s website to really kind of keep up with everything that’s going on.

I think that in the services space currently that are giving companies the beginning pieces to consider how they can incorporate decentralised identity into their own application base as well as their own processes. You know, there’s a universal resolver that the Digital Identity Foundation has brought to the table in two parts. They have a focus on – you know, for the lack of a better term, a sandbox so that you can see how these pieces come together and you’re looking at interoperability across ledgers and digital identity methods so that you can see how those start to work.

You know, the – yeah, I’m actually looking at the blog post right now that was put up by Markus Sabadello last year about how this universal resolver is currently presented to the marketplace saying hey, you know, here’s an opportunity for you to use a foundational piece. But we’re in early days. So this is not intended to be used for your production use cases. But it is definitely a set of tools for you to be able to test your use cases.

The resolver – the universal resolver is in two viable pieces – an experimental piece and a stable piece. One that’s oriented towards IBM cloud, the other to AWS and it’s giving people – I think this is the most important part of these types of resources to the market.

It’s giving organisations, it’s giving technologists the ability to see how these components can work basically on a subject that kind of goes back to what I said earlier. Basically on a subject that really didn’t exist from a technical execution standpoint three years ago, barely even two years ago.

So one of the things that we’ve got to provide as a toolset to this population of interested parties in Decentralized Identity is a method to be able to take it from this level of abstraction, this conceptual level and to get hands dirty a bit, right? Dig into the soil and see how these components work.

I actually think when we talk about how the Decentralized Identity Foundation is enabling or empowering businesses today, I think this is the most important service that they can be providing to the market because we all know that the biggest challenge that we face in identity and in many social spaces as well is the instant that one of these identity terms, one of these technology terms becomes a marketing banner, we see a tremendous amount of business side interest and expectation. I will use Zero Trust as a great example. Zero Trust is a methodology. But because of the way that marketing has taken overseas the Zero Trust message, we have a large contingent of business leaders that think now, you know, Zero Trust is a solution. I just need to go buy it and I can have zero trust.

This foundational work is important because once decentralised identity becomes a much bigger part of the conversation, we have to have equipped people with knowledge, information and standards to be able to be successful on the execution of it because once again, once it becomes the term of the day, our business colleagues will be super interested in executing. If we’re still talking at the conceptual level, we will struggle to meet the need to solve those business problems.

So I think that’s – you know, when I think about how businesses or organisations are currently being empowered by the Decentralized Identity Foundation, it is the body of work that they’ve developed, which is extensive and I highly recommend for folks that have that type of technical interest, you know, go to the website. And then also this ability for companies to see how it can actually work in a real setting as opposed to conceptual diagrams. I think that’s really the value that they’re providing.

Oscar: Yeah, excellent to know there’s a – among all the great job you are doing in the foundation, there’s already for – as you said for the ones who want to get their hands dirty, well, there’s a sandbox and yeah, for you to play around. Fantastic.

We are leading the end of this very interesting conversation with you Richard. But I would like to ask you a final question for all the business leaders listening to this. What is the one actionable idea that they should write on their agenda now?

Richard: Well, I think that the actionable idea begins with a truth, right? And we have to acknowledge that much of our concerns about the future tend to be driven by assumptions or presumptions that we make about what we think it’s going to look like.

The difference here is that digital identity is already a thing. That’s the truth, right? So for business leaders, you know, when I’m talking to organisations that are still struggling with say the basic fundamentals of identity and you start talking about digital identity, the initial reaction is, is oh my gosh, you’re talking – you know, I’m in a Fred Flintstone world and you’re talking about Star Trek and the problem is, is that that causes us to resist change, right? We’re stuck with our legacy debt of not just technology but processes and we go, “Oh, I can’t talk about something so advanced.”

It’s already here, right? I always like to use the example of Apple in that case, right? Apple is building a digital identity ecosystem. Now it’s dependent upon Apple devices and the Apple universe. But the truth is, is that they’ve come out and said if you use our products, you will have more privacy and more safety as an individual. They’re making a digital identity statement, right?

So the importance there is that for businesses is that Apple made a competitive differentiation statement based on security and privacy. Tied explicitly to a strong identity model for the consumer. That’s going to drive change way faster than any compliance or regulation demands and that’s the real message here is to business leaders, is this isn’t future speak. This is not a utopian state. This is here and it’s really important to consider how you’re going to absorb, incorporate and work in a world where digital identity and decentralised identity are a key component of the overall structure and how you service customers, how you work with your employees.

The great news is, is that business leaders, last nugget that I will leave you with, don’t be afraid, right? The changes that can come from this, everything from operational efficiency and improvements to a reduction and lost reserves. You know, there are so many different pieces to this because identity in the digital world has been broken for so long. There are so many different pieces of this that will improve embracing this change and also being a leader to drive the business process change that’s necessary.

Technology only fixed part of the problem. You have to change your processes to maximise and optimise that technology solution. Embracing that change as leaders is really going to change the world in the digital space and that would be the most important thing I think that business leaders need to hear. Help is on the way. Cool things are happening. The ability to create differentiated customer experiences, the ability to create secure customer experiences is right here and it’s being driven by decentralised identity and digital identity.

Oscar: Yeah, well-said. Thanks a lot Richard for this interview. Please let us know how people would like to find more about the Decentralized Identity Foundation and also if they would like to get in touch with you.

Richard: Yeah, absolutely. The Decentralized Identity Foundation is out there in the websphere. I definitely encourage people to go to the link. I am pulling it up right now, https://identity.foundation. It will take you right to the Digital Identity Foundation.

I mentioned some other resources if you really are eager to understand the challenges within identity, the Identity Theft Resource Center. I have certainly one, the Better Identity Coalition and certainly another and if we dimension the size and scale of the business problems that we’re facing, it can do nothing but motivate us even more to pursue knowledge that we can get from the Digital Identity Foundation or from the Decentralized Identity Foundation to hopefully make progress much quicker in fixing the digital world.

Oscar: Yes, excellent. Again thanks a lot Richard. It was a pleasure talking with you and all the best.

Richard: Oscar, thank you for having me on. I truly appreciate it.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]