In the final part of this Q&A series with CA Technologies director of security solutions in EMEA Paul Ferron, I talk with him about balancing privacy rights with providing a positive customer experience. Paul also answers my question on how social logins could be used in various industries – even in finance – and why executives are paying attention to data breaches more than ever before.
Paul spoke last week at a digital identities press event in Milan, where he shared his insights into identity and access management in the application economy. I caught up with him beforehand for a chat about security. Here’s the final part of the interview.
How can identity providers help businesses meet the customers’ needs for simplicity, security and a positive experience?
When I’m buying something online such as on Amazon, I need to create an Amazon identity. When it’s time for me to pay, I’m going to be linked back to a credit card company or my bank, which needs to be linked back to Amazon to tell them I paid so they can ship the goods.
Imagine the bank is an identity provider. Rather than creating a new identity on Amazon, what if I used my bank identity on Amazon? First of all I don’t need to create another profile.
Secondly, because the bank is an identity provider that is trusted by most people, for Amazon there’s also a benefit of trust. In order to get a bank account, I need to provide identity at least once.
My credit worthiness can be communicated in a privacy observant way towards Amazon. If I then put something into my cart, I can say, “Ship it.” At the back end, because there’s the trust between Amazon and my bank, they can handle the payment channel offline.
That’s an example of where identity providers can provide services that make it easier for people to do business so they can generate more business.
Is BYOID appropriate for all industries? How would social logins be used in finance or healthcare where there are regulations that strictly govern how information is accessed and used?
In reality there are already companies that are looking into whether they can leverage social media logins and some are in banking. The end result, it’s all about trust. Depending on the risk of what you want to do, there’s a trust level. With that trust level there’s an identity provider that goes with that trust level.
You don’t always carry your passport with you. Your driver’s license is sufficient for proving your age if you’re buying alcohol. The risk of buying alcohol and the need to prove you’re over 21 in most US states doesn’t warrant the high-level trust identity of carrying your passport. If I go to a bank and I want to apply for a loan, they will probably want a little more trusted identity like a government-issued identity such as a passport.
In the digital world there will be many different providers that will service a different need. For example, social media can be used in a banking situation where the risk isn’t as big. If the risk is increased, then you can ask for another identity provider to validate your identity again.
There will be several different identity providers, and each will have their own value and marketplace they will address. What will happen, I think, is that the interoperability of those identities across marketplaces will become very efficient, so that for me as a user I can start with a social media identity and go up to a digital identity from the government.
With data breaches routinely in the headlines, how can businesses gain the trust from customers to be able to use digital identities to their full benefit?
Data breaches are very often in the headlines in the last few months. There are two aspects.
That’s why the digital identity and the app economy create an opportunity to do things from the start. It will allow us to do things that today are very hard to do. We started years ago when the types of breaches we see today weren’t an issue. Adding security on top is never as good as from the start as a secure service. The transition to the app economy is an opportunity for us as an industry to do it right.
Because of breaches, companies are starting to pay attention – it’s no longer just being discussed by security people in the data center – it’s on the board’s table and they realize that it’s something they need to do better. There’s a momentum that goes towards more secure services.
But human nature being human nature, there’s still a ways to go and there will still be things that go wrong. But what I see is that consumers are becoming more privacy conscious.
There’s a misconception that young people don’t care about privacy online. Young people care about privacy; they just have a very different perception of what privacy is. Privacy and the security will become a critical deciding factor as to whether customers want to go for your services or not.
How can governments balance the economic potential of digital identities with the need to create powerful safeguards to keep information private?
The best thing governments can do is provide guidelines around privacy. There are initiatives in Europe and startups in America where companies are taking a privacy-led approach. They’re designing systems that are inherently private. If governments are supporting those companies and are putting regulation in place that forces companies to start dealing with this in a privacy conscious way, that makes a lot of sense.