First the big question — what is identity?
In simple terms, identity is ‘being who or what a person or thing is’ — an attribute or set of attributes a person ascribes to themselves or a thing. Identity can also be understood as the fact of being who or what a person wants to be seen as.
For example, any device with a bitten apple logo can be identified as a product of Apple inc. A man is identified as a man until he puts on a marine corps uniform; then he is identified as a male marine officer. The logo on his uniform further identifies his country, the shoulder ranks go even further to identify his rank in office. A flag serves as an identity for a country… and so on.
In this digital age, the idea of identity has transitioned to include ‘Digital Identity’ — an equivalent of the real identity, designed for the modern web, to gain access to, or authorization within, systems.
From signing up to email, to setting up a social media profile, to making payments on your Netflix account, your digital identity can vouch for your claim to access any digital space.
Just like real identity, digital identity proves an entity’s history, possession, and authority. It is one thing to have an identity in all its forms, but it is another for the entity to prove ownership of that identity.
We can’t talk about identity without talking about ‘proof of identity’
Proof of identity is any document that can prove a person’s identity. It is useful for us individuals/entities, wherever and whenever, to have proof of identification — either a photo ID, birth certificate, or our digital identity in our digital wallet.
The general rule of thumb here is that government-approved proofs of identity carry more weight than their unofficial counterparts. However, in a lot of developing countries, a large number of citizens do not have a single government-approved proof of identity. This can limit or even completely block them from receiving certain basic rights and services, such as healthcare, economic opportunities, and financial inclusion.
Why do we need our identity?
It should be noted that our identity is, in some ways, more important to other entities than it is to us (the owners), as we already know who and what we are. The identity construct is necessary for other entities to see and place us accordingly.
So why do we need our identity - digital or otherwise?
The most obvious of all reasons is Identification - identifying a person by their name, country, state, and so on. Identifying a product by its logo. Basically, recognizing a person or thing as who and what they present as.
Another reason is Authentication - to prove that the identity attributed to the entity or thing is owned by them. This usually would need a physical presence like matching a photo ID with the face of the person presenting it, or authenticating a digital ID against an existing database.
And finally Authorization - to gain access to any service, be it a location, health services, travel services, web, systems, or to determine the level of access we get. Like gaining access into a building using an RFID code tied to our digital identity, viewing our results after an exam by using a unique number tied to our identity, or Role-Based Access Control (RBAC) for enterprise systems.
But with the growth of digital identity we’ve also seen the emergence of new kinds of identity issues. The need to solve these identity-related issues birthed the concept of identity security: something that can only be achieved through Identity Management.
So let’s talk identity management
In essence, identity management is the authentication and authorization of an entity to gain access to certain services and systems using an established identity.
Identity management in ancient times was as easy as someone having to vouch for another through word of mouth. This method served as the approved means of identification and authentication, while authorization was just based on status.
Now, with the rise in the use of digital technologies and the interconnectivity that the Internet of Things promises, the identity environment is becoming increasingly complex, which means identity management will have to keep up with the changes.
Some such changes include blockchain technology, digital wallets, decentralized identities, self-sovereign identities and distributed identity — all aimed at strengthening identity management and mitigating against the increasing issues with identity and access control.
Now, identification requires proof, authorization requires passwords and other predefined Access Control List (ACL), and authentication requires verifying against a stored database.
Since identity in all its forms is a key, identity management is necessary - not just to protect the key - but also to determine where the key can be used and how. Issues of privacy and identity theft have driven companies all over the world to consider the use of identity management solutions to address these concerns.
Identity management as a whole sits on a foundation of Data Management. This is the process of creating and managing a database for identities. Digital identity management, especially, is only possible with a capture process that first collects and collates these identities in a database to be queried for authorization and to be matched side by side for authentication.
It is safe to say that data capture is the cornerstone of identity management.
On the other hand, there is Identity Validation. Normally, unless an organization’s offerings are directly connected to, or necessitate, Identity and Access Management (IAM), identity validation should not come up. However, with the increasing risk of identity fraud and data breaches, identity validation has become a bigger issue than ever before.
In a world where digital identities serve as access to almost everything — an act of fraud using just a few pieces of critical information can wreak devastating havoc. Ultimately, validation is a necessary factor in identity management.
Conclusively, identity management, data management, and validation are all trends that are sure to stay as long as people still care about security, either in terms of identity or data. When the care stops, the chaos begins.