The Enterprise Conversation We’re Afraid to Have

 [originally published in Enterprise Conversation, a UBM/DeusM publication ]

If we’re being honest, the sweeping change that is supposedly transforming our workplace, our lives, and our society through the dissemination of smaller, more mobile, more connected devices has hit a stone wall.  We can kid ourselves into believing there’s still a huge wave of forward momentum, mainly because big waves are what marketing campaigns are based upon.  But until we face our greatest fear and, more specifically, stop attaching euphemisms to it like characters in “Harry Potter” and call it by its name, the development of secure, mobile computing will stagnate and die.

The problem is identity.  While more than 9 of 10 executives say they’re afraid of how cloud architectures will impact security, according to a poll our Hailey McKeefry cited last week, the truth is that we are reluctant to cross that line and enter the era where we trust our online identity to any outside institution.  I’ve been told that online identity is a social issue, not a business issue.  This is the crux of our denial: that who we are in public and how we work in business are not just separate issues but separate identities.

There are many businesses that have solved the problem of employees being able to validate that they are who they say they are, within the domain of those businesses.  Meanwhile, most every analysis of the problem of identity theft is treated as a social, rather than a business, issue.  But the identity system that validates the users of Android phones is the same system that powers Hangouts through Google+.  Facebook and Microsoft would both seek to enter the ubiquitous identity business based on the strength of passwords alone.  And corporations are taking action against their employees for what they tweet “in public,” as if there were such a thing as “tweeting in private” — all while Twitter’s lack of strong security is being blamed on China.  The identity dichotomy we think we’re facing is really a duplicity, an exercise in fooling ourselves.

The technology already exists for the validation of personal identity, both in one’s private and professional lives:

  • Ultimately, the identity of individuals will need to be secured through devices that are independent of employers and governments, that are kept on our persons.  When stolen (inevitably) they will be rendered useless.  Such devices will probably need to be tracked using GPS.
  • The authenticity of the bearer of these devices will need to be supplemented by a system stronger than a password, probably biometric.
  • Both of these factors will still need to be supplemented by an independent digital certificate.  The authenticity of this certificate will need to be vouched for by more than one authority simultaneously.
  • The privileges that a business gives an employee to access confidential resources should be dispensed in the form of grants, which are associated with all of the above factors independently.  These grants, rather than any combination of the above factors, should be what identifies the user of a business network.  Consider the power of an authentication system that only grants access based on a pre-existing record of explicit transactions which collectively serve to vouch for the user’s authority.  Consider how extremely difficult it would be for anyone to forge such a grant.
  • Grants should be revocable by a business without damaging the integrity of the user’s identity.  We have yet to face a wellspring of problems with Office 2013 users unable to read the documents they created at work because their Microsoft Accounts were secured with their revoked, at-work e-mail addresses.  But just wait for it.
  • The privileges a user grants to any outside agent — a financial institution, a government agency, an advertising network, a social network, an e-mail contact — to access any of the user’s personal resources, including mobile devices and browsers, should be dispensed in the same form of grants.  This way, the user is never faced with a situation where she failed to see the “opt-out” warning.  If I want an outside firm to render content on my system, it will be because I said yes.
  • Users who are people and users who are not people should be separate.  If you think this sounds like a superfluous suggestion, consider all the Web apps that may or may not be running on your device right now which have already authenticated themselves as you.
This is the crux of our denial: that who we are in public and how we work in business are not just separate issues but separate identities.

The slate of services which collectively serve to authenticate users and grant access privileges, is the user’s portfolio.  All of the technology that can make this possible today, already exists — none of these ideas are new.  We tell ourselves we’re afraid of creating a “national ID card,” or some similar thing, that we may lose what remains of our privacy.  And yet what we claim to hold precious is leaking from our grasp like a sieve, because the stopgap measures upon which we rely today are just too convenient.

All of the “But What If?” questions that arise from this issue, deserve to be asked.  None of them are beyond being answered.