November 15, 2016 By Denis Kennelly

The dawn of the third wave of the internet demands a new approach to identity management that recognizes the dramatic ways in which our use of the web has evolved and the importance of identity as both an asset and a risk.

Making Waves

During the first wave (1995–2005), identity management was basically done at the account level. People recreated profiles on each website they accessed and had little control over how that information was used. Each site typically required a different authentication process. The site owners held all the cards.

In the second wave (2005–2015), the arrival of social networks and software-as-a-service (SaaS) applications gave service providers ways to build much richer digital identities by aggregating information from multiple sources. However, this process was often clunky and opaque. Users didn’t know what information was collected about them or how it was used. Concerns about privacy violations sparked suspicion and even legislation.

Federated identity models from social networks like Google and Facebook enabled users to traverse services quickly and to control aspects of what they divulged, but many people didn’t understand the process. Technology was developed to give IT organizations the ability to manage authentication to cloud services behind the firewall, but these identities weren’t integrated with the ones people used outside the workplace.

Three New Assumptions About Identity Management

The third wave of identity management must be built upon a set of three new assumptions: hyperconnectivity, data-driven business platforms and contextually driven interactions.

1. Hyperconnectivity

All kinds of devices will be connected in a constantly changing mesh with few boundaries. Users will access the network not only from their PCs and mobile devices, but also from their automobiles, refrigerators, ATMs and home security systems. Maintaining individual logons for each entry point is impractical. Intelligence must move into the network so that authentication is simple and transparent.

2. Data-Driven Business

Data-driven business platforms provide value through the application of big data to individual needs. For example, a travel company may automatically suggest flights, hotel reservations, restaurants and airport transportation based solely on the knowledge that the user must be in Houston at 2 p.m. on Wednesday, along with that person’s known preferences. Or a retailer could suggest anniversary gifts for a spouse based on known likes and dislikes derived from activities across numerous other sites. In all cases, the individual controls what information is revealed and how it is used.

3. Contextually Driven Interactions

Contextually driven interactions simplify processes by using identity information within context. For example, the process of buying a car could be cut from hours to minutes by combining necessary information from credit, insurance and government databases into on-the-spot approval. Or health care providers could exchange patient information with each other that would help them provide safer and more effective treatments.

The Next Wave

Underlying all these applications are full user permissions in a form that is both easy to understand and quick to apply. This recognizes an important development of the third wave of the web: Personal information is now an asset. People understand that details about their identities and their actions have value, but they don’t know how to govern the use of those details.

Legislation like the General Data Protection Regulation (GDPR) in Europe and the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. came about because people didn’t have enough control over their personally identifiable information (PII). An identity management architecture that gives them that control at a fine-grained level would eliminate much of the need for further legislation. The success of the third wave will depend upon technology solutions that protect PII and anonymize users while still offering latitude for safe data sharing with the consent of all parties.

According to the Accenture report “Digital disruption: The growth multiplier,” about one-third of the U.S. economy is now digital, and other developed nations are close behind. Even greater opportunity exists in extending digital identities to the estimated 1.5 billion people worldwide who don’t currently have one. Secure, flexible identity management is essential to unlocking this potential.
