The dawn of the third wave of the internet demands a new approach to identity management that recognizes the dramatic ways in which our use of the web has evolved and the importance of identity as both an asset and a risk.

Making Waves

During the first wave (1995–2005), identity management was basically done at the account level. People recreated profiles on each website they accessed and had little control over how that information was used. Each site typically required a different authentication process. The site owners held all the cards.

In the second wave (2005–2015), the arrival of social networks and software-as-a-service (SaaS) applications gave service providers ways to build much richer digital identities by aggregating information from multiple sources. However, this process was often clunky and opaque. Users didn’t know what information was collected about them or how it was used. Concerns about privacy violations sparked suspicion and even legislation.

Federated identity models from social networks like Google and Facebook enabled users to traverse services quickly and to control aspects of what they divulged, but many people didn’t understand the process. Technology was developed to give IT organizations the ability to manage authentication to cloud services behind the firewall, but these identities weren’t integrated with the ones people used outside the workplace.

Three New Assumptions About Identity Management

The third wave of identity management must be built upon a set of three new assumptions: hyperconnectivity, data-driven business platforms and contextually driven interactions.

1. Hyperconnectivity

All kinds of devices will be connected in a constantly changing mesh with few boundaries. Users will access the network not only from their PCs and mobile devices, but also from their automobiles, refrigerators, ATMs and home security systems. Maintaining individual logons for each entry point is impractical. Intelligence must move into the network so that authentication is simple and transparent.

2. Data-Driven Business

Data-driven business platforms provide value through the application of big data to individual needs. For example, a travel company may automatically suggest flights, hotel reservations, restaurants and airport transportation based solely on the knowledge that the user must be in Houston at 2 p.m. on Wednesday, along with that person’s known preferences. Or a retailer could suggest anniversary gifts for a spouse based on known likes and dislikes derived from activities across numerous other sites. In all cases, the individual controls what information is revealed and how it is used.

3. Contextually Driven Interactions

Contextually driven interactions simplify processes by using identity information within context. For example, the process of buying a car could be cut from hours to minutes by combining necessary information from credit, insurance and government databases into on-the-spot approval. Or health care providers could exchange patient information with each other that would help them provide safer and more effective treatments.

The Next Wave

Underlying all these applications are full user permissions in a form that is both easy to understand and quick to apply. This recognizes an important development of the third wave of the web: Personal information is now an asset. People understand that details about their identities and their actions have value, but they don’t know how to govern their use.

Legislation like the General Data Protection Regulation (GDPR) in Europe and the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. came about because people didn’t have enough control over their personally identifiable information (PII). An identity management architecture that gives them that control at a fine-grained level would eliminate much of the need for further legislation. The success of the third wave will depend upon technology solutions that protect PII and anonymize users while still offering latitude for safe data sharing with the consent of all parties.

According to the Accenture report “Digital disruption: The growth multiplier,” about one-third of the U.S. economy is now digital, and other developed nations are close behind. Even greater opportunity exists in extending digital identities to the estimated 1.5 billion people worldwide who don’t currently have one. Secure, flexible identity management is essential to unlocking this potential.
