How the Facebook privacy debacle is connected to the movement of IAM to containers

Trust by Design can help us to build better and safer IAM platforms where the privacy of personal data is respected.


Personal data privacy and Facebook have never been comfortable bedfellows. This latest Facebook privacy debacle, where the data of 50 million users was shared without consent with political marketing consultancy Cambridge Analytica, may be the final straw. Consent, that seemingly little thing that most people don’t really think too much about, is raising its head above the virtual parapet and making people sit up and take notice. But why is capturing consent such a big deal anyway? I mean, if you don’t have anything to hide, why does it matter who uses your personal data?

Why consent is a big deal

Consent is part of a wider act that human beings rely on to keep our daily lives and relationships ticking along: trust. Trust is something that identity systems, in particular, need to include in their design remit. You may well have heard of Privacy by Design and Security by Design, but we now need to consider including Trust by Design (TbD). Using a TbD ethos will be highly beneficial to an organization that embraces the tenets of trust. When your design remit includes trust, you design to add in respect, and relationships that are respectful are much more likely to build (brand) loyalty.

Consent is an integral part of building a relationship based on trust. When you design a system that has consent at the heart of data sharing, you are signaling to the user “I respect you and your personal data enough to ask your permission to use it.”

This sentiment is also at the heart of the GDPR which states from the outset that:

“The processing of personal data should be designed to serve mankind.” (Recital 4, GDPR)

This is a grand statement, but one that should be echoed in our choices of how we deliver modern IAM.

CIAM is not a monolith – containers, privacy and mass adopted identity systems

The practical implication of building a system based on trust is that you need to look at the architecture of the solution. IAM and solution architects are at a juncture. We need to focus on building effective and robust environments that service and secure mass adopted digital identities of customers and employees alike. But this new world order of Identity Access Management and Customer IAM (CIAM) relies heavily on personal data, and on the subset of Personally Identifiable Information (PII), to perform tasks including targeted marketing. Large-scale CIAM systems are complex. They require a massive amount of upfront work to choose the right environment that can handle a complex mix of variables:

  • Mass scalability
  • Improved performance, especially in systems where loads are difficult to predict
  • Efficient resource utilization
  • Wide-demographic challenges
  • Authentication challenges
  • DevSecOps friendly
  • Security across all of the layers of the platform
  • Privacy enhancement and minimal disclosure/data capture

To name but a few...

Container technology is one of the fastest emerging technologies that could hold the key to better performance and scalable identity systems, as well as being DevOps friendly.

However, container technology uptake has been slower than hoped with only 25% of organizations implementing containers in 2017. Gartner placed container security as one of the top ten technologies in 2017, indicating that security of data may be the hurdle to container adoption.

This security concern may be holding back an important leap forward in application deployment. In large-scale systems like social platforms and CIAM, containers are a very attractive way of handling mass scalability, performance, and responsiveness, but without security they fall short of the mark. Containers, for example, can persist vulnerabilities in images as they are deployed.

Another area that needs close attention is the secure use of credentials when provisioning containers. Facebook has its own blend of container, known as ‘Tupperware’; however, the most popular container technology is Docker.
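As an illustration of the credentials concern above, here is a small pre-build check that flags credentials a Dockerfile would bake into image layers or build history. It is an added example, not code from the article or from Docker; the sample Dockerfile, the name patterns and the function names are constructed assumptions, and it only inspects the `NAME=value` form of `ENV`/`ARG`.

```python
import re

# Constructed sample Dockerfile for an identity service; not from the article.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
ARG LDAP_BIND_PASSWORD=changeme
ENV OIDC_CLIENT_SECRET=s3cr3t-value \\
    LOG_LEVEL=info
COPY id_rsa /root/.ssh/id_rsa
COPY app/ /srv/app/
RUN --mount=type=secret,id=pip_token pip install -r /srv/app/requirements.txt
ENV DB_PASSWORD_FILE=/run/secrets/db_password
"""

# Assumed heuristics: variable names and file names that usually hold credentials.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)
KEY_FILE = re.compile(r"(^|/)(id_(rsa|dsa|ecdsa|ed25519)|[^/\s]+\.(pem|key|p12|pfx))$", re.I)

def logical_lines(text):
    """Join backslash-continued lines, yielding (first_line_number, instruction)."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf and not buf.startswith("#"):
            yield start, buf
        buf = ""

def find_baked_credentials(text):
    """Return (line, instruction, name) for credentials that end up in the image."""
    findings = []
    for n, instr in logical_lines(text):
        op, _, rest = instr.partition(" ")
        op = op.upper()
        if op in ("ENV", "ARG"):
            for name, _value in re.findall(r"([A-Za-z_][A-Za-z0-9_]*)=(\S+)", rest):
                # *_FILE variables point at a runtime-mounted secret, not the secret itself
                if SECRET_NAME.search(name) and not name.upper().endswith("_FILE"):
                    findings.append((n, op, name))
        elif op in ("COPY", "ADD"):
            sources = [t for t in rest.split() if not t.startswith("--")][:-1]
            findings += [(n, op, s) for s in sources if KEY_FILE.search(s)]
    return findings
```

The `RUN --mount=type=secret` line and the `*_FILE` variable pass the check because the secret is supplied at build or run time instead of being stored in a layer.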

Treating systems like social media and identity platforms as monoliths constrains their capability. Container technology, like Docker and Tupperware, within a micro-services architecture, offers the type of responsiveness that CIAM platforms need. But in the light of raised awareness of data privacy, created by the Facebook/Cambridge Analytica revelations and the earlier Snowden/NSA case, we have to build container-based architectures that fold security and privacy into the solution architecture as a whole. Getting your head around containers, and then how to secure container-based data, is something IAM architects will need to figure out.

Some useful guidance on container best practices has been developed by NIST in the “Application Container Security Guide”. There is also a rich suite of content on the architecture of a Docker container based system at the Aqua wiki Docker section.

And then there was the General Data Protection Regulation (GDPR)

Getting the solution architecture correct for a mass adopted system such as a Customer IAM platform will also give you GDPR kudos. The GDPR places consent as the pivot upon which data subject rights turn. If you can start off by designing trust into your architecture, it will naturally enable user journeys based on consent. By creating a solution architecture where trust is your basis, you will tick many GDPR compliance boxes and help to enable adherence to many more.
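To make "consent at the heart of data sharing" concrete, the sketch below releases profile attributes to a third party only when a live consent covers that recipient and purpose, and refuses everything else by default. It is an added example, not code from the article or from any CIAM product; the `Consent` record, the `release` function and the sample data are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Consent:
    """One grant: the data subject lets `recipient` use `attributes` for `purpose`."""
    subject: str
    recipient: str
    purpose: str
    attributes: frozenset
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

def release(profile, consents, subject, recipient, purpose, requested, now=None):
    """Return (released, refused); only attributes under a live, matching consent leave."""
    now = now or datetime.now(timezone.utc)
    allowed = set()
    for c in consents:
        live = c.granted_at <= now and (c.withdrawn_at is None or now < c.withdrawn_at)
        if live and (c.subject, c.recipient, c.purpose) == (subject, recipient, purpose):
            allowed |= c.attributes
    # Minimal disclosure: the intersection of what was asked for and what was agreed to.
    released = {a: profile[a] for a in requested if a in allowed and a in profile}
    refused = sorted(a for a in requested if a not in released)
    return released, refused

# Constructed sample data (hypothetical subject, recipients and purposes).
T0 = datetime(2018, 3, 1, tzinfo=timezone.utc)
PROFILE = {"email": "alice@example.org", "birthdate": "1990-01-01",
           "friends": ["bob", "carol"]}
CONSENTS = [
    Consent("alice", "quiz-app", "login", frozenset({"email"}), T0),
    Consent("alice", "quiz-app", "research", frozenset({"birthdate"}), T0,
            withdrawn_at=datetime(2018, 3, 10, tzinfo=timezone.utc)),
]
```

Recording the refused attributes alongside the released ones gives an audit trail of requests that went beyond what the user agreed to.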

Modern IAM and CIAM platforms need to be highly responsive and scalable. Containers are a solution to this. But containers need to be part of an overall ethos of trust, that filters through from design to architecture to implementation. Facebook may have dropped the baton of privacy, but we can all learn from this and create identity platforms that are trustworthy and build relationships, not destroy them.

Copyright © 2018 IDG Communications, Inc.
