As we go forward into secure, compliant, digital identity-driven ecosystems, we need to understand how to get their security right.

Back in 2009, I gave a talk about cloud identity. It went down less like a fluffy cloud and more like a lead balloon. It was too early – way too early. But as we reach peak cloud adoption, with rates of uptake reaching 93 percent, the sky’s the limit for digital identity.

Cloud computing has given digital identity, particularly IAM for citizens and consumers, a real boost. Without cloud storage and cloud elasticity, for example, we would be hard-pressed to accommodate the identity of a mass-demographic audience. When I talk here about digital identity, what I am actually talking about is the data that makes up that identity, which is often termed Personally Identifiable Information (PII) or personal data.

The clouds in a data sky

I referred to data in a previous post as being a “smart superstructure” in its own right. I stand by this. Data is, in fact, an overarching infrastructure that ties all other infrastructures together. As digital identity becomes more intrinsic to the operational matrix of Internet of Things devices and smart city components, we will experience this “data sky” in its true form – as the glue that holds our world together.

As we look up into this data sky (bear with my analogies) we will see clouds. These clouds represent the storage areas of our PII. This is where things do start to get “cloudy.” If the world were a simple place, we could just store these data anywhere. But it isn’t, and regulations such as the U.S.-EU Privacy Shield, the Gramm-Leach-Bliley Act, and GDPR set out rules that mean we have to think hard about things like jurisdiction-based storage, secure access, consent to process, and all that stuff.

Citizen data and cloud services: a complex triangle

A number of governments are exploring or implementing citizen identity services.
They are doing so as our compliance requirements and frameworks become stricter and often onerous, including threats of massive fines and data breach notification requirements that “name and shame” organizations. It is understandable that this level of control has arisen: in 2017, over ten and a half million data records were lost or stolen every day. This leaves organizations that need to transform how they manage PII and other data in order to create identity ecosystems in a bad place. We need to do it to serve customers and clients, but we are hampered by security threats and compliance requirements.

With the ethos of a data superstructure in mind, I give you three criteria that are fundamental to the creation of secure, compliant, digital identity-driven ecosystems: understand data, store it well and control its access.

Understand – The overarching structure of data: We need to accept and understand that data is an infrastructure in its own right and apply design criteria to the handling of PII and other data. This applies across global ecosystems.

Store well – Secure storage within jurisdictional rules: This has the added complexity of ensuring the right security policies are in place to store data under the restrictions of regulatory compliance. Cloud services like AWS GovCloud have been built to accommodate regulations for Government-related data storage. They offer a way to isolate PII, but they have been at odds with other ecosystem needs such as disaster recovery. There has to be a balance between jurisdiction-restricted storage and security and disaster recovery. Extensions to the service mean that you can “have your cake and eat it” by using separate permitted “regions” for storage, which can serve as backups for disaster recovery.

Control access – Access control of PII: We have learned this lesson the hard way. 2017 saw some of the worst access control-based breaches.
Uber, for example, had login credentials for its AWS storage service compromised, with 57 million personal data accounts exposed. This is not acceptable when robust authentication options such as multi-factor authentication and risk-based access control are available. “Credential stuffing” practices are now also reaching the spotlight, and regulators are clamping down. Indirect credential exposure is no protection from the law. If company A has its access control measures breached, and company B subsequently also suffers a data exposure, then company B will be as liable as company A – so says the FTC in its ruling on the TaxSlayer LLC breach.

There is much talk of digital transformation at the moment. These are exciting times for organizations because we are being given a valuable commodity to play with – data. But we cannot and should not go forward into an identity-driven ecosystem without understanding how to get the triangle of needs right. Compliant and secure data-based systems start by accepting the fundamental nature of data as the oil of the identity engine. How we store that oil and conserve it will give us the basis to create truly empowering identity systems where data is respected, protected, and can be put to good use.
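The “store well” criterion above, jurisdiction-restricted storage that still has a disaster-recovery copy in a separate permitted region, can be checked mechanically before a data set is deployed. The following is an added illustration, not code from the article or from AWS; the allowed-region table and the placement plans are constructed sample values, and a real table would come from legal and compliance review.

```python
"""Check a PII data-placement plan against jurisdiction rules and a
disaster-recovery requirement (added example; sample values constructed)."""
from dataclasses import dataclass, field

# Constructed sample table: which storage regions each jurisdiction permits
# for PII at rest. The region names are real AWS names used as examples only.
ALLOWED_REGIONS = {
    "EU": {"eu-west-1", "eu-central-1"},
    "US-GOV": {"us-gov-west-1", "us-gov-east-1"},
}


@dataclass
class Placement:
    dataset: str          # label for the PII data set
    jurisdiction: str     # rule set the data falls under
    primary: str          # region holding the live copy
    backups: list[str] = field(default_factory=list)  # DR replica regions


def check_placement(p: Placement) -> list[str]:
    """Return a list of violations; an empty list means the plan is compliant."""
    problems = []
    allowed = ALLOWED_REGIONS.get(p.jurisdiction)
    if allowed is None:
        return [f"{p.dataset}: unknown jurisdiction {p.jurisdiction!r}"]
    if p.primary not in allowed:
        problems.append(f"{p.dataset}: primary region {p.primary} not permitted for {p.jurisdiction}")
    for r in p.backups:
        if r not in allowed:
            problems.append(f"{p.dataset}: backup region {r} not permitted for {p.jurisdiction}")
    # Disaster recovery needs at least one copy in a *different* permitted region;
    # a backup in the primary region does not survive a regional outage.
    if not any(r in allowed and r != p.primary for r in p.backups):
        problems.append(f"{p.dataset}: no permitted backup region distinct from primary")
    return problems


if __name__ == "__main__":
    plans = [
        Placement("eu-citizens", "EU", "eu-west-1", ["eu-central-1"]),        # compliant
        Placement("eu-citizens-old", "EU", "eu-west-1", ["eu-west-1"]),       # backup in same region
        Placement("us-benefits", "US-GOV", "us-gov-west-1", ["us-east-1"]),   # backup leaves GovCloud
    ]
    for plan in plans:
        for line in check_placement(plan) or [f"{plan.dataset}: OK"]:
            print(line)
```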