• United States




The costs, the privacy and the security of IAM and personal data sharing

Jun 19, 20185 mins
Data and Information SecurityIdentity Management SolutionsPrivacy

Resolving the issues of data storage and security when implementing life management platforms,

The concept of some component (usually software) that manages your personal data is not new. The idea is often associated with Doc Searls, who developed ProjectVRM, which advocates that customers take control of their data in the form of “Vendor Relationship Management” tools.

In my dealings in the consumer IAM space, I’ve become increasingly aware that digital identity and its applications, needs to be opened up – to do “jobs.” That is, the identity that says, I am who I say I am is more of a conduit to transfer data between me and some entity I want something from, than a statement of my digital self. Our digital lives are now so much more than using login credentials; equating Facebook with a digital identity now seems naive. Instead, services that allow us to perform dynamic identity-based transactions are setting the stage for a new era in personal data.

Doc Searls has been pushing this concept for many years, but I believe that the time is now because of improvements in technologies such as storage and security.

Data doing jobs

The platforms that provide the mechanisms for data management and transactions are often called Life Management Platforms or sometimes Personal Data Stores – personally, I prefer Personal Data Transaction Tools (PDTT). These tools have the ability to build services that can create lasting relationships between the customer (identity data owner) and any service that taps into the platform. Transactions that are traditionally done offline, and that consequently take time to enact, can be done online. Some examples of the use of such platforms include:

  • Online processes, such as applications for passports, driver’s licenses, etc. A customer could use their verified identity and use the data associated with that identity to go through an online application process. The process would allow the user to share relevant data, photos, and so on to complete the process.
  • Relationship building and product offerings. The tools can create a two-way traffic between the customer and services. Companies can offer products to users in exchange for information. For example, a banking product could be made available to a customer if they can show they earn over $$ amount per year.
  • Attribute enrichment can be handled using these platforms, building up user profiles, over time, improving their status and ability to perform online transactions that require higher levels of proof.

The issues and the resolutions

The hosting and management of these platforms is one area that needs to have thought and discussion applied. There is a massive amount of potential in utilizing these systems, but how they are used effectively and optimally requires the resolution of certain issues, namely:

The costs

These platforms/services are for mass-adoption by consumers. And, big platforms need big storage. Although there is not a prerequisite to actually store data, you could call the data during a transfer, or use a blockchain registration – generally, there has to be a facility to do so. For example, such a platform may store basic attributes, like name, address, etc. But an advanced version, that handles more complex services, is likely to need to store images of passport photos, degree certificates, and so on. This creates a cost hurdle. Advances in storage solutions are lowering this hurdle but you have to balance this with availability and reliability of the storage choice. And, there are a lot of choices in storage now; storage options from Amazon and Azure, for example, can be daunting, so careful attention to design details is needed. The crucial thing to set out before even looking at which storage option to pick, is to understand what types of data you will be storing and what options there are in reducing the overhead of these data – can you call some data on-the-fly as needed?  Without understanding your data needs you cannot do a return on investment analysis.

Privacy and GDPR

Collecting, storing, and sharing personal data, means lots of compliance headaches. Folks are still reeling from the impact of GDPR and now we hear murmurings from other places, such as California which is looking to bring the “California Consumer Privacy Act of 2018” into force later this year. A platform or app which is specifically designed to share personal data has to tick the privacy boxes in a most emphatic way. This means that such tools have to bake privacy right in from the design stage through to execution. The GDPR has the concept of “Privacy by Design and Default” as an underlying ethos. Building this ideology around personal data transactions is helped by ensuring you have incorporated consent models. The Kantara Initiative has been working on “Consent Receipts” for use in such scenarios. Also, look at methods that allow you to minimally disclose data when sharing with services.

The security

Ultimately, any service that manages a person’s personal data is like a golden carrot to a cybercriminal, so you need to apply robust security. Building on the work to determine what type of data you need to collect/store will help in minimizing data storage needs. This, in turn, reduces the security overhead in data storage security and encryption.  Other considerations include API security, open source security, and credential options which are vital to harden. However, getting the balance between effective authentication and usability across a wide-demographic is not easy.

The next evolution of Identity and Access Management (IAM) is data sharing. This move will breathe new life into our personal data and make it work for its living, doing jobs for us online, and building relationships with services. We must cross a number of hurdles in terms of return on investment, security, and privacy to prepare for this new world order. We also need to build new business models that can make these personal data transaction platforms central to a larger network of services. If we get this right, we will open up a multitude of services that can benefit from the streamlining and efficiency that sharing personal data online offers.


Formerly a scientist working in the field of chemistry, Susan Morrow moved into the tech sector, co-founding an information security company in the early 1990s. She have worked in the field of cybersecurity and digital identity since then and helped to create award winning security solutions used by enterprises across the world.

Susan currently works on large scale, citizen and consumer identity systems. Her focus is on balancing usability with security. She has helped to build identity solutions that are cutting edge and expanding the boundaries of how identity ecosystems are designed. She has worked on a number of government based projects in the EU and UK. She is also interested in the human side of cybersecurity and how our own behavior influences the cybercriminal.

The opinions expressed in this blog are those of Susan Morrow and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author