These were the words of Kim Cameron, architect of identity at Microsoft and opening keynote speaker at ISSE Conference 2016 in Paris today.
Cameron discussed how, if you look back at the state of identity technology on the internet over the years, you would be well-advised to be concerned.
“Basically the identity infrastructure of the internet is a ‘hodge-podge’ of ad-hoc responses to the need to have relationships,” he argued, “built by people who didn’t understand the threats, didn’t analyze them properly, and didn’t understand either the security or privacy implications of what they were doing – so we saw they were operating outside of any formal governance situation and it’s just basically a mess that we have inherited.”
On the other hand, he continued, the positive thing that has happened in more recent times is that the CEO has begun to understand the cost of this – both in terms of the reputation of their organization and the financial liabilities – and regulation has been introduced.
“It’s clear we had an unsupervised playground that needed to be regulated and professionalized,” Cameron said.
The other key element here is that we are now in the cloud era, and it is possible to harness the power of the cloud to solve cloud-era problems and the problems of amateurism in the identity infrastructure.
The withering away of the enterprise boundary in the cloud period, Cameron added, also means that identity technology must evolve.
“In the closed-off world of independent silo enterprises [of the past], the applications being run only had to deal with their own identity provider, which they could trust. It was a simple situation. As the world becomes interconnected and the model becomes one of enterprises interacting with each other, the ‘app to domain’ federation model has to be replaced by an ‘app to world’ federation model.”
Organizations need a way for their applications to navigate a whole series of information sources about identity: the identity of their partners, customers and employees, and those are not necessarily within their domain boundary.
“That’s a complicated thing to manage, it’s a complicated thing to set up, even managing the legal relationships in that is very difficult. So you really require a different kind of technology that operates on behalf of the enterprise and manages its relationships with its customers and partners in a professionalized way.”
To conclude, Cameron said: “If all enterprises were to clean up their game and manage their relationships with their own customers in a more professionalized way, that would be an immense change in the quality of the internet.”