Use a decentralized identity framework to reduce enterprise risk
To reduce the risk of identity theft for customers, partners and employees, companies should look at integrating a decentralized identity framework into existing infrastructure.
The Federal Trade Commission reported that identity theft reached an all-time high in 2020, surpassing 1.4 million reported cases in the United States -- roughly twice as many as were reported in 2019. Even more worrisome, more data was stolen in January 2021 than in all of 2017, with personally identifiable information constituting 75.9% of the data stolen.
While some enterprise IT leaders see identity theft as a consumer problem, it is also a workplace problem: businesses hold PII on customers, employees and partners, and a breach of that data is what gives criminals the raw material to steal those people's identities.
To mitigate identity theft risk, many organizations are considering using a decentralized identity framework. Let's look at this new identity and access management trend and why enterprises should consider integrating it within their IAM program.
What is decentralized identity?
In short, a decentralized identity framework lets individuals hold and manage their own identifiers and credentials, whichever organization issued them, instead of having that information live in each organization's directory.
The goal of decentralized identity is to remove the need for organizations to collect and store personal data in the first place. For example, federal agencies, organizations and businesses regularly collect PII. If companies and their associated databases get hacked, customer and employee PII falls into criminal hands. In turn, criminals use this data to steal identities -- and there's relatively little individuals can do about it beyond notifying the FTC, credit reporting agencies and associated insurance companies.
With a decentralized identity framework, individuals keep their credentials in their own wallet and decide when, to whom and which parts of that data are disclosed. An organization that needs to check a fact about a person does not copy or store the person's PII; it verifies the issuer's signature on the credential the person presents and keeps only the outcome of the check. This shrinks what a breach at any one organization exposes and, because the organization never holds the data, removes its ability to monetize it.
How does decentralized identity work?
Several technologies can underpin a decentralized identity framework. A blockchain or other distributed ledger is a common choice for the verifiable data registry, the shared directory where identifiers and their current public keys are published so that anyone can check an issuer's signature. The ledger holds keys and identifiers only; the PII stays in the holder's wallet. That split matters: ledger entries cannot be deleted, so putting PII on-chain would make data minimization and erasure impossible. With the data in their own hands, individuals can grant, limit and revoke access to whomever they choose.
Every claim a holder presents must be verifiable. The institution that originally issued the data, whether a government agency, bank, insurer, healthcare provider or employer, signs the credential with a private key whose public counterpart is bound to its identifier in the registry. A relying party resolves that public key, verifies the signature and checks that the credential has not expired or been revoked. It can do this without contacting the issuer at presentation time and without storing the underlying data. The issuers and their published keys are the "decentralized" part of the system; control over what gets disclosed rests with each individual.
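The issuer, holder and verifier roles described above, and the point made later in the article that the business retains only the result of a check rather than the PII, can be shown end to end in a small program. The following is an added example written for this article; it is not code from the original page or from any decentralized identity framework. It assumes Ed25519 signatures, an in-memory map standing in for the verifiable data registry, a placeholder `did:example:` prefix (not a registered DID method), and a deliberately simple selective-disclosure scheme in which each claim is signed separately so the holder can present a subset. Production systems use purpose-built schemes (for example BBS+ signatures or SD-JWT) for that last part, but the flow of signatures and checks is the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// Claim is one signed attribute; signing each separately lets the holder disclose a subset.
type Claim struct {
	Issuer  string `json:"issuer"`
	Subject string `json:"subject"`
	Name    string `json:"name"`
	Value   string `json:"value"`
	Expires int64  `json:"expires"` // Unix seconds
}

// Credential is a wallet entry: claims plus one signature per claim name.
type Credential struct {
	Claims     []Claim
	Signatures map[string]string // claim name -> base64 Ed25519 signature
}

// Registry models the verifiable data registry (ledger or other directory): public keys only, never PII.
type Registry map[string]ed25519.PublicKey

func signingBytes(c Claim) []byte {
	b, _ := json.Marshal(c) // deterministic (fields marshal in declaration order); cannot fail for strings and ints
	return b
}

// Issue runs at the issuer (e.g. a motor vehicle agency) and signs every claim.
func Issue(priv ed25519.PrivateKey, issuer, subject string, attrs map[string]string, ttl time.Duration) Credential {
	cred := Credential{Signatures: map[string]string{}}
	exp := time.Now().Add(ttl).Unix()
	for name, value := range attrs {
		c := Claim{Issuer: issuer, Subject: subject, Name: name, Value: value, Expires: exp}
		cred.Claims = append(cred.Claims, c)
		cred.Signatures[name] = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signingBytes(c)))
	}
	return cred
}

// Present runs in the holder's wallet and copies out only the named claims.
func Present(cred Credential, names ...string) Credential {
	out := Credential{Signatures: map[string]string{}}
	for _, c := range cred.Claims {
		for _, n := range names {
			if c.Name == n {
				out.Claims = append(out.Claims, c)
				out.Signatures[n] = cred.Signatures[n]
			}
		}
	}
	return out
}

// Verify runs at the relying party with no live call to the issuer and stores nothing.
func Verify(reg Registry, p Credential, now time.Time) (map[string]string, error) {
	verified := map[string]string{}
	for _, c := range p.Claims {
		pub, ok := reg[c.Issuer]
		if !ok {
			return nil, fmt.Errorf("unknown issuer %q", c.Issuer)
		}
		if now.Unix() > c.Expires {
			return nil, fmt.Errorf("claim %q expired", c.Name)
		}
		sig, err := base64.StdEncoding.DecodeString(p.Signatures[c.Name])
		if err != nil || !ed25519.Verify(pub, signingBytes(c), sig) {
			return nil, fmt.Errorf("bad signature on claim %q", c.Name)
		}
		verified[c.Name] = c.Value
	}
	return verified, nil
}

// Demo runs the three roles on constructed data and returns exactly what the relying party saw.
func Demo() (map[string]string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg := Registry{"did:example:dmv": pub} // "did:example:" is a placeholder, not a registered DID method
	cred := Issue(priv, "did:example:dmv", "did:example:alice", map[string]string{
		"full_name": "Alice Example", "date_of_birth": "1990-01-01", "over_21": "true",
	}, 24*time.Hour)
	// An age-gated service needs only over_21; name and birth date never leave the wallet.
	return Verify(reg, Present(cred, "over_21"), time.Now())
}

func main() {
	claims, err := Demo()
	fmt.Println(claims, err) // map[over_21:true] <nil>
}
```

The relying party ends up with a single verified claim and nothing else to store, and a holder who edits a claim value, presents an expired claim, or names an issuer the registry does not know is rejected. Revocation is left out here; a real verifier would also consult the issuer's revocation list or status registry before accepting.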
Why should businesses care about decentralized identity?
Many businesses collect PII of their customers, business partners and employees. Commonly collected PII includes:
- full name
- address
- Social Security number
- phone number(s)
- business and personal email address(es)
- education history
- financial data
- medical insurance information
- biometrics
Business leaders increasingly recognize the liability the company carries if that data is breached. A decentralized identity framework reduces the exposure because the business no longer has to collect and store the PII: the individual presents a credential signed by a trusted issuer, the business verifies the signature and retains only the result of the check. In place of a copy of the PII, the business deals with identifiers the individual controls, without ever seeing or storing the underlying data.
Is there an open, standards-based decentralized identity framework available?
Open standards exist and continue to mature. The W3C's Verifiable Credentials Data Model has been a W3C Recommendation since November 2019, its Decentralized Identifiers (DIDs) specification reached Recommendation in July 2022, and the Decentralized Identity Foundation (DIF) develops the surrounding protocols for exchanging and presenting credentials. What remains in progress is interoperability across DID methods, wallets and exchange protocols. As that settles, expect decentralized identity to become a hot topic in enterprise IT, since business leaders will be eager to reduce their liability risk.