
December 29, 2004

Less Databases...

Phil Windley picked up on a comment I made on a panel at Digital ID World in October on the current state of digital identity. I was describing the possibility that federated identity could have a significant impact on privacy by driving change in standard application architectures. The basic idea is that the most serious threat to the privacy (and security) of my digital identity is the fact that aspects of it are currently, and often permanently, stored in numerous application repositories all over the network.

Try to add up the number of databases on the network that contain a row with your Social Security number and you get a sense of how distributed and redundant the storage of your digital identity really is.

The integrity of these identity repositories is a function of the competence (and trustworthiness) of any number of DBAs, plus or minus the level of process and enforcement of access control within each organization that stores my credentials and attributes, plus or minus the quality of the software running the systems that house those applications and repositories. That matrix is the current state of identity on the network. It is short on accountability and chock full of risk, yet we trust it implicitly. The point to consider is that federated identity standards open the possibility that applications could access attributes of your identity in discrete, disposable events (e.g. SAML assertions) rather than reading attributes stored in a local database. An assertion is signed by the issuer, scoped to one relying application, valid for a short window, and carries only the attributes that application asked for; once the transaction is done there is no row left behind to protect.
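To make the contrast concrete, here is an added example that is not code from the original post. It models the two architectures side by side: a "local database" application that keeps its own permanent copy of a user's SSN and date of birth, and a "federated" application that consumes a signed, short-lived assertion and persists nothing but an opaque subject identifier. The assertion is SAML-style only in spirit; it is modelled as JSON with an HMAC-SHA256 signature standing in for an XML signature, and the shared key, issuer and audience URLs, subject identifier and personal data are all constructed for illustration.

```python
"""Added example: a local-database application versus a federated one.

The assertion format, the HMAC "signature" (a stand-in for XML-DSig), the
key, the URLs and every data value are constructed for illustration.
"""
import hashlib
import hmac
import json
import time

# Assumption: the IdP and the application share this key out of band.
IDP_KEY = b"constructed-shared-secret-do-not-use"
IDP_ISSUER = "https://idp.example/"      # constructed
APP_AUDIENCE = "https://app.example/"    # constructed


class InvalidAssertion(Exception):
    """Raised when an assertion fails any relying-party check."""


# ---- identity provider side --------------------------------------------
def issue_assertion(subject, attributes, audience, ttl_seconds=300, now=None):
    """Sign a short-lived assertion carrying only the attributes requested."""
    now = time.time() if now is None else now
    body = {
        "issuer": IDP_ISSUER,
        "subject": subject,                  # opaque, pairwise identifier
        "audience": audience,                # the one application that may use it
        "not_before": now,
        "not_on_or_after": now + ttl_seconds,
        "attributes": attributes,
    }
    payload = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


# ---- relying party side -------------------------------------------------
def verify_assertion(assertion, expected_audience, now=None):
    """Check signature, issuer, audience and validity window; return (subject, attrs)."""
    now = time.time() if now is None else now
    expected = hmac.new(IDP_KEY, assertion["payload"], hashlib.sha256).hexdigest()
    # Signature first (constant-time compare), before trusting any field.
    if not hmac.compare_digest(expected, assertion["signature"]):
        raise InvalidAssertion("signature does not verify")
    body = json.loads(assertion["payload"])
    if body["issuer"] != IDP_ISSUER:
        raise InvalidAssertion("unknown issuer")
    if body["audience"] != expected_audience:
        raise InvalidAssertion("assertion was issued for another application")
    if not body["not_before"] <= now < body["not_on_or_after"]:
        raise InvalidAssertion("assertion is outside its validity window")
    return body["subject"], body["attributes"]


def rejection_reason(assertion, expected_audience, now=None):
    """Return why an assertion is rejected, or None if it is accepted."""
    try:
        verify_assertion(assertion, expected_audience, now)
    except InvalidAssertion as exc:
        return str(exc)
    return None


class LocalDatabaseApp:
    """Today's pattern: one more repository holding a row with the SSN."""

    def __init__(self):
        self.users = {}

    def onboard(self, username, ssn, date_of_birth):
        self.users[username] = {"ssn": ssn, "dob": date_of_birth}

    def is_adult(self, username):
        # Needs the stored date of birth every time; ISO dates compare lexically.
        return self.users[username]["dob"] <= "1986-12-29"  # 18 years before the post

    def stored_ssns(self):
        return sorted(u["ssn"] for u in self.users.values())


class FederatedApp:
    """Federated pattern: attributes arrive in a disposable assertion."""

    def __init__(self):
        self.sessions = {}   # only the opaque subject id outlives the event

    def is_adult(self, assertion, now=None):
        subject, attrs = verify_assertion(assertion, APP_AUDIENCE, now)
        # The application asked the IdP for a yes/no claim, not the DOB or SSN.
        decision = bool(attrs["over_18"])
        self.sessions[subject] = {"over_18": decision}
        return decision      # attrs goes out of scope; nothing else is kept

    def stored_ssns(self):
        return sorted(s["ssn"] for s in self.sessions.values() if "ssn" in s)


if __name__ == "__main__":
    legacy = LocalDatabaseApp()
    legacy.onboard("chris", "123-45-6789", "1970-01-01")   # constructed data
    print("legacy app holds SSNs:", legacy.stored_ssns())
    federated = FederatedApp()
    token = issue_assertion("pairwise-7f3a", {"over_18": True}, APP_AUDIENCE, now=1000.0)
    print("federated decision:", federated.is_adult(token, now=1010.0))
    print("federated app holds SSNs:", federated.stored_ssns())
    print("replayed an hour later:", rejection_reason(token, APP_AUDIENCE, now=5000.0))
```

The three rejection paths (bad signature, wrong audience, expired window) are the checks that make the assertion disposable rather than merely transient: a captured assertion cannot be edited, presented to a different application, or replayed after its window, so the application has no reason to keep a copy. A real deployment would replace the shared HMAC key with the IdP's public signing key and add replay protection keyed on the assertion ID, neither of which this model includes.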

Yes, a federated identity model does require a significant evolution in application architecture, and yes, it does require trust between systems at scale, but the payoff in reducing the substantial risk posed by the sheer number of databases that store identity will move the industry in this direction.

Comments

Great observation, Chris.

Glad to see you blogging, too.

Hope you don't mind the pedantry in the title of my post referencing this. Just couldn't help it.

BTW, why no TrackBack?
