The recent batch identity theft at George Mason drew a predictable reaction. Jamie Lewis used the occasion to point out that aggregating data aggregates risk. This view leads many to see centralization of digital identity information as a move in the wrong direction. I have a different interpretation.
The break in at George Mason shows the value of higher degrees of centralization - if a centralized user store is more secure, more accountable, more regulated, more trustworthy, more interoperable - in short, held to higher standards - than the distributed user stores that represent the status quo - then why fear centralization? In the current identity regime, user data is stored in any number of databases managed and protected using methods very similar to those at George Mason - this is the real threat. Roll that data up into better designed aggregation points and you will have made identity more secure.
The argument that aggregated user data creates attractive targets for attacks is true. It is true in the same way that aggregating cash in a bank makes the bank an attractive target for attacks. The solution to the bank problem is not to withdraw all your cash and walk around with it in your wallet - the solution is to regulate, insure, standardize, and secure banks to high standards. The same holds true for digital identity information. It should be stored in aggregation points that we can trust.
More on how aggregation relates to personal digital identity schemes such as LID in an upcoming post...
Comments