Security is the central challenge of the digital age. Our digital lives have moved into the cloud. People now use multiple devices to connect to multiple applications through many different networks. Just about everything is connected to the internet, where threats remain constant and evolving. In this distributed, heterogeneous environment, however, there’s still only one “you.” That’s why identity is the best path to security.
The identity technologies my team at Microsoft builds serve as the frontline of our enterprise-class security solutions. Whether it’s a customer using biometrics to log in with Windows Hello, or enterprises relying on us to deliver risk-based conditional access through Azure Active Directory, identity is the front door to our customers’ content and experiences.
Identity can also be a key enabler to something that’s as important to our customers as security—privacy. With identity as the control plane, we’ve made security solutions more sophisticated, which is a good thing for both organizations and individuals. But when it comes to privacy, the needs of individuals and organizations are still out of balance. This week, I’m in Munich, Germany, at the European Identity and Cloud Conference to talk about how mechanisms like decentralized identity can help us address this imbalance.
Anyone who reads the news knows that many individuals feel organizations have way too much control over their personal information. Organizations are rightfully being asked to take more responsibility for protecting the information of their customers. Even the best security isn’t enough, however, if we don’t give people greater control and privacy as well.
That control begins with identity, because in your digital life, everything starts with you. Your identity is who you are. It’s everything you say, do, and experience in your everyday life. Identity can provide the same control plane for privacy that it has for security.
At Microsoft, we envision a world where technology facilitates respect for privacy. In this world, organizations no longer need to issue new identities. Instead, they embrace the digital identities that individuals bring with them. Each person’s digital identity belongs to them. They control it.
In this world, organizations are more intentional about the type of data they collect, how much they collect, where it comes from, and where it is stored. They accept information from individuals that an independent authority has verified, like citizenship verified by a government agency or education level verified by a university. Using verifiable credentials or claims that are digital, individuals can prove who they are, and they can exchange digital information, or what they are, with each organization. In other words, individuals and organizations can establish a mutual trust relationship.
Verifiable information is stored with the individual. The organization doesn’t have to collect or protect this sensitive information—less liability for them, and more control for the individual. When people control their own identity, they can set constraints and control their digital data, sharing only the information necessary to conduct business with organizations, and no more.
Organizations, for their part, can decide to store information with individuals rather than storing it themselves. This allows them to collaborate with anyone, confident that the information exchanged can be trusted, while reducing their liability and improving compliance. The individual, in essence, becomes a data controller. This changes the relationship—and the balance of power—with organizations.
We’re already seeing industry support for this paradigm shift, spearheaded by the work the Decentralized Identity Foundation (DIF) is doing. Microsoft, along with other companies, is contributing open source code to DIF so developers can take advantage of decentralized identities. Soon, DIF will have everything necessary for individuals and organizations to start using them. We’re working with the community to build support for decentralized identity into the Microsoft platform so we can enable innovation, and so we can bring individuals and organizations together for stronger security and privacy.
As part of our goal to empower everyone with a self-owned identity, we’re contributing technologies to a system that can support all kinds of entities, including millions of organizations, billions of people, and trillions of devices. One example of this is our collaboration with members of DIF, notably ConsenSys and Transmute, to develop a blockchain-agnostic protocol for creating scalable DID networks, called Sidetree.
As part of that collaboration, earlier this week we announced an early preview of a Sidetree-based DID network that runs atop the Bitcoin blockchain, called ION (Identity Overlay Network). ION is designed to deliver the scale required for a world of DIDs, while inheriting and preserving the attributes of decentralization present in the Bitcoin blockchain. As with previously announced efforts, we’re sharing our work as early as possible, rough edges and all, to start a conversation with the community and encourage further collaboration.
These examples are only the beginning of our efforts to champion digital privacy through identity. The privacy conversation requires constant engagement and collaboration. In addition to industry partners, we’re calling on organizations everywhere to join us in this effort:
- Instead of issuing new digital identities for external parties like partners and customers, accept existing ones that users bring.
- Limit the data you’re collecting to only what’s necessary and accept independently verified information from individuals.
- Based on your business model, decide where you will balance control over data between your organization and the individuals who do business with you.
Privacy is a human right. To protect that right, individuals must be empowered to control their own digital identities. Many members of the identity community, including Microsoft, are committed to making this real.