On 8 December, teissTalk host Geoff White was joined by Kevin Fielder, Chief Information Security Officer, FNZ Group; Rolf Von Rossing, Partner / CEO, FORFA Consulting AG; Laurie Gibbett, Cyber Risk Quantification Manager, KPMG UK South Coast; and Mark Thomas, Founder & President of Escoute Consulting, ISACA.
Views on news
The EU is moving closer to rolling out a continent-wide digital identity system, but the ambitious project still faces technical and legislative hurdles.
The digital wallet would serve as proof of identity to, for instance, open a bank account, enrol in a university, rent a car or file tax documents. Although a digital wallet would certainly simplify identification online, there is a lot of unease around governments controlling their citizens' identities.
What may make or break the project is how much control it will give to data owners and whether it enables them to share a relevant selection of personal data with authorities and vendors without giving away every aspect of their digital identity.
A digital wallet containing the digital versions of major documents such as a driving licence, passport and medical records may, however, become the number one target of bad actors. The danger is that EU member states have data protection regimes of varying strength, and in a federated system the digital wallet can be only as secure as the weakest national ID system in the EU. Digital identity also ties in with concerns about online child protection.
Could, for example, digital wallets be misused to falsify children’s identities?
Harmonising disconnected trust frameworks
There are lots of trust frameworks around, from ISAC to McKinsey to that of the World Economic Forum, which came out a month ago. Consumers certainly want more transparency regarding what happens with their data. Digital trust is and should be a golden thread that runs across all stakeholders and touchpoints of a business. It’s about how an organisation weaves security and data protection into its operation.
When we exchange messages and data online, we trust providers with our personal data. Some may stick with a provider even after it has been breached because they trust it nonetheless. These trust relationships, however, are not just about two people trusting each other but also about the so-called proxy technology that enables communication.
Different data security frameworks share some common themes (references to privacy, transparency, etc.) but they have different approaches, and an organisation must choose the one that fits it best. As for the supply chain aspect of data security, at the moment it’s a broken system that scores companies based on how they look externally, even though they can have some rather unsafe processes internally.
The test of supply chain transparency is how far back in the lineage a company can control its suppliers. Frameworks for employees, suppliers and customers, which are sometimes radically different, need to be harmonised so that organisations have a dynamically changing digital ecosystem rather than a collection of different frameworks with discrepancies and blind spots.
The panel’s advice
Trust frameworks need to be fully transparent and easily understood to be trusted by users and to prove that those who created them are competent and that personal data is safe in their hands.
Any digital identity project needs to provide guarantees that it can’t ever be used as a surveillance tool.
Supply chain security must become much more genuine and data-driven.