As companies, businesses, governments and consumers grapple with the challenges of security and identity management, the world is swiftly moving towards global standards for data protection and regulation, epitomised by the EU’s General Data Protection Regulation (or GDPR for short), which comes into effect today, affecting its 28 member states and companies the world over that do business with European companies.
Regardless of where they are based, GDPR applies to any business that serves or monitors EU-based customers. Experts believe it will become the de facto global privacy standard and serve as a rule for other countries in developing their own data protection rules and regulations.
Similarly, the world is fast moving towards the development of universal identity management standards, says Okta CEO, Todd McKinnon.
McKinnon today announced an ambitious plan to be the company that leads the charge, developing de facto protocols with industry that eventually become the global standard.
“There are currently no technical specifications for universal identification,” he told the international press corps at a roundtable discussion at the company’s annual Oktane conference in Las Vegas, Nevada.
“We’re not going to have technical or precise specifications on what that should look like, unless you first have a de facto standard, meaning something that is so prevalent and pervasive it shows and leads the way, and then develop some formal standard procedures around that.”
The CEO described the company’s plan to develop a universal standard for identity and data management as a multi-phase process, which he likened to Tesla’s approach to popularising the electric car: enticing early adopters with high-end models like the Roadster (priced at around $300,000), which provided the R&D funding to develop the ‘mid-range’ Model S (priced around $150,000), which in turn funded the development of the Model X.
“Now they’re using that R&D, market share, brand awareness, and some government loans to get the Model 3 to market,” McKinnon said. “The mass appeal of the electric vehicle is a result of a 15-16 year multi-phase development process. Though you can still see the challenges of the Model 3. I imagine it will also have a multi-phase process of its own, take some time to get the specifications out, to become a success in and of itself, inspire other people and eventually become the de facto standard for electric cars.”
McKinnon likewise sees his company’s move towards global authentication standards as a multi-phase project.
Phase one involved accumulating a diverse and growing range of industry players, expanding Okta’s range of identification features and building capabilities for use cases that made their enterprise customers successful.
Phase two is what McKinnon calls ‘connecting the network’, doubling down on B2B integrations.
“Because so many other companies are using Okta, it’s easier to connect those instances of Okta more easily, creating a single point of sign-in across a range of different companies that are all using our technology,” he says.
Phase three will emphasise creating more standards for authentication.
“Now the de facto standard is set, then we can really begin working with other companies in a way to set formal standards,” he said. “I can imagine that the next generations of OpenID Connect will be really informed by the experiences we have over the next five years.”
If McKinnon’s vision is successful, it will have significant implications for consumer tech and services. Instead of forcing the proverbial horse to water (how many people do you know who use password managers?), Okta’s plan is to significantly improve user privacy even at a consumer level by forcing the companies whose tech and services consumers use to become compliant with strict identity verification, security and data management protocols.
Graham Pearson, Vice President of APAC at Okta, told Which-50 that he ‘welcomes’ the introduction of regulations like the GDPR and Australia’s recent Data Privacy legislation, which he described as the first steps towards creating global standards for security and privacy.
“Without a doubt,” he said.
“We are closer to it in Australia than ever before. There are some rules now in Australia coming out of the Data Privacy and Prevention Act that are fairly close to the GDPR regulations. But I think with this on the top of it, they’ve only got to change a few things and they’re right.”
“As a consumer, I want to know that my information is stored correctly and securely and can only be accessed by the right people.”
President of Okta’s Worldwide Field Operations, Charles Race, told Which-50 that a global standard has the potential to be mandated through something like the GDPR, though unlike his CEO, he expressed skepticism that Okta could become the standard.
“It’s not likely anywhere where people can make money,” he said. “It’s very hard for one company to do it justice and that’s not how life works.”
(It is possible that Race did not want to overstep his bounds or overshadow McKinnon’s explicit announcement, which was just a day away at the time of the interview.)
“The next phase is to make all customer facing applications adopt this standard for identity management. If your vendor doesn’t support that, there’s a problem,” he said. “We want to be the people and the company that helps.”
Race revealed that even relatively new web applications and portals developed over the last few years have left identity management out of their protocols entirely and, in some cases, do not employ any standards at all.
“We’ve seen instances where personal or identifying information has been put in free and open databases containing usernames and passwords in free format text,” he says.
“That’s just nuts. So we got to get rid of that and if legislation can help I’m all for it.”