Summary
In this episode of “Status Go,” host Jeff Ton and guest Jason Gzym dive into the fascinating world of decentralized identity. They explore how the power dynamic is shifting from organizations to individuals, allowing people to take ownership and control of their personal data. From the growing desire among millennials to own their digital identities to the potential applications in business-to-business relationships, this episode uncovers the benefits and challenges of this revolutionary concept. Join Jeff and Jason as they explore the future of digital passports and the significance of decentralized identity in our hyperconnected world.
Podcast: Play in new window | Download
Subscribe: Apple Podcasts | Spotify | Email | RSS
About Jason Gzym
Jason Gzym is the former Director of Product Management at Saviynt. In this role, he supported the product vision and roadmap for Saviynt’s identity solutions, worked closely with customers, partnered with internal teams to deliver innovative products that meet the evolving needs of the market. Jason has over 20 years of experience in the identity and access management (IAM) field.
Episode Highlights
[00:00:00]: The Long Tail
[00:00:45]: Identify Management to Decentralized Identity
[00:02:48]: Jason Gzym’s Career in Identity
[00:05:15]: Challenges with Identity Management
[00:07:32]: What is Decentralized Identity?
[00:10:56]: How Does It Work?
[00:13:14]: If I Own It, I Can Turn It Off
[00:14:13]: Getting From Here to There
[00:16:21]: Who’s Leading the Charge?
[00:19:16]: Is Global Entry an Example?
[00:20:42]: Fixing Bad Information
[00:22:08]: Why Should IT Care?
[00:24:26]: Data Sovereignty and Identity
[00:26:05]: Why Should My Suppliers Care?
[00:27:06]: Why Should I Care?
[00:29:05]: Orange and Marketing
[00:31:02]: Actions for Tomorrow
[00:33:46]: Thank You and Close
Transcript
Jason Gzym [00:00:00]:
You can’t go from where we’re at today with organizations having our data overnight to coming back into your control, your power. So, it’s going to take multiple decades for that to shift if there is a critical mass of us humans that want to own, control, and consent to how their data is shared with whatever you.
Voice Over – Ben Miller [00:00:28]:
Technology is transforming. How we think, how we lead, and how we win from InterVision. This is Status Go. The show helping IT leaders move beyond the status quo, master their craft, and propel their IT vision.
Jeff Ton [00:00:45]:
Welcome IT pros to another episode of Status Go! Today, we’re delving into a concept that’s been making waves in the digital world: decentralized identity. Now, if you’re like me, you may not be familiar with these concepts. This was something new to me when I met and talked with our guest, so I’m looking forward to this conversation.
Basically, it’s a cutting-edge approach to identity access and privacy, and it’s poised to redefine how we control and protect our digital identities in this hyperconnected world.
Now, you might be wondering, what’s wrong with the way things work today, and how does It work with other identity solutions? And how will this technology change the way identity functions in the digital economy? Well, the truth is, traditional centralized identity has its limitations. Enter decentralized identity, a game changer in the realm of digital identity. Think of it as a digital passport that you hold in control, eliminating the need to entrust your sensitive information to third parties.
In this episode, we’re joined by Jason Gzym. Jason is the director of Product Management at Saviynt. He supports the product vision and roadmap for their identity solutions, working closely with customers, partners, and internal teams to deliver innovative products that meet the evolving needs of the market. Jason’s going to guide us through the fundamental concepts of decentralized identity and verifiable credentials and help us understand how this decentralized paradigm can empower individuals and organizations to take back control of their digital identities.
With that.
Welcome to Status Go, Jason.
Jason Gzym [00:02:45]:
Thank you, Jeff. Appreciate it.
Jeff Ton [00:02:48]:
I am so looking forward to this conversation. First of all, because I spent several years of my career in a similar role. I was director of Product Management for InterVision Systems, which hosts this podcast. So, I feel like we’re a little bit of kindred spirits, but I was wondering if you would start out by just sharing your career journey a little bit about your background with our listeners.
Jason Gzym [00:03:12]:
Yeah, happy to share that, Jeff. Thanks.
Early in my career, started out with file systems and networking in general with a company some might know called Novell, and early I would say late 90s, they came out with our early identity product called Directory XML. But that led me on my identity journey throughout the years, led me to manage services, move to New York City, where I helped a variety of verticals across finance, manufacturing, and healthcare.
But in the past decade or two prior to joining, Saviynt had been concentrating on the healthcare realm. And as I moved, having children and growing up throughout the country, I realized the medical records that I had everywhere around the world were scattered at different healthcare providers. And I always wondered, oh, I have to go get that physical PHI, I have to own it.
Jason Gzym [00:04:20]:
But it’s really hard to do that. So it made me think, how can a human own all of their personal health records and consent to give that access to the healthcare organizations instead of it being scattered throughout the different healthcare? So that’s what led my passion to decentralized identity. Some blockchain technologies but it’s expanded beyond just healthcare because there are applications throughout many different verticals.
Jeff Ton [00:04:53]:
So you’ve really been deep into identity management identity issues most of your career, it sounds like.
Jason Gzym [00:05:04]:
Yeah, it’s going on 25 plus years now. And with everything, technology evolves, we as humans evolve. And identity, digital identity has evolved as well.
Jeff Ton [00:05:15]:
Yeah, it really has. There was a time when, hey, your Social Security number was enough. Right? And that was kind of the way that you identified yourself. And then people started using that nefariously. So, we have to evolve with the changes in that.
I kind of teased this out in the introduction a little bit, but we’ve had identity management systems now for several years. What are some of the challenges that you see with those traditional approaches to identity?
Jason Gzym [00:05:51]:
Yeah, so we really concentrate on why identity was born to secure and govern. Typically, it was for organizations to have their employees govern and secure their access to the applications that that organization uses. And we all know the story of Enron and having toxic combinations leading to internal fraud and the regulations that’s led to, but if you think about what we see today with the consumer identity, it’s the organizations that still own that data.
That identity data is the new oil because it’s been mined to advertise or targeted towards you. And there are some security concerns with those organizations owning that data. So, there’s this millennial shift of, hey, I want to own my personally identifiable information and decide who I share it with. There’s two problems with that that is going to take that time to overcome. That is a critical mass of individuals wanting to own their own identity instead of, it’s so easy for others to mine that information for you and then provide services for free.
Jeff Ton [00:07:12]:
Right.
Jason Gzym [00:07:12]:
You mentioned Gmail. A lot of people use Gmail because it’s free, but they’re learning about you through that system.
Jeff Ton [00:07:22]:
Yes, that’s right. The adage is if it’s free, you’re not the customer; you’re the product.
Jason Gzym [00:07:30]:
Absolutely.
Jeff Ton [00:07:32]:
Well, the other thing that strikes me in this is as a consumer today, I don’t own my digital identity. And we’re going to talk more about what that means. And I’ve kind of given it to other people to manage and I don’t even know who in many cases they’ve given it to. My wife and I both got letters from a large insurance company that will remain nameless about a breach that they’ve had. But it was really a third party of a third party that got breached, and they had my data, and it’s like, well, how did they even get that? So, it has become convoluted. So, what is this concept of decentralized identity? What is that, Jason?
Jason Gzym [00:08:24]:
Yeah, so think about the relationship through the years has been that organization relationship to an identity. If you flip that script and the relationship becomes the user is in charge of the central hub with a device, with a car, with a retailer, with an employer, with a contractor. So that’s one way to look at decentralized identity. It’s not the organization that’s the hub of all of the access; it’s the user first. And what relationships do they have with a variety of things within this world on that digital plane. Right?
And in the consumer market also, you think about when you join an organization, there’s background checks and what is that doing? It’s verifying the person is who they are and they haven’t done bad deeds that would make higher insurance rates for that employer and higher risk categories.
And so, when the market had went through a tech layoff the past year, I saw something and it was somebody that was applying for all of these different jobs and they had to reenter this data multiple times every time they submitted a job application. And the amount of lack of efficiency and the time that takes that individual to manually do the data entry.
Think if you had a Verifiable Credential, and we can get into what levels of assurance, who’s verifying it? Is our government, is it a third-party security vendor, or is it both? And that goes back to the level of assurance. But if you have that wallet, if you will, that bundle that is accepted anywhere you go, then you don’t have to worry about the inefficiency of time to enter manually your data in that specific scenario. So that’s the business side.
You look at the consumer side. I have a whole litany of identity data about myself. What do I want to share and with whom? Maybe I have a trusted relationship with one of my favorite retailers and pairs of jeans. So I’m going to give them information about myself, and they’re going to give me discounts, and I can control what part of that Verifiable Credential I share with that particular retailer.
So, there’s a lot of different approaches and use cases, and I have a few more to share as well.
But I’ll pause there for now.
Jeff Ton [00:10:56]:
No, I like that. I especially like your use case about applying to jobs, right? Because it is so frustrating. You even upload your resume and then many times have to retype the data that’s on the resume that you just uploaded, and the concept of having a digital wallet maybe on my phone that’s got that information and okay, send employment information to XYZ Corporation because I’m applying for a job. That sounds pretty nice, actually, for anybody that’s been through that.
Let’s dig underneath the covers a little bit. How does decentralized identity work? What’s the technology behind it, the verifiable credentials that you’re talking about?
Jason Gzym [00:11:50]:
So, it is evolving rapidly. I’d say decentralized identity has been around in some form or another. I mean, I’ll just go back to the Novell days. There was a thing called digitalme back in the late nineties. I don’t think the world, the market was ready for it yet. But it’s evolved because I think some of the millennials, the younger, they want to control their data, right? Because of breaches that you see across the realm. And they’re worried that…I saw a stat, I forgot where, that every person has over 1000 identities, digital identities, throughout the ecosphere, the internet, and they don’t know where they are, like who they’re being shared with. So, the technology to enable this is rapidly evolving.
There are some Ideologists that say, oh, it should be blockchain. There are those who say, oh, it should be self sovereign identity with a wallet, and that’s what it is. But then there’s so many wallets. I mean, we all have them on our phones nowadays that are exploding as well. And so, it’s like, well, hold on, decentralized identity, you want that explosion because you don’t want it to be centralized in one wallet. But from a consumer level, if there’s three, four, 5100 different wallets where my identity lives, well, then we’re back to the same problem of it just identity proliferating throughout those wallets.
Jeff Ton [00:13:14]:
Yeah. So, if I’m sharing my digital information, I assume the other side of it, maybe this is not a great assumption. The other side of it is I can turn that off, right? If I no longer want to share that information.
Jason Gzym [00:13:34]:
One of the core tenets of decentralized identity is that the user themselves is in control of what they consent about themselves and who it’s being shared with, not with the control being in the organization’s power by having to write to them in a cryptic snail mail letter that they must write to forget. And that exists in the EU with GDPR.
Jeff Ton [00:13:58]:
GDPR, yeah.
Jason Gzym [00:13:59]:
But that’s not a global regulation. Not all companies have to abide by regulations that don’t apply to them. So, if you don’t know where your identity lives, then how do you know who to contact to have them forget you?
Jeff Ton [00:14:13]:
Yeah, I know we haven’t really touched on this, but how do we get from this scattered identity all over the place where we are today? How do we get to that? How do we get to decentralized identity where I’m controlling it?
Jason Gzym [00:14:33]:
So, one, it requires again, the human, the carbon-based life form, to accept that they are in control and they need to be in control of their data. It is so easy for us to allow others to control our data, and then you get services for that. But that’s where the misuse can come into play. So first, it’s the on us of we have to want to own and control. And the management of that data can be somewhat time consuming. If there’s multiple relationships, you’re determining, should they have it still, should they take it away? So that’s number one.
Number two, you can’t go from where we’re at today with organizations having our data overnight to them all coming back into your control, your power. So, it’s going to take multiple decades for that to shift.
If there is a critical mass of us humans that want to own, control, and consent to how their data is shared with whatever, I mean, it could be, how is our data shared with our self-driving cars in the future? Oh yeah, that self-driving car goes through a toll booth. How does the state with that toll booth know who the owner of that car is or who’s the driver? They may not own it, but who’s the driver driving that car?
So that linkage that relationship. In order to have self-driving cars, you must share something about yourself, being in that driver’s seat or in that passenger not passenger, but the driver’s seat. And that goes back to the monetization, the liability of these models going forward.
Jeff Ton [00:16:21]:
This is incredibly complex as I just sit here and imagine all of these different pieces and parts that are coming together. Are there organizations that are trying to do this today? Is someone using this concept today? You talked about you had some other use cases. Where do you see this going or being right now?
Jason Gzym [00:16:50]:
Yes, absolutely. And primarily, it’s in the consumer market. So, we see retailers looking at how they can monetize this model for loyalty programs that provide even deeper discounts than what they would be getting today. And that brand loyalty keeping them. The other use cases that I see outside of that consumer world is when you think about supply chain and vendor management. So, every organization does business with other businesses, B2B relationships. We don’t have a workforce that’s all employees. There’s contractors, there’s students.
You can call them a lot of different things, non employees. So when you are in that model, which exists today, how do you trust the employee of a vendor you’re doing business with that has access to your suite of applications? Well, today, it’s identity proofing solutions. There’s plenty of them out there. The cutting edge of identity proofing is hold your phone up and take a picture of your driver’s license. And that proves but there’s so many flaws with some of these methods.
If you had an assured verifiable credential that was guaranteed to be who you are, that your vendor that you do business with and their employees can share with your organization to give access to the applications. So example is like inventory management. In that healthcare realm where you have durable goods that’s provided by somebody that obviously you’re not the business providing durable goods.
You’re in the business of providing healthcare, good healthcare. That vendor might have access to your physical system, your inventory, but they don’t work for you. They’re not an employee. So, how do you verify Jeff? Is Jeff working for this business partner that can look in my inventory, my durable goods to make sure you order enough masks when that healthcare provider gets low on inventory?
In that world of B2B, I see it shifting from more of a consumer to that extended workforce within those external identity use cases.
Jeff Ton [00:19:16]:
Yeah. What came to mind as you were talking about that, Jason is the concept of a Global Entry number. Now, with TSA and all that, and I now have this global number that all the airlines recognize, hopefully a lot of the airports recognize, and I can just use that and they know who I am to some assurance. Is that at a really high-level kind of the thing we’re talking about?
Jason Gzym [00:19:50]:
Yes and no. Who owns that global Identifier…TSA? That’s an American construct. And you have Clear. And I don’t know honestly if Clear is global or not, but again, it lives with a government or it lives with a service provider. Clear in that Global Identifier, us humans don’t own it.
Jeff Ton [00:20:17]:
Got you.
Jason Gzym [00:20:19]:
You want to have a Global Identifier for all identities on this Earth, human and non-human. But because of regulations, competing countries, I would highly doubt North Korea would ever accept a United States verified.
Jeff Ton [00:20:42]:
Probably not. And I guess part of what plays into this is, again, using the Global Entry number as an example. If wrong information got associated with my Global Entry number, I don’t have the ability to fix it. I’ve got to go to the government, to a government agency, and say, hey, that Jeff Ton that just robbed a bank is not me. Right. And you’ve got this crime associated with the wrong thing.
Jason Gzym [00:21:15]:
Yeah, absolutely. And then this goes back to the concept of who has assured the verifiable credential. And there can be multiple layers of that. It could be the United States Government. It could be Germany. It could be a private organization. The evolution of that assurance model, which is still not 100% in place when you get to that point where you can say, I want to have multiple verifiers of who I am in that digital wallet. And the level of assurance, I mean, if you think about our classification, sensitive documents, there’s multiple classifications of sensitive documents.
So that’s the level of assurance on who should have access to those different classifications of documents.
Jeff Ton [00:22:08]:
I love that analogy of linking it to the classification of documents because that helps me visualize that, here’s my identity, and here’s some information that, hey, I’m going to share with Kohl’s Department Store, but they’re not getting this health information that I’m sharing with my healthcare provider.
A lot of our listeners, Jason, as you know, are information technology professionals, usually in leadership positions, but not always. What’s in it for them? Why should they be interested in this concept of decentralized identity?
Jason Gzym [00:22:51]:
Yeah. So, for any organization that is looking for a digital identity transformation for their consumers, the current trend has been for them to collect all of the data if they find out that their consumer base doesn’t want to share or allow them to collect data about them and maybe be collecting data about them even without them knowing. That’s how advertising works.
But if organizations want to build a loyalty program where they reverse the model and say, we can give you deeper discounts for the products that you like, and you are in control of when and where and how you share the data with us. And that keeps those organizations, those retailers, honest, because if they have bad service or they misuse that trust that that customer has given them, then the customer can turn it off. It’s a decision for retailers in the consumer market.
But absolutely. I see it shifting from that B2C space into that B2B space as organizations are looking to secure those third-party identities that are external to their HR systems to make sure that individuals they do business with are who they say they are so that they can determine the right level of access into the organization’s application.
Jeff Ton [00:24:26]:
Well, I was talking earlier this week with Brian Jackson of Infotech Research, and to our listeners, if you haven’t listened to that episode, we’re talking about the 2024 Trends Report. And first of all, let me say, I can’t believe we’re talking about 2024 already. It seems like yesterday we were doing predictions for 2023, but one of the things that Brian identifies in that report as a trend for information technology leaders CIOs CTOs to be cognizant of is this concept of data sovereignty.
And on some layers, is that part of what we’re talking about, Jason? Data sovereignty?
Jason Gzym [00:25:10]:
Yeah, you think about where the person lives, so the data must stay on the soil in which they live. So, if we’re talking about somebody’s identity, well, we don’t always live in the same place as humans, right?
Jeff Ton [00:25:25]:
Yeah.
Jason Gzym [00:25:26]:
We move within different states in the United States, but we also move across theworld. I had to make a trip to Singapore a month ago, and in order to enter, I had to fill out their identity wallet information about myself. So, if you have to fill that out for every country you visit, it goes back to the job application scenario, entering the same data, and I could mess it up. So how can you, a global citizen, be mobile throughout this world and not have to go through the inefficiency of proving over and over and over who they are.
Jeff Ton [00:26:05]:
Yeah, well, and you mentioned supply chain and people that are not in your HRIS system that are interacting with your business. Let’s look at what’s in it for me concept from the perspective of the supplier.
So, you mentioned, I think your example in healthcare were the masks and my inventory was getting low. As a mask provider, why should I care about decentralized identity? How does it help me?
Jason Gzym [00:26:41]:
Yeah. So, if you’re a provider in that scenario and you have the ability to assure the business you’re doing business with that your house is in order and secure and your own employees are vetted and have those background checks, and that level of assurance can be easily provided to the businesses you’re doing, then you’re attractive to every healthcare organization because you’re easier to do business with.
Jeff Ton [00:27:06]:
Yeah. And I think you start looking at some of the compliance frameworks and the way a lot of those work, right, is they push the risk down. And this is a way to say, hey, I’m risk worthy, I’ve done my due diligence, and so maybe you should do business with me. And maybe there’s financial incentive or maybe it’s just the incentive that, hey, I get approved to provide information.
You talked earlier about the need to really get this idea to catch hold. It’s going to take you and I and everybody to say, yes, I want to do this. It seems like we’re in this age, especially when you look at the data that social media collects on us and our kids; we were always afraid about using some of this technology. And our kids are like, who cares? Why should individuals care about this concept and why should they buy into the concept of decentralized identity?
Jason Gzym [00:28:17]:
So, looking at human behavior, I would say that the number one driver to get humans to change behavior is what’s in it for them? How is it financially incentivized for them? Are they getting goods at a cheaper price? Doing business with a company that your information doesn’t leak out, I don’t think is as big of an incentive as financial incentives.
Jeff Ton [00:28:49]:
Incentive individuals.
Jason Gzym [00:28:51]:
So, there has to be a financial incentive that’s greater than what exists today for us to make a choice. We’re going to control our identity, digital identity, and who has access to what.
Jeff Ton [00:29:05]:
Parts of it this reminds me of…there’s a telecom company, or used to be. I haven’t even looked them up recently in France…Orange, and they were experimenting with if I signed up for their program and gave them permission and you’re a friend of mine, Jason, and you sign up, or I get you to sign up, then whenever I call you, instead of a ringtone, you’re hearing an ad. Right? So, they’re selling advertising this way, and for that, we both get a reduced rate on our cell phone bill. Now I realize that’s kind of the marketing side, but you’ve talked about financial incentives. That’s kind of the thing you’re talking about, right, is that I sign up, and I say, here’s my digital identity; now I want a discount.
Jason Gzym [00:29:59]:
Yeah, in the consumer space, absolutely. In the B2B space it’s all about is that company less risky to do business with? So again, it goes back to it’s always the bottom line. If that third party somehow that employee leaves but still has access and I’m not aware of it, my applications and it leaks PHI, I now have a regulatory obligation to report that breach from that third party. There’s finger-pointing going on there, but your brand is tarnished in those cases. How much? That is yet to be seen. How big was the breach? Who did it affect? Are those consumers concerned about the breach? Are they aware of it? So, it all comes back to the bottom line, whether it’s consumer or that business to business use case. What’s it mean for the financial incentives and the risk appetite for the consumer or the third parties?
Jeff Ton [00:31:02]:
It really comes down to those two things a lot, doesn’t it? The financial incentive and the risk appetite, balancing between those two.
Well, as you know, here on Status Go, we are all about action. And hopefully, I warned you about this, Jason. If not, I’ll beg forgiveness. I would love for you to share with our listeners what are one or two things they should do tomorrow because they listen to our conversation.
Jason Gzym [00:31:32]:
One, you know, try to inventory where you think all of your identities are, and that is a very time-consuming effort in this age where we’re all very busy with our lives. What’s the risk of not doing that? There’s some help in there. You have passwords that get saved and that’ll tell you, hey, that’s not very secure, or we now know it’s part of a breach, so go change it. But yeah, the inventory of your identities.
if you really want to get into it, is one, if you’re an organization doing business with third parties and they have access to your applications, think about the relationship with those third parties, with those organizations. Make sure that there’s one person on each side of that B2B relationship and have that conversation about, hey, how do we make sure that your employees are still employed? They are who they say they are, and you have a risk policy and control policy that you can share with us. So, we know that we’re doing business with somebody who’s taking care of the digital identity risk that would be subject to us.
Jeff Ton [00:32:48]:
I love those two actions, and I think on the consumer side, a place for me to start, I was personalizing this, is I’ve got a password vault that I use that’s at least identified a couple of hundred people that have my identity in some way, shape, or form. Maybe I start there and find out what information they have about me and then the B2B. I think that’s a great step, especially as maybe you’re going through a compliance cycle or even a procurement cycle where you’re renewing contracts. That’s kind of the time to reach out and maybe solidify some of those things.
Jason Gzym [00:33:34]:
The relationship is best when you have procurement and your contracting involved. When those are being renewed, it’s an absolute gem of an idea there, Jeff.
Jeff Ton [00:33:46]:
Yeah, it’s incentive, right? You’ve got some leverage.
Jason, I want to thank you for taking the time to sit down and talk with us today. As I mentioned at the outset, this was a brand-new concept to me. It’s something that I’ve been thinking about personally and where my data is and all those things, but didn’t really know that there was a…I’ll call it a field of study where people like yourself are engaged in this, trying to figure out this very complex problem. Thank you for carving out time to talk with us.
Jason Gzym [00:34:20]:
Greatly appreciate the opportunity. Jeff, thank you very much.
Jeff Ton [00:34:24]:
Maybe we have you back on in a few months and see how things have progressed. That would be an interesting follow-up conversation.
Jason Gzym [00:34:32]:
It absolutely would be!
Jeff Ton [00:34:35]:
To our listeners, if you have a question or want to learn more, be sure to visit intervision.com. The show notes will provide links and contact information. We’ll have Jason’s contact information. We’ll have a link to Saviynt, if you want to check out some of what they’re doing in the identity space.
This is Jeff Ton for Jason Gzym. Thank you very much for listening.
Voice Over – Ben Miller [00:35:00]:
You’ve been listening to the Status Go podcast. You can subscribe on iTunes or get more information at intervision.com. If you’d like to contribute to the conversation, find InterVision on Facebook, LinkedIn, or Twitter. Thank you for listening. Until next time.