podcast recording in the SURFstudio with Arnout Terpstra and Sanne Koenen
Podcast

What you need to know about... taking control of your identity

DigiD is a form of Identity and Access Management, or IAM. Education and research in the Netherlands have to deal with IAM as well. What happens if we can no longer access the identity data of students, staff or researchers? Arnout Terpstra, team lead Identity and Access Management at SURF, answers these questions in the context of geopolitical developments.

What is this episode about?

In this episode you will hear, among other things:

  • Why digital identity is not built into the internet by default.
  • What recent developments around DigiD show about dependency.
  • Why identity and access are an institution's crown jewels.
  • How SURF organises autonomy with SURFconext and other IAM services.
  • Why risks are weighed differently because of geopolitical developments.
  • What institutions can do concretely, without immediately starting a major migration.

What is Identity & Access Management?

Identity & Access Management (IAM) revolves around one key question: how do you know for sure who is on the other side of the digital line, and what they are allowed to do? For educational and research institutions, that means, for example:

  • Giving only students access to their own grades.
  • Giving only employees access to their own HR data.
  • Giving researchers access to specific datasets.
  • Secure access to financial systems and educational environments.

IAM is thus not a supporting IT service, but a fundamental infrastructure layer under almost all digital processes.

Why is this so topical now?

Recently, there was discussion around the possible acquisition of a party (Solvinity) within the DigiD infrastructure. This made visible what can happen when crucial parts of digital infrastructure depend on foreign technology companies.

According to Arnout Terpstra, the risk is not only technical, but also geopolitical. Risks that were previously considered theoretical are now weighed more concretely. And with identity, if you no longer have access to your identities, your education and research come to a standstill. Risk is always a combination of chance × impact, and with IAM the impact is at its maximum.

How does SURF organise this for education and research?

For years, SURF has been building its own federated identity infrastructure together with the sector. Well-known services include:

  • SURFconext
  • eduID
  • SURFsecureID
  • Access Management services

Characteristic features are:

  • Open standards are used.
  • The infrastructure runs in-house.
  • Institutions retain freedom of choice in their own IAM software.

This creates a shared infrastructure, while institutions retain control over their own set-up.

Does this make us completely independent?

No, and that is also an important nuance, according to Arnout Terpstra. There is no such thing as complete independence. Digital infrastructure is always part of a chain of dependencies. The goal is therefore not total independence, but:

  • Being less vulnerable to one dominant supplier.
  • Developing alternatives.
  • Creating a stronger negotiating position.
  • Maintaining control over crucial components.

Especially with identity, this is essential.

What does this mean for institutions?

IAM sits deep in an organisation's infrastructure. It touches virtually every digital transaction. Change is therefore complex, and things cannot be paused for a while. You build autonomy step by step.

The advice in the episode:

  • Start small: look at software that will soon be re-tendered.
  • Start with new use cases.
  • Experiment at the edges of the landscape.
  • Learn from other institutions.

What can you do right now?

Institutions that want to get started can, among other things: