David Goodman, D.Phil, Principal Consulting Analyst
David has over 25 years' experience in senior identity management positions in Europe and the US. He led two prominent pioneering EC-funded identity/security projects while working for IBM, firstly with Lotus in the Notes/Domino product management team and later with Tivoli’s security division. He has led several start-ups in the identity space and spent eight years in senior product management roles for telecom providers Apertio, Nokia Siemens Networks and Ericsson.
His work has included database and directory services technologies and architecture, meta-directory services, role management and role-based access controls, digital certificates and PKI. More recently he has been engaged in privacy and trust services, cloud services, big data analytics and the Internet of Things.
He has worked as a technology analyst and consulted with some of the largest companies in Europe and the US. He has particular insights into the European privacy/regulatory environment, European clients and vendors. For 13 years he was chairman of EEMA, the leading European identity and security membership association.
David, who is based in Scotland, graduated from the University of Manchester and completed a doctorate at Oxford University’s Oriental Institute.
- Identity and Access Management (IAM)
- Governance, Risk and Compliance (GRC)
- Information security
- European privacy and risk regulations
- EU Identity and Privacy Regulation Workshop
Recently Published Research
The Future of Identity Management
Despite decades of investment and hard work, many organizations face greater identity management challenges today than they did 15 years ago. Today, many organizations struggle with a hodge-podge of siloed, poorly interoperable or non-interoperable IAM functions that are impossible to govern properly and are hindering proper risk management.
This highly actionable report supports our clients as they develop five-year technology infrastructure plans. In this report we make specific projections as to where we believe Identity Management will be going over the next five years and we describe a model for identity abstraction that provides an extensible service-oriented architecture.
To provide our clients with the most comprehensive perspective on the Future of Identity Management, we augment our own expertise with the insights of those we consider to be the top thought leaders and industry experts.
Opportunities in Europe with Electronic Identification and Trust Services
The EU is introducing a slew of new legislation that will provide opportunities as well as pitfalls for businesses based in the EU as well as the US. Core to these regulatory changes are those associated with identity and trust services, which are vital for ensuring cross-border e-Government services (the focus of eIDAS) and also contain many features beneficial in the B2B and B2C domains.
“Imagine yourself in 2018, where the use of electronic identification, electronic signatures and the other trust services is a daily reality and where citizens, companies and public administrations safely access services and can do every kind of transaction online and across borders in just “one click”. Wow, do you think this is science fiction? It most definitely is not.”
Today there is no legal certainty in the EU about the recognition of trust services, so the major impact of the eIDAS regulation will be to enable businesses:
- to securely complete cross-border electronic transactions such as signing contracts, tenders, or submitting annual reports online with ease;
- to fulfil legal or procedural obligations, such as signing, time-stamping and sealing bids electronically instead of printing and sending multiple paper copies by courier.
Updates to the rules relating to data protection and privacy in Europe are also long overdue and will replace the current chaos, in which each EU Member State has its own separate directives, with one law across all of the EU with stiff penalties for infringement.
The new legislative landscape has the potential to bring about dramatic changes for any business operating in Europe, including US multinationals, within the next two to three years. A set of identity and trust services standards vouchsafed across the 28 Member States of the EU primarily benefits government contractors as well as potential trendsetters within key industry verticals.
New European Privacy and Data Protection Regulations
Updates to the rules relating to data protection and privacy in Europe are long overdue, and are even more so in the rest of the world. New European legislation will replace the current chaos, in which each EU Member State has its own separate directive, with a brave new world in which there will be one law across all of the EU, implementing stiff penalties for violations. The new legislative landscape will require any business operating in Europe, including US multinationals, to make considerable changes to its data protection policies and strategies within the next two years, in advance of the legislation coming into full force in 2018.
To complicate matters, in October 2015 the European Court of Justice ruled in a landmark case against Facebook that the 15-year-old Safe Harbour agreement between the EU and the US is no longer valid because it does not offer sufficient protection to the fundamental rights of Europeans. Consequently, every national data protection authority is currently empowered to examine any US-bound data transfers on a case-by-case basis.
In the absence of clarity about the proposed EU-US Privacy Shield, the current limbo — whereby the old rules have been torn up and data monitoring and enforcement is in the hands of individual national data protection authorities — is a potential minefield for US multinationals as well as US-based cloud service providers who are seen to not be supporting European privacy laws.
This document examines the current set of rules, the proposed new legislation and what this will entail for European and US businesses responsible for any data relating to EU citizens. In it we present a five-step process to best position organizations to address both rapidly evolving European data protection and privacy directives and the ever-growing challenges of protecting enterprise data assets. These steps include:
- Getting started and understanding what is new including the need for data protection or privacy impact assessments (DPIA/PIA) and a data protection officer (DPO)
- What data subjects will expect of data controllers including assessing and defining valid consent, limited right to erasure and data portability
- Being prepared for when something goes wrong and how best to position for a data breach
- What to do next including conducting a formal PIA in the brave new world of the General Data Protection Directive (GDPR)
- Informing stakeholders and raising awareness including employees, business partners, suppliers, technology partners, cloud service providers and supervisory authorities
Context-based Identity Management
As Identity Management matures, context becomes the means by which Identity becomes more useful in assessing risk, management, threat detection and business system integration. Almost every SaaS and premise-based identity vendor and most security vendors TechVision Research has interviewed are investing heavily in context-based (also known as relationship-based) Identity Management. Simply put, an identity with context (even minimal context) is far more valuable and useful to an organization than raw identity information. In this report, we will dig deep to clearly define what context-based Identity Management is, who the major players are, the impact on infrastructure technologies, the future direction and prescriptive recommendations and next steps for TechVision Research clients. This report covers:
- The reality of context-based Identity Management for the enterprise
- The context-based Identity Management ecosystem: today and tomorrow
- Five steps the enterprise must take to position for context-based Identity Management
Banking, Identity and the Regulators
Over the last few years policy makers, service providers and software vendors have come to realise that data is a business asset that would not be out of place on a company balance sheet. It is also apparent to individuals that the data held about them by governments and businesses both has value and is increasingly at risk of being mishandled, deliberately or otherwise. Ironically, as the volume of online social and commercial transactions increases exponentially day by day, the level of trust in sharing personal data online is falling equally fast due to concerns about privacy intrusions and potential consequences of identity theft.
With the emergence of data protection and related regulations that will go a long way to safeguarding the privacy and rights of individuals on the Internet, opportunities will arise for trustworthy organizations to act as identity service providers or identity brokers. And, despite the bad press bankers have received over the last ten years, most people still instinctively – and demonstrably – trust banks, albeit often through gritted teeth, to hold their most valuable financial assets. So why not their personal data as well, particularly as the banks already have, and are required to have, the most up-to-date sensitive information about their customers?
The answer is that some forward-looking banks have already recognized the possibilities in leveraging the cocktail of regulation, customer trust and competitive advantage, and have taken steps to advance early experiments. However, for the majority of banks, the ideas are still dormant and have not convinced senior management to explore further.
This document looks at the confluence of the new slew of regulations as they impact the banking community from a holistic perspective and demonstrates how this can be transformed into a new set of business opportunities as well as what should be the next steps for TechVision Research clients.
This report covers:
- The emerging regulatory landscape as it impacts the banks
- The opportunities for banks to become identity service providers
- Six steps a bank should take to best leverage this potential
The Rise of Machine Learning in the Enterprise: Managing the Opportunities, Handling the Threats
Artificial Intelligence has gained massive traction over the last two to three years in the business world as well as through popular media. The expression covers a wide range of application areas and impacts at a multitude of levels. Today, with a few exceptions, the application of artificial intelligence for the enterprise translates to machine learning. Although it covers a broad range of technical approaches itself, machine learning in general provides a great business opportunity to streamline and automate complex processes, improving efficiency and operational costs. Not surprisingly, not everyone is as thrilled about the potential impact that ‘intelligent machines’ will have, with concerned managers and employees worried that they might eventually lose their jobs. Nevertheless, the appropriate application of machine learning is increasingly becoming a necessity for the management and analysis of big data and as a vital extension to cyber security measures such as fraud prevention. Knowing how, when and where to adopt a machine learning strategy over the coming two to three years will be key to the successful running of any organization, large or small.
In this report, we investigate this emerging trend, and what should be the next steps for TechVision Research clients.
This report covers:
- The value proposition and business rationale for the enterprise associated with machine learning
- Applications and uses, present and future, of machine learning
- Six steps an enterprise should start to take to best leverage machine learning