David Goodman, D.Phil, Principal Consulting Analyst
David has over 25 years experience in senior identity management positions in Europe and the US. He led two prominent pioneering EC-funded identity/security projects while working for IBM, firstly with Lotus in the Notes/Domino product management team and later with Tivoli’s security division. He has led several start-ups in the identity space and spent eight years in senior product management roles for telecom providers Apertio, Nokia Siemens Networks and Ericsson.
His work has included database and directory services technologies and architecture, meta-directory services, role management and role-based access controls, digital certificates and PKI. More recently he has been engaged in privacy and trust services, cloud services, big data analytics and the Internet of Things.
He has worked as a technology analyst and consulted with some of the largest companies in Europe and the US. He has particular insights in the European privacy/regulatory environment, European clients and vendors. For 13 years he was chairman of EEMA, the leading European identity and security membership association.
David, who is based in Scotland, graduated from the University of Manchester and completed a doctorate at Oxford University’s Oriental Institute.
- Identity and Access Management (IAM)
- Governance, Risk and Compliance (GRC)
- Information security
- European privacy and risk regulations
- EU Identity and Privacy Regulation Workshop
Recently Published Research
The Future of Identity Management
Despite the decades of investment and hard work, many organizations face greater identity management challenges today than they did 15 years ago. Today, many organizations struggle with a hodge-podge of silo’d, poorly or non-interoperable IAM functions that are impossible to govern properly and are hindering proper risk management.
This highly actionable report supports our clients as they develop five-year technology infrastructure plans. In this report we make specific projections as to where we believe Identity Management will be going over the next five years and we describe a model for identity abstraction that provides an extensible services oriented architecture.
To provide our clients with the most comprehensive view of Identity Management, we augment our own expertise with the insights of what we consider to be the top thought leaders and industry experts to deliver the most comprehensive perspective on the Future of Identity Management.
Opportunities in Europe with Electronic Identification and Trust Services
The EU is introducing a slew of new legislation that will provide opportunities as well as pitfalls for businesses based in the EU as well as the US. Core to these regulatory changes are those associated with identity and trust services that are vital for ensuring not only cross-border e-Government services (which is the focus of eIDAS), but also contain many features beneficial in the B2B and B2C domains.
“Imagine yourself in 2018, where the use of electronic identification, electronic signatures and the other trust services is a daily reality and where citizens, companies and public administrations safely access services and can do every kind of transaction online and across borders in just “one click”. Wow, do you think this is science fiction? It most definitely is not.”
Today there is no legal certainty in the EU about the recognition of trust services, so the major impact of the eIDAS regulation will be to enable businesses:
- to securely complete cross-border electronic transactions such as signing contracts, tenders, or submitting annual reports online with ease;
- to fulfil legal or procedural obligations, like sign, time stamp, and seal bids electronically instead of printing and sending multiple paper copies by courier.
Updates to the rules relating to data protection and privacy in Europe are also long overdue and will replace the current chaos, in which each EU Member State has its own separate directives, with one which will mandate one law across all of the EU with stiff penalties for infringement.
The new legislative landscape has the potential to bring about dramatic changes for any business operating in Europe, including US multinationals, within the next two to three years. A set of identity and trust services standards vouchsafed across the 28 Member States of the EU primarily benefits government contractors as well as potential trendsetters within key industry verticals.
New European Privacy and Data Protection Regulations
Updates to the rules relating to data protection and privacy in Europe are long overdue, and are even more so in the rest of the world. New European legislation will replace the current chaos in which each EU Member State has its own separate directive with a brave new world in which there will be one law across all of the EU, implementing stiff penalties for violations. The new legislative landscape will require any business operating in Europe including US multinationals to make considerable changes to their data protection policies and strategies within the next two years in advance of the legislation coming into full force in 2018.
To complicate matters, in October 2015 the European Court of Justice ruled in a landmark case against Facebook that the 15-year-old Safe Harbour agreement between the EU and the US is no longer valid because it does not offer sufficient protection to the fundamental rights of Europeans. Consequently, every national data protection authority is currently empowered to examine any US-bound data transfers on a case-by-case basis.
In the absence of clarity about the proposed EU-US Privacy Shield, the current limbo — whereby the old rules have been torn up and data monitoring and enforcement is in the hands of individual national data protection authorities — is a potential minefield for US multinationals as well as US-based cloud service providers who are seen to not be supporting European privacy laws.
This document examines the current set of rules, the proposed new legislation and what this will entail for European and US businesses responsible for any data relating to EU citizens. In it we present a five step process to best position organizations to address both rapidly evolving European data protection and privacy directives and the ever growing challenges of protecting enterprise data assets. These steps include:
- Getting started and understanding what is new including the need for data protection or privacy impact assessments (DPIA/PIA) and a data protection officer (DPO)
- What data subjects will expect of data controllers including assessing and defining valid consent, limited right to erasure and data portability
- Being prepared for when something goes wrong and how best to position for a data breach
- What to do next including conducting a formal PIA in the brave new world of the General Data Protection Directive (GDPR)
- Informing stakeholders and raising awareness including employees, business partners, suppliers, technology partners, cloud service providers and supervisory authorities
Context-based Identity Management
- The reality of context-based Identity Management for the enterprise
- The context-based Identity Management ecosystem: today and tomorrow
- Five steps the enterprise must take to position for context-based Identity Management
Banking, Identity and the Regulators
With the emergence of data protection and related regulations that will go a long way to safeguarding the privacy and rights of individuals on the Internet, opportunities will arise for trustworthy organizations to act as identity service providers or identity brokers. And, despite the bad press bankers have received over the last ten years, most people still instinctively – and demonstrably – , albeit often through gritted teeth, trust banks to hold their most valuable financial assets. So why not their personal data as well, particularly as the banks already have, and are required to have, the most up to date sensitive information about their customers?
The answer is that some forward-looking banks have already recognized the possibilities in leveraging the cocktail of regulation, customer trust and competitive advantage, and have taken steps towards to advance early experiments. However, for the majority of banks, the idea are still dormant and have not convinced senior management to explore further.
This document looks at the confluence of the new slew of regulations as they impact the banking community from a holistic perspective and demonstrates how this can be transformed into a new set of business opportunities as well as what should be the next steps for TechVision Research clients.
This report covers:
- The emerging regulatory landscape as it impacts the banks
- The opportunities for banks to become identity service providers
- Six steps a bank should take to best leverage this potential
The Rise of Machine Learning in the Enterprise: Managing the Opportunities, Handling the Threats
In this report, we investigate this emerging trend, and what should be the next steps for TechVision Research clients.
This report covers:
- The value proposition and business rationale for the enterprise associated with machine learning
- Applications and uses, present and future, of machine learning
- Six steps an enterprise should start to take to best leverage machine learning