Wider’s High Assurance Digital Identity Maturity Model

Wider Team is presenting this rough sketch of a maturity model at Identiverse 2021 this week.

We posted last week on how maturity models work, and don’t work.

Best Advice: Agree On Why. That you’re optimizing for the right things. That you chose dimensions that matter to you. In this case, you’d commit to build your competence and capacity in High Assurance Digital Identity of Things in Healthcare. You’re having that conversation, right? 

So, when your leadership agrees with you that you want all the goodness of HADI for Healthcare IoT, how do you get your institution to a higher degree of HADI competence, capacity, and commitment? 

You climb for maturity. Step by step. More or less. 

Our maturity model sequences some of these competencies, so you build and prioritize. 

First…

“What’s Identity of Things?”

It starts with IdentityOps embracing high assurance for connected devices. You’re bringing together internal stakeholders from your network management, security, procurement, legal, and device care teams. You’re bringing in clinical outcome quality professionals concerned with data provenance, from clinicians who touch your devices and authenticate through them and authorize them to provide services. 

Snapshot Inventory

Then, not just knowing all the devices in your world but understanding what identity systems they have in place, what fills their identity stacks, and which identity systems have vulnerabilities or room to grow. 

IAM and Governance

While most of you have IAM and governance in hand (you do, right?), few security or identity professionals have the tools, policy, and practices for these things that outnumber the humans in your world.

Even more evident in healthcare. 

Strategic Alignment & Advancing Identity Science

When you’ve made your identity practices informed, trustworthy, repeatable, and compliant, you’re ready for leadership. 

For using device identity to create new opportunities in healthcare. 

From extending the reach of hospitals and providers into the home, to reducing patient stays in the hospital, to more tightly integrating emergency services into patient teams. 

Our Identiverse slide shows it like this:

So you bring your organization from awareness to self-knowledge, from operational control to a tool for leadership. 

So far this is introspective, looking at the Identity of Medical Things from an OpsTech or IT perspective. 

But we know this is a league sport. And even while we grow our Identity of Medical Things internal competencies and capacity, we must also climb an Ecosystem ladder. 

First…

Vendor & Stakeholder Relations

Right now healthcare delivery organizations have vendor relations programs. The first level of identity ecosystem maturity is making those top notch.

And doing the same with other outside stakeholders in your IoT identity ecosystem. Like other healthcare providers in your community. Like insurers who pay for clinical and home devices. Like regulatory bodies that govern your systems. Maybe even patients. 

Who is upstream, downstream, and in community with our identity? 

Expanding the ecosystem circle is the next rung. 

Identifying those in your IoT identity ecosystem who are one or more steps removed from your vendors and your immediate stakeholders. 

For example, the companies your vendors use to cache identity, the standards groups designing the next generation of the IoT identity layer, the regulatory bodies who specify or approve your identity protocols and practices. 

Convening the ecosystem

Identity ecosystems have work to do. Policy and language harmonization, technical interop, stress tests, information sharing. So you engage your ecosystem, working together to shore up the least of you and to move all of you in common directions. 

Community engagement in common initiatives

And as your ecosystem works together to create a more seamless, antifragile, identity layer for your things, you’ll start engaging on strategic issues with deep and long term impact. 

Together, you can define technical standards and shape regulatory policy. Together, you can research better identity user experiences for the next generation of wearable and implanted devices. 

You’ll leverage your internal competencies for greater capability in concert with your identity ecosystem.

So this is what the model looks like. Two paths, climbed side-by-side:  

So how do we get to HADI for healthcare IDoT and bring order to complexity? 

We look at it through two lenses. 

First, IdentityOps. You’re familiar with this. Establishing sound practices to ensure security and integrity of operations. Making sure every device in your ecosystem is known and those who access them are known. Most people working in digital identity today are making identity practices trustworthy, repeatable, and compliant.

The other lens: Identity Science. Moving Identity from a cost of operations to an enabler of new products and services. (If that sounds odd to you, we observe that with confidence in your device ecosystem, new opportunities arise.) 

With Identity Science, you expand identity from the bottom line to the top line. By leveraging digital identity for operations improvement and strategic advantage. By exploiting new opportunities created by trillions of things in the world. By helping both sides of the maturity model to co-evolve and adapt. 

When casting these over the maturity model, at first glance: 

  • IdentityOps people often lead the first layers of the model 
  • Identity Science folks more at the third and fourth levels.

There is a lot of overlap and work enough to go around. IdentityOps and Identity Science is not an either/or model but a both/and.

So, there you have it. Our very imperfect, first rough draft of a doctrine, a maturity model, and two complementary specializations among identity practice.

P.S. We walked through this and a few other ideas at Identiverse 2021. IoMT At Risk. A Wider Team Critique of Digital Identity Threats to the Internet of Medical Things. Read all the posts from our Identiverse talk.

P.P.S. We’re calling this model the “Wider HADI IoT Maturity model” to distinguish it from the vastly superior forks that are sure to follow. Please let us know the many ways this model is not the thing. Or just grab coffee to tell us to our face.

1 thought on “Wider’s High Assurance Digital Identity Maturity Model

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this:
search previous next tag category expand menu location phone mail time cart zoom edit close