With breach becoming commonplace, is the cost (tangible and intangible) of protecting identity assets within the enterprise going to outweigh the benefits of hosting this data?
Will breach become the nudge that advances a decentralised self-sovereign identity? If so, how will such a move impact existing business models and security?
It's a good question. For some orgs it can't be avoided because of the nature of the business. But our identity protection costs and PCI/CPNI/PII compliance costs have gone up dramatically year to year. At some point it's just going to make more sense to simply divest ourselves of as much of that data as possible, only maintaining the bare minimum needed for regulatory purposes.
The social security number is a terrible model for personal identification. A massive portion of the population already has their information being sold on the dark web. The problem that we will run into is that the most secure methods to identify people are intrusive to their privacy and will most likely never get implemented, due to people's desire to hide their bad habits. The entire identity protection model is very fragile. We put 14 locks on the front door, but we have the door placed between two 6-foot windows and the sliding back door is secured by a tiny latch.
I don't know if business needs to hold all the identity information that they claim.
I think business may have to get used to a new operational environment where identity isn't sticky. Business will have to adapt and build services that people want to use and are not trapped into using.
I've been thinking the same thing too, especially with GDPR on the horizon.
And we're not the only ones... http://www.wired.co.uk/article/wetherspoons-email-database-gdpr