Managing Risk at Scale

{% hint style="success" %} Most relevant for 💭 Visionaries and 🔥 Advisors {% endhint %}

Success depends on a comprehensive understanding of the user needs, threat models, and system architectures found within the context of the target beneficiary communities.

Many organizations in the privacy and security field, of which we are considered a part, might balk at the idea of a government deploying a “100 per cent continuous, compulsory, and permanent registration” through digital identity or vital statistics tracking. We do not. Through our deep experience with exile communities, diasporas, refugees, and other communities in great need of services but lacking core infrastructure and sufficient centralized services, we understand the clear value and benefits that a unified, managed identity service can provide. The challenge then is ensuring it is designed correctly, implemented appropriately, operated securely, and maintained effectively. That challenge raises the question of whether to unify a solution into a single, siloed monoculture, or to embrace a more diverse, federated approach.

Avoiding Monoculture Pitfalls

The goal of creating a standardized solution that can be easily replicated adds a burden. Any flaw, weakness, or vulnerability in the core implementation, or in the resulting templates and technical recommendation documents, makes its way into subsequent implementations. Cost savings and standardization are valuable, yes, but in some cases a diversity of implementations around a common standard or API can be better than one homogeneous monoculture.

Any audit or assessment must consider not only the problems that may arise from one instance with one codebase, but also those that arise from 20 or 200 instances, in aggregate, sharing that codebase. This covers not just the cost, time, and skill of deployment, but also maintenance over time, handling of emergency situations, patching of vulnerabilities, defending against denial-of-service attacks, and other common cyber security threats.

Packaging Success

Returning to our deep experience working with communities at risk, especially those facing advanced cyber attacks, we see great value in providing robust, packaged, vetted solutions. This package should also include technical assistance in the form of helpful documentation and best practices forms. This allows the communities themselves to understand how to adopt, nurture, support, and sustain these systems, all while building up their own in-house and local capacity.

It is here that the helpful diversity returns: each organization and local deployment team understands its own unique threats, constraints, vulnerabilities, and requirements, and must tune the deployment for them, while still benefiting from the core reusable package.