
Identity as the New Perimeter

Abstract

Digital transformation, mobility and the proliferation of applications and networks have made traditional forms of information protection increasingly difficult to manage and enforce. Information is everywhere and access is widely distributed, but most security programs are still largely based on archaic, static security models that no longer work, and the situation is getting worse. The latest evidence of this is the recent breach disclosed by Equifax, which exposed identity information for over 140 million individuals. Enterprises continue to take on enormous risk by aggregating unnecessary personal data, while customers cannot manage the massive number of IDs, passwords and data required to interact with every online connection. TechVision believes that the common denominator across most aspects of information protection is identity. An identity inextricably linked to a person, device, application, system or network is today the most dependable ‘perimeter’ we can rely upon to determine what information to make available, to whom, and how. Identity management will soon have to make the leap from our age-old approaches of multiple user IDs and passwords to a new, secure, privacy-centric means of identification. The good news is that the bulk of the underpinnings for this more flexible, scalable and secure user-centric identity model can leverage existing technologies, but a few pieces such as blockchain and verifiable claims can be added to accelerate the movement to self-sovereign identity and access management. This new, user-centric identity model leverages personas built from verifiable claims that both protect privacy (and reduce liability for the enterprise) and provide distributed access to authorized services. In this way, identity becomes the primary security perimeter, applicable in enterprise, banking, commerce, social networks and other forms of interaction.

The lowest common denominator becomes identity, and we recommend that CIOs, CISOs and Line of Business (LOB) leaders carefully evaluate this new approach to distributed identity.

Identity is the New Perimeter
Simmons, Nikols, Rowe, Zimmerman

© 2017 TechVision Research, all rights reserved www.techvisionresearch.com

This report covers:

• The new definition of identity
• The concept of a persona
• Verifiable claims (digitally signed attributes) that can comprise various personas
• The rise of reputation as a deciding factor
• The way forward into the new world of identity-centric security and risk management

Authors:

Doug Simmons, Principal Consulting Analyst, [email protected]
Nick Nikols, Principal Consulting Analyst, [email protected]
Gary Rowe, CEO, Principal Consulting Analyst, [email protected]
Gary Zimmerman, CMO, Principal Consulting Analyst, [email protected]


Table of Contents

Abstract (p. 1)
Table of Contents (p. 3)
Executive Summary (p. 4)
Introduction (p. 5)
The Starting Point - Moving from Fixed to Flexible Identities (p. 7)
Better Leverage the Building Blocks We Already Have (p. 9)
    Mobile Devices (p. 9)
    Privacy and Security Momentum (p. 10)
    The Cloud (p. 11)
    Public Key Infrastructure (p. 12)
    Federation (p. 12)
    Orchestration and Virtualization (p. 13)
    Contextual Awareness (p. 14)
A Look Ahead – Crafting A New Digital Foundation (p. 14)
    Blockchain and Verifiable Claims (p. 15)
    Reputation Systems Support this Model (p. 17)
    Advancing the ‘AI’ in IAM (p. 19)
    Non-repudiated Decentralized Identifiers (p. 20)
    Changing Relationships (p. 22)
    Open Minds (p. 22)
The Way Forward (p. 23)
    Putting the Pieces Together: An Example (p. 24)
    What You Should Be Doing to Prepare (p. 25)
Solutions to Watch (p. 26)
    Blockstack (p. 27)
    Cambridge Blockchain (p. 28)
    Evernym/Sovrin (p. 29)
    IBM (p. 32)
    Microsoft (p. 34)
    ShoCard (p. 36)
    UPort (p. 37)
Summary and Conclusion (p. 38)
About TechVision (p. 40)
About the Authors (p. 41)


Executive Summary

TechVision Research believes the current identity services approach in the business-to-consumer (B2C) space is at a tipping point. The unmanageable and accelerating proliferation of identities and associated identifiers (user IDs) and passwords that must be individually established and managed for every B2C connection is a model that is already collapsing under its own weight. From an enterprise perspective, collecting all this data and protecting it is a tremendous expense and a significant risk. From an individual perspective it is difficult to manage, invasive, and increasingly limits open engagement with potential business partners. This report describes a future-state solution that TechVision sees as a fundamentally better approach to managing and leveraging external identities within an enterprise. Identity is the new perimeter, but that does not mean the enterprise needs to own all of these identifiers and PII; it simply needs to incorporate, support and use distributed identities based on the level of trust and the specific supporting data needed for a particular use case. This approach, with identity as the new perimeter, brings benefits in enterprise security and risk mitigation, and has the potential to better position the organization with the individuals and organizations that connect to it digitally. We describe a roadmap toward this distributed, self-sovereign identity model that starts by better leveraging existing technologies and adds a few new ingredients to achieve enterprise and customer goals. The good news is that we can start by repurposing many existing components, including mobile devices, privacy-centric initiatives (such as GDPR), cloud/SaaS services, and existing security and identity technologies such as PKI, federation, identity aggregation and orchestration, and contextual identity, as the basis for this new, self-sovereign, distributed identity model.

But the secret sauce is to build on this foundation with a few new and evolving components, starting with blockchain, verifiable claims, and reputation systems. What we describe in this report is not a “quick fix” IT program; it is a fundamental shift in how enterprises engage customers, trading partners and the general public. We recommend that enterprises use it as a foundation for providing better security, limiting the liability that comes from retaining unnecessary PII, and providing a better, more open, more trusting, customer-friendly engagement platform.


Introduction

The proliferation of applications, devices (personal and at work) and networks (social, work, service provider, etc.) has made traditional forms of information protection increasingly difficult to enforce. Firewalls, for example, have so many holes opened in them that properly managing and monitoring network and system access has become nearly impossible. The notion of the ‘disappearing security perimeter’ is not new; in fact, we introduced it over fifteen years ago when we were at Burton Group. What is becoming evident, however, is that the common denominator across most aspects of information protection is identity. An identity inextricably linked to a person, device, application, system or network is today the most dependable ‘perimeter’ we can rely upon to determine what information to make available, to whom, and how. Identity is the new perimeter, and that concept is the focus of this research report. Security is really about determining and enforcing appropriate access to information, assets and resources. Often this has taken on a very physical mindset: protecting these elements by locking them up in a vault or behind a firewall. In fact, the very concept of a lock and key underscores a more fundamental relationship: the key is the means by which the possessor demonstrates that he or she is the appropriate person to open the lock. In this example the means by which the relationship is expressed is far from foolproof, but a deeper focus on the nature of this relationship makes it clear that a better understanding of the context of the identity attempting access will lead to much more dynamic, pervasive and effective security models. Establishing identity as the new perimeter starts, of course, by understanding what an identity is and how it might be used to establish this security foundation. The concept of identity is fairly simple: it is a representation of a real-world object.
It can apply to people, organizations, devices, buildings, conference rooms, policies and all sorts of “things”. So even a collection of identifiers and attributes that describe these identities has the potential to be a flexible and pervasive means of protecting and securing business and personal assets. Security based on physical locations and well-defined perimeters breaks down when devices and identities can emerge anywhere and everywhere. While establishing identity as the new perimeter is a noble goal and is inevitable, the mechanisms and models for handling identities, personas, identity management and personal control need to be modified to make this concept a reality. So what does this new individual identity model look like? It starts with a focus on personal data privacy, as this is critical in protecting against identity theft and fraud. This protection is critical for both individuals and enterprises. The pervasive sharing of so many individual attributes with service providers, whether commercial, employment-related, personal, governmental or social-media-related, is at the root of the privacy challenge and should be addressed in the new individual identity model. This has led to the notion of a persona as a way to strike a better balance between identifiers and individual privacy and control. Personas become snapshots of individuals, allowing a person to invoke pseudonyms to be appropriately identified in a specific context online. With pseudonymity, individuals are empowered to develop a relationship with various services by sharing a small number of attributes (or no attributes at all) that help define an identity and persona in a particular plane of existence, while purposely stopping short of sharing unnecessary or undesired attributes. In a way, we have transcended anonymity as the only form of non-personal interaction with online services by upping the ante to pseudonymity. With this in mind, the concept being introduced here, identity as the new security perimeter, might be better stated as ‘persona is the new perimeter’. That may be splitting hairs at this point, but it is important to understand that identity, in the journey we are embarking upon here, is more than just a single user ID and password. An understanding of pseudonymity and personas establishes a conceptual foundation for identity as the new perimeter and is a good first step, but only a first step. There is still a missing ingredient that limits the value of pseudonymity in our new identity model: trust. Establishing trust revolves around determining how a service provider (or employer network) knows that the endpoint identified as batman678 (or (908) 555-1212, or http://210.01.55.48) is the actual person it claims to be. Does the service provider trust this association to the degree it needs to for the type of relationship it is engaging in? This is where definitive attributes that identify a person in terms of capability or verifiable historical transactions become most important.
A pseudonymous persona should be able to transmit and share one or more selected attributes with the service provider that vouch for this person’s ‘identity’ in a way that does not share his or her entire identity and that preserves and protects personally identifiable information (PII). These attributes, though ‘opaque’, must be trusted. How well the shared attributes are trusted depends on how well the entity or entities that vouched for the authenticity of these attributes are trusted. That is the notion behind the long-standing principle of transitive trust. This is the model for identity federation that has been in existence for nearly two decades, so it is nothing new in and of itself. What has been lacking over the years is a workable mechanism for individuals, organizations or devices to accumulate and share trusted attributes about themselves on a case-by-case basis. This is what is meant by ‘user centricity’ and the concept of ‘user consent’. The underpinnings for a more flexible, scalable and secure means of enabling user centricity and consent in the digital world are gradually becoming available, but still fall short of the new, much-needed user-centric form of authentication and authorization. Once these building blocks are more fully established, we will be able to safely migrate to a world where ‘bring your own identity’ (BYOI) is standard, desirable and secure for authenticating ourselves to virtually every form of digital service, whether commerce, employment, health care or finance. In this paper we first identify the requirements for a user-centric identity model that establishes identity as the new perimeter. Following that, we look at current and emerging technology and social advances that may make this a reality, given that many of the necessary building blocks are already in place or taking shape.

The Starting Point - Moving from Fixed to Flexible Identities

Throughout history there have been hardwired forms of identification that pertain to very specific expectations. For instance, at birth there is often some form of national identifier (e.g., social security number, birth certificate) attached to us. An individual's physical attributes such as height, weight, eye and hair color are later published on drivers’ licenses for virtually anyone to see. Pictures are on our passports and ID cards, along with home or work addresses. In many ways, society has functioned by using physical, fixed attributes as the primary form of identification for centuries, if not millennia. The movement from fixed, static models to more flexible, open models is not, of course, limited to identity management; virtually every infrastructure area is moving to a more adaptive, flexible and inclusive model, and the need for this type of flexibility will accelerate as enterprises move more aggressively towards DevOps, microservices, cloud computing and digital transformation. And it is not just flexibility we need to aspire to; it is the protection of personal information that may be stored anywhere but is under the control of the enterprise that acquired it. In a digital world, sharing unnecessary sensitive information for each transaction should no longer be required. Sharing more information than a transaction requires increases the liability of the organization collecting that information and can be viewed negatively by customers and regulators. But to do this we need to move towards a flexible identity foundation. A great example of fixed, single-purpose identities that convey more information than they should can be found in credit cards. An individual's name is emblazoned on the card, and that name along with the associated card number is traditionally needed to purchase goods or services whether online or at the point of sale. Individuals are starting to question why merchants, service providers or even employers need more data than is necessary to conduct a transaction. Isn’t the fact that the card has available credit from which the merchant can receive funds the only piece of information the merchant really cares about? The same is true with taxi drivers, hotel clerks and the hundreds or thousands of transactions that individuals conduct every year. A name is emblazoned on the card for ‘identification purposes’, but in today’s digital world that information (a personal name) is a rather meaningless form of verification and in fact only exposes the individual to identity fraud. Historically speaking, it was more important to have multiple attributes available to merchants, service providers and employers so that they could theoretically “triage” this information into some form of assurance that we are who we say we are. Coupled with these shared attributes has been the concept of ‘reputation’. Questions like “who knows this person?” and “has he or she successfully performed a similar transaction in the past?” are factored into the decision as to whether to trust the individual. How well this pile of personal information, including reputation, was actually triaged (and protected from misuse) has always been suspect. And with the onset of global digital transformation, the sharing of this information and its subsequent proliferation has radically increased the opportunity for, and the pervasiveness of, identity theft and fraud. Continuing this analysis: once some level of acceptable triage was performed, a person was instructed to create a user ID and password specific to the intended purpose (e.g., online bank access, employer network access).

It is generally understood at this point how problematic the proliferation of user IDs and passwords has become, each pair used as a form of rigid persona that is only usable or recognizable by a single entity or service provider. Let’s just say this system is broken: the vast majority of people either use the same user ID and password everywhere or write them down somewhere that can be easily compromised, and both practices represent high risk for the individual and for the systems to which the individual connects and trusts. As we stitch together more and more of these user IDs and passwords across tens or hundreds of individual sites, personal information becomes exponentially less secure. This is the unfortunate mess that individuals and organizations are in today. TechVision believes there is a better way, and it starts with the transition from fixed to flexible identities. This is critical in walking the fine line of providing secure identities when needed without sharing data that is not necessary for a particular use case. While we will introduce some new technologies (at least to some readers) and new approaches in this report, we can start by considering how existing technologies and processes can be intelligently orchestrated to move us towards our goal of establishing identity as the new perimeter.
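The transitive-trust mechanics described earlier (a pseudonymous persona revealing a few issuer-vouched attributes, and the service provider deciding whether it trusts the entity that vouched for them) and the credit-card case just discussed can be made concrete in code. The following is an added example written for this page; it is not code from the TechVision report or from any vendor it covers. It assumes a hypothetical issuer named bank.example, made-up attribute names, and uses a salted-hash commitment plus a simplified Schnorr signature over secp256k1 as stand-ins for whatever credential format and signature scheme a real verifiable-claims deployment would use. The issuer signs only salted hashes of the holder's attributes; the holder opens just the attribute a merchant needs; the merchant accepts it only if the signing issuer is in its own trust list, the signature verifies, and the opened value matches what was signed.

```python
# Added illustrative example: selective disclosure of issuer-signed attributes.
import hashlib
import os

_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
      0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator


def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % _P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, _P) % _P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, _P) % _P
    x3 = (lam * lam - x1 - x2) % _P
    return (x3, (lam * (x1 - x3) - y1) % _P)


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, point)
        point = _add(point, point)
        k >>= 1
    return acc


def _enc(point):
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")


def _h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def keygen():
    priv = int.from_bytes(os.urandom(32), "big") % (_N - 1) + 1
    return priv, _mul(priv, _G)


def sign(priv, msg):
    """Schnorr signature with a hash-derived nonce (simplified; not BIP340)."""
    pub = _mul(priv, _G)
    k = int.from_bytes(_h(priv.to_bytes(32, "big"), msg), "big") % _N or 1
    r = _mul(k, _G)
    e = int.from_bytes(_h(_enc(r), _enc(pub), msg), "big") % _N
    return r, (k + e * priv) % _N


def verify(pub, msg, sig):
    r, s = sig
    e = int.from_bytes(_h(_enc(r), _enc(pub), msg), "big") % _N
    return _mul(s, _G) == _add(r, _mul(e, pub))


def _commit(salt, name, value):
    return _h(salt, name.encode(), b"=", value.encode()).hex()  # hides value, binds name to it


def _credential_digest(issuer, commitments):
    return _h(issuer.encode(), *(c.encode() for c in sorted(commitments)))


def issue(issuer, issuer_priv, attributes):
    """Issuer signs the set of salted commitments, never the plaintext attribute values."""
    salts = {name: os.urandom(16) for name in attributes}
    commitments = sorted(_commit(salts[n], n, v) for n, v in attributes.items())
    sig = sign(issuer_priv, _credential_digest(issuer, commitments))
    return {"issuer": issuer, "commitments": commitments, "sig": sig}, salts


def present(credential, salts, attributes, reveal):
    """Holder opens only the named attributes; the rest stay as opaque hashes."""
    disclosed = {n: (attributes[n], salts[n].hex()) for n in reveal}
    return {**credential, "disclosed": disclosed}


def verify_presentation(presentation, trusted_issuers):
    """Return the proven attributes, or None if the issuer, signature or a value fails."""
    pub = trusted_issuers.get(presentation["issuer"])
    if pub is None:
        return None  # nobody the verifier trusts vouched for these attributes
    digest = _credential_digest(presentation["issuer"], presentation["commitments"])
    if not verify(pub, digest, presentation["sig"]):
        return None  # forged credential or altered commitment set
    committed = set(presentation["commitments"])
    proven = {}
    for name, (value, salt_hex) in presentation["disclosed"].items():
        if _commit(bytes.fromhex(salt_hex), name, value) not in committed:
            return None  # value does not match what the issuer signed
        proven[name] = value
    return proven


if __name__ == "__main__":
    # Constructed data: hypothetical bank.example issues a credential; the merchant needs one attribute.
    bank_priv, bank_pub = keygen()
    attrs = {"legal_name": "A. Holder", "card_pan": "4111 1111 1111 1111", "credit_available": "true"}
    cred, salts = issue("bank.example", bank_priv, attrs)
    print(verify_presentation(present(cred, salts, attrs, ["credit_available"]), {"bank.example": bank_pub}))
```

Running the module prints {'credit_available': 'true'}: the merchant learns that credit is available and nothing else, and the name and card number never leave the holder's wallet. Swapping the disclosed value, or presenting a credential signed by a key the merchant does not trust, returns None, which is the transitive-trust point in practice: an attribute is only as trustworthy as the verifier's trust in the issuer that signed it. The curve arithmetic here is a plain illustration and is not constant-time; production code would use an audited library and a standard credential format.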


Better Leverage the Building Blocks We Already Have

There are many existing and evolving pieces that can be very useful in moving to this new user-centric, privacy-respecting identity model. Our starting point is to leverage and harmonize key infrastructure elements and technical approaches, and then add a few new, more disruptive pieces that we describe in the next section. We want to build from existing technology and infrastructure as the foundation for moving forward. In this section we identify these technologies and explore their potential utility in helping us transform digitally and establish identity as the new perimeter. We describe how mobile devices, privacy-centric programs, the pervasive movement to the cloud, and existing security and identity technologies such as PKI, federation, identity aggregation and orchestration, and contextual identity can be leveraged as solid building blocks for this new, self-sovereign, distributed identity model.

Mobile Devices

Mobile devices have become globally pervasive. From an identity management standpoint, smartphones have become powerful tokens for authentication and for providing greater identity assurance. The ability of iOS and Android devices to enable multi-factor authentication (MFA) using fingerprint, voice recognition and other biometric forms (the biometric unlocks a credential held on the device, so the device itself remains the possession factor) has made them a very usable authentication tool on the path to BYOI. Authenticating to the device becomes the first step to identity proofing on the continuum of performing digital transactions. In the past few years we have already seen an immense increase in MFA deployment around the globe. Vendors such as Duo, Authy, Twilio, RSA, Microsoft, Google, ForgeRock and many more have supplied the market with very user-friendly and affordable means of implementing MFA for enterprises, educational institutions, banks, online merchants and so forth. With such an improvement in usability and capability, MFA is becoming increasingly popular and in many cases expected by end users. The old ‘resistance to change’ attitudes among end users of all walks of life are quickly fading. The risks of identity theft and the resulting financial or privacy loss are too great for most of us to ignore, so the adoption of MFA technology is getting right where it needs to be. In this emerging landscape, mobile devices are well positioned to become our primary identity/persona management and transaction tools. One of the key ingredients for identity centricity in the digital world is now rapidly falling into place.


Privacy and Security Momentum Individual’s personal data is being exposed an alarming rate. Privacy has largely been a follower rather than a leader in application design principles. Because of this, a great deal of effort has been going into protecting personal information, especially in the online world. This crisis in privacy protection has continued to kindle ever-changing privacy regulations across the country and around the globe. One great example is the European Union’s General Data Protection Regulation (GDPR), which defines very specific rules that protect an individual’s rights over their personal data, as these rules apply to whether the processing takes place in the EU or not. GDPR is intended to allow individuals to exercise new rights to exert control over their personal data. This control includes the ability to:

• Access and review their data
• Assign how their data may be used (e.g., restricting automated processing, managing the use of website cookies especially for social media and cloud based services)
• Invoke objections
• Recertification
• Blocking and erasure
• Portability (including a physical copy)
• Transparency regarding how an organization uses their information
• Grant and withdraw consent
• Right to be forgotten (e.g., erasure of links to data and copies)
• Disclosure of breaches when they occur

TechVision Research has done a great deal of investigation and helped our customers determine how best to comply with GDPR as it becomes ‘the rule of the land’ across the EU in mid-2018. In part, this ongoing effort has left us with a solidifying viewpoint as to how personally identifiable information (PII) should be handled across the global IAM ecosystem - and that viewpoint crystallizes the postulation that a user centric IAM model, such as we are defining here, must emerge. The Identity as the New Perimeter model, if implemented correctly, will be a major step towards better privacy and GDPR compliance.


The Cloud When an individual is securely authenticated using a mobile device via MFA, the next step is to manage their personas. Multiple personas may exist in relation to the same person in the form of accounts with an employer, financial institutions, social media sites like LinkedIn and Facebook, e-commerce sites like Amazon, Google, eBay and government entities such as the Department of Motor Vehicles and so forth. In fact, identity is much more than the sum of its attributes. Identity is a multi-faceted set of relationships between the individual and the entities that the individual is interacting with. Each relationship should be maintained on its own terms, whether it is a relationship between employee and employer, between customer and vendor, between citizen and government, or between peers. Personas are a way to embody these relationships. The key here is that there should only be specific, necessary attributes associated with each of these entities, not a complete list of all identifying attributes available to all of them. This is one of the fundamental differences between the ages-old carbon (or, ‘brick-and-mortar’) world and the emerging digital world. The cloud, as amorphous as it sounds, is the place to securely manage and maintain these unique, trusted, non-repudiable attributes. It provides the distribution necessary for enabling easy access from anywhere, and the device independence required for this model to become pervasive. If we were to only maintain these persona-centric attributes on mobile devices themselves, we’d limit our ability to transact to only that device. By maintaining these personas in the cloud, we open up the ability to share specific attributes with third parties from other devices, such as our laptops, workstations, kiosks, etc. 
It is imperative, of course, that we continue to authenticate to the cloud provider(s) where these attributes are stored via MFA, which may require the person’s mobile device be available for that aspect of the transaction. This model is identical to the MFA model used for many service providers where authentication to the web-based application on your laptop or kiosk still requires the mobile device be available to accept a ‘push’ authentication notification or one-time password. It bears mentioning that cloud-centric IAM environments such as Okta, Ping, Janrain and other cloud IAM providers are in fact forming this cloud of Identity Providers (IDPs), and are gradually positioning themselves to be the best places to maintain a large pool of identities and their associated personas and ‘verified claims’ (see below) - though this last bit may not yet appear on some of their radars.

Public Key Infrastructure If attributes are to be used to maintain our personas in cyberspace, they must be wholly non-repudiable. In other words, if a person shares an attribute with a financial institution that vouches for his or her annual income, that attribute must not be able to be spoofed in any way. Thankfully, we’ve had at our fingertips for a few decades the very usable and scalable public key infrastructure (PKI). Every one of us interacts with PKI typically every day – principally in the form of secure sockets layer (SSL) or transport layer security (TLS) encrypted communication between our web browsers and mobile apps and online services. So, there already exists a pervasive public key infrastructure supporting secure electronic communication (SSL and TLS) and digital signatures at the institutional level (e.g., banks, employer networks, etc.). This PKI infrastructure is the archetype of a globally pervasive trust network. PKI has become the de facto Internet trust fabric - and we should leverage this to its fullest capability in this emerging IAM approach. For instance, PKI plays a key role in the following:

1. Signing and encrypting individual blocks in the form of verified claims so that individual claims of identity can be shared securely with service providers needing various levels of assurance that one is who he says he is and can prove this through verifiable claims.

2. Signing and encrypting federation assertions between the Identity Provider (IDP) and the service provider.

Federation Federation technology has become a very important connective technology that enables efficient distributed identity management and enhanced convenience for users, such as cross-domain single sign-on (SSO). As such, federation allows companies to provide access to applications and share resources without the need to adopt the same technologies for authentication, access control, directory services and account provisioning.


Federation will continue to play a key role in this emerging identity management approach, as it already fully leverages the trust and security capabilities of PKI. This is because today federation assertions are typically encrypted and signed by the identity provider’s (IDP) federation modules before being redirected. Assertions are therefore trusted and non-repudiable thanks to PKI. Federation is widely used because it simply works. Currently, SAML 2.0, OAuth 2.0 and OpenID Connect support ready-made federation token formats that allow federation to work and set the stage for a more BYOI-centric capability on a much broader basis.

Orchestration and Virtualization The future of Identity Management will be built on a flexible, accessible foundation that integrates data from many environments and provides access for many identity consumers. There are a couple of very useful techniques that facilitate the handling of data that is either shared or broken up and distributed across disparate environments, and that facilitate the assembly of this data into dynamically formatted views for easy consumption by other applications and services. Identity Orchestration Services provide the means by which data may be shared and maintained in a consistent fashion across multiple disparate environments, by orchestrating the changes between them and allowing the shared information to be managed as a common whole. Virtual directory services provide the means to dynamically aggregate and structure a virtualized view by taking the shared identity data that an orchestration service manages and combining it with additional, non-shared identity attributes that may exist in various disparate repositories. This facilitates the dynamic creation of easy to consume, on-demand, logical views of the whole of this data, and allows these views to be tailored to meet the requirements of the consuming applications or services. Orchestration services are often found as part of identity provisioning and identity governance and administration offerings from vendors such as Micro Focus and One Identity. Virtual directory solutions can be found as part of solutions from vendors such as Oracle. Radiant Logic is an example of a vendor that provides an offering that combines both orchestration and virtualization services. For a better understanding of how these elements operate and can work together in concert to provide a more comprehensive set of identity services, please refer to TechVision’s Identity and Access Management Reference Architecture.
In our emerging IAM model, these techniques play a key role in stitching together and maintaining this identity information across multiple Identity Providers (IDPs) to create a single, unified set of attributes that the user can choose from to share with service providers as proof-of-identity, typically in the form of verifiable claims.


Contextual Awareness Contextual awareness pertains to the ability of the identity management system to determine certain characteristics about a user during runtime authentication and authorization and then to use this information to both:

• Measure the risk associated with the device, location, information sensitivity and the like during the authentication and authorization request and

• Enforce specific policies regarding the type of authentication and identity information required to access the desired resource to better combat fraud.

For instance, if an end user wants to access her employer network, contextual awareness provides more detail about the current circumstances beyond simply identifying the user, by enabling the IAM infrastructure to determine what device is being used and whether it is trusted or managed by the enterprise, what location she is attempting to authenticate from and maybe what level of sensitivity exists for the employer IT resource she wants to access. Taken together, this is contextual information that can determine the level of risk involved and can step up the level of authentication strength (e.g., password or MFA) to meet the required level of identity assurance. In our emerging model, contextual awareness becomes a service enabled by the IDP that is transmitted on secure assertions, along with any specific verifiable claims. To reiterate, we are advocating an access control risk framework that triages multiple data points during runtime to better establish the credibility of the identity being presented. Leveraging the capabilities described above is a great first step towards the foundational changes needed in Internet-based IAM. PKI, storing identities in the cloud, maintaining consistency of identity information, generating easily accessible, on-demand views of this information, leveraging greater contextual awareness and achieving stronger authentication via MFA are all ingredients that will contribute to the new identity model. But it isn’t enough to achieve the broad changes we seek; for that there needs to be some additional secret sauce and we’ll describe the additional ingredients in the next section.
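As an added illustration (not code from the report or any vendor product), here is how an IDP might triage the data points just described into one risk score and a step-up decision in Go. The weights, the thresholds and the three authentication levels are assumptions for this example; the reasons list is kept so the decision can be audited alongside the assertion.

```go
package main

import "fmt"

// AuthLevel is the authentication strength the IDP demands before it issues an assertion.
type AuthLevel int

const (
	Password     AuthLevel = iota // single factor is enough
	MFA                           // password plus push/OTP on the mobile device
	MFAWithClaim                  // MFA plus a verifiable claim from a trusted third party
)

func (a AuthLevel) String() string {
	return [...]string{"password", "mfa", "mfa+verifiable-claim"}[a]
}

// Context is the runtime signal set the text describes: device, location,
// resource sensitivity, and how many trusted parties vouch for the identity.
type Context struct {
	DeviceManaged   bool // enrolled in the enterprise's device management
	DeviceTrusted   bool // passed a posture/attestation check for this request
	KnownLocation   bool // the user has authenticated from this location before
	ResourceTier    int  // 0 public, 1 internal, 2 confidential, 3 restricted
	TrustedVouchers int  // verifiable claims presented whose issuers the IDP trusts
}

// Decision is recorded with the assertion so the outcome can be audited.
type Decision struct {
	Score   int
	Level   AuthLevel
	Reasons []string
}

// Evaluate triages the data points into one risk score and maps it onto the
// step-up policy. Weights and thresholds are assumptions for this example.
func Evaluate(c Context) Decision {
	var d Decision
	add := func(points int, why string) {
		d.Score += points
		d.Reasons = append(d.Reasons, fmt.Sprintf("%+d %s", points, why))
	}
	if !c.DeviceManaged {
		add(2, "device not managed by the enterprise")
	}
	if !c.DeviceTrusted {
		add(3, "device failed trust/posture check")
	}
	if !c.KnownLocation {
		add(2, "unfamiliar location")
	}
	if c.ResourceTier > 0 {
		add(2*c.ResourceTier, fmt.Sprintf("resource sensitivity tier %d", c.ResourceTier))
	}
	if c.TrustedVouchers > 0 {
		// Each trusted verifiable claim raises the credibility of the presented identity.
		add(-c.TrustedVouchers, "trusted third parties vouch for the identity")
	}
	if d.Score < 0 {
		d.Score = 0
	}
	switch {
	case c.ResourceTier >= 3:
		// Restricted resources always need proof beyond the password, whatever the score says.
		d.Level = MFAWithClaim
	case d.Score <= 2:
		d.Level = Password
	case d.Score <= 6:
		d.Level = MFA
	default:
		d.Level = MFAWithClaim
	}
	return d
}

func main() {
	// Constructed sample requests: a managed laptop at a known location, an
	// unknown device from a new location, and an unmanaged but vouched-for user.
	for _, c := range []Context{
		{DeviceManaged: true, DeviceTrusted: true, KnownLocation: true, ResourceTier: 1},
		{ResourceTier: 2},
		{DeviceTrusted: true, KnownLocation: true, ResourceTier: 2, TrustedVouchers: 2},
	} {
		d := Evaluate(c)
		fmt.Printf("score=%d level=%s reasons=%v\n", d.Score, d.Level, d.Reasons)
	}
}
```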

A Look Ahead – Crafting A New Digital Foundation TechVision believes that there needs to be, and will be, a new digital foundation supporting a pervasive set of services that share only the necessary and relevant bits of verifiable information needed to perform specific transactions. These new models can apply to a diverse set of services ranging from logging on to an employer’s network, accessing services from a healthcare provider network or leveraging the services of Amazon, eBay, Bank of America, or eTrade. In accessing any of these services the goal is to develop mechanisms to gain explicit consent to easily share specific information with specific entities.


The goal is to maintain a digital satchel of non-repudiable and verifiable attributes that can be shared individually with the entity engaged in the transaction or communication. In fact, some of these attributes can and should be based on reputation – the ongoing establishment of authenticity over time, vouched for by third parties that the service provider recognizes as verifiable and accurate. These services can start with a foundation, based on leveraging existing services as described in the previous section, but this isn’t enough to meet the goals we have described. We’ll now consider the value and roles that blockchain, verifiable claims, reputation, distributed identifiers and Artificial Intelligence (AI) play in building out the desired future state of Identity as the new perimeter. We’ll start with blockchain and verifiable claims.

Blockchain and Verifiable Claims While many of the pieces are already here, the way we manage and use these pieces needs to be redefined. And we are moving towards this redefinition. In this light, we bring the reader back to some of our earlier research this past year or so, which focuses on blockchain and its utility in a user centric, global IAM environment. An excerpt from our October 2016 report titled “Blockchain-based Identity Management” by Doug Simmons and Gary Rowe reads as follows: “Blockchain-based identity and access management services (IAM) have the potential to dramatically change the IAM space. Application and web service environments now involve a distributed network of computers executing decentralized applications, i.e. “blockchain technology”, and the deployment model is evolving from rapid innovation coinciding with a fundamental shift to the cloud, big data processing, Internet of Things (IoT), mobile device integration, and artificial intelligence. Each of these environmental changes contributes to a disappearing security perimeter further driving the need for a flexible, adaptable and inclusive IAM infrastructure. Blockchain-based IAM has the potential to support this emerging model, but, as discussed in this report, it requires some maturity in blockchain identity services, and careful migration planning.” So blockchain can be an important part of this new identity model, but what role does it play and, perhaps more importantly, what role doesn’t it play in supporting self-sovereign identity? Blockchain or distributed ledgers can provide greater discoverability of an identity and secure connections to the data needed to support a transaction. Daniel Buchner, the head of distributed identity at Microsoft, said it well at a recent conference in describing how blockchain might support IAM. He said “Blockchain-anchored identifiers linked to identity hubs, encoded with semantic data, are the agar upon which apps and services will grow”. So blockchain can provide the identity anchor, allow for discovery and be the immutable unforgeable record to link an identifier to an object. But what it can’t do without help is to determine what is needed for a particular transaction to be satisfied: am I old enough to purchase alcohol, am I credit worthy, do I live in Finland…for this we need something more. This is the other part of this new identity puzzle called a verifiable claim. In particular, each block in one’s blockchain may contain “pointers” to encrypted and signed verifiable claims. A verifiable claim is a qualification, achievement, quality, or piece of information about an entity's background such as a name, government ID, payment provider, home address, or university degree. Such a claim describes a quality or qualities, property or properties of an entity which establish its existence and uniqueness. Entities (people, organizations, devices) need to make many kinds of claims as part of their everyday activities. As organizations progress towards digital transformation, entities need to be able to transmit instantly verifiable claims (e.g., about their location, accomplishments, value and so forth) providing electronic proof that the claim is valid. These claims can support the next generation of web applications as they provide the basis for authorizing entities to perform actions based on rich sets of credentials issued by trusted parties. Human- and machine-mediated decisions about job applications, account access, collaboration, and professional development will depend on filtering and analyzing growing amounts of data. It is essential that data be verifiable.
Therefore, standardization of digital claim technologies makes it possible for us to issue, earn, and trust these essential records about our counterparties, without being locked into proprietary platforms. In the IAM model presented in this report, a user (or device) selects which verifiable claims to share with specific service provider entities to enable the triaging of ‘identity proofing’ artifacts necessary to properly register, authenticate and authorize access. In some ways, the use of verifiable claims within a blockchain-based ecosystem is similar to the model promoted by the User Managed Access (UMA) specification. UMA is an OAuth-based access management federation protocol standard whose purpose is to enable an end user to control the authorization of data sharing and other protected-resource access made between online services on the user’s behalf. Note that UMA is early in its life cycle and the jury is out as to its long-term prospects. However, we are taking it one secure step further by advocating user consent-driven sharing of verifiable claims rather than the PII itself. A very good overview of verified claims and typical use cases can be found in the W3C’s Verifiable Claims Use Cases document: https://www.w3.org/TR/verifiable-claims-use-cases/. We are starting to see this gel as privacy regulations such as GDPR are a forcing function towards better ways of enabling a scalable and secure user centric means of identity management. Taken together with contextual awareness, IAM systems and service providers become much more security and privacy-focused, while the true spirit of regulations such as GDPR becomes eminently attainable within this model.

Reputation Systems Support this Model A reputation in the digital sense is not the same as it is in the carbon sense. In the physical world, context is often visible. In the digital world, we have to explicitly define the context and determine what is necessary for the specific use-case. Whether Bob is a ‘nice guy’ or a ‘team player’ doesn’t make any difference when identifying himself to support a large financial transaction. Whether Bob is able to pay for or actually provide the item/service being transacted is what matters. Vouching, or leveraging reputation data is a way of assuring Bob is ‘entitled’ to do business, whether that business is purchasing a TV, securing a loan or applying for a job. But being a nice guy and having a strong community reputation may be critical if Bob is coaching your youth football team. It is all about the context and the information needed to make an informed decision. So, reputation in the digital world is becoming inextricably linked to entitlements associated with the person to which that reputation pertains. Reputation may be supported by a verifiable claim or even entries on the blockchain itself as means of establishing relevant trust in support of a specific transaction. We see this today in almost every transaction: Alice has a credit card (possibly too many actually) that vouches for her ability to pay for something. She received the credit card based on her reputation as being someone who pays her bills when due (mostly), among other reputational aspects (she has a job, she earns $X annually, she has a co-signer, etc.). Possession of the credit card allows the merchant or provider of services to know she is financially entitled to acquire said goods or services at the agreed upon price. The key to

this is that the merchant in no way needs to know her name, address, email address or any other PII that traditionally was thought necessary to vouch for the transaction. PayPal introduced this concept way back in 1998 and it has continued to thrive because of its adherence to these basic principles of pseudonymity and consent. Reputation is, of course, just as important when hiring for employment. It is conceivable that there are very few recruiters or interviewers who do not use LinkedIn today to see what Alice is ‘all about’. They likely scan her work history and maybe even education background, but what they really look at is her network: do we have anyone in common in our networks? Is there somebody the recruiter knows and trusts in their network that is also in her network? Have any of these people vouched for her skillset? That is the true gold, because the road is littered with new hires that were mistakes because one really doesn’t know a person until they work together, and if one’s (bad) reputation had been somewhat discernible by examining her personal network reputation, such mistakes might be more avoidable. Microsoft has, in fact, indicated that they see an opportunity to provide greater value to LinkedIn users by offering some level of validation of key data they store. Validating employment, education, and certain accomplishments increases the value for the prospective employer and the candidate. But this type of linkage doesn’t require a central repository or service provider. Reputation data is also key to the business model and value proposition for eBay, AirBnB and many Internet-enabled services. Answering questions as to what others have said about someone’s capabilities or the ratings received (five star vs one star) is critical in helping customers make informed decisions. Make no mistake, in the digital world, reputation carries real weight and this trend is accelerating.
But back to our new identity model; reputation data can and should become a cornerstone of transitive trust: If you trust Alice, and Alice trusts Bob, you can theoretically trust Bob, too. The more Alices there are to trust (vouch for) Bob, the more assured you should be that you can trust Bob – in fact, really trust him because of his solid reputation. In many ways, this is really no different than your financial reputation for historically paying all your bills on time (which is analogous to a history of Alices vouching for you) leading a bank or lending institution to feel comfortable lending you more money.


Where this really leads to is a dramatically improving data privacy landscape coupled with a bullet-proof means of identification that does not require ‘proof’ in the form of sharing sensitive PII: Reputation is the perception of what an individual or entity (business) is capable of in a particular context. By this, we mean that with other trusted parties (to the degree necessary in relation to the value of the transaction) vouching for an entity, reputation is established and as a result, another 3rd party can trust you, too. If, for example, the banks an individual has done business with, along with credit agencies, state (vouch) that this person is an acceptable risk for the transaction you wish to perform, then that reputation should be acceptable as the amount of identity verification needed. The bank really doesn’t need to know additional information about the individual, just that the transaction should be accepted. One’s identification, therefore, should be a token that represents this level of trust and reputation, which are vouched for by trusted 3rd parties. If an individual has a token, in the form of a digitally-signed-by-the-bank attribute that the merchant trusts (e.g., ‘verifiable claims’), then that is all the merchant needs to know about that person and that is all the information that should be required to share. In the carbon world, this is sort of like having a chip-and-pin credit card without your name on it. In this case the merchant doesn’t need to know the customer’s real name; they may want it, but don’t need it. Reputation, therefore, becomes a crucial risk measurement factor as we move forward.
Just as most of us today triage many reviews (which taken together establish a form of reputation) about a product or service we are considering, identity management systems will triage multiple reputational aspects (e.g., verifiable claims) about an individual or device to determine whether they fit into the risk analysis heuristics acting as the determining factor to let someone or something ‘in’ (i.e., to grant access or not). Artificial Intelligence (AI) and machine learning become prevalent components as we move to improve the efficiency and efficacy of access control.

Advancing the ‘AI’ in IAM Having discussed the merits of using reputation as an important determinant in the plausibility of someone’s claim to be who they say they are, it will become increasingly necessary to develop risk calculations based on reputation that will hasten the emergence of more AI in contextual authentication and authorization. As we discussed earlier in the document, the continuing emergence of contextual awareness capabilities within runtime access control systems will encourage the further development of artificial intelligence and machine learning across the IAM ecosystem. Providing a better understanding of the user’s behavior over time, in addition to evaluating the broader circumstances at the time of access, enriches the context even further, allowing for better continuous recognition and more reliable reputation. The heuristics and algorithms that currently exist within contextual awareness access management systems will need to expand their capabilities to evaluate data such as verifiable claims and reputation-supporting attributes, but that should be considered normal evolution of these existing solutions. Over the next 2-3 years, we expect this level of maturity to become commonplace, and we recommend enterprise IAM architects begin adding contextual awareness capabilities to their environments in preparation.

Non-repudiated Decentralized Identifiers In support of identity as the new security perimeter at scale, we need a built-in trust fabric as a pervasive service that doesn’t exclude any entity from joining – building upon reputation and level of identity proof as described earlier. The good news is that there are active efforts to establish a global IAM fabric that fosters user centricity and data privacy. In particular, we reviewed the W3C Draft Specification titled “Decentralized Identifiers (DIDS) 1.0 - Data Model and Syntaxes for Decentralized Identifiers”, published in August 2017, which is foundational to this advancement. While this isn’t the only approach, it is a good representation of how these core distributed identifiers will work and support self-sovereign identities. In this initial specification, DIDs (decentralized identifiers) are defined as a new type of identifier such that:

• DIDs are intended for verifiable digital identity that is "self-sovereign" and therefore fully under the control of the identity owner and not dependent on a centralized registry, identity provider, or certificate authority.

• DIDs resolve to DDOs (DID “descriptor objects”), which are simple JSON documents that contain the metadata needed to prove ownership and control of a DID. Specifically, a DDO contains a set of key descriptions, which are machine-readable descriptions of the identity owner’s public keys, and a set of service endpoints, which are resource pointers necessary to initiate trusted interactions with the identity owner.

• The foundation of the DID architecture is the concept of the decentralized identifier. This concept is not new: UUIDs (Universally Unique IDentifiers) were first developed in the 1980s and later became a standard feature of the Open Software Foundation’s Distributed Computing Environment. UUIDs achieve global uniqueness without a centralized registry service by using an algorithm that generates 128-bit values with sufficient entropy that the chances of collision are infinitesimally small. A DID is similar to a UUID except:

• it can be resolved or dereferenced to a standard resource describing the identity owner, and

• the DDO may contain public key descriptions that enable cryptographic verification of DID ownership.

Identity is the New Perimeter Simmons, Nikols, Rowe, Zimmerman

21 © 2017 TechVision Research, all rights reserved www.techvisionresearch.com

Each identity owner can be identified on a distributed ledger by a key-value pair. The key is a DID (decentralized identifier) and the value is its associated DDO (DID descriptor object). Together these form a DID record. Each DID record is cryptographically secured by private keys under the control of an identity owner (in the case of an owner-managed identity) or a guardian (in the case of a guardian-managed identity). The corresponding public key is published in the DDO using a key description. A DDO may also contain a set of service endpoints for interacting with the identity owner. Following the principles of Privacy by Design (which TechVision supports), each identity owner may have as many DID records as necessary to respect the owner’s desired separation of identities, personas and contexts.

This design eliminates dependence on centralized registries for identifiers as well as on centralized certificate authorities for key management, the standard pattern in hierarchical PKI. Because DID records are on a distributed ledger, each identity owner may serve as its own root authority, an architecture referred to as DPKI (decentralized PKI). Note that DID methods may also be developed for identities registered in federated identity management systems; for their part, federated identity systems may add support for DIDs. This creates an interoperability bridge between the worlds of centralized, federated and decentralized identity.

It is very important to understand that a DID and DDO do not inherently carry any PII, and this is a key design principle that TechVision strongly urges vendors to adhere to. As defined in the specification, a DID must be persistent and immutable: once bound to an identity owner it is never changed or reassigned. The DDO, by contrast, can be updated by the owner, which is how keys are rotated without the DID itself changing.

Ideally, a DID would be a completely abstract decentralized identifier (like a UUID) that could be bound to multiple underlying distributed ledgers or networks over time, thus maintaining its persistence independent of any particular ledger or network. TechVision sees this as a particular opportunity for virtual directory services to map DID records across multiple ledgers/networks. To review this specification in more detail, please see the documents in the github repository
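To make the DID record concrete, here is an added example written for this page; it is not code from the W3C draft or from any DID method implementation. It models the ledger as an in-memory map of DID to DDO, derives a placeholder `did:example:` identifier from an Ed25519 public key, and shows the three operations the text describes: a relying party resolving a DID and checking a signed challenge against a key description in the DDO, the owner rotating to a new key by signing the replacement DDO with a key currently listed in it (the owner acting as its own root authority), and the ledger refusing any update that tries to change the DID itself. The method name, the key type string and the service endpoint URL are illustrative assumptions, and nothing in the record identifies the person behind it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// KeyDescription describes one of the owner's public keys; ServiceEndpoint is a resource pointer
// for initiating a trusted interaction; DDO is the descriptor object a DID resolves to. None has a
// field for a name, address or other PII, and that is deliberate.
type KeyDescription struct{ ID, Type string; PublicKey []byte }
type ServiceEndpoint struct{ Type, URL string }
type DDO struct{ ID string; Keys []KeyDescription; Services []ServiceEndpoint }

// Ledger stands in for the distributed ledger: a key-value store of DID -> DDO (DID records).
type Ledger struct{ records map[string]DDO }

func NewLedger() *Ledger { return &Ledger{records: map[string]DDO{}} }

// NewDID derives a UUID-like identifier from the owner's first public key, globally unique without
// any registry. "did:example:" is a placeholder method name, not a real DID method.
func NewDID(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return fmt.Sprintf("did:example:%x", h[:16])
}

// Register writes the initial DID record; an existing DID is never overwritten.
func (l *Ledger) Register(ddo DDO) error {
	if _, exists := l.records[ddo.ID]; exists {
		return errors.New("DID already registered")
	}
	l.records[ddo.ID] = ddo
	return nil
}

// Resolve dereferences a DID to its current DDO.
func (l *Ledger) Resolve(did string) (DDO, bool) { d, ok := l.records[did]; return d, ok }

// Update replaces the DDO. The DID itself is immutable, and the replacement must be signed by a
// key listed in the current DDO: the owner is its own root authority (DPKI), no CA involved.
func (l *Ledger) Update(did string, next DDO, sig []byte) error {
	cur, ok := l.records[did]
	if !ok {
		return errors.New("unknown DID")
	}
	if next.ID != did {
		return errors.New("a DID record cannot change its DID")
	}
	body, _ := json.Marshal(next)
	for _, k := range cur.Keys {
		if len(k.PublicKey) == ed25519.PublicKeySize && ed25519.Verify(k.PublicKey, body, sig) {
			l.records[did] = next
			return nil
		}
	}
	return errors.New("update not signed by a current controller key")
}

// ProveControl is the relying party's check: resolve the DID, find the named key in the DDO and
// verify the owner's signature over a fresh challenge. Nothing about the person is revealed.
func (l *Ledger) ProveControl(did, keyID string, challenge, sig []byte) bool {
	ddo, ok := l.Resolve(did)
	if !ok {
		return false
	}
	for _, k := range ddo.Keys {
		if k.ID == keyID && len(k.PublicKey) == ed25519.PublicKeySize {
			return ed25519.Verify(k.PublicKey, challenge, sig)
		}
	}
	return false
}

// Scenario registers a DID, proves control, rotates the key and reports which checks pass.
// Every value below is constructed sample data.
func Scenario() (before, oldKeyAfter, newKeyAfter bool, err error) {
	pub1, priv1, _ := ed25519.GenerateKey(rand.Reader)
	did := NewDID(pub1)
	ddo := DDO{ID: did, Keys: []KeyDescription{{did + "#key-1", "Ed25519VerificationKey", pub1}},
		Services: []ServiceEndpoint{{"agent", "https://agent.example/" + did}}}
	l := NewLedger()
	if err = l.Register(ddo); err != nil {
		return
	}
	challenge := []byte("nonce-from-relying-party-8f3a") // fresh per session in a real exchange
	before = l.ProveControl(did, did+"#key-1", challenge, ed25519.Sign(priv1, challenge))
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	next := DDO{ID: did, Keys: []KeyDescription{{did + "#key-2", "Ed25519VerificationKey", pub2}}, Services: ddo.Services}
	body, _ := json.Marshal(next)
	if err = l.Update(did, next, ed25519.Sign(priv1, body)); err != nil { // the old key authorizes the rotation
		return
	}
	oldKeyAfter = l.ProveControl(did, did+"#key-1", challenge, ed25519.Sign(priv1, challenge))
	newKeyAfter = l.ProveControl(did, did+"#key-2", challenge, ed25519.Sign(priv2, challenge))
	return
}

func main() { fmt.Println(Scenario()) }
```

Running it prints `true false true <nil>`: control is proven with the original key, the rotated-out key no longer proves anything, and the new key does, all against the same unchanged DID. The rotation path is the one to scrutinize first in any real implementation, since a ledger that lets an arbitrary party replace a DDO, or lets the record’s identifier drift, has lost both the non-repudiation and the persistence the specification promises.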


Changing Relationships The whole notion of self-sovereign identity sounds like a solution to many of the Internet’s security and privacy problems. However, there is a lot of inertia built into how people and enterprises view their responsibilities around data ownership and control. If an individual desires consent and control over personal attribute exchange, the individual has to understand the effort involved in the decision-making process and participate in defining the rules as the relationship between individual and enterprise evolves. Enterprises need to let go of the notion that they own and control all of the information that crosses the transom and begin to specify the attributes necessary to complete a particular transaction or exchange; no more, no less. The risks of keeping this information continue to grow and the regulations limiting the collection of excessive PII are increasingly onerous. A prime example of how an enterprise needs to rethink its data strategy has been highlighted by recent events at Equifax. Equifax’s business is to collect many financial records and correlate them against the permanent personal identifiers of US, Canadian and UK citizens. They use advanced algorithms to corroborate the correlated data and create a verifiable credit score. These credit scores generated over $3.1 billion in revenues for Equifax. However, as valuable as these scores are, the criminals were not after the credit scores; they were after permanent personal identifiers. The centralized identity information accumulated by Equifax was too valuable not to be a target. Equifax reported that as many as 143 million identities were stolen in the latest breach. Dell Secure Technologies has published the fact that the going rate on the dark web for a “fullz” (a complete stolen identity) is about $30. That means the theft is worth up to $4.3 billion to the thieves.
Permanent personal identifiers (SSN, passport, driver’s license, name, address) are more desirable and valuable to criminals because they cannot be deactivated the way a stolen credit card number can be. A way to prevent this kind of theft is to use a decentralized identifier (DID) and verifiable claims architecture. Equifax could temporarily use an individual’s PII to create a DID specific to the Equifax relationship and then post the transactions and scores against that DID only, without retaining the PII. The individual can consent to sharing that information with other enterprises as necessary to complete transactions. The bad guys can no longer get the PII from Equifax because Equifax no longer holds it, and Equifax is no longer as valuable a target.

Open Minds We must continue to increase awareness among society in general, and identity technologists (the “identerrati”) in particular, that we are already far along this journey, and that completing the journey will have immense positive effects on data privacy while presenting significant enterprise business benefits. That said, enterprise leaders need to keep an open mind to consider the overall value of developing trusted, two-way relationships with customers and prospects/suspects. It may seem counter-intuitive that collecting less data without explicit consent is a good thing, but the combination of stricter privacy laws, the poor data that often results from these broad collection efforts and the negative customer perception is changing the mindset of many enterprises. For digital transformation to continue at its current pace, innovation across all aspects of information technology must follow. The inertia created by massive digital transformation within all forms of commerce begs for an evolutionary, if not revolutionary, means of managing identities. With this in mind, it is incumbent upon IAM architects to eschew the “party line” often dictated by certain vendors and systems integrators who may be more interested in selling you what they currently have than in helping you deploy what you really need. Perhaps this is just a function of Economics 101: there are plenty of solutions and deployment experts that are less mindful of loose coupling, open standards, federation and virtualization and more mindful of the short-term big bucks associated with selling you the “comprehensive” (often proprietary) solution that they already have on the shelf, both in terms of software and expertise. Open-mindedness means seizing the opportunity to forgo expensive yet short-term IAM improvements and instead adopt a “re-architecting for the future” mindset. In other words, clean your slate and recognize vendor influence for what it is: a set of data points to be taken in context with your bigger picture. Enterprises are increasingly empowered to define their own paths and to allow the vendors that fit within their reference architecture to participate.

The Way Forward The difference between evolutionary and revolutionary may be only a single letter, but considering how impactful the tsunami of digital transformation has been, our identity management vision should lean more toward revolutionary. That said, TechVision presents below a r/evolutionary example of a high-level architecture that highlights some of the key aspects of how we should integrate the existing, working tools we use today, such as mobile phones, the cloud and federation, with emerging technical approaches that have begun to show that they can deliver at scale, such as blockchain and verifiable claims. We believe this illustrates how a good balance can be struck between what is needed today and where organizations will want to be over the next five years.


Figure 1: TechVision’s Example Future State Model

Below, we describe the flow and interactions depicted in Figure 1. Following that, we offer more tactical detail on what enterprise planners can do to prepare their organizations for the coming IAM revolution. We start by describing how the pieces we have described fit together, and we then look at how to prepare for this transformational change.

Putting the Pieces Together: An Example 1. The user navigates to a service provider, such as her corporate network, eBay, Facebook, etc., is told what user data in the form of verifiable claims is necessary to interact, and is then redirected (Step 1) to authenticate with her cloud-based identity broker or, if not already done, to register with the identity broker.

2. The identity broker sends an MFA challenge to the user’s mobile device, as a push notification or a one-time password (OTP) code, and the user authenticates.

3. The user tells the identity broker which verifiable claim(s), in the form of signed, encrypted blocks, are required by the service provider to authorize access, and if all is in order, the user consents. In this step, the identity broker communicates with the distributed ledger, such as Ethereum, to request the DIDs and DDOs that correspond with (point to) the verifiable claims, which are maintained on the identity broker or anywhere else.

4. The identity broker redirects the user’s session to the service provider with a federation assertion that contains the user’s chosen pseudonym and the requested, consented-to verifiable claims. Once the service provider has validated the assertion and the claims, the user is strongly authenticated and authorized to access the system.

5. In instances where the user does not, or is not allowed to, store verifiable claims with the cloud-based identity broker, the broker uses a dynamically generated, virtualized view of identity information aggregated from multiple sources to retrieve the verifiable claim from the location where it is stored (e.g., the IRS “account database”, the eTrade account, etc.).

This is an intentionally simple illustration of how these components can interoperate to achieve a user-centric identity model, globally and across all industries. With nearly all of these components already, or soon to be, in place, we can see how achieving this new user-centric identity ecosystem is not only possible but a necessary evolution from the way we protect information and identify users today. But since not all the pieces are in place yet, and the emerging pieces are just that, emerging, many organizations need to at least prepare to move in this direction expeditiously when the time is right. The following set of guidelines can be used to help you prepare for this foundational change.
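The five steps above, reduced to code as an added example for this report; it is not TechVision’s or any vendor’s implementation. It assumes Ed25519 keys, a placeholder `did:example:` method, a ledger modelled as a map from issuer DID to public key, and constructed sample data: a licensing board has issued two claims to a user, a hospital asks for only the medical-license claim, and the user consents to release only that one. MFA (step 2) is assumed to have already succeeded and step 5’s retrieval from other locations is not modelled. The example shows the broker releasing no more and no less than what was required and consented to, signing the assertion for exactly one audience, deriving a pairwise pseudonym per service provider, and the service provider verifying both the broker’s signature and each issuer’s signature against the ledger and its own trust list. One simplification to be aware of: the claims still carry the subject DID they were issued to, so two service providers comparing notes could link them; avoiding that is what the zero-knowledge and selective-disclosure techniques discussed under Sovrin below are for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim is one statement about a subject DID, signed by its issuer (a verifiable claim).
type Claim struct{ Issuer, Subject, Type, Value string; Sig []byte }

// Assertion is the federation assertion the broker hands the service provider in step 4.
type Assertion struct{ Pseudonym, Audience string; Claims []Claim; Sig []byte }

// Body returns the bytes that are signed: the JSON encoding with the Sig field cleared.
func (c Claim) Body() []byte     { c.Sig = nil; b, _ := json.Marshal(c); return b }
func (a Assertion) Body() []byte { a.Sig = nil; b, _ := json.Marshal(a); return b }

// IssueClaim happens once, out of band, e.g. at a medical licensing authority.
func IssueClaim(issuer string, k ed25519.PrivateKey, subject, typ, val string) Claim {
	c := Claim{Issuer: issuer, Subject: subject, Type: typ, Value: val}
	c.Sig = ed25519.Sign(k, c.Body())
	return c
}

// Broker is the cloud identity broker; MFA (step 2) is assumed to have already succeeded.
// Seed is a per-user secret from which pairwise pseudonyms are derived.
type Broker struct{ Key ed25519.PrivateKey; Seed []byte; Wallet []Claim }

// Pseudonym is pairwise per SP, so two SPs cannot correlate the user by identifier alone.
func (b *Broker) Pseudonym(sp string) string {
	m := hmac.New(sha256.New, b.Seed)
	m.Write([]byte(sp))
	return fmt.Sprintf("did:example:%x", m.Sum(nil)[:16]) // placeholder DID method name
}

// Authorize is steps 3-4: release only claim types the SP requires AND the user consented to,
// no more and no less, then sign the assertion for exactly one audience.
func (b *Broker) Authorize(sp string, required []string, consented map[string]bool) (Assertion, error) {
	a := Assertion{Pseudonym: b.Pseudonym(sp), Audience: sp}
	for _, t := range required {
		if !consented[t] {
			return Assertion{}, fmt.Errorf("user did not consent to release %q", t)
		}
		for _, c := range b.Wallet {
			if c.Type == t {
				a.Claims = append(a.Claims, c)
			}
		}
	}
	a.Sig = ed25519.Sign(b.Key, a.Body())
	return a, nil
}

// Verify is the SP side: audience, broker signature, then each claim's issuer signature with the
// key resolved from the ledger (DID -> public key) plus the SP's own trust list; resolvable != trusted.
func Verify(a Assertion, sp string, broker ed25519.PublicKey, ledger map[string]ed25519.PublicKey, trusted map[string]bool) error {
	if a.Audience != sp {
		return errors.New("assertion was issued for another service provider")
	}
	if !ed25519.Verify(broker, a.Body(), a.Sig) {
		return errors.New("broker signature invalid")
	}
	for _, c := range a.Claims {
		pk := ledger[c.Issuer]
		if pk == nil || !trusted[c.Issuer] {
			return fmt.Errorf("issuer %s unresolvable or untrusted", c.Issuer)
		}
		if !ed25519.Verify(pk, c.Body(), c.Sig) {
			return fmt.Errorf("issuer signature on %q invalid", c.Type)
		}
	}
	return nil
}

// Demo wires the parties together on constructed sample data and reports which checks hold.
func Demo() map[string]bool {
	issPub, issPriv, _ := ed25519.GenerateKey(rand.Reader)
	brkPub, brkPriv, _ := ed25519.GenerateKey(rand.Reader)
	const board, user, sp = "did:example:licensing-board", "did:example:user-at-broker", "hospital.example"
	ledger, trusted := map[string]ed25519.PublicKey{board: issPub}, map[string]bool{board: true}
	b := &Broker{Key: brkPriv, Seed: []byte("user-seed"), Wallet: []Claim{
		IssueClaim(board, issPriv, user, "medical-license", "active"),
		IssueClaim(board, issPriv, user, "home-address", "1 Main St")}}
	consent := map[string]bool{"medical-license": true} // the user withholds the address
	a, err := b.Authorize(sp, []string{"medical-license"}, consent)
	_, noConsent := b.Authorize(sp, []string{"medical-license", "home-address"}, consent)
	return map[string]bool{
		"presentation verifies":       err == nil && Verify(a, sp, brkPub, ledger, trusted) == nil,
		"only required claim sent":    len(a.Claims) == 1,
		"unconsented release refused": noConsent != nil,
		"replay to another SP fails":  Verify(a, "pharmacy.example", brkPub, ledger, trusted) != nil,
		"pseudonyms not linkable":     b.Pseudonym(sp) != b.Pseudonym("pharmacy.example"),
	}
}

func main() { fmt.Println(Demo()) }
```

Running it prints the five checks, all true. Two of them are where practitioners most often get this flow wrong: the audience check is what stops a captured assertion from being replayed to another provider, and the trust list, not the ledger, is where the service provider’s risk decision lives, because anyone can register a DID and sign claims with it.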

What You Should Be Doing to Prepare There are many architectural and procedural activities enterprises should be undertaking to be ready for the next wave of IAM. In our 2016 report titled “The Future of Identity Management”, we highlighted several areas of focus, and we continue to beat that drum here. There are foundational changes that every organization should make in updating and upgrading its IAM program and, while not specific to the decentralized model we are describing in this report, the core concepts will support any major change with less friction than most of the more static IAM deployments we see with the majority of our customers. The IAM architecture principles we recommend include leveraging identity data services, federation, loose coupling and standards-based integration as fundamental keys to successfully addressing the IAM burden so prevalent today. We describe each principle briefly below:

1. Implement a services-oriented, loosely-coupled IAM architecture that provides greater flexibility for adopting emerging services and technologies and reduces the enterprise churn currently associated with adopting emerging authentication and authorization approaches.

2. Adopt federated identity standards, which allow the enterprise to decouple identities from existing applications and systems.

3. Build attribute-based access control that leverages authoritative identity information regarding a person’s current affiliation with the enterprise, in order to enable more fine-grained authorization in concert with a verifiable claims-based identity. This lets you cleanly separate authentication (via distributed ledgers and blockchain) from authorization, more granularly and more securely.

4. An architecture built on these principles will help you become ready to quickly integrate emerging BYOI (bring your own identity) approaches, including the blockchain, OpenID Connect and OAuth.

5. Additionally, such an architecture will give you the scalability and elasticity to quickly add more and more identities in the form of Things, by eliminating the monolithic, single-purpose approaches to incorporating specific groups of Things as one-off solutions.

6. Embrace the cloud; it is here to stay. These architecture principles will help you become cloud-ready, and may in fact allow you to soon forklift your IAM infrastructure into the cloud.

The above principles fit the direction many of our clients are taking and fit within our reference architecture model for Identity and Access Management. Let us now look at where some of the key vendors are supporting identity as the new perimeter.

Solutions to Watch There are a number of vendors, big and small, working diligently to advance IAM in the digital transformation age. We chose a relatively small number of these vendors to highlight the work being done and the various approaches being considered. As with any analysis of vendor solutions for a rapidly moving target, the reader should understand that no single vendor supports an end-to-end architecture as illustrated in Figure 1. Instead, each vendor is positioning itself to provide one or more key pieces in support of the architecture, and the very principles of loose coupling and federation dictate that this should be expected and desired. These brief overviews of some of the vendor activity in this space should, however, leave the reader with a good sense of just how serious this IAM revolution is becoming. They can also give you a starting point in considering vendors for meetings, information collection, pilots or early deployments.

Blockstack Blockstack is positioning itself as a “new, decentralized internet” where customers own their data and apps run locally without central servers. Blockstack is an open source project developing an architecture designed to remove trust points from the middle of the network; it uses blockchains to secure critical data bindings. It implements services for identity, discovery and storage, and is being built to survive failures of the underlying blockchains. Blockstack describes its design goals as follows:

1. Decentralized Naming & Discovery. End-users should be able to: a. register and use human-readable names; b. discover network resources mapped to human-readable names.

2. Decentralized Storage. End-users should be able to use decentralized storage systems where they can store their data without revealing it to any remote parties.

3. Comparable Performance. The end-to-end performance of the new architecture (including name/resource lookups, storage access, etc.) should be comparable to the traditional internet with centralized services.

To instantiate these design goals, Blockstack’s architecture has three primary components:

1. A blockchain, implemented using virtual chains, is used to bind digital property, like domain names, to public keys.

2. A peer network, called Atlas, gives a global index for discovery information.

3. A decentralized storage system, called Gaia, provides support for high-performance storage back-ends without requiring a central trusted party.

Blockstack’s three-layer architecture is shown below in Figure 2, with one layer (the blockchain layer) in the control plane and two layers (the peer network and data storage) in the data plane. The control plane deals with smaller volumes of data and is mostly concerned with bootstrapping trust and defining the mapping between human-readable names and network resources. The data plane contains information on how to discover data (routes/pointers to data) and the actual storage back-ends. Data is widely replicated and it does not matter from what source clients read data; clients can independently verify from the control plane whether they received the correct data or not.

Figure 2: Blockstack’s Three-Layer Architecture

Blockstack is deployed in production and, to date, 72,000 new domains have been registered on it, with several companies and open-source contributors actively developing new services using Blockstack. An informative white paper describing Blockstack’s architecture in reasonably good detail can be found on their website. Blockstack has a $25M fund aimed at growing an ecosystem of decentralized applications on its platform, and a network of VCs supporting the development of that ecosystem.

Cambridge Blockchain Cambridge Blockchain provides digital identity enterprise software for financial institutions facing growing identity-related compliance challenges, with an early focus on know-your-customer (KYC), a major consideration and expense for banks. Cambridge Blockchain has a distributed architecture with the goal of directly addressing the competing challenges we have described of transparency, privacy and trust, and is working to provide a consistent view of customer reference data.

Cambridge Blockchain views identity management as one of the biggest challenges to getting enterprise blockchain technology out of the lab and into production environments, a view we share. They are building an asset-agnostic, KYC-compliant control layer for blockchain transactions. The goal is to enable faster settlement times, reduced capital charges, lower costs and new product opportunities. Their architecture is designed for integration with public or private blockchain systems, allowing system participants to validate identity information about counterparties in a selective and context-aware fashion.

Evernym/Sovrin A vendor that fits within the basic framework we are describing in this report is Evernym, a U.S.-based technology company founded in 2016. Evernym is building what it describes as a self-sovereign identity platform and is leveraging verifiable claims as a core part of its service offering. The ledger portion of the solution is called Sovrin, and Evernym has donated its code base to the Hyperledger Indy project, an open source blockchain framework and one of the Hyperledger efforts hosted by The Linux Foundation. The Sovrin code base is also used by the Sovrin Foundation, a non-profit organization chartered to provide the human governance and trust framework needed to establish ground rules and ensure the integrity of the network. The Sovrin Foundation is not owned by anyone, so that everyone can use it and improve it. At Sovrin’s core is a distributed ledger engineered specifically for identity and intended to support:

• True self-sovereignty where any person, organization, or thing can own their digital identity independent from any identity management silo.

• Trust, so that any person, organization, or thing can verify the authenticity of “claims,” including who (or what) something claims to be in real-time.

• Privacy, affording complete control of how, what and when information is shared, without added risk of correlation and without creating databases of breachable data.

With Sovrin, trust is established using verifiable claims. This is the concept we described earlier and, TechVision believes, is key to building this new identity ecosystem. Verifiable claims, along with private data (PII), are stored off-ledger by each self-sovereign identity owner, wherever the owner decides (e.g., with a cloud-based identity-as-a-service provider). No private information is ever stored on the ledger, in any form. The combination of self-sovereign identity and verifiable claims enables highly advanced privacy-enhancing techniques, such as zero-knowledge proofs (for selective disclosure) and anonymous revocation. Take for instance the following high-level example illustrated below in Figure 3, where a medical student becomes a doctor through formal accreditation via her medical licensing authority. By creating an identity persona on the Sovrin network that contains a non-repudiable block confirming her official licensing by the Licensing Authority, she can then identify herself to any medical institution as a licensed doctor by sharing her verifiable claim(s) with the institution, which then validates the claim(s) via Sovrin. No PII is shared and the engagement or transaction may commence without further delay. Key to note is that the medical institutions themselves never need to communicate directly with individual regional licensing authorities, only with Sovrin, in order to validate claims.

Figure 3: Sovrin and Verifiable Claims

Evernym characterizes Sovrin as a global self-sovereign identity system having two primary qualities, high trust and high performance, while being open for public use. Sovrin is designed to scale like DNS, with orders of magnitude more reads than writes, so it can handle billions of identities. They are looking to position Sovrin as the first public, permissioned ledger/identity utility, with the non-profit Sovrin Foundation driving the initiative. Pertinent to the establishment of this global infrastructure is the notion of decentralized key management, as we discussed earlier in this document. In Evernym’s view (and TechVision concurs), people (and organizations) can only be “self-sovereign” if they can manage their own public/private keys. In this light, Evernym has been working with the U.S. Department of Homeland Security to establish a DKMS (Decentralized Key Management System) based on NIST Special Publication 800-130, A Framework for Designing Cryptographic Key Management Systems. Working with DHS, an infrastructure similar to the one we have been describing in this report emerges following these steps:

1. Standardize registration of decentralized identifiers (DIDs) and public keys on a distributed ledger.

2. Standardize DKMS wallets for generating, storing, and managing private keys for DIDs.

3. Standardize DKMS agents for encrypted backup, sync, and exchange of keys.

This architecture is illustrated in Figure 4, below.

Figure 4: DKMS and Self-Sovereign Identities

At Layer 1, distributed ledgers (public or private) solve the problem of highly available, highly secure access to public keys, while at Layers 2 and 3, DKMS and verifiable claims wallets solve the problem of standardized, secure access to private keys. DKMS and verifiable claims agents solve the problem of multi-device synchronization, backup and key recovery, plus the exchange of verifiable claims for trust establishment. Consider Layer 2 to be analogous to our description of a cloud identity broker interacting with distributed ledgers at Layer 1. Also consider Layer 3, the edge layer, to be analogous to our description of end users’ (identity owners’) mobile devices supporting MFA; in theory it could be provided by an edge-based blockchain IAM solution provider such as ShoCard, described below. Further extending this model, Evernym/Sovrin is currently working with the State of Illinois to develop a working blockchain-based verifiable claims infrastructure to manage birth certificates. This very forward-looking and far-reaching initiative is a bellwether in terms of governments (finally) becoming proactive within a digital, decentralized economy. As shown in Figure 5 below, the infrastructure harmonizes the process of generating digital birth certificates in the form of verifiable claims.

Figure 5: State of Illinois Birth Certificates and Verifiable Claims

From here, it is conceivable to envision a prospective motorist applying for a driver’s license at the California DMV and presenting his Illinois birth certificate in the form of a verifiable claim, vouched for by his home state of Illinois.

IBM At one level we have several early-stage, VC/angel-funded companies driving blockchain-based innovation; but we also have IBM, Microsoft, GE, the big consulting firms and everyone that can spell blockchain joining the fray. IBM is making a major investment in blockchain and has more initiatives across the organization than can easily be counted. TechVision had the opportunity to engage Jai Arun, IBM’s blockchain research program director, several times over the past year. We also had a joint meeting that included IBM’s identity team led by Ravi Srinivasan. In early September 2017 we had a briefing with IBM’s VP of Blockchain, Gennaro (Jerry) Cuomo, and IBM’s Director of Blockchain Identity Offerings, Adam Gunther, just before publishing this report, to get the latest insights into IBM’s efforts. Jerry Cuomo explained that this is a strategic, global, heavily funded IBM initiative. There are literally hundreds of associated projects and many of them revolve around IBM’s Blockchain as a Service (BaaS) platform.

According to Cuomo, IBM is focused on three key initiatives for blockchain:

1. Core technology development in conjunction with Hyperledger Fabric (the open-sourced permissioned blockchain network architecture for regulated environments) and IBM’s “blockchain as a service” platform, targeted at ecosystems rather than company-specific use cases.

2. Delivery of composer capabilities to be used to create ecosystems, including shared development, governance and operations tools.

3. Direct investment in blockchain technology companies and networks. There are 10 active networks on the IBM blockchain platform as of the publication of this report.

With this bigger picture as a backdrop, IBM does have some identity-focused blockchain programs, which we concentrate on in this report. In March 2017, IBM announced it had partnered with SecureKey Technologies to build a digital identity network in Canada with banks such as Bank of Montreal, Canadian Imperial Bank of Commerce, Desjardins Group, Royal Bank of Canada, Scotiabank and TD Bank. Adam Gunther explained that IBM’s design includes both advanced federated identity technology and blockchain technology specifically designed for regulated industries. The collaborative effort between SecureKey and IBM is focused on developing a digital identity and attribute-sharing network using IBM’s BaaS built on top of the Linux Foundation’s open source Hyperledger Fabric. As a permissioned blockchain, IBM sees Hyperledger Fabric as an essential component in delivering services that comply with regulations where data protection and confidentiality matter. According to Cuomo, IBM is very excited about the partnership with SecureKey, as the delivery of a digital identity ecosystem is the first horizontal use case that applies across verticals and vertical networks. Identity and personal attribute exchange among enterprises is a complex problem to solve due to the data protection and confidentiality requirements noted above. In addition to supporting personal consent and control over the exchange of personal data, the resulting exchange network had to have these additional attributes:

• That no data is visible to the operator of the network
• That there is no central database or “honeypot” of data
• That there is no central point of failure
• That there is privacy, so that an Identity Provider cannot tell where an identity claim is being used
• That there is no way to track an individual across relying parties

SecureKey, as a participant and board member in Hyperledger, helped build these horizontal identity verification and attribute exchange features into the Hyperledger fabric. Smart contracts are memorializing consent and control components within the Hyperledger fabric as well. The network is currently in the testing phase in Canada, and once it goes live later in 2017,


Identity is the New Perimeter Simmons, Nikols, Rowe, Zimmerman

34 © 2017 TechVision Research, all rights reserved www.techvisionresearch.com

Canadian consumers will be able to opt-in to the new blockchain-based service using a mobile application. Consumers – or network members – will be able to control what identifying information they share from trusted credentials (verifiable claims) to the organizations of their choice, to allow those organizations to validate the consumer’s identity and arrange new services. For example, if a consumer has proven their identity with their bank and a credit agency, they can grant permission to share their data with a utility to create a new account. Since the bank and the credit agency have already gone through extensive verification of the consumer’s identity, the utility can choose to rely on the fact that the information is verified, and the consumer can be approved for new services without the overhead and delay of an identity credentials recheck.

Key concept: Digital Asset Providers make available to the individual (Me) a set of digital assets (or verifiable claims) that the individual can share with attribute consumers. The attributes are not themselves stored on the blockchain, but are revealed by the individual under the consent and control parameters that are stored on the blockchain.

Canadian banks, including BMO, CIBC, Desjardins, RBC, Scotiabank and TD, joined SecureKey’s digital identity ecosystem in October 2016 and invested $27M collectively in SecureKey. SecureKey is a privately-held company with backing from leading technology, payments and mobile network operators. SecureKey’s influence in identity is evidenced by its association with industry leaders and regulators such as DIACC, Privacy By Design, NIST, FIDO, OIX, Kantara and the Linux Foundation. This joint IBM initiative can be a major proof point for blockchain-based IAM. TechVision Research believes the key to adoption is simplicity for the user. We will continue to follow up with IBM and SecureKey on the success of this effort.

Microsoft

Microsoft is making serious investments in blockchain-based identity management. In June 2017, Microsoft announced a partnership with Blockstack Labs, ConsenSys and independent developers to build an open-source, blockchain-based identity system,


interoperable across blockchains, cloud providers and organizations. The initiative aims to move beyond the informal identity systems operated by the major social media companies and develop globally recognized identity systems for enterprise and e-commerce use. In August 2017, the Brazilian Ministry of Planning, Budget and Management announced it had partnered with Microsoft and ConsenSys to conduct a pilot to verify the legitimacy of personal documents. The project will leverage technology supplied by ConsenSys affiliate uPort, a “self-sovereign” identity system built on the Ethereum blockchain. The system enables its users to have access to and control over their own data. The pilot project is intended to test potential applications of blockchain technologies that will create a new trust model between the government and the public. Also in 2017, Microsoft announced Project Bletchley, described as Microsoft’s architectural approach to building an Enterprise Consortium Blockchain Ecosystem. Bletchley is Microsoft’s attempt to bring distributed ledger (blockchain) platforms into the enterprise to build solutions addressing real-world business problems while keeping the platform open. Bletchley establishes a “Blockchain Fabric”, which is essentially an “Enterprise Consortium Distributed Ledger Fabric” that would look and feel like traditional middleware, except it would span the globe, functioning largely as APIs or Platform as a Service (PaaS). This Fabric would provide the following core services:

1. Identity and Certificate Services - functionality found in both Azure Active Directory and Key Vault to provide PaaS services for authentication, authorization, key issuance, storage, access and lifecycle management. Providing Cryptlet registration and policy as well as establishing identity for people, organizations, key transactions and contracts and things, this service can be a platform for others to build vertical services like a KYC service, asset registration and federation, etc.

2. Encryption Services – partial payload encryption, or field level encryption for blockchain transactions with various encryption schemes to make secret those values that should only be seen by the owner and counter parties or regulators.

3. Cryptlet Services - attested hosting for cryptlets that enable services like location and trust validation. As defined in Bletchley, cryptlets are off-chain code components that are written in any language, execute within a secure, trusted container and are communicated with over secure channels.

4. Blockchain Gateway Services - Interledger-like services to allow for SmartContracts and tokenized objects to be passed between different ledger systems. This service can provide transactional integrity to inter ledger transactions like transfer of financial instruments in a supply chain that spans several blockchains.

5. Data Services - key data services like distributed file systems (IPFS, Storj, etc.) of off-chain data referenced by public keys.

6. Management and Operations - tools for deployment, management and operations of enterprise consortia distributed ledgers will bring the enterprise maturity lacking in the market today.


In addition to announcing Project Bletchley, Microsoft has recently unveiled its Blockchain as a Service on Azure, which provides a set of solution templates that deploy and configure a blockchain network with minimal Azure and blockchain knowledge. Microsoft is also partnering with Accenture Plc to build a digital ID network using blockchain technology, as part of a United Nations-supported ID2020 project to provide legal identification to 1.1 billion people worldwide with no official documents. Microsoft is clearly showing an ‘all in’ attitude toward blockchain, distributed ledgers, IAM and smart contracts. On the one hand, this shows just how serious the move toward blockchain-based solutions is becoming to Microsoft. On the other hand, it will be very interesting to watch how well open standards unfold and are promulgated by a company that traditionally has made interoperability with its key products more challenging than many would like. Nevertheless, our intent in this report is to illustrate just how important blockchain and distributed ledgers will be in our not-too-distant IAM future.

ShoCard

In concert with the theme of this report, ShoCard firmly believes in user-centric IAM. ShoCard creates a digital identity card, using an application optimized for mobile phones, based on a cryptographically signed scan of the person’s identity document. ShoCard is a digital identity that intends to protect end-user privacy and is meant to be as easy to understand and use as showing one’s driver’s license. ShoCard encrypts and hashes the identity data and stores the hash (not the PII) on bitcoin’s blockchain, using an application that operates on top of the distributed database infrastructure. Businesses and web-based services can retrieve the information through the ShoCard application and verify an identity when users share their public key. TechVision had the opportunity to interview ShoCard’s CEO and founder Armin Ebrahimi, who summarized their goal as “providing digital IDs for the mobile world”. They started last year with a POC with SITA, using various forms of identity “proof” (passport, visa, biometrics) and writing them to a single token on the blockchain that can be presented on a mobile device and authenticated via the blockchain. ShoCard is also working directly with several airlines to provide “premium” travelers rapid check-in services leveraging their technology. SITA characterized the program on their website as follows: “The emergence of a single travel token over the next few years is probably the most exciting development for passengers hoping to fast track through the airport. This could eliminate the need for multiple travel documents without passengers having to share their personal data.” Earlier in 2017, ShoCard introduced an enterprise-focused solution called ShoBadge, also using blockchain technology. ShoBadge’s aim is to invert identity management so that it is controlled by each user and shared with the enterprise workplace. In this model, all


identification information is stored on each employee’s or contractor’s mobile device, which can securely share their personally identifiable information (PII) with their employer. Their information is independently verified with one-way digital signatures of hashes of their data on the blockchain. Again, the blockchain holds no PII, only verification signatures that cannot be reverse engineered. The enterprise offering is a click-on mobile multi-factor authentication solution without usernames and passwords, leveraging TouchID/PIN and non-reusable (per ShoCard) biometrics via facial recognition on the device itself, as well as further authentication via secure private and public key verification. It can work stand-alone or be integrated with SSO solutions from Okta and Microsoft, per Armin. ShoCard’s initial focus on helping establish identity proof has led to their development of a mobile-based self-certification process – including enterprise access. TechVision views this as a first step toward a more scalable ecosystem that would incorporate a global infrastructure where ShoCard plays a key role as the edge device ‘wallet and agent’ interacting with identity brokers and distributed ledgers for device-agnostic management and sharing of verifiable claims.

uPort

uPort is designed to be a secure, easy-to-use system for self-sovereign identity, built on Ethereum. The uPort technology consists of three main components: smart contracts, developer libraries, and a mobile app.

1. The mobile app holds the user’s keys.

2. Ethereum smart contracts form the core of the identity and contain logic that lets the user recover their identity if their mobile device is lost.

3. The developer libraries are how third-party app developers would integrate support for uPort into their apps.

uPort identities can take many forms: individuals, devices, entities, or institutions.

uPort identities are self-sovereign, meaning they are fully owned and controlled by the creator, and don't rely on centralized third parties for creation or validation. A core function of a uPort identity is that it can digitally sign and verify a claim, action, or transaction, which covers a wide range of use cases. An identity can be cryptographically linked to off-chain data stores. Each identity is capable of storing the hash of an attributed data blob, whether on Azure, AWS, Dropbox, etc., which is theoretically where all data associated with that identity is securely stored. Identities are capable of updating this file themselves, such as adding a profile photo or a friend, or they can also grant others temporary permission to read or write specific files. Since they can interact with blockchains, uPort identities can also control digital bearer assets such as cryptocurrencies or other tokenized assets. The efforts highlighted above are meant to exemplify some of the work being done today to


move society into the digital age, identity-wise. Granted, there are differences of opinion as to what model(s) may emerge as de facto, but it should be apparent to the reader that something major is afoot, and it all builds on blockchain, distributed ledgers and verifiable claims. There is also a major feeding frenzy to gain early market share and mindshare in this space that includes many of the biggest technology players and a hungry group of early-stage organizations. We are seeing the coalescence of these various approaches, which should be considered a natural process leading us toward an eventual breakthrough in how individuals and organizations identify themselves in the 21st century. We are sure that it will be a much more flexible, dynamic, contextual model than the more rigid approach we’ve seen for the past several decades.
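The pattern shared by the SecureKey key concept, ShoCard and uPort above (signed hash commitments and consent records on the ledger, attribute values held only in the user’s wallet, and per-relying-party identifiers so nobody can track a person across relying parties) as an added Python model; it is not code from IBM, SecureKey, ShoCard or uPort, and the HMAC stand-in for the issuer signature, the in-memory ledger list and all names and values are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed toy ledger: append-only, holds only salted-hash commitments,
# issuer signatures and consent records; attribute values never reach it.
LEDGER: list = []

def commit(name: str, value: str, salt: str) -> str:
    """Salted SHA-256 commitment; the salt stops guessing the value from the on-chain hash."""
    return hashlib.sha256(f"{name}:{value}:{salt}".encode()).hexdigest()

def issue_claim(issuer: str, issuer_key: bytes, attributes: dict) -> dict:
    """Digital asset provider (a bank here) signs commitments after verifying the person
    out of band; values and salts go only to the holder's wallet."""
    salts = {k: secrets.token_hex(16) for k in attributes}
    commitments = {k: commit(k, v, salts[k]) for k, v in attributes.items()}
    signed = json.dumps({"issuer": issuer, "commitments": commitments}, sort_keys=True)
    # Assumption: HMAC stands in for the issuer's asymmetric signature so only the
    # standard library is needed; a real network signs with a private key and the
    # relying party verifies with the issuer's public key.
    signature = hmac.new(issuer_key, signed.encode(), "sha256").hexdigest()
    LEDGER.append({"type": "claim", "issuer": issuer, "commitments": commitments,
                   "signature": signature})
    return {"issuer": issuer, "commitments": commitments, "signature": signature,
            "attributes": attributes, "salts": salts}

def pairwise_id(wallet_secret: bytes, relying_party: str) -> str:
    """Per-relying-party identifier: relying parties cannot correlate the same person
    and the issuer cannot tell where a claim is used."""
    return hmac.new(wallet_secret, relying_party.encode(), "sha256").hexdigest()[:16]

def present(wallet_secret: bytes, claim: dict, relying_party: str, disclose: list) -> dict:
    """Holder reveals only the chosen attributes and records consent on the ledger."""
    subject = pairwise_id(wallet_secret, relying_party)
    LEDGER.append({"type": "consent", "subject": subject, "relying_party": relying_party,
                   "attributes": sorted(disclose)})
    return {"issuer": claim["issuer"], "commitments": claim["commitments"],
            "signature": claim["signature"], "subject": subject,
            "disclosed": {k: (claim["attributes"][k], claim["salts"][k]) for k in disclose}}

def verify_presentation(issuer_key: bytes, relying_party: str, pres: dict) -> bool:
    """Relying party (a utility here) checks the issuer signature, that each revealed
    value matches its commitment, and that matching consent is on the ledger."""
    signed = json.dumps({"issuer": pres["issuer"], "commitments": pres["commitments"]},
                        sort_keys=True)
    expected = hmac.new(issuer_key, signed.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, pres["signature"]):
        return False
    for name, (value, salt) in pres["disclosed"].items():
        if pres["commitments"].get(name) != commit(name, value, salt):
            return False
    return any(r["type"] == "consent" and r["subject"] == pres["subject"]
               and r["relying_party"] == relying_party
               and r["attributes"] == sorted(pres["disclosed"]) for r in LEDGER)

def ledger_mentions(value: str) -> bool:
    """True if a raw attribute value appears anywhere on the ledger (it must not)."""
    return value in json.dumps(LEDGER)

def demo() -> dict:
    """Bank issues a claim; the holder discloses name and address to a utility."""
    bank_key, wallet = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed keys
    claim = issue_claim("bank", bank_key, {"name": "Alice Example",
                                           "address": "1 Example St", "dob": "1980-01-01"})
    pres = present(wallet, claim, "utility", ["name", "address"])
    forged = dict(pres, disclosed={**pres["disclosed"],
                                   "name": ("Mallory", pres["disclosed"]["name"][1])})
    return {"valid": verify_presentation(bank_key, "utility", pres),
            "forged_value": verify_presentation(bank_key, "utility", forged),
            "replayed_to_other_rp": verify_presentation(bank_key, "insurer", pres),
            "no_pii_on_ledger": not ledger_mentions("Alice Example"),
            "unlinkable": pairwise_id(wallet, "utility") != pairwise_id(wallet, "insurer")}
```

The date of birth is committed to but never disclosed to the utility, which is the selective disclosure the SecureKey and uPort descriptions rely on.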

Summary and Conclusion

In this age where cloud computing and mobility are driving digital transformation at an ever-increasing rate, enabling organizations to reach further, respond faster, and achieve better quality of service and customer engagement, we also struggle with our reach often exceeding our grasp. We find ourselves under siege from the seemingly constant threat of attack on our intellectual property, our credit and reputation, the information that we rely on, and on the very elements that we use to uniquely identify ourselves and utilize to establish trust. For far too long, security has been left as an afterthought, leaving us exposed and vulnerable as we stretch to take advantage of all of the opportunities that this new age has to offer. Security must become an intrinsic part of everything we do. Traditional security approaches, like network security and endpoint security, tend to approach the problem from a physical perspective, protecting what we value by locking it up in a vault, or hiding it behind a firewall. These approaches ignore the more fundamental nature of security, that it is really about the relationship between the entity that is trying to access a resource or perform an operation and the decision as to whether that activity is appropriate or not. It is through better understanding of this relationship that we can provide a more flexible and enduring model of security. Identity is key to understanding this relationship and to making and enforcing decisions about what is appropriate. But in order to do this at scale and to provide the seamless experience necessary for this type of security to become pervasive, we have to take what we have learned from managing identity and simplify and extend these capabilities to new heights. Identity management will soon have to make the leap from our age-old approaches of multiple user IDs and passwords along with mostly unbridled proliferation of our PII across the globe.

What is needed is a new, secure, privacy-centric means of identification and sharing identity information to a myriad of services, whether online or brick-and-mortar, such that we can exert explicit control regarding how we (and things) identify ourselves. Facilitating the many different facets of the relationships we engage in through the emergence of personas and leveraging verifiable claims offers the most advanced and workable approach to crossing this chasm. In such a way, we boil it down to identity as being the primary security


perimeter that is applicable in enterprise, banking, commerce, social and other forms of interaction. Identity becomes the fundamental element in defining the relationships on which we base all of security. Make yourselves aware of the sea-change about to occur. Address your current identity management strategy and architecture to ensure it can support a loosely coupled, federated, orchestrated, and virtualized identity ecosystem by replacing proprietary, monolithic, and hard-coded ‘20th century’ approaches with architectures that are better able to make this leap. It will save you considerable money in a relatively short time frame and can dramatically reduce the cost and overhead currently required to authenticate, authorize and manage users or things that access your systems and applications.


About TechVision

World-class research requires world-class consulting analysts and our team is just that. Gaining value from research also means having access to research. All TechVision Research licenses are enterprise licenses; this means everyone that needs access to content can have it. We know major technology initiatives involve many different skill sets across an organization and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. Our research leverages our team’s in-depth knowledge as well as their real-world consulting experience. We combine great analyst skills with real world client experiences to provide a deep and balanced perspective. TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the hype from the reality. This provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles, and a basis for making more informed decisions. We also support vendors when they carry out a product and strategy review and assessment, a requirement analysis, a target market assessment, a technology trend analysis, a go-to-market plan assessment, or a gap analysis. TechVision Updates will provide regular updates on the latest developments with respect to the issues addressed in this report.


About the Authors

Doug Simmons brings more than 25 years of experience in IT security, risk management and identity and access management (IAM). He focuses on IT security, risk management and IAM. Doug holds a double major in Computer Science and Business Administration.

While leading consulting at Burton Group for 10 years and security, and identity management consulting at Gartner for 5 years, Doug has performed hundreds of engagements for large enterprise clients in multiple vertical industries including financial services, health care, higher education, federal and state government, manufacturing, aerospace, energy, utilities and critical infrastructure.

Nick Nikols has more than 25 years of experience in the software industry, architecting solutions and developing innovative products for identity, security and compliance management, as well as directory services and directory/application integration.

Before working with TechVision Research, Nick was Senior Vice President of Product Management and CTO of Cybersecurity at CA Technologies, where he was responsible for CA’s Cybersecurity Product Strategy and Roadmap. At CA, he was particularly focused on modernizing CA’s Identity-centric Security portfolio and successfully promoted CA’s Identity Manager and Access Governance solution into a leadership position within Gartner’s Magic Quadrant for Identity Governance and Administration.

Gary Rowe is a seasoned technology analyst, consultant, advisor, executive and entrepreneur. Mr. Rowe helped architect, build and sell two companies and has been at the forefront of the standardization and business application of core infrastructure technologies over the past 35 years. He was President of Burton Group, the leading technology infrastructure research and consulting firm, from 1999 to 2010, through the sale of Burton to Gartner. Mr. Rowe has personally led over 100 consulting engagements, 50+ educational seminars, published over 50 research reports/articles and led three significant technology industry initiatives. His combination of business skills and his deep understanding of technology provide a balanced perspective for clients. Core areas of focus include identity and access management, directory integration, cloud computing, security/risk management, digital transformation, IT business model changes, privacy and blockchain/distributed ledger.

Gary Zimmerman is an experienced executive known for helping companies deliver new offers and expand markets. Accomplishments include launching four companies, 20+ products, building high-performance organizations, and generating millions in sales.

His experience at Neustar, Respect Network, and Sovrin allows him to provide a broad perspective on a variety of subjects including self-sovereign identity, blockchain, enterprise data management, and the data brokerage industry.