Blog posts by Ivan Niccolai
What is a strong online identity? A strong online identity can be defined as a combination of identification and authentication technologies along with personal identity data store capabilities, which together enable a strong and resilient correlation of digital identities to a physical person, entity or organisation, thus enabling trusted interaction and communication between individuals and organisations. Strong online identities with full user identity sovereignty can be considered as providing a subset of the functionality that a fully-fledged Life Management Platform would provide.
While this definition immediately brings social networks and social authentication to mind, such as Google, Facebook and Linkedin to name the most popular, the concept of data sovereignty further strengthens the concept of strong online identities and eliminates these popular services as potential contenders. The principle of data sovereignty can be summed up by the foundational belief that individuals and organisations should be the ultimate owners and have total control of their personal information.
As with any definition of sovereignty today, sovereignty and custodianship are often treated separately. For example, a patient might have a legally-defined sovereignty over their body in as far as their freedom to choose which medical treatments to undergo is concerned, yet once under treatment, the custodianship of their body to a large degree falls under the responsibility of the medical professionals performing the treatment.
How does the above example apply to strong online identities? Let’s take the revised EU General Data Protection Regulation (GDPR2) as an example. The GDPR2 provides the legal principle of personal information sovereignty, and then proceeds to define the custodianship responsibilities of all organisations which store and/or process this personal data.
While the social networking giants will assure users that they remain in control (sovereign) of their personal information, and that they will not misuse this personal information (custodianship), users must simply trust that these statements are true. The upcoming GDPR2 provides additional legal protection in regards to personal information, but again this comes down to how effective the EU and its member states will be at enforcing this regulation.
So how can a sovereign, strong online identity solution or vendor provide proof of trustworthiness rather than simple assurances of trust? The goal of many blockchain-based identity solutions is to allow an individual or organisation better control over the custodianship of their digital identity, by using consensus algorithms to provide mathematical proof of custodianship, as well as eliminate – as much as possible – centralised, trusted third parties.
Ultimately these projects aim to eliminate the distinction between sovereignty and custodianship. These are ambitious goals and arguably more to be considered as ideals or design standards than non-negotiable requirements. This is due to the difficulty of entirely doing away with trust in third parties in favour of fully decentralised systems based on consensus algorithms.
How can the individual become the sovereign over her/his identity and why is that of growing importance?
The concerns that have driven the upcoming GDPR2 have been noted for some time now by technologists and customers. These are largely due to the recognition that most personal online identity information is not actually owned by the users themselves. The internet giants today own and control most of this information, and this is cause for privacy and security concerns. One’s personal identity information is only as safe as the third-party custodian is.
Which forms exist today?
An interesting initiative is ID3 (ID cubed), a non-profit which aims to establish new trust frameworks and digital ecosystems in order to enable the use of sovereign online identities. Evernym is a project which uses its own permissioned blockchain to create an open source sovereign identity platform. Microsoft Azure’s blockchain initiatives are also focusing on using blockchains to provide sovereign identity, along with humanitarian ambitions to address the problem of under-identification in the developing world.
While these are all great initiatives, there are still a number of challenges which tend to plague all emerging technologies and mostly come down to standardisation and adoption. Also, given how complex and multi-faceted the digital identity dilemma is, so far there is no single solution that can meet all the requirements of a strong digital identity store whilst also remaining fully user-sovereign.
What does the future look like?
It is highly unlikely we will ever see a single identity solution, even if it is completely user-controlled. This is simply down to the complexity of human identity and contexts, as well as the conflict between national legislation and the international nature of the online world. For example, many national governments today have online digital identity services for access to government services, and it is highly unlikely that in the near future we will see these national schemes integrate with say, blockchain-based solutions which primarily focus on decentralised social login replacements and secure digital communication between individuals.
Yet it remains highly likely that we will see a proliferation of competing standards and approaches to strong online identification and authentication/authorisation. The determinant success factor will be usability and adoption by mainstream online services. Usability has been the key success factor of the internet giants, and we have signed away our privacy to many of these organisations simply due to how easy it is to use their services. Unless sovereign alternatives to online identity can provide similar ease of use as well as convince popular services to integrate with them, their use will remain limited to technology-savvy power users, not the public at large.
KuppingerCole has long noted the importance of blockchain technologies, whilst also noting that the key challenges to the adoption of blockchain technologies remained standardisation, privacy & security, as well as dilemmas regarding the types of blockchain technologies to adopt. In regards to these final two points, the main arguments have centred around the use of permissioned vs unpermissioned blockchains, as well as anonymous, pseudonymous or identified blockchains.
Microsoft made some wise decisions in response to these challenges. Initially, by announcing Blockchain as a service (BaaS) offerings on Azure last November, and subsequently announcing many new partnerships with various blockchain technology start-ups and consortiums, it gave organisations the opportunity to quickly begin experimenting with various blockchain tools easily and without the need to make decisions about which specific technology to use at this early stage of maturity of blockchain technologies.
Microsoft has now further progressed its BaaS offering with Project Bletchley. Finally, organisations can begin to make use of concrete benefits of blockchains whilst still remaining agnostic in regards to which specific blockchain is used to deliver these benefits.
In short, Project Bletchley enables the use of blockchain-powered middleware solutions. The first of the two major tools offered by this latest announcement is called “Cryptlets”. This blockchain- and development-language-agnostic tool allows an organisation to leverage the power of time-stamped decentralised ledgers (blockchains) to secure organisational data without compromising the confidentiality of this data. For example, non-repudiation of a transaction between systems which process confidential data can be ensured by referencing some encrypted, time-stamped information stored on an external blockchain, while ensuring that this information remains completely useless to any other third party not engaged in the original transaction.
Cryptlets thus enable a whole new category of Project Bletchley middleware tools that can provide additional security, scalability and performance to typical middleware use cases even if the blockchains used to provide these features do not natively allow such types of features. Some key examples of this toolset include identity, encryption and key management features. This new blockchain-powered middleware stack will work with existing Azure services such as Key Vault and Active Directory.
By using this combination of centralised, authoritative systems such as middleware, public key infrastructure and authentication stores along with features of decentralised, algorithmic consensus-based technologies such as blockchains, it becomes possible to overcome the limitations of both types of technologies whilst also providing new hybrid technologies with better security and performance characteristics.
Centralised systems are necessary to most organisations, yet the authoritative management nodes of these systems often become the targets of malicious actors. Once these key root nodes are compromised, it is often very difficult to recover from a successful attack as it is very difficult to establish the ‘last known good state’ of the sensitive data. By decentralising this information on time-stamped blockchains, it becomes much harder for an attacker to manipulate the information on a compromised authoritative node.
Project Bletchley finally provides some concrete tools for enabling these hybrid centralised/decentralised secure systems which up until now have mostly only been theoretically discussed. What is important again here is that this project is blockchain technology agnostic. Just like TCP/IP, the value from blockchains (or networking for that matter) does not come from the use of a specific blockchain implementation, but how it can support a given use case.
There is a lot of talk about the impact blockchains will have on the finance industry. The same holds true for FinTechs. However, what will be the real impact? Will we still have the same banking system in five or ten years from now? Or will some groups of banks (the small community banks such as Volksbanken, the large banks such as Deutsche Bank) disappear and be replaced by new players? Or will the banks absorb the FinTechs?
Before approaching this question, a brief overview of the fundamental characteristics of blockchains and key concepts is useful. A blockchain is a distributed data structure, brought to worldwide attention by the bitcoin cryptocurrency, that maintains a growing list of transaction records in a way that is extremely resistant to tampering. Algorithmic consensus is the key defining feature of a blockchain. While a public blockchain such as bitcoin’s is completely decentralised as well as distributed, the bitcoin blockchain is better defined as a specific type of blockchain: a distributed ledger. Consensus is key, as blockchains replace implicit trust with a consensus algorithm shared by all participating nodes, be they public or “permissioned”. A permissioned blockchain is a restricted-access blockchain where, unlike bitcoin, only authorised nodes may perform or validate transactions on the blockchain.
Consensus is the mechanism by which all the participating nodes reach agreement about the integrity of the existing distributed transaction log and allow new entries to be written to this append-only, linear data structure. The only way that nodes participating in a blockchain can attain consensus is by the use of a published mathematical algorithm. The consensus mechanism is sometimes termed “trustless” – though not all blockchains operate only with completely anonymous or pseudonymous nodes – as the nodes do not need to trust whatever the other nodes state as truth; they only need to share the same consensus algorithm, which is used to verify blockchain integrity and to permit new transactions onto the distributed log once a majority of nodes have performed the same algorithmic checks.
Another key feature is independently verifiable tamper-evidence. It is the consensus mechanism that enables this other key feature: the integrity of the distributed log can be verified independently. Just as the nodes make use of the algorithm for achieving consensus, a third party can audit a blockchain and attest to its integrity.
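The properties described above (an append-only, hash-chained log that any auditor can re-verify from the algorithm alone) and the Cryptlets idea from the Project Bletchley post (anchoring only a hash of confidential data so the ledger proves existence without disclosing content) are shown together in this added example; it is not code from the post or from any vendor. Block layout, salts and the sample transactions are constructed for illustration.

```python
"""Hash-chained ledger that anchors salted commitments to confidential records.

Added example, not from the post or from any vendor's product. Each block
commits to its predecessor (tamper-evident), any third party can re-derive
integrity from the published algorithm (independently verifiable), and the
ledger holds only a salted hash of the confidential payload, so it proves
existence and ordering without disclosing contents. All values constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS_PREV = "0" * 64

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def commit(payload: dict, salt: str) -> str:
    """Salted commitment to a confidential payload. Canonical JSON ensures both
    parties to the transaction derive the same digest from the same record."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(salt.encode() + canonical)

@dataclass(frozen=True)
class Block:
    index: int
    timestamp: int
    commitment: str      # hash of the confidential record, never the record itself
    prev_hash: str
    block_hash: str

def compute_block_hash(index: int, timestamp: int, commitment: str, prev_hash: str) -> str:
    return sha256_hex(f"{index}|{timestamp}|{commitment}|{prev_hash}".encode())

def append_block(chain: List[Block], commitment: str, timestamp: int) -> Block:
    prev = chain[-1].block_hash if chain else GENESIS_PREV
    idx = len(chain)
    blk = Block(idx, timestamp, commitment, prev,
                compute_block_hash(idx, timestamp, commitment, prev))
    chain.append(blk)
    return blk

def verify_chain(chain: List[Block]) -> Optional[int]:
    """Auditor's check: recompute every block hash and every back-link.
    Returns None if the chain is intact, else the index of the first bad block."""
    expected_prev = GENESIS_PREV
    for i, blk in enumerate(chain):
        if blk.index != i or blk.prev_hash != expected_prev:
            return i
        if compute_block_hash(i, blk.timestamp, blk.commitment, blk.prev_hash) != blk.block_hash:
            return i
        expected_prev = blk.block_hash
    return None

def prove_record(chain: List[Block], index: int, payload: dict, salt: str) -> bool:
    """Non-repudiation: a party reveals payload and salt to its counterparty,
    who checks them against the anchored commitment. Anyone without the salt
    and payload learns nothing from the ledger entry."""
    if not 0 <= index < len(chain):
        return False
    return hmac.compare_digest(chain[index].commitment, commit(payload, salt))

def tamper(chain: List[Block], index: int, new_commitment: str) -> List[Block]:
    """Return a copy in which one node rewrote block `index` and recomputed its
    hash. The next block's prev_hash no longer matches, so verify_chain fails;
    rewriting every later block too would still differ from other nodes' copies."""
    copy = list(chain)
    b = copy[index]
    copy[index] = Block(b.index, b.timestamp, new_commitment, b.prev_hash,
                        compute_block_hash(b.index, b.timestamp, new_commitment, b.prev_hash))
    return copy
```

A rewrite of the final block cannot be caught by recomputation alone; that case is what comparing copies across participating nodes (the consensus step) is for.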
Figure 1: Example of how a Blockchain works (Source: World Economic Forum)
While blockchains are seen by many as having the potential to be a key enabler for a wide range of applications, from the Internet of Things to Life Management Platforms, here the focus will be on key use cases in the Financial sector. With the above core concepts in mind, it is possible to examine some possible blockchain use cases in the financial sector.
Blockchain technology asset registries could be deployed to manage virtually any asset class (e.g. ships, aircraft, automobiles etc.) and provide a complete unalterable audit trail of ownership, maintenance and valuation.
By its nature the Blockchain is an unaltered chronological record of transaction history, delivered in a fully transparent and accessible form.
Many regulatory processes require a document to have gone through certain states before any given state (e.g. AML, KYC processes). Recording these state changes in the Blockchain conclusively demonstrates compliance with these processes without the need for an intermediary. This could be extended to include proof-of-audit/control whereby each new version of a document could be denoted to have changed according to a defined set of rules. The result of these rules-based processes could potentially dramatically reduce the cost of governing regulatory compliance.
International Funds Transfer
The current process for cross-border payments, SWIFT, relies on intermediaries (correspondent banks) before reaching the ultimate physical location. The process is slow with expensive customer fees and bank risks due to weaker banking standards in some jurisdictions. Blockchain offers a new approach, with no geographical borders, middlemen or opacity that has plagued legacy cross-border payments with the added benefits of fast processing and no correspondent fees.
Also, as the recent breach of the Bangladeshi Reserve Bank demonstrates, centralised systems for the processing of electronic payments are a key target for well-funded attacks by cyber criminals. The SWIFT system is geographically distributed, but it depends on trusted, centralised control nodes maintained by all banks participating in the payment network. By compromising a single node, the criminals were able to fraudulently make transfers of almost a billion US dollars. A decentralised system with a trustless consensus mechanism such as a blockchain would instead require 51% of all the participating nodes to be compromised in order to be able to add fraudulent transactions to its distributed ledger.
Securities Issuance and Settlement
The Securities and Exchange Commission has approved the issue of public securities via Blockchain-based technology. This is often termed post-trade processing, allowing complex security agreements between multiple parties to be agreed to and stored in a distributed ledger, thus reducing administration costs and the risks of a party reneging on a trade.
Blockchain can facilitate the setup and management of insurance contracts using Smart Contracts technology to ensure data accuracy, correct payment and settlement of premiums, brokerage, commissions and claims. All parties to a contract will have access to identical exposure data, which will resolve existing data quality issues and help to leverage better models to measure aggregate exposures and to make capital allocation decisions.
While blockchain technology has the potential to have a disruptive effect on the finance sector, and to rattle the up until now comfortable market position of the largest players in this market such as global banks and insurance companies, some researchers think it is too early to hail the demise of traditional financial services providers. They cite a number of challenges to mainstream blockchain adoption, the greatest of which is regulatory resistance to the use of blockchains. This position is understandable, not necessarily due to any inherent technical limitations, but largely due to a perception of blockchains that has been dominated by the bitcoin cryptocurrency and the difficulties of non-technical regulators in grasping the core concepts behind blockchains. A fundamental paradigm shift in thinking is required when examining algorithmic consensus systems and approaches to ensuring information confidentiality. Blockchains, permissioned or public, can easily make use of hashing and cryptographic algorithms to store confidential data, and the very nature of consensus only works if the consensus algorithm is known by all the participating nodes and all third-party auditors.
Another key hurdle is standardisation. Blockchains must be seen as platforms, over which applications and ecosystems can be built to leverage its key strengths, and platforms, more than any other technology require the adoption of standards to provide business benefits. The blockchain landscape today is still very new, and quite far off from widespread agreement over the adoption of some of the many standards proposed.
KuppingerCole has written previously on the benefits of adaptive authentication and authorization, and the need for authentication challenges that go beyond the password. These benefits fall largely under the categories of an improved user experience, since the user only gets challenged with multiple authentication challenges based on risk and context, as well as improved security precisely due to the use of multi-factor, multi-channel authentication challenges.
However, these multi-factor authentication challenges only offer additional security if the channels used for the multiple challenges are sufficiently separated. Some examples of common approaches to multi-factor authentication include the use of one-time passwords sent via an SMS message, or smartphone applications which function as soft tokens for time-limited passwords. These are generally a good idea, and do offer additional security benefits. But if the application that depends on multi-factor authentication as an additional security measure is itself a mobile application, then the lack of separation between the channels used for multi-factor authentication vitiates the possible security benefits of MFA.
Security researchers have recently proven how a compromised Android or iOS smartphone can be manipulated by attackers in order to enable them to capture the additional step-up authentication password from the smartphone itself. This is one of the outstanding challenges of anywhere computing. Another attack that is immune to the additional security provided by multi-factor authentication is the man-in-the-browser attack (MITB). With this type of attack, a malicious actor gains control of a user’s browser via a browser exploit. The user then logs into, for example, online banking and successfully completes all necessary multi-factor authentication challenges to perform a high-risk action such as an electronic funds transfer; the hijacked browser can then be used by the attacker to substitute the form data the user is inputting. In this example the sum could be redirected to a stranger’s bank account.
With the MITB attack, the user is seen by the accessed service as fully authenticated, but since the browser itself has been compromised, any action the user could have done legitimately can also appear to have been done by the attacker.
With a user’s smartphone already receiving emails and being used for browsing, the additional use of smartphones for multi-factor authentication must be carefully considered. Otherwise, it only provides the illusion of security. These attacks do not make adaptive, multi-factor authentication useless, but they do show that there is no single mitigation approach that allows an organization to ignore the ever-evolving cybersecurity threat landscape.
Tactical security approaches here include careful selection and separation of authentication channels when MFA is used, as well as the use of additional web service and browser scripting protection approaches which have been developed to mitigate MITB attacks.
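The channel-separation point above can be made concrete: a one-time code that is not tied to the transaction authenticates the session but not the transfer, whereas a confirmation computed on a separate device over the displayed recipient and amount cannot be reused for substituted form data. The following is an added simulation, not code from the post or from any bank; the device key, account identifiers and amounts are constructed.

```python
"""Why an OTP that is not bound to the transaction does not stop a
man-in-the-browser, and why a transaction-bound confirmation on a separate
channel does.

Added example, not from the post. It simulates a banking server, a browser
whose form data is rewritten by MITB malware after the user has confirmed,
and a separate out-of-band device holding a constructed shared key.
"""
import hashlib
import hmac
import json

DEVICE_KEY = b"constructed-device-secret"  # provisioned to the out-of-band device

def canonical(tx: dict) -> bytes:
    """Stable encoding so device and server digest the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

class OutOfBandDevice:
    """Second channel. In the bound design it displays the transaction and
    signs exactly what it displayed; the browser cannot alter that display."""
    def __init__(self, key: bytes):
        self.key = key

    def plain_otp(self, counter: int) -> str:
        # Unbound code: depends only on a counter, so it is valid for ANY transaction.
        return hmac.new(self.key, str(counter).encode(), hashlib.sha256).hexdigest()[:6]

    def approve(self, shown_tx: dict) -> str:
        # Bound confirmation: a MAC over the displayed recipient and amount.
        return hmac.new(self.key, canonical(shown_tx), hashlib.sha256).hexdigest()

class HijackedBrowser:
    """Models MITB: the user sees `shown`, the server receives `shown` with
    the recipient and amount swapped by the malware."""
    def __init__(self, substitution: dict):
        self.substitution = substitution

    def submit(self, shown: dict) -> dict:
        return {**shown, **self.substitution}

def server_accepts_unbound(executed_tx: dict, otp: str, counter: int) -> bool:
    # The server can only check the counter-based code; executed_tx plays no part.
    expected = hmac.new(DEVICE_KEY, str(counter).encode(), hashlib.sha256).hexdigest()[:6]
    return hmac.compare_digest(expected, otp)

def server_accepts_bound(executed_tx: dict, confirmation: str) -> bool:
    # The server MACs what it is about to execute and compares it with what the
    # device signed; any substitution on the browser side breaks the match.
    expected = hmac.new(DEVICE_KEY, canonical(executed_tx), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, confirmation)

def fraud_executed(bound: bool) -> bool:
    """Run the flow once; True means the attacker's transfer went through."""
    intent = {"to": "DE00 FRIEND", "amount": 100}
    malware = HijackedBrowser({"to": "DE99 ATTACKER", "amount": 9500})
    device = OutOfBandDevice(DEVICE_KEY)
    # 1. User fills the form; the server echoes it to the device; the user confirms there.
    code = device.approve(intent) if bound else device.plain_otp(counter=7)
    # 2. On the final submit the hijacked browser rewrites the form data.
    executed = malware.submit(intent)
    # 3. The server decides whether to execute.
    if bound:
        return server_accepts_bound(executed, code)
    return server_accepts_unbound(executed, code, counter=7)
```

The binding only helps if the separate device shows the recipient and amount for the user to read before approving; if the malware substitutes the data before it reaches the server, the user sees the wrong details on the device and should decline.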
Yet the strategic solution remains an approach that is not solely focused on prevention. With the digital transformation well underway, it is difficult to control employee endpoints, and almost impossible to control consumer endpoints. A strategic, holistic security approach should focus on prevention, detection and response, an approach known as Real-Time Security Intelligence. It should also focus on data governance, regardless of the location of the information asset, an approach known as Information Rights Management.
Unknown and sophisticated attack vectors will persist, and balancing security and user experience does remain a challenge, but the RTSI approach recognizes this and does not ever assume that a system or approach can be 100% immune to vulnerabilities.
As more and more traditional services move online as part of the digital transformation trend, consumer-centric identity management is becoming an increasingly vital business success factor. Customers aren’t just physical persons; they are also the devices used by customers, and the intermediate organisations and systems which operate together to enable the provisioning of the service.
While traditionally the identity and access management (IAM) discipline has focused on employee use cases, consumer-centric identity management is an approach to identification, authentication and authorisation of the consumers of services by customers, devices and organisations who are external to the organisation providing the product or service. It is more than just external user IAM, it is an approach which, as the name implies, recognises that consumer interaction with services from businesses and government is predominantly via online channels. So when planning and designing IAM capabilities, the customer must be the starting point, not technology, not standards, not products – these are key factors too, but user experience, along with security and scalability must be at the forefront.
While usability and security are typically seen as objectives in conflict with each other, it is possible today to offer a better user experience which is also more secure. An example of this is seen with identification, by making use of federation standards to leverage social logins, thus externalising the risks associated with passwords. If social logins are not appropriate, adaptive authentication, which has for some time now been used by almost all online banking services, offers better security and user experience by reducing the reliance on passwords for securing both authentication and authorisation through the use of multi-factor authentication challenges. Dynamic, adaptive authentication will also improve the user experience by stepping up or down the authentication challenge depending on the action the user is requesting as well as the risk profile of the user. Here we can see how consumer-centricity, coupled with a holistic approach to security and risk management, can leverage adaptive authentication and authorisation to understand what it is that a user is trying to do, linking that action to the risks examined in the risk management exercise, to ensure that low-risk actions do not entail an excessively onerous user experience while ensuring appropriate security controls are in place for high-risk actions. Dynamic, adaptive authorisation and authentication will also be able to flag anomalous user activity and respond accordingly.
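The step-up/step-down behaviour described above, as an added example that is not code from the post or from any product: a small policy engine scores the requested action against contextual signals, returns the assurance level the session must reach, and flags anomalous activity for follow-up. Action names, weights and thresholds are constructed for illustration.

```python
"""Adaptive authentication policy: step the challenge up or down by action
risk and user context, and flag anomalous activity for follow-up.

Added example, not from the post or any product. Action names, weights and
thresholds are constructed; a real deployment tunes them from risk analysis.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Assurance(IntEnum):
    NONE = 0
    PASSWORD = 1      # or a federated / social login
    OTP = 2           # second factor, possibly on the same device
    OOB_CONFIRM = 3   # separate channel, transaction-bound confirmation

# Inherent risk of the requested action, before context is considered.
ACTION_BASE_RISK = {"view_balance": 10, "update_email": 40, "transfer_funds": 60}

@dataclass(frozen=True)
class Context:
    known_device: bool
    usual_country: bool
    failed_logins_last_hour: int
    amount: float = 0.0          # for payment actions
    typical_amount: float = 0.0  # user's historical baseline, 0 if unknown

def risk_score(action: str, ctx: Context) -> int:
    """0-100 score: action risk plus weighted contextual signals."""
    score = ACTION_BASE_RISK.get(action, 50)   # unknown actions treated as medium risk
    if not ctx.known_device:
        score += 25
    if not ctx.usual_country:
        score += 20
    score += 5 * min(ctx.failed_logins_last_hour, 5)
    if ctx.typical_amount and ctx.amount > 3 * ctx.typical_amount:
        score += 20
    return min(score, 100)

def required_assurance(score: int) -> Assurance:
    if score < 30:
        return Assurance.PASSWORD
    if score < 60:
        return Assurance.OTP
    return Assurance.OOB_CONFIRM

@dataclass(frozen=True)
class Decision:
    allow: bool
    step_up_to: Optional[Assurance]   # challenge to issue when not allowed
    flag_anomaly: bool                # hand off to monitoring / RTSI
    score: int

ANOMALY_THRESHOLD = 85

def decide(action: str, ctx: Context, current: Assurance) -> Decision:
    """Allow if the session already meets the required level; otherwise name
    the step-up. A session at a higher level than needed is simply allowed,
    which is the step-down for low-risk actions."""
    score = risk_score(action, ctx)
    need = required_assurance(score)
    anomaly = score >= ANOMALY_THRESHOLD
    if current >= need:
        return Decision(True, None, anomaly, score)
    return Decision(False, need, anomaly, score)
```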
Scalability is also a key factor in consumer-centric IAM; consumer IAM generally has much higher performance and throughput requirements, which must not be neglected during the planning and design phases. A good functional user experience will fail if the underlying systems cannot support the performance stresses of production use. Performance and capacity planning is often a big unknown and prone to large variations in line with consumer demand. As with security, performance tuning is a process, not a project, and consumer IAM systems must be designed to scale up or down as required.
Consumer-centric IAM must also be threat-centric. With the loss of the traditional network perimeter, IAM becomes the key common denominator for determining appropriate access to resources, regardless of where they reside (cloud, on-premise) or the device used to access them. Consumer-centric IAM becomes a key component of a Real-Time Security Intelligence strategy.