Event Recording

Don Thibeau - Trust Frameworks: Their Critical Role in Governing Identity Systems


Session at the Consumer Identity World 2017 APAC in Singapore

Well, we'll have a few more coming back. I guess there are some spirited discussions going on, but thank you. We should go ahead and get started. Our first speaker of the afternoon will be Don Thibeau of the OpenID Foundation, to talk about the great standards work they're doing there and how it applies to consumer identity and PSD2 and various other regulations. So, Don, thank you.

Thank you. So, if there is any one notion that I can suggest to you, it's the notion of going from the CMA to the MAS, from the UK to Singapore, and I'll start out with an outrageous proposition: if you want to understand identity and banking and blockchain, there is no better place to be than Singapore. And I'll make that argument. So what I'd like to do is to take you on a journey of where the identity ecosystem, as we understand it, is at its most active. There are a lot of topics to talk about in identity, but I'm going to talk about one particular aspect of identity, and I'm going to use one way of prioritizing it, which is called, in the US, the Willie Sutton rule. So Willie Sutton was a great bank robber. And one day someone said, "Willie, why do you rob banks?" And he said, "That's where the money is." So if you say to yourself, why should I think about identity or blockchain? The answer is, that's where the money is. So let's take a journey together.
Okay, let's try this. So what I'd like to do is to take you on a journey of where open banking is reshaping the identity ecosystem and where banking itself is changing. So we'll go from beginning to end using what's called open banking in the US. So bankers hate change. I'm sure there are some bankers here. The only reason that bankers make changes is when they're forced to. A year ago at this time, the Competition and Markets Authority in the United Kingdom said to the banking community: if you don't regulate yourselves, we will. If you don't open up banking to competition from FinTech startups, from non-traditional banks, et cetera, we will create a new set of regulations that will require you to do so. The UK government wants to have a much richer ecosystem of banking and financial services, and the UK government, like the Singapore government, knows that its most valuable economic asset is its financial services industry. And the thing that is most characteristic about the United Kingdom and Singapore is that that financial services industry is both a creature of and dependent on a global banking infrastructure.
So changes in London affect Singapore as they do New York, et cetera. So what I'd like to do is to talk about how those changes are occurring from an identity perspective. The identity standard of choice, the most agile standard for how we build a stack of technologies, is now clearly the OpenID Connect standard. It used to be SAML, and many installed industries still operate on SAML, but SAML is an oil tanker; OpenID Connect is a speedboat. What it does is that it provides an open standard for identity so that you can reshape your identity system in order to meet new privacy requirements, in order to combat new security threats and, most importantly, to maintain a level of interoperability that is required in financial services and for identity systems; anything that crosses a boundary really requires the use of open standards. So the open standard of choice in identity is OpenID Connect. If you're a Google user, if you're a Microsoft user or a Yahoo user, et cetera, you're using OpenID Connect. What's interesting about standards is that they result from a team of rivals, from competitive pressure. So if we think about open standards, we should think about the exceptions to the rule.
There are two primary exceptions to the rule of open standards in our ecosystem today. One is Apple. Steve Jobs famously said, standards are for losers. So his vision for Apple was a completely integrated vertical stack, a walled garden. The same thing is true of Facebook. So if you have tremendous market power, you don't need standards. But if you are going to interoperate, if what you do is highly dependent upon what others do, you need open standards. If you are Google, you know that you have to interoperate with Microsoft, et cetera, et cetera. If you are in a post-Brexit UK or you live in Singapore, you're part of a highly interdependent economic and financial services infrastructure. So if you live in Singapore and if you work in banking or financial services, standards are really important because they provide the basis for interoperability. OpenID Connect came about as a result of almost six and a half years of debate among technology teams from all of these companies. None of these companies wanted to work together. Many of them hate each other, but in order to increase the addressable market, to introduce new products and services to adjacent markets, you need to build on standards. As a matter of fact, Facebook was part of this effort until the very last moment, when they decided to tweak the standard so it would become a proprietary one. So Facebook Connect is a lot like OpenID Connect, only it's not interoperable.
So the effort that created this community was based on the interest in building something that they could not build by themselves. The power of the OpenID Connect standard is that it allows for innovation and evolution in different industries. So we have today powerful working groups that are using this base standard for Mobile Connect. So we're taking the identity standard of choice and we're applying it to the platform of choice, the mobile device. We're taking governments' assignment of citizen identity and building it on that basis. We're working with the most difficult problem set in the US, which is our healthcare system, but we're building that on top of OpenID. I'll be spending a lot of time in this presentation talking about the Financial API, which is built on top of OpenID Connect. So a standard is only as good as its adoption, and its adoption is only as good as its trustworthiness. We live in an increasingly less trustworthy internet, where best practice is you trust no one; that's the world we live in. So how can we build trustworthiness into the work that we do? And by trust here, I don't mean the feeling you get from your grandmother. What trust here means is the reliability and repeatability of an experience.
So how do we know, in this global ecosystem with hundreds of thousands of organizations using the standard, how do we trust that a company in Singapore is implementing the standard in a way consistent with a company in Japan or a company in the States or a company in South America? How do we enforce that trustworthiness? How do we ensure that that reliability and repeatability of experience occurs? So we created, at the OpenID Foundation, a notion called self-certification. Now, many of you will look at that as kind of an oxymoron. Wait a minute, how do we do self-certification? Why do we do self-certification? Traditionally, we've looked at the Big Four, at auditors and different auditing regimes, to provide that backing. But if we want a trusted ecosystem that scales on a global basis, that crosses boundaries, we need something that is lightweight, low cost, but highly reliable. So self-certification is a tool that provides for that trust. How does that happen? How is it that we now have 300 companies and several thousand implementations of OpenID Connect that can be trusted? We can't call the blue helmets in from the UN if somebody's not correctly implementing the standard. We do three things.
We ask every implementer, every developer of OpenID Connect, to look at the standards and take a test. The standards and the test are available to anyone at any time at no cost. So companies all over the world are taking this test and looking at their results. If they pass the test, we ask them to post the results of their test: how their deployment uses this technical standard in a correct way. We have the test, we have the results of the test. And that does two things. You can imagine that the very first time that ForgeRock posted the results of its OpenID Connect self-certification, its competitors went through that code line by line, making sure that their competitor correctly implemented OpenID Connect. Second thing: a global crowdsource of developers looked at the ForgeRock and the Ping and the Google and the Microsoft results to make sure that they were correctly implementing the standard.
So we have a peer review, we have a crowdsourced review. And then we ask one last thing. We ask the company that was self-certified to put online the most valuable asset that they have: their brand. So we have an officer of a company publicly testifying that those results that their company has posted reflect that company's accurate statement. Peer review, crowdsourced review, and this legal self-attestation: it's turned out that it works really well, that it's a trusted tool in an increasingly untrustworthy internet environment. So the notion of having a standard, having it widely adopted, is great, but you want to have it highly trusted. So we came up with this new trust tool to go with the standard. It's not to say that self-certification is replacing traditional third-party certification. Clearly they complement each other, but increasingly, if we have internet-scale deployments, we need to come up with tools that provide trust and high integrity at a low cost and low overhead. So the open standard with self-certification is beginning to give us the kind of interoperability that highly interdependent systems require for this global ecosystem of financial services and identity management systems. So again, there are two different tool sets now for trust in the environment.
So as I mentioned, this notion of self-certification is now being adopted by different industry sectors. So if you go to the GSMA's Mobile Connect: Mobile Connect is built on top of OpenID Connect. So 850 mobile operators around the world use Mobile Connect, which is a profile of OpenID Connect. They use that because the reliability and repeatability, the trustworthiness of the standard, can be proven by a self-certification test. Again, we're looking at trust tools in an increasingly zero-trust environment. So what's another trust tool? We have a trust framework. And what's a trust framework? Well, it turns out that for many of you that are developing identity systems at scale, it's not enough to build the technology. You have to build the governance that goes with that technology. Why is that? Because technology today, and the kinds of systems that you're building, whether you're in financial services or identity management, by definition cross borders.
So if we have a system that crosses borders, we need to have a legal agreement that sets out the rules of the road, because we want everybody involved in the system to be using the same set of rules, both technical code but also legal code. And the job that you have before you, as developers, as architects and business managers, is that while you are developing your technology, the software code that drives the systems, whether in financial services or in government systems, you have to align the legal code with the technical code, because only then do you have a system that can scale, a system that can be truly trustworthy. So a trust framework is a very simple thing. It's a contract, and like all contracts, it sets out sets of requirements: the business requirements, the technical requirements and the legal requirements. And like any contract,
as my friend Ellen was saying at lunch, contracts anticipate the day when things go wrong. All big systems, we all know, will go wrong in some way. So we have to protect ourselves so that each element of the framework understands what they are to do, how they are to do it, and what happens if things go wrong. If you want to stop an identity system project in its tracks, raise your hand and say, what about liability? Because we need to build into the system a pre-negotiated set of understandings about who's responsible for fraud, and if things break, who's liable. So by setting this out in advance in a trust framework, we do several things. We guarantee functionality and interoperability, because the trust framework will specify what standards are to be used by the participants in the framework.
We allow the system to scale, because if we have a contract where the terms and conditions, the business, technical and legal requirements, are well known and available to everyone, that means that you can scale that contract. So a contract that starts on a bilateral basis between Google and Microsoft can be extended to anybody else that's willing to take on the same liabilities, willing to build with the same standards and willing to understand what the business rules of the road are. The other thing that that does is provide trust. Again, there's that word, trust. I'm not talking about grandma, I'm talking about business, and what trust means in this context is the reliability and repeatability of an experience at a high volume, a high velocity and a variety of applications. So if you're in Singapore, you have to build highly trustworthy systems because your market is the globe, and the globe has all different kinds of actors.
But what Singapore has to do, in the same way that the post-Brexit UK has stated, is be seen as a highly trusted place to transact. And the most sensitive transactions are financial services transactions. And the most sensitive of those are international financial services. The other thing is, if we want to be able to get products out fast, the way to move products out fast is that you negotiate the contract once and then have many people join the contract, rather than do bilateral contracts. So a trust framework gives you these four benefits that are critical for international systems to be deployed and to be trustworthy. Again, all a trust framework is, is a contract; it's a multi-party contract. So it exists within three sets of rules. So just as software engineers are coding the system, so too are your lawyers looking at the applicable legal code for the trust framework to exist.
So what we can do is we can map liability, and if we can map liability, we can do business together, because what we've done is we've said how we're going to interoperate from a technical point of view, what the rules of the road are and what happens when things go wrong. So open standards, a trust framework and a self-certification regime are the constituent parts of the kinds of systems that we're talking about in identity and access management, and they are particularly important when it comes to financial services on a global scale, and I'll submit even more so when we begin to talk about blockchain technologies. So again, we've talked about liability, we've talked about the importance of what Steve Jobs used to call concurrent engineering, which is that while we're building a system, we're having the engineers talk to the lawyers and the lawyers talk to the marketers, so that when we're deploying a system, it can move to the market quickly and it can cover a global market.
What we do at OIX is very simple. We try and help our members understand this new way of doing business. We have a member called the Open Banking Implementation Entity. These are the nine major banks in the UK. They have two jobs to do. They need to create a new technical standard, an API for open banking, and they need to wrap around that open banking standard a trust framework. Now, I began by saying, how do we get from the Competition and Markets Authority in the UK pushing its banks to go first? Why do they have to go first? Because the UK post-Brexit anticipates that they have to be interoperable with PSD2 in Europe. Now, bankers hate this stuff. What they want to do is: give me my standards, give me my requirements, and let me do that once around the world. Don't make me go to every single country and come up with an answer specific or bespoke to every different regulator.
So the nine major banks, forced by the Competition and Markets Authority, have joined OIX to create a trust framework that will describe how OpenID Connect, in a Financial API profile, will be the basis for a new way of thinking about identity and banking in the UK. It will allow more control for the user to take their banking relationship from Barclays to mint.com or from Barclays to HSBC. So by government action pushing the banks into this new way of thinking, the banks are trying to do two things at the same time: trying to provide better choices for citizens, trying to incentivize innovation by new fintechs and other entrepreneurs in this space, and trying to maintain their place in a global ecosystem for financial services. So a whole bunch of ideas: not boiling the ocean, but boiling different ponds that are represented by each of these white papers.
We're fortunate enough to have a number of EU grants, where the EU, in trying to build a common market, a common digital framework, wants to be able to look at what they see as an emerging market of cross-border trust services. So the EU, like the post-Brexit UK and like Singapore led by the MAS, is looking at reimagining a global ecosystem where this identity plumbing is going to be the basis for the financial services of the future. So we've done a lot of analysis about how we, again, introduce another trust tool into the system. Traditionally, people have used trust marks, and trust marks are really useful. If you are selling a toaster, the toaster is here, it has a mark. It says it's been tested by a lab and that it's a good toaster. The problem with trust marks at internet scale is that the first thing the bad guys do is they fake the trust mark.
So as we saw with TRUSTe: TRUSTe's business case evaporated, because each time the TRUSTe trust mark was on a webpage, the bad guys would replicate that trust mark on the phishing site. So how do we have trustworthiness at internet scale so that different actors in different jurisdictions can trust an environment? So we've created a registry. It can be as simple as: here's a whitelist of good guys. And in that whitelist of good guys we can find, in this case, what Google deployment of OpenID Connect for Gmail was tested at what time, by these folks, in this way. So we can have, with a high level of granularity, a centralized place where trust frameworks from many different industries can collaborate, can be centralized, so that we can go to one place and see what companies, what organizations, are part of which trust frameworks and what kind of certifications are part of that framework. So we have, on an experimental basis, OIXnet, which is simply a trusted place for trust frameworks. We don't have our own; we let the market decide. We let our members go. So here we have an example of some of the companies; you can click on each of these and find out how they've implemented OpenID Connect, what their self-certification results were and how they can be trusted. Let's do a use case: open banking. We've talked about it. We have to move from a traditional banking environment to an internet scale.
We have talked about how governments and industry are driving these standards, and we have talked about a global domino effect. What starts in the UK with open banking is deliberately front-running what's happening in the PSD2 directive in the EU, which will be adopted by the Japanese banking authorities as soon as PSD2 is done. What's happening in Singapore is that your government is anticipating these new standards and then adding the third element, blockchain. So uniquely here in Singapore, your government, through the MAS, is understanding this global interdependency of identity systems and banking systems and beginning to look at how this is happening. So what we do at OIX is open these learnings up to the world. White papers, projects, different tests, as parts of these systems, are all available to anyone at any time at no cost on our website. We will be publishing the test case of open banking in the UK so that it can inform European decision papers,
so the Japanese banking authorities and the government here in Singapore can begin to understand how blockchain and DLT technologies can be applied as another trust tool in this environment. So this is what we do. We're really important in that we are all about identity across industries. So we work with not only the banks, HSBC and others on our board, but we also work with the international airline travel association. We work with British Air. We have a project here at Changi airport, where you have a fascinating identity experiment: in one place, you have a shopping mall, you have a casino, you have a hotel, you have an airport. Think about the identity management and access issues there. So these are our members. This is what we do. And I would be happy to take questions, so we have time for questions, sir.

So the OpenID thing, do you think that is something that healthcare... I see a lot of mismatch between the standards in healthcare and doctors.

Healthcare is, by definition, highly regionalized, highly nationalized. Our healthcare system in the United States is not something that anyone wants to be part of, but financial services, as they meet identity management, are by definition a global community effort. So that's why you have different profiles for government, for healthcare, for the mobile network operators and for the banks.
Just that use case you mentioned right at the end. Is that the January 2018 publication, the banking one?
We are going to publish that at the end of January, right? Because the deadline for submission by the nine major banks to Her Majesty's Government's Competition and Markets Authority is January 13th.
Right? Okay. And then there's no conflict or anything?
Oh, there'll be conflict forever. Don't think it's going to be this easy. What's going to happen is the Europeans are going to begin to try and influence the Brits, and the Japanese are going to be trying to front-run what happens in PSD2. So 2018 is going to be a circus of politics and programming when it comes to open banking on a global basis. Yeah.
The great thing we have, and why it's such an interesting time to be in this world and to be in Singapore, is that you have action-forcing events. You have the UK paranoid about interoperability on a global basis. You have the PSD2 directive coming from the EU. And you have bankers here in Singapore and in Japan knowing that they have to interoperate. And lastly, in my own country, you have a curious thing, which is you can't hear anything anymore. So the Secretary of the Treasury gave a keynote at an identity conference, which is big news. He said, look, the Trump administration is still sorting out its environment, but here's what we care about. We care about identity. We think trust frameworks are a really good idea. We think open standards are a good idea, but we want to change KYC, AML and LEI. What does that mean? No one's quite sure, but that's why 2018 will be so interesting, because for once in a global conversation, the voice in Washington will be diminished, not powerful. It remains to be seen. It's true. Thanks for your time.
