Event Recording

Dr. André Kudra: Integrating Decentralized Identity Into Your Existing Infrastructure: Do's and Don'ts


In this keynote we look at practically moving existing infrastructures towards the decentralized identity world, widely known as Self-Sovereign Identity (SSI). Leveraging the Credential-based Access Control (CrBAC) paradigm, implementing SSI in an enterprise is easier than most people think. We will learn why and how SSI is such a bright way out of the complex and interwoven IAM world still predominant today, more than 11 years after "Dos and Don'ts when Introducing a Compliance Management Tool" in a Role-based Access Control (RBAC) context at EIC 2009.

Excellent. So thank you again for inviting me to the session. I will give you a brief intro into the topic and particularly focus on dos and don'ts in that space. So you can expect five dos and five don'ts, which are in conjunction. So let's see what you say about this, and I'm keen on getting your views and questions afterwards. So what we do, I already briefly outlined: we are an information security consulting company, now also with technology development in house, and yeah, identity and access is one of our key focus points. So when you talk SSI, you usually have to do with lots of players in the global ecosystem. And I've just brought to your attention here on that slide what our ecosystem is. So you see things like Sovrin in the center, which is basically the pioneer in the self-sovereign identity and decentralized identity world.
And we have been with ING for many years now. And we also are operating a node in this identity network. And this is still the productive network, which is based on Hyperledger Indy technology. And many people are using it already today. And we base our attention on this currently, but there are others which are coming up, and I will come to that in a second. So SSI for Germany is a project launched by main incubator, which is a subsidiary company of Commerzbank. And you see here the consortium members. So SSI for Germany is the project that is under the umbrella of Secure Digital Identities in Germany. And this is a project by the Ministry of Economic Affairs. So the federal ministry is sponsoring this project. And this is currently in the competition phase, which means that from 11 projects which are in the competition phase, three or maybe four will be selected for being executed for three more years.
And we are very hopeful with all the partners that you see here that we will be able to continue this for the next three years. So the first do and don't is basically: believe it, many people worldwide are already working on and with self-sovereign identity, and Germany is currently one of the powerhouses in the space. So we have a couple of very interesting projects dealing with self-sovereign identity, but obviously this is a very global topic. So Germany is now well on a rush to actually implement self-sovereign identity, but believe it, many worldwide are working on it and with SSI. So don't underestimate the momentum self-sovereign identity has gained so far. So we are eagerly working with everyone in the space globally, but Germany and also broader Europe are embarking on rolling out SSI.
So lots of projects, and don't underestimate the momentum SSI has already gained. And we'll see what role that does play for you going forward. So actually we are undergoing an evolution of digital identity, and you see here that we have traversed through a path of centralized identity with vendors in that space. We have moved to federated identity, which is still very much at large at this stage in the whole enterprise industry. And we are moving towards more user-centric identity, which has worked out for some quite nicely. However, the future is there with self-sovereign identity, and the players that you're seeing here, like Sovrin and uPort and others which are in that space, show that we have technology at hand to make decentralized identity really happen in the world and be ready for broad adoption.
So the next do and don't combination is: you should embrace the future, it's already there. So the technology is there, even if you still have certain other solutions rolled out in your organization; be aware the technology is coming. So it's there and you can already get in touch with it today. So meaning you can in fact leverage it already for your processes, impact and tools. So don't think it's just fashion and it'll go away. It won't. So this is the future of digital identity. And as you all probably are aware, in the identity and access space this has been a clunky and cumbersome world for enterprise organizations. So with self-sovereign identity, we have a great way of going into the future and doing some good stuff with that.
So the key takeaway that you always have to keep in mind when you talk about self-sovereign identity is what you're seeing on the picture here: the trust triangle and verifiable credentials. So if you have never heard about this before, you probably are well aware of many processes which are based on an issuer, owner and verifier construct. So what does that mean? You usually have, as an identity holder, the situation that you need to prove certain facts about you, and these usually are not self-attested facts, but they come from some kind of issuer who says that you are something or you have something, or you have a certain capability. And then when you use it, you need to present it to the verifying party, because he wants to see certain proof of attributes about you. And he trusts the issuer already because of this existing trust relationship.
So a very, very simple example is you have a driver's license, which is issued by the driver's license agency. And you come into a police control and the police officer asks you to show your driver's license and you show it. And he sees that it has been issued by the right issuer, and you are the eligible holder of it. And he believes that you are able and licensed to drive a car. So you see that we have many, many situations globally where you have such a triangle. So someone attests certain facts about you. You need them to prove that you are eligible to have these facts, and the verifier needs them for doing an assessment for himself. So there are many examples worldwide where exactly this trust triangle comes into play. And in the self-sovereign identity world, we work exactly with this trust triangle, meaning that we have a method which is called verifiable credential, which is holding these facts.
So the issuer is not just giving you a document as a PDF or an email or whatever, but he's giving you a verifiable credential, which holds this information. And this is cryptographically assured, so that you cannot forge it. And the issuer is the right issuer, and you can always tie it back to the issuer. And this is the key piece in the self-sovereign identity world. We don't work on just documents and data sets. We work on cryptographic trust, and this is exactly the advantage that we are having with self-sovereign identity. So it's not just identity, but it's about secure data exchange as well. And you see on the right-hand side we have a zero-knowledge proof capability, which means you can selectively disclose attributes from such a credential. And you can also disclose only derivations of the information.
So for example, if you want to prove that you're over 21, you don't have to disclose your, you know, birth date. You can just disclose true or false as an answer. So this is the basic construct that you always have to keep in mind. This is SSI, and this is cryptographic trust in a digitalized world. So what should you do? You should look for use cases in your organization and/or in your own personal realm. There are a lot of opportunities to work with such a trust triangle. So if you keep your eyes open and have this in the back of your head, you will always see: oh, this is an issuer-owner-verifier relationship. So this is something for SSI. So what actually is the opposition to that? So don't believe SSI is just for others, not for you, because you will see, when you walk the world with open eyes, there are tons of use cases with exactly this triangle relationship where you can benefit from SSI.
So how do you now employ SSI? This is what's now more or less a theoretical debate, but there is a way to build a bridge between self-sovereign identity and the legacy world. Well, legacy is maybe a bit hard. So it's the classic identity and access world. You will have tons of different applications and data sources which work with certain protocols and standards today. So what you can do with self-sovereign identity is you can build a bridge between self-sovereign identity and this classic and existing world. And this is quite easy to achieve because you can talk to the standard authentication and authorization protocols that applications leverage today, like SAML or OAuth or OpenID Connect, or for authorization the same, and also LDAP-type directories like an Azure Active Directory or Active Directory, or just some open source LDAP system. So you can build a bridge between this SSI world and this classic world with a technology gateway.
So to say, and this is something that we have created as a piece of software, which is here called SeLF in the diagram. The key thing is you have to have some kind of institutional agent which talks to the ledger, and this agent can in fact add this value-add functionality that I've just described, that you can translate between self-sovereign identity attributes from credentials and translate them into protocols that your applications already talk today. So if you have identity and access management in your enterprise, you have an existing problem. So the do is: start with the problem that you already have and integrate SSI. So what this doesn't mean, what you don't have to do, is that you have to throw out all your old technology. It's not necessary, and also not wise, because you can just seamlessly integrate bits and pieces with self-sovereign identity.
And if you traverse through your own investment cycle, you can roll out SSI to many more applications as you move along. So you don't have to throw it all out, but you can start easily with a problem that you already have today. And I know from my experiences in large-scale projects that big enterprise organizations have an identity and complexity and investment there. So this is something that you can start with in certain areas. This is what you do and don't. What's the paradigm we are talking about here? So it's a little bit provocative: SSI rules. What do the rules mean? I will come to that in a second. What it basically means is that you don't have to have dedicated access concepts, joiner-mover-leaver processes and approval workflows anymore, because you can just work with a fact-based identity and access management, which means that authentication and authorization decisions are based on facts.
So this means that you, as the SSI person, you have a digital wallet where all this data about you is, in your digital wallet. You can have it on your smartphone, which is the common way today, but it could also be some kind of cloud agent that you control. And we define a rule set which determines if you're eligible to access a certain data store or application with the facts that you have in your wallet. So for example, we could say everyone who works at KuppingerCole is eligible to access the KuppingerCole wiki system, which may be an Atlassian Confluence or something like that. So you can easily derive, based on the fact that someone is working at KuppingerCole, that he's eligible to access the KuppingerCole wiki system. So that's a very interesting use case already and shows that you can work with the verifiable credential attested facts that someone is eligible to authenticate.
So this is a very, very common and broadly used use case today that you have to authenticate. And this usually relies on user and password or a single sign-on solution, but now you can transform this into a fact-based authentication mechanism which relies on credentials that the user has in his wallet. So KuppingerCole would issue a credential to the person who is working for the company, and with this credential, which is a proven fact, you can derive access decisions, and the same way it works for authorization decisions. And you also see here we are moving away from role-based access control to more something like attribute-based access control, or you could also call it policy-based access control; in the credential world we call it credential-based access control, which is based on the rule engine that you can put in the middle and in front of your applications.
So the final set of dos and don'ts is: cut complexity. Now the SSI technology is ready, so you can move away from access concepts, joiner-mover-leaver and approvals. You can definitely reduce the complexities significantly here and work with a set of rules which allow you to perform access control based on facts. And you don't have to prolong the suffering. The nightmare was too long already in the identity and access world. So if you want to move ahead now, the technology is there. So you have a way out of the complexity nightmare that current IAM systems usually are. So this is basically the five dos and don'ts I wanted to offer to you. And I'm keen on listening to your comments. And if you have further questions, I'm looking forward to answering them. So thank you.
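The trust triangle, selective disclosure and the credential-based access rule from the talk (the KuppingerCole employee who may use the wiki), as an added example that is not part of the recording or of any product the speaker describes: the issuer key, the DIDs and the wiki rule are constructed, and the pre-shared HMAC stands in for a real verifiable-credential signature suite, which is also why a derived predicate such as over-21 (a zero-knowledge proof) is not modelled here.

```python
import hashlib
import hmac
import json
import secrets

# Constructed issuer key: a real verifier resolves the issuer's DID to a public
# key and checks a signature; the pre-shared HMAC key here is a stand-in for that.
TRUSTED_ISSUERS = {"did:example:kuppingercole": b"constructed-issuer-key"}
# CrBAC rules of the gateway, resource -> (attribute, required value); constructed
# from the talk's example that every KuppingerCole employee may use the wiki.
RULES = {"wiki": ("employer", "KuppingerCole")}

def _digest(name, value, salt):
    return hashlib.sha256(f"{salt}|{name}|{json.dumps(value)}".encode()).hexdigest()

def issue(issuer, attributes):
    """Issuer: sign salted per-attribute digests (SD-JWT style) so the holder
    can later disclose a subset without invalidating the proof."""
    salted = {n: (v, secrets.token_hex(8)) for n, v in attributes.items()}
    digests = sorted(_digest(n, v, s) for n, (v, s) in salted.items())
    proof = hmac.new(TRUSTED_ISSUERS[issuer], json.dumps(digests).encode(), "sha256").hexdigest()
    return {"issuer": issuer, "digests": digests, "proof": proof, "_salted": salted}

def present(credential, disclose):
    """Holder: reveal only the requested attributes, each with its salt."""
    return {"issuer": credential["issuer"], "digests": credential["digests"],
            "proof": credential["proof"],
            "disclosed": {n: credential["_salted"][n] for n in disclose}}

def verify(presentation):
    """Verifier: trusted issuer, intact proof over the digest list, and every
    disclosed attribute hashing to a signed digest. Returns None to reject."""
    key = TRUSTED_ISSUERS.get(presentation["issuer"])
    if key is None:
        return None
    expected = hmac.new(key, json.dumps(presentation["digests"]).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, presentation["proof"]):
        return None
    facts = {}
    for name, (value, salt) in presentation["disclosed"].items():
        if _digest(name, value, salt) not in presentation["digests"]:
            return None
        facts[name] = value
    return facts

def decide(resource, presentation):
    """Rule engine: grant only if a verified fact satisfies the resource's rule."""
    facts, rule = verify(presentation), RULES.get(resource)
    return bool(facts and rule and facts.get(rule[0]) == rule[1])
```

The birth date stays in the wallet: the holder discloses only the employer attribute, and a presentation with a tampered value, an unknown issuer, or a missing fact is refused before any rule is evaluated.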
