Event Recording

Trust is a Team Sport, and Like all Good Sports it has Rules

Log in and watch the full video!

Trust is not just technical, and it’s not just derived from a process or an organisation. The need for Trust is also variable based on the risk involved in a transaction or the risk appetite of the service provider. Sometimes trust is almost irrelevant. Digital doesn’t make things any easier as we often have multiple parties involved in the communication of trust from issuer to holder of credentials, and on to a relying service not to mention requirements for onboarding, verification, issuance, and authentication to name but a few along the way.

Emerging standards and relentless innovation make many things better, but they also introduce challenges when we want multiple systems to work together and for trust to be largely independent of the underlying technical stacks.

To make Trust work in diverse ecosystems we need clear rules of engagement that champion the needs of all participants and clearly define their responsibilities to one another, and to the wider legal and business ecosystems they ultimately interact with. Efforts in multiple jurisdictions in both the public and private sector are developing these rule sets right now – this is what we can learn from the rise of the Trust Framework.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Subscribe to become a client
Choose a package  
Good morning, everyone. So yeah, I'm gonna talk about a few things that I've experienced around trust frameworks and how that keys into things like privacy and data protection and how it affects the way things should work and what I think we need to do for the future as well. And hopefully at the end, I'll give you some examples as well of where these things are actually happening for real. I just wanna start by saying a few words about why I do this stuff and I don't do it cuz I love technology and I don't do it cause I work for governments and things like that. I, I do it because I actually have a, a deep belief that if we can make things better with technology, we can actually save people's lives. We can create better transactions for people. This little boy is called Kais from Vietnam and a foundation that I work with actually saved his life effectively by bringing him from Vietnam to Italy first.
And then the us, he has a immunodeficiency syndrome called whi Alco Alcott syndrome, which is really big immunodeficiency problem. He was not diagnosed. He was six years old, which has made a issue for him. But a lot of the work that I do with children like this, he's all done manually at the moment. What we were trying to do is scale that out. So how do we do that? When there's such sensitive data involved, when we have to get him and his family into other countries, lots of this involves trust and data and, and lots of technology can help us accelerate that and help more children. So this that's my driver in all of this. So we all know about identity. We're an identity and cloud conference. Identity's only part of the equation though. So just authenticating, just knowing it's Adam is okay, it's good.
It's useful. You know, I'm definitely me, but you don't know anything about me because of that. And real transactions actually need us to share trusted data about who and what we are. And alongside that, we need to understand the quality of that data as well. Cause it's all very well for me to assert to you that I'm a British citizen, but how much do you trust that? If I tell you I've got two children, how much do you trust that? And that's the important thing I want to talk about today. It's how we trust the data. It's not just that we've got the data. It's what does it mean?
And trust is also a risk based decision and I'll explain why. So this is a very trustworthy chat here. You might have met him. I don't know. See somebody doesn't trust me. So, so I have one of these things. I have a passport, you've probably all got one and it's a lovely document. It has a photograph of me and we use it anecdotally all the time. I can show it to people. I went to sing karaoke the other evening and I had to hand over in that case, my driving license. Why? Because there was a need to understand that I was a real individual. There was no checks done to make sure that that was a real document. It's just a piece of card that went in a drawer. I even nearly forgot to take it home with me.
Yeah. Yeah. Johnny made sure I took it, but this is what we do. Normally we just show somebody stuff and that's great. But when we think about a passport, there's some lovely standards in this. This has a chip in it that has ICO standards that dictate how the machine readable elements to the document work, what data's on there really good, strong document. And in the correct hands can be checked to very well. But unless you've got some means of doing that, we're getting, seeing smartphone apps. Now that can do some work to do that, to read the chip and check it against the sources. But unless you've got that capability, in most cases, you're taking it on face value. You're saying, oh yeah, I've got the thing. And because I've got the thing that looks like it's important, I probably trust you. So that's what we do generally.
But trust is all about the reliant party. So it's about the individual I'm showing that to, or the service I'm sharing that data with. They're really setting the rules here because it's, it's that entity that has to trust me. If I'm gonna give you my pen, I'm gonna lend you my pen. That's fine. Risk is low. I can buy a new pen. You're not gonna get any data out of a pen. Really. I can forget and walk away. It doesn't matter if I want you to mind to look after my son the afternoon, I'm gonna wanna know a little bit more about you. Yeah, yeah. You know, if you've got any convictions, you know, do I know where you live? You know, all these kind of things, because I'm gonna need to trust that transaction much more strongly. So I'm gonna want some kind of interplay between me and that individual. And these are the risk driven questions that we need to solve for trust. So if we need to think about the reliant party, unfortunately, many systems, what happens is, and, and identity setups that we have today, think more centrally. Even the, even the decentralized wants to be fair and think about setting levels of trust for things and trying to preempt what the reliant party wants, but it's actually different in every case and often for every transaction. And that's a complicated factor that we haven't solved for yet.
So we need to think about these risk based decisions from the perspective of those reliant party services, cuz they're gonna set the rules for this. And that's the most important thing we can think of, I think at the moment, but we've got a problem because the digital world generally splits things into two. You've got trust in the technical part of a transaction. So how do I get the data to you? That's one thing we've also got the trust in what is the actual data? So where did it come from? How new is it? When was the last time it was verified? Was it even checked to make sure it belongs to me in the first place? And those are very important questions about trust that Ryan party needs to know. I can't just send you some information about me. I can't just send you the fact that this is my date of birth.
For example, without you knowing where did that come from? Did I just make that up? I'm a 17 year old girl. It doesn't work like to be, but, but this is the problem I can assert whatever I like, but unless you've got some framework to check that that works or not, that's a problem. And again, that depends on the service. Some services might not mind if I'm only telling you how old I am, because you want to target some kind of marketing towards me. Then that's one thing. If I'm trying to access something, that's an age restricted product, that's much different.
So on the communication side, we have lots of things that we can do here. So there are lots of technologies out there that can give us really good privacy, protecting transmission of data, making sure that there's no tampering going on in transit. And it's all very well known. We've had this for decades and that's great, but can we trust the payload? So what's inside that packet of data that we get, and this is where things like metadata become very important. Now there's not much out there at the moment about metadata. There's some interesting work that nest did a while ago. They did an internal report, 8 1 1 12, which was very good. That looked about how you could put metadata around government data. Largely we've tried to profile that and other things into other trust frameworks because it's very important to know where the data's come from, what quality it is, how it was actually bound to me as an individual. All very important. If you want to know that I studied at university of burn and got a master's degree in astrophysics, then you probably wanna know to reasonable level of trust. That that's true. If I'm gonna work at MIT, if I'm not gonna work at MIT and I'm just gonna work in the supermarket and it's probably okay, you probably don't care. So again, the reliant party setting that level of trust, but the metadata needs to be there to support answering that question. And in many ways, it's not at the moment.
So as I say, sometimes though we're gonna be flexible. Sometimes as I said before, you might not care too much. The transaction might be very low cost, low risk might be fine, but if I'm gonna cross a border or I'm gonna apply for a financial product, I probably need to show some more information about myself. That's at a higher trusted level and that should be disclosed by me on a need basis. There are also access to different types of service that might need more trust in the first place as well. So access to health records, for example, might wanna restrict that so I can see my health records, but others may only see certain aspects that I want to share with them. We also need to think about interoperability here. So it's not interoperability just at the technical levels. So having lovely standards for creating verifiable credentials and having DIDs and all these kind of things are fantastically useful,
We also need to think about the data layer. So what's it holding, trying to make sure that there's an ability for reliant parties to make sense of credentials in their, their payload when they receive them. And at the moment, there's not enough work being done in my opinion, and making sure that that's gonna happen reliably. So that's another area of, of work. It's very easy to put data into something it's a little bit harder to make sense of it when it's a relying party that hasn't interacted with you that often. So trust frameworks, try and bring together lots of these different things. And as you'll know, a trust framework is largely not technical. There are technical specifications often in there, but they're usually business and operational rules that help us put together the rules of the road. If you like so that the different entities can work together. What we need to be careful of with these trust frameworks though, is that they allow themselves for interoperability. There are gonna be many, many, many trust works trust frameworks, and that already are. So it's how they interact is also gonna be very useful too. We've got some great standards, as I said before, and they help us a lot because they help us assure different elements of the solutions. They can help us assure the issuance process, for example, to make sure that the metadata is assigned correctly to the payload, et cetera, they can help us to assure the transmission of data. So they're kind of useful and they exist and they're there. And they're great.
But what we also need to do is make sure that we are building these things. So they appreciate the wider governance aspects as well, without governance. All of this is gonna be a problem. And we'll maybe talk about some of that on the panel later as well. So just to give you some quick examples of things that are currently happening. So in my country, in the UK and the national health service, we have digital staff passports that we've been working on,
But digital staff passports themselves rely on lots of different trust frameworks because what we're trying to do here is counter the fact that there are 250,000 new staff in the NHS every year. There are tens of thousands of people moving around the NHS every day from hospital to hospital to trust, to trust. And how do we make sure that when they're moving around that they have the right skills, that they've been on the right training courses, that they have got the right, the right immunizations for the setting they're going into. So all of these things in themselves, individually, each one of those employments checks, core skills, all these kind of things are separate trust frameworks in actual fact that talk very little actually about technology, but all about process and have people been on the right courses and what, how do they obtain different things? What we're trying to do now is to take those and say, well, actually let's give somebody a digital credential that represents a lot of this. And that's what the digital staff passport is. And part of that will be identity as well, which also allows us to bring all this together so that you can know that it's definitely Adam who's, who's got the particular course in nursing. For example,
We've got some technical challenges here as well though, cause we wanna open this up so that multiple different wallets can interact in the ecosystem and the trouble we have there is that there are lots of different wallet stacks out there. The good news is that the wallet providers are working very closely with us and we're getting interoperability. We've already tried some of this out at the technical level and it means that you can pick your own wallet effectively or the different trusts in the ecosystem can have different wallets with different stacks, but still be able to receive credentials and to share them effectively with verifiers. And that's really important and that's ongoing work and it's very promising. And I think that's gonna be really important certainly in the next few years, while we have different stacks,
I'm also working with European commission, the EU digital ID, and it's still at a very early stage. And, but what we're moving away from here is from interoperability and trying to get more to harmonization and creating a digital identity across that sits on top of national ID systems. And that's a challenge in itself. We also have lots of used cases that are very important. Like we want to encompass their mobile driving license standards, for example, so that we can present documents through, through the phone that way, but hold them in the wallet. So there's, this is gonna be an important piece of work, I think. And we'll figure out some of the government's problems, cuz thankfully here in DEU we have lots of legislation that drives this kind of work.
And one that you will under ly heard about a few times this, this week is gain, which has been around for a little while. Now, the one thing I, I like about this and I was talking to Jon about it earlier is I, I don't think it's gonna change the world in any particular way. What I do like about it is it's trying to challenge some of the problems by looking at what we have existing trust and trying to figure out how it can interate. I think that's really useful, cuz that will feed into the trust framework work and help us to break down some of the barriers where policy internally in certain organizations and regimes actually stops us into operating. So it's challenging those issues at the business and operational level. I hope that's been informative. Thank you very much. And if you have any questions, happy to talk.

Stay Connected

KuppingerCole on social media

Related Videos

Analyst Chat

Analyst Chat #152: How to Measure a Market

Research Analyst Marina Iantorno works on determining market sizing data as a service for vendors, service providers, but especially for investors. She joins Matthias to explain key terms and metrics and how this information can be leveraged for a variety of decision-making processes.

Event Recording

Cyber Hygiene Is the Backbone of an IAM Strategy

When speaking about cybersecurity, Hollywood has made us think of hooded figures in a dark alley and real-time cyber defense while typing at the speed of light. However, proper cyber security means, above all, good, clean and clear security practices that happen before-hand and all day,…

Event Recording

The Blueprint for a Cyber-Safe Society: How Denmark provided eIDs to citizens and business

Implementing digital solutions enabling only using validated digital identities as the foundation for all other IAM and cybersecurity measures is the prerequisite to establish an agile ecosystem of commerce and corporation governed by security, protection, management of…

Event Recording

Effects of Malware Hunting in Cloud Environments

Webinar Recording

Advanced Authorization in a Web 3.0 World

Business and just about every other kind of interaction is moving online, with billions of people, connected devices, machines, and bots sharing data via the internet. Consequently, managing who and what has access to what in what context, is extremely challenging. Business success depends…

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00