Event Recording

Global Trust Frameworks Interoperability


So, oh, what's the, the clicker, whatnot. There we go. Thank you. Brilliant. Thank you. Good afternoon. You all had a lovely lunch. I'm gonna take you through what the Open Identity Exchange is doing in its part in GAIN. So we're looking at trust frameworks. So that's what we do. We're all about trust frameworks. And so we've picked up the probably somewhat thorny area of the kind of rules, not the technical area, but the, we're looking at the rules, the procedures, the, the legal elements that we need to make happen for interoperability to be a success. And we've just started on that journey. So, so GAIN's been going since September, we started off with a workshop in October around our conference, which is one of the listening sessions we ran overall for GAIN. We then established a working group, which we kicked off in January.
So I think we've had three meetings so far, so we're not very, we're not very far into this work, but what we've done so far has been fascinating. And we've got some really interesting debates and kinda hypotheses to challenge coming out in terms of the work we've done so far, but this is all work in progress. So it's free. Anything I'm presenting here, please don't take in any way as any final statements of where we're gonna go. I'm sharing with you almost initial thoughts of what we are looking at in this particular working group. And we are looking for your input, any questions today gratefully received. So what this working group's overarching objective is, is to determine what we need to do to make one trust framework's IDs work in another one. So that's the, that's the simple objective we've got, and working group members include those listed here. There's a lot of other members who are getting involved on an ad hoc basis or looking at particular topics as well. So it's been a popular working group so far.
Interestingly, in February, it might have been late January, this paper came out and it talks about digital identity response to COVID-19, but actually when you drill into it, it talks about eight governments' experience during that time. And then goes on to reflect in quite a lot of detail about interoperability and how those governments, which include Canada, UK, Australia, New Zealand, Singapore, may then go on to look at interoperability between their respective frameworks in due course. And the reason I really like this report is 'cause it really endorsed what we are trying to do here in GAIN, absolutely underlining the need, because in their conversations around achieving interoperability, what was noted was that actually the fundamentals, the foundational activities haven't been done yet to work out how interoperability works, and that's what we're trying to do in GAIN. And that's what we're trying to do in the trust framework area in this particular working group. So this was, you know, a really timely report and I've drawn out just some of the text here and highlighting. It's talking about common language, it's talking about respective policies and frameworks, appropriate technical models and infrastructure, all of which are foundational in order to make interoperability happen. So
We've been tracking, you know, we've tracked this report, I'll come onto frameworks in a moment, but in order to make this a success, we need to engage with trust frameworks and we need to have them as part of the dialogue. If you haven't read that, please do find it. We can provide you with a link to it from our, but it's, it's a fascinating report, not just on the COVID angle, but really where it goes in terms of what next and how do we make interoperability happen? Just stop to clicking forward. If I broke it, there we go. Then just a note. So one of the first things we did first working group was talking about what, what are we trying to achieve here? And you that our objective was framework to framework. So
Are we trying to make an IDP in one trust framework work with a single relying party in another? No, it's at a higher level than that. We need to make that possible, but to do that, we need to make that happen at a framework to framework level so that everyone in one framework can trust everyone in another framework. So that's the, that's the, the approach we're taking in this working group. So I just wanted to make that, that, that clear as we go in there, cuz that's quite fundamental to, to some of the, the hypotheses we're coming up with. So what we did over on this side here is the OIX trust framework. So we published a guide to trust frameworks on our website. It's been up there nearly two years now. We iterated that back in January, made it more embracive of distributed identity. It talks a lot about smart digital ID. It talks a lot about rules coming into the, the rules engine for interpretation,
All the block, all the boxes represent something that needs to be done to make a trust framework a success. The blue ones are drilling on the, on the yellow ones. If you count them up, there are around 30 things in here, you need to do 30 areas that should be titles in your trust framework and need policies and procedures, not just one, sometimes many underneath them. And we went through that and we said, okay, what's important in here for interoperability? A lot of it's important for, you know, usability, for, you know, for, for security. We're not looking at the security layer by the way, on a technical layer. So above that, what was important for usability? And we drew out to start with these kinda six areas. And in our conversations, our seventh came along. Are we gonna need some kind of new role in the ecosystem, working title, interoperability agent, not wedded to it, but we think there may need to be some, you know, some role or some governance function that makes this happen.
So we start with principles, all good frameworks have principles. We have our own principles at OIX. The DGX paper had a set of principles in it. We've merged those together into a set of interoperability principles and we continue to work on those. Identity trust, assurance, proofing, evidence: this is the key area that we're focusing on. How do we interpret identity trust established in one trust framework in another? Well, how is that gonna work? And we've got a number of thoughts on that. Data standards: some of you may have seen the presentation I gave this morning on data standards. We've got a separate working group working on this, but we believe that we need, we don't need, if we have data standards that are consistently used across frameworks, won't interoperability be so much easier? We also remove the need for data translation and fiddling with it, which is a risk.
And you know, we don't want to introduce any more risks and security elements into the ecosystem. Ecosystem role trust: how do we trust the role in one ecosystem is equivalent to one in another and a person is playing that role? Then there's a whole plethora of things that we just started looking at. But this is where we'll go to much more depth around legal, the liability issues, data management, permitted uses around data. And then how would this be governed? How would you govern, govern such a framework? And we, we for now, we've kind of parked that until we know what we need to do other than the principles around governance, which would be, it needs to be, yes, there may need to be some standards and policies on a global basis. But after that, this needs to be distributed. No central hub and spoke, certainly no one central hub-and-spoke approach.
We need to be creating an ecosystem and a market that enables interoperability. So that's where we've got to so far in a global interoperability framework. So there that's a new, a new new term. Do we need a global interoperability framework? We started off with a framework of frameworks, that meta framework, we're currently calling it a global interoperability framework, that enables one framework to interact with another. Again, work of the working group to be expanded and explored. Here are the principles. I don't intend to go through them and they should be very familiar to you. The points of principles in this context, the two points one we had about half an hour on this, in the working group. And we said, okay, are we all broadly okay with this? Yes. Okay. Let's park it until we've explored more. Because if you spend oodles of time doing principles up front, you never get beyond that to the meat of, you know, how are you gonna do that?
We will go back and look at them later. There are probably some missing, but what we did was map them to the DGX principles to make sure including what those eight governments thought was important in the interoperability principles they've already discussed. And we have that mapping and they're all in there. So around principles, we'll continue to evolve this. There's some principles, technical ones, that are coming outta the I F work. We're gonna map those in as well to make sure we, we get that overarching principle set. The point of principles here is the test of principles between frameworks. If I'm a framework going to trust another framework, I need to know it has the same principles as me. I certainly need to know it hasn't got a major principle missing. The principles drop down into the framework rules. The rules drop down into policies.
But if at that principle level something fundamental's missing, that's a warning sign day one for us on framework interoperability. So if we can get these set of principles and map to them, we think that's a good starting point. You've seen this before, you saw it this morning, the GAIN vision. The GAIN vision is interoperability across trust networks. And there are already, you know, a lot of trust networks in place. There are many more emerging. Embracing of those that are already there, and those that are coming. Embracing of distributed approaches. The reason I wanted to show this is cuz we're kind of building on this diagram and this, this way of exploring things in what we're looking at in terms of level of assurance. And we're looking at the currency of identity. When we move around the world, as many of us have, we find we need to use different currencies. Here, we use the Euro.
You go to the US, you use the dollar. We understand those as different representations of money. They're actually representations of trust. They're a bond that someone will pay you that amount of money. What's the currency of identity? What's the equivalent of that? With those money currencies we, we deal with, we know there's an exchange rate and it fluctuates, actually it's a market, but we know how that works. I don't think we can have a fluctuating exchange rate for identity. The level of trust in one country's ID can't go up one day and another's down another, you know, we need that sort of fixed. We have the concepts of level of assurance, lots of frameworks have that. We're very pleased at OIX that we've probably helped define that, that, that term.
So we've already got some consistency there, but they do it differently. So I've got three frameworks. EU has got substantial. UK's got medium. US has got IALs and AALs come together to levels of assurance. We've done a brief analysis of the different levels of assurance so far. They don't map. You may have three, but you can't say the three are all at the same level. Generally the high ones are all very, very good and very robust. But below that, it's, it's more difficult. So is this the currency of identity? Are we going to be able to get equivalence and get acceptance of one level of assurance in another trust framework? So we will explore that. We've already got some methodology to do that, that we defined about two years ago, our and published. We're going to exercise that methodology. We need some trust framework partners to do that.
So that's one level of the currency of identity, but what if that doesn't work? And I think a lot of us are looking and saying we're skeptical we can get that working. And certainly we could probably do it on a peer-to-peer basis for a few frameworks, but it will be hard. We're not gonna do it on a peer-to-peer n times n times n basis. It's going to take too long. Do we need a, a benchmark level of assurance or some benchmarks? So if people can benchmark themselves. And so actually I, I, my, my substantial equivalence of, of bronze or silver, do we need that? Is that something that will enable interoperability? Again, we'll explore that concept onset. If neither of those things work, we need to drop a level. We need to go to the commodities. Our currencies represent countries making promises. Countries' wealth is represented by commodities: how much oil they have, how much gold do they have. The commodities in ID are the credentials.
They're the gold, they're the oil that sits within our identity. So do we need to drop a level? So within trust framework C, I, as a user, might have a driving license and a bank account that have been verified to a, to a level, into a proofing standard. When I go to trust framework A they may be reinterpreted into a level of assurance by that trust framework, and the same in trust framework B. So is the way we actually trade our, our identity at the proofed proof level, the evidence level, rather than at levels of assurance? Because if I know these proofs are all done to a standard, which don't exist at the moment. So one of the things we're making it maybe recommending outta this is there needs to be standards for proofing across the globe. If they're done to a standard, then I can interpret that within my own context.
And that's important cuz countries work in different risk levels for different use cases, and that's not gonna change. You're never gonna get countries to harmonize on that. So maybe we do have to trade at this lower level. We don't know yet. This is all what we're exploring in the working group at the moment. And does that mean that, for those of you familiar with OIX's latest stuff, this is where everything looks these days. We have a digital ID with the rules engine, authenticators, digitized credentials and derived credentials. If my derived credential of LOA A isn't acceptable over here, because trust framework B works on a different one, I can take the base credentials, the driving license, some data, put it through a local rules agent. And that spits out a new level of assurance as another credential, which goes back into the original digital ID. So I don't end up with a new digital ID, I end up with a new credential that's relevant in the other trust framework. So is this one of the ways that this unfolds, because what I don't want is to have to have digital IDs in lots of different places. I want one digital ID that works everywhere. So is this the way or one of the ways that we might achieve this? So
That then sort of takes us into a conversation about what are the values of these credentials relatively across frameworks. And that's really difficult and you can shoot this down. So I put this arrow going this way around credential value, but you can, yeah, shuffle these around like cups. And it's a database ID proof, not as good as a national ID card issued digitally pretty much. That's probably I've got the ends, right? I think
If you've got a national ID card issued digitally by the government in a secure way, that's pretty good. That's a very strong, digitized credential. If I've got a passport or a driving license, passports are issued by governments, that's pretty good. Driving licenses are issued by, by agencies. That's pretty good, but not to a standard for proofing and issue. The standard is there for the credential, not how it's proofed and issued. Bank accounts are all done to AML. So that's another area we're exploring. I've been told to wrap up. Data I talked about this morning, so I'll skip that. Roles: we need consistency. The final area I'll just, just look at is data protection and liability. This isn't gonna work unless one trust framework's liability is exposed to another. And this is very, it gets really interesting legally. So I might accept that there's a different liability model in another framework because I don't get that many IDs from there so I can accept the risk.
So that may be one way of dealing with this. Well, what I can't accept is things around data protection. If the data's gonna be misused where I'm sending it, I cannot accept that. That's a no-no. If the data hasn't been gathered with the right consent for my country, I cannot accept it. That's a no-no. So there's areas here we're just starting to explore around. Some of them will be probably legal and agreements between frameworks. Others will be much more difficult to, to resolve, but examples here, this is the working group's work and thinking so far, there may be big areas we're missing.
So we've only just begun. There's a song in there somewhere. We need to bring frameworks together to make this a success. So for anyone who's involved in the framework, I want to talk to you and get you involved in this work. We need to dive deeper into frameworks to see what you're doing in terms of proofing, what you're doing in terms of liabilities, to do an, do this analysis and determine what we need to do for a global interoperability framework. So, yeah, please, if you're not part of it already do join what we're doing here. Sorry. If I ever run,
First of all, thank you. Okay.
