Event Recording

Joni Brennan: Verifying Assurance for Blockchain Enterprise Scenarios with a Pan-Canadian Trust Framework


This is certainly an important key event, and I'm really glad to listen to the talks through today. And I think this talk is going to line up with the previous talk very nicely. So just a little bit about myself: I'm Joni Brennan, president of the Digital ID and Authentication Council of Canada. And I'll share with you some of our experiences from the Canadian side, but keep that in a global context, as we are focusing on global digital economy growth through these approaches. So we can go to the next slide, please. So let's start with a little bit about who we are, which is the DIACC, or the CCIAN, which is our French translation. Next slide, please. What DIACC is, is we are an adoption accelerator. And so this means what we do is we are an association that brings together organizations who add perspective to the digital identity ecosystem and help to inform what investments should be made, strategies and tactics, all for the benefit of people in the global digital economy. Next slide, please. And DIACC is also what we call a trust framework provider. And in this case, we are an entity who is responsible for the development and the compliance verification for a particular information assurance framework. So we'll talk a bit about that as we move forward. Next slide, please.
Now, I think it's important when we're talking about the digital identity space, we always take a view from the DIACC perspective that technology alone will not solve the challenges. And so we look at four key pillars when we're looking at how to move this space forward for information assurance around digital identity and the enterprise. And that is around particularly the technologies that are used, the public policy alignments, regulation, legal considerations, the standards that are developing in the space, and all of this moving forward for adoption for the community. Next slide, please. So I think through our day, we've heard through different types of use cases. We don't need to go through all of these, but if we think about the banking sector, finance, food safety, supply chain, retail, healthcare, many, many enterprise use cases where blockchain and digital identity for blockchain fits. And I think, similar to the last speaker, as I was developing these slides, it became very apparent to me that there were at least three functionalities from a blockchain and specifically modeling and process perspective that are important in this space. And one is credentials. And so is this the right organization that I'm dealing with? Is this the right person that I'm dealing with, that I should be working with, and is this the right organization that I should be working with? So that was something that came very clear as common across all of these different industries and use cases within. Next slide, please.
So we will talk a bit more about how these fit together and what that commonality is. Next slide, please. Now navigating this space does require the ability to understand what the requirements are. And by defining these requirements for information assurance, we reduce uncertainty, guide strategy and ultimately accelerate adoption. Next slide, please. So we'll walk through; we've done a paper at the DIACC a few years back, and the content has held really well. And so we'll look at some key concepts, some key requirements around blockchain networks and enterprise use cases and where they fit. And so the first would be participation. So if we're looking at our blockchain or our network-based approach for all of these types of enterprise, whether it's banking, supply chain or other, really making sure that we understand the participation and the rules that govern the participation for the subject, for the provider and the relying party.
So while you're reviewing your blockchain network approach for your enterprise use case, focus on the participation and review that in detail. Next slide, please. Now transparency: if we're evaluating which type of blockchain network and which approach works best for us, transparency is an important requirement from a governance perspective. And transparency really ensures that the users of this blockchain network have the confidence that the sensitive data in this network is protected. And they know that that data is processed in line with the appropriate laws, and that explicit consent has been gained from the data subject within that. So our second piece of requirements advice to review when you're in this space for information assurance is within that blockchain approach. Slide, please. Now accountability: accountability is really concerned to ensure that all of the parties are acting responsibly, and that if there is one that is not acting responsibly, that for the loss incurred there is some sort of recourse there.
So when you're reviewing the world of blockchain networks and the different types of technologies that can underpin here, be sure to look at the accountability under the governance requirement, be sure to review what the accountability is, because that's going to tell you how much you can trust or what your recourse will be if there is something that goes wrong within that network. Next slide, please. Now, moving from governance requirements, we're going to move more to operational requirements. And so confidentiality is absolutely an operational requirement with regard to the credentials for people and verified organizations that would be moving within this blockchain network. In here, I'm really thinking about self-sovereign identity type models. And so knowing that the credentials are protected from unauthorized or inappropriate disclosure, this will really help to ensure that you've got the right consent, that you can trust this system, and that information will be fully confidential for the subject, the provider and the relying party in this context. Next slide, please.
Now the next operational requirement is around integrity. And so ensuring that your blockchain network protects the integrity of credentials is really vital to maintaining that confidence across the service. Your users need to be sure that credentials are transmitted reliably, and they're not somehow maliciously altered within the process with how they're shared. And so from a subject perspective, we know that the system is protecting against identity theft. For providers, we know that credentials cannot be altered downstream. Blockchain is very good for this. And relying parties, we know that the credentials that would be received from the provider, the service here is able to detect and prevent fraud within this system. So blockchain is a great approach with regard to operational integrity. Next slide, please. Now our next operational requirement is around availability. And so really the blockchain network must be available for people when they need those services at all times.
And we must ensure that the network and the inputs and outputs to the network are available for all of our users. If we don't have this level of availability, then we won't be able to use this system for solutions that require, let's say, infrastructure or really the underpinning of the backbone of the economy. So this is important from the subject perspective, the provider perspective, as well as the relying parties. Next slide, please. And those are our top six requirements. Now let's look at the comparison with regard to these requirements versus other models. And so we've got our requirements again on the left: participation, transparency, accountability, confidentiality, integrity, and availability. And we took these requirements and we looked at them across different types of models. So platform-based models, Google, Apple, Facebook, Amazon; we looked at operator networks, trusted operators, like payment networks, phone networks.
We looked at self-sovereign identity and we looked at models such as open API. And if we think about the space that the economy and the marketplace really has influence over, can shape and change and innovate with regard to these kinds of approaches, and meet those requirements in the best way, we really see that there are kind of two winners here. One of the winners is the operator networks and the next winner is the self-sovereign identity model. And so we see these two models as really being, from a network perspective, the best approaches. And so there's a good view here that self-sovereign identity has an opportunity to provide a lot of utility in this space. Next slide, please.
Now let's make a comparison and look at blockchain networks versus those other models as well. And we can see that there are a number of challenges in this space. We don't need to go through all of the different models, but from a self-sovereign identity perspective, some of the challenges that we see in the space is that when you're looking at SSI models, the governance is often evolving in a different path than the technology is evolving. And so you can have a blockchain SSI-based implementation using a registry, a trusted registry, for example, but the way that those governance requirements are met can be overlaid by different communities and interests and different organizations. So this needs to be reviewed in detail. The commercial and sustainable liabilities are unclear at this point. So there is work to be done in the blockchain and SSI space to bring clarity to the commercial and sustainability in that space. Further, the work around standards in the SSI space: there is work to be done.
I know that we have a number of technical standards for things like verifiable credentials that we're seeing moving forward. And so there are a number of communities working on this space. So seeing where and how the data model standardization evolution takes place is something to watch for. Also, understanding how the actual assurance, the processes that verify the data and those verifiable credential data models: how is that assurance achieved? And again, that is separate from the technology perspective. So much to review in that space. Also, when we look at these networks, particularly an SSI network, for example, understanding the availability of data sources. And one thing that we see in Canada is that the data sources, particularly from the government, are limited at this time. So we would like to see more access to government data sources, and we would like to understand that space better.
So there are a number of challenges, all the ability to work through these in this space. Next slide, please. Now, when we look at those challenges from a scenario perspective, from a model perspective, blockchain versus platform versus operator networks and versus API, there were actually some challenges that were very common across all four of those approaches. And so these are common to the blockchain network approach as well. And these challenges fall into what we see as two categories. One is creating the right market conditions. And so this area focuses on the standards development that we talked about. Adoption of standards across the economy is unclear at this point due to parallel efforts, as well as along the regulatory space. And so we do need regulations to enable these solutions to innovate and to move forward, including more controlled access to data. Further, what we're looking for here is the ability to promote market growth. And so, as we noted, sustainability, how these models fund themselves or how they're commercialized, is something that needs to be looked at more, is something that is evolving over time. And, maybe most importantly, inclusion. So back to the participation pillar, participation requirement that we discussed earlier: ensuring that we have critical mass and that we have participation from all parties is a key factor that we do need to review. Next slide, please.
Now, navigating this path, it's very useful to have a framework to reduce the uncertainty, to guide the strategy and to accelerate the adoption. Next slide, please. And so here's where we come into the idea of a trust framework, an identity trust framework, or the Pan-Canadian Trust Framework in this case, which helps to provide that assurance layer across the common model of data requesters and data verifiers, so that you, at the center of this equation, can provide that verified data from the verifier of your choice to the data requester of your choice. And so the Pan-Canadian Trust Framework provides this assurance-based utility to understand the processes for the information that gets into these verifiable credentials in this ecosystem. Next slide, please. And so we'll see our familiar faces from the beginning of the presentation. The Pan-Canadian Trust Framework is really a set of documents, a set of requirements that are auditable and repeatable for information assurance verification.
Our dark blue components here are non-normative pieces. They are informative. This is how the model works: the glossary, how the assessment program works. Our light blue components here are the areas that have conformance criteria specified for them. So we'll see the verified person, the verified organization and credentials are called out in this space for how we can verify operational assurance. Now, of course, privacy is paramount and all-encompassing of all of these components. So this is all available in English and French, if you'd like the trust framework and we'd questions. Next slide, please.
Now trust frameworks are a tool to help people understand: can I trust this verified credential? Can I trust this person, this wallet, this network? It helps people on that education side, whether they're CIOs or average users, to understand: is this privacy protected, or do I need more assurance when I'm working with this blockchain-based network? Next slide, please. And when we're looking at the Pan-Canadian Trust Framework, it's really about assurance interoperability. And so to go back to our pillars in the beginning, noting that we can have different governance overlaying these blockchain-based networks, policy and governance must be verified. The technology, whether it's Ethereum or Hyperledger or other, the technology must be verified, and having a neutral framework provides a mechanism to do that. Verifying the standards, the people in the process implementation of the different standards in the space, whether you're looking back in history at SAML and OpenID Connect and pieces in use today around FPI, or if you're looking forward to the blockchain-based networks and more that's to come in the space. And finally, people: when people have the ability to trust the solutions that are in the ecosystem, this helps to build the confidence of decision makers, people, and investors in this space. Next slide, please.
So we are pleased to advise that in the beginning of 2022, we will be launching a Pan-Canadian Trust Framework program. This is called Voilà Verified. So through this program, organizations can present a solution. This can be a blockchain-based solution. This could be down to the detail of a wallet or a credential issuer, a credential provider, or this framework can be applied toward the verification of a network or the practices within a network. And so we look forward to launching this program early in 2022 for organizations who need to have the assurance along with the technology innovation that blockchain can provide for enterprises, and particularly for important projects that are infrastructure based, supply chain based, and really underpinning our digital lives in the digital economy. Next slide, please.
And we again are here to provide those tools, to educate people, to verify assurance across the people, policy and technology needs for the digital economy. Next slide, please. We're really thankful for your time; as I noticed, thanks for bearing with me through the technical difficulties. This is the first time this has happened through the whole pandemic, so I appreciate your flexibility. And I hope that you've had an opportunity to think through the information assurance practices that overlay and bind to different types of blockchain network technology in these systems. And so I'd be happy. I think we have a few minutes for questions and I'd take those questions.