Why It Doesn’t Fix Long-Running Access Management Problems
Technologists are wrangling with an identity puzzle: Is it possible to create a single digital identity that can be seamlessly and securely used at a bank, a hospital or consumer websites?
It’s the holy grail of identity. The way identity information is collected and stored today is not only inefficient but risky: Hackers have had astounding success targeting centralized stores of personal data, as Equifax’s breach showed (see Equifax: Breach Exposed Data of 143 Million US Consumers).
“It’s unreal how careless we are with this stuff [data] that’s worth more than crude oil,” says Steve Wilson, vice president and principal analyst at Constellation Research in Sydney.
Many see the future of identity in the use of blockchain technology, the distributed computing network and ledger that verifies the transfer of a bitcoin from one computer to another.
Blockchain is the technology industry’s latest term du jour. That’s due to the meteoric rise in the price of bitcoin, which has elevated a once-obscure distributed computing technology to a market mover.
When Kodak announced earlier this month a blockchain-centered digital rights platform and virtual coin, its stock price jumped three-fold. The Long Island Iced Tea company, whose drink sales have flagged, has renamed itself Long Blockchain, with plans to mine cryptocurrency. Its shares also jumped dramatically in price.
But blockchain has appealing traits for identity: Rather than lodging a virtual currency transfer, it’s possible to embed identity information in the ledger. The broad vision is a blockchain could be a tamper-proof reference point to verify personal data without having to expose the actual data to a service provider.
Consumers would be in control of their identity information, a concept referred to as self-sovereign identity. That reduces the chance that a data breach would spill their details all over the internet.
But many analysts contend that it will be years – if not decades – before blockchain-like technologies may be used for identity at scale.
“When I talk to people who really understand what blockchain-based technology is about, they will quite openly say we’re talking about 10- to 20-year time frames here,” says Martha Bennett, a principal analyst with Forrester who has been studying the area for three years.
Who Are You?
The blockchain behind bitcoin is aimed at solving one problem: ensuring that a bitcoin isn’t spent twice, or the “double spend” problem.
Bitcoin is based on public key cryptography. A bitcoin is essentially just a 32-character secret private key that is stored in a wallet, which is represented by a public key. Bitcoin’s blockchain cryptographically verifies transactions, preventing the same private key from being fraudulently spent.
Bitcoin’s blockchain doesn’t care which parties are exchanging virtual currency, where they live, when they were born and whether they’ve been convicted of fraud before.
That’s where using blockchain for identity gets sticky: It may be a virtual stone tablet to record data, but it doesn’t solve the main problem around identity: Are you who you say you are? It’s the age-old problem with identity.
For a blockchain-enabled system, entities would have to vet, say, someone’s passport to ensure it is legitimate. That information could then be put on a blockchain in an obfuscated format for other parties to check. But the parties checking the information also have to trust the entity that vetted it.
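As an added illustration, not code from the article or from anyone quoted in it, the following Python sketch models the arrangement just described: the vetting entity anchors only a salted hash of the passport data, the holder later reveals the data to a relying party, and the relying party accepts it only if it recomputes to an anchor written by an issuer it already trusts. The ledger, issuer names and passport fields are constructed stand-ins.

```python
import hashlib
import json
import secrets

# Constructed stand-in for a ledger: an append-only list of (issuer, commitment) entries.
# Assumed: the ledger records which issuer wrote each entry (a real chain would do this
# with the issuer's signature); the issuer's vetting of the passport is out of band.
LEDGER = []


def canonical(attrs):
    """Serialise attributes deterministically so holder and verifier hash identical bytes."""
    return json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()


def commit(attrs, salt):
    """Commitment = SHA-256(salt || canonical attributes). The salt stops anyone who can
    read the ledger from brute-forcing low-entropy fields such as a date of birth."""
    return hashlib.sha256(salt + canonical(attrs)).hexdigest()


def issue(issuer, attrs):
    """The vetting entity anchors only the hash; the holder keeps the data and the salt."""
    salt = secrets.token_bytes(16)
    LEDGER.append((issuer, commit(attrs, salt)))
    return {"issuer": issuer, "attrs": attrs, "salt": salt}


def verify(credential, trusted_issuers):
    """Relying party recomputes the hash from what the holder reveals and looks for it
    on the ledger under an issuer it trusts. Returns (accepted, reason)."""
    if credential["issuer"] not in trusted_issuers:
        return False, "issuer not trusted"
    expected = commit(credential["attrs"], credential["salt"])
    if (credential["issuer"], expected) in LEDGER:
        return True, "anchored by trusted issuer"
    return False, "no matching anchor on ledger"


def demo():
    """Constructed scenario: one vetted passport, one tampered copy, one untrusted vetter."""
    trusted = {"passport-office"}
    passport = {"name": "A. Example", "dob": "1980-01-01", "doc": "P0000000"}
    good = issue("passport-office", passport)
    tampered = dict(good, attrs=dict(passport, dob="1999-01-01"))
    rogue = issue("unknown-kiosk", passport)
    return {"good": verify(good, trusted), "tampered": verify(tampered, trusted),
            "rogue": verify(rogue, trusted)}
```

The "rogue" case is the point the article makes: an anchor is only as good as the relying party's trust in whoever wrote it, which the hash itself cannot establish.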
Who is responsible for vetting data and is liable if it’s fraudulent is where federated identity projects have become stuck in the past, says Avivah Litan, a vice president and distinguished analyst at Gartner.
“It’s never been a technology problem,” Litan says. “Federated identity management has always been a business issue.”
Technology and business issues aside, Bennett says regulatory frameworks may have to be revised to make it possible for a company to simply look at a hash in a blockchain as proof of ID, relying on another party to make a judgment on its authenticity.
“All you need is one money laundering case or fraud case and the whole thing blows up,” Bennett says.
Even if the business issues around blockchain trust are ironed out, there are long-running access management problems that blockchain doesn’t solve, such as key management.
Individuals need to prove they own identity information using some form of private digital signature, either embedded in an ID card or stored electronically. Many governments already have had successful digital ID programs that do this. But using a blockchain to store information doesn’t necessarily make the administration of those systems any easier.
“There would be too many cases where you would need an administrator to roll back some transaction or grant access to someone who has locked themselves out of their digital identity,” says Ivan Niccolai, a blockchain and identity management researcher who works as a senior security architect with the security consultancy Zimbani.
There’s also the task of explaining self-sovereign ID and blockchain to the public.
“You just go to a conference in Silicon Valley or to a blockchain meetup in Sydney and you talk about self-sovereign identity and everyone nods,” Bennett says. “You go to a Walmart somewhere in the Midwest on a Saturday afternoon and talk about self-sovereign identity, I’m not so sure.”