Identity and Access Management (IAM)

IdentityNEXT: Reaffirming IBM’s Decentralized Identity Strategy

By Dan Gisolfi posted 22 days ago

  

As we close out 2019 and reflect on recent industry activities, this is an opportune time to provide additional clarity around how and why IBM is participating in the decentralized identity movement.

In the Autumn of 2017, IBM joined the Decentralized Identity Foundation (DIF) and has since been a member of the DIF Steering Committee. In the Spring of 2018, IBM joined the Sovrin Foundation as a statement of our commitment towards the collaborative development of a new trust model that will allow individuals and organizations to securely share private information and credentials without a dependency on an intermediary. The only way society is going to resolve the shortcomings of our disparate approaches to physical and online identity interactions, we believed then as we do now, that a new trust model must give control back to the individual, who defines how and when personal information is shared and with whom. We recognized how disruptive this perspective and model might be, but we believe that the adoption of decentralized identity standards, designs, infrastructures, and solutions will produce tremendous net benefits for IBM customers and partners as well as society as a whole.

 

Decentralized Identity Adoption on the Rise


In recent months, attention to the decentralized identity movement has been very strong. As one example, NIST released a Cybersecurity White Paper (DRAFT) called A Taxonomic Approach to Understanding Emerging Blockchain Identity Management Systems. This paper highlighted the benefits of the decentralized identity movement as a distinctly new approach from traditional and federated Identity Access Management (IAM) models. Specifically, it referred to a trust model “that can remove the need for traditional credential service providers and enable direct user to relying party interactions with verified information”. Plain and simple: individuals can manage the acquisition, storage, sharing, and presentment of their digital credentials without reliance on a 3rd party middleman.

Then Gartner’s Hype Cycle for Identity and Access Management Technologies, 2019 highlighted how the next wave of IAM solution domains are reshaping and expanding the traditional scope of Enterprise IAM (EIAM). They specifically, called out:

  • Decentralized Identity, including Zero-knowledge proofs and Blockchain for IAM
  • Bring your own identity (BYOI)
  • Customer IAM (CIAM)
  • Identity and access management as a service (IDaaS)

 
The US Department of Defense demonstrated concurrence with Gartner as these IAM solution domains have recently been cited as general requirements in a Defense Information Systems Agency (DISA) Request for White Paper (DISA-OTA-20-R-ICAM) that is focused on Identity, Credentials, and Access Management (ICAM).

Meanwhile, traditional IAM experts and vendors are still debating if/when/why we will see Enterprise (EIAM), Customer (CIAM) and Device (DIAM) solutions merge. We believe they are failing to see a digital identity revolution emerging right under their noses much the same way many established local area networking (LAN) vendors failed to see the Internet taking off—and their market completely transformed in a few short years.

We have also seen the early tricklings of marketeers latching onto the hype and often derailing the message—which in fact is usually a sure signal that mindshare and awareness around an emerging technology is growing. The most notable recent example is the attempt of marketeers to rebrand a federated identity scheme, the Global Association for Digital Identity (GADI), as a decentralized identity model for trust. The supporters of this scheme have not participated in any of the open standards or open source community development of decentralized identity technology, and what’s worse they are promoting the notion of a single identifier (DID address) as a universal form of identity that is only issued by GADI providers. This is drastically different from our views on a reputation economy based on the exchange of trusted digital credentials.

The combination of these data points coupled with increased client interest and progress in the open standards and open source arenas has set the stage for this article. Today, IBM reaffirms its point-of-view and commitment to the decentralized identity initiative we call IdentityNEXT.

Vision Driven Point-of-View


Our Enterprise Customers need a way to provide a privacy aware experience to their users through a trusted information exchange so that they can thrive in a digital economy. In many cases, the employees and clients of our customers are Identity Holders (Individuals) that need a simple way to share and prove their reputation so that they can enjoy a safe digital lifestyle which protects their identity, gives them control in a fast, efficient manner, and enables the trusted exchange of permissioned data.

For this vision to be achieved, our customers do not need to forfeit control of their systems of record (SOR) for clients or modify their existing client onboarding processes. Instead, they need a new set of IdentityNEXT tools and infrastructure that will allow them to participate in existing and emerging identity interactions. This allows our customers to maintain trusted relationships with their clients without the risk of regulatory compliance and other privacy and financial risks associated with the exchange and protection of personal data. We also realize that a holder’s digital identity journey does not begin until the issuers and verifiers have enabled a new marketplace built for trusted, permissioned commerce. To this end, our IdentityNEXT portfolio must help issuers and verifiers down two pathways:

  • Embracing the integration of decentralized credentials with traditional IAM solutions while exploring new business opportunities and business policies that can leverage inter-organization digital credentials
  • Managing the lifecycles of digital credentials within their enterprise and their business ecosystems

 

Guiding Factors


As we work with the decentralized identity community to mature standards, open source code and governance frameworks, our strategy will be guided by three (3) key factors that shape our point of view.

1. Open by Design


In the spirit of Open by Design, IBM’s participation in the decentralized identity movement has been and continues to be grounded in standard initiatives. The lessons from our research in mobile identity concepts reach as far back as 2012. Our innovation and patents in cryptography and peer-to-peer identity interaction  protocols taught us the importance of cross industry standards and interoperability. While standards take time, we remain committed to the development of open source designs that strive to establish reference implementations and defacto standards through collaborative foundations that are managed by proven open governance models. 




This approach has already paid dividends with the introduction of the Trust over IP (ToIP) Stack that is an artifact of community collaboration. ToIP builds on a layering of standards along with design proposals and code repositories that help the maturation of a decentralized identity architecture that can be used today for the exchange of interoperable digital credentials.



IBM is a strong believer in the notion that the IdentityNEXT vision cannot be tackled by any single company, organization or government. Success in this arena will be defined by a new marketplace where digital commerce is enabled by the work of collaborative communities. 

 

2. Core Principles


Participants in the decentralized identity community are taking on the non-trivial problem of re-THINK-ing our approach to digital identity. We believe that society today is faced with a range of privacy issues that can no longer be resolved in centralized manners where the entity (person, organization or connected device) is not in control of its own personal data. This implies that entities must have sole responsibility of their digital and analog identities, and control over how their personal data is shared and used. A commitment to this vision demands a shift in thinking around identity management. This shift can be described as a disruption to identity control points whereby the new control point is moved to the edges of the network. Since identity is such a central part of society, we need to strive towards the development of decentralized identity solutions that adhere to a set of core principles that will ensure security and flexibility for all identity instrument interactions. IBM, as a Founding Steward of the Sovrin Foundation, aspires to participate in new trust models that are based on Core Principles such as those outlined in the Sovrin Governance Framework.

Given the emergence of geolocation specific privacy regulations (i.e.: GDPR, CCPA, and so on—including others not-yet-announced) that must be addressed by IBM and our customers, it is imperative that our solutions acknowledge and build on a set of privacy by design principles such as those outlined in the Ten Principles of Self-Sovereign Identity.



It is important to note that these guiding principles are not unique to IBM. Instead, they are shared by many of the contributors who are implementing ToIP Architecture.

We must also recognize that our IdentityNEXT solutions must allow for new levels of trust that will become possible as we shift control to the edges of the network. While a citizen may establish a strong reputation based on credentials from organizations that perform some degree of due diligence during a vetting process, the same citizen may augment her reputation from a range of self and peer attested credentials. Support for such capabilities implies that IBM will partake in trust models that allow for interoperability between a broad range of identity interactions types and credential schemas. IBM believes that new trust models that arise from ToIP Architecture will present new AI and data analytic opportunities for the scoring of trust and reputation.



3. Decentralized Identity for the Enterprise


Our emphasis to date on an interoperable, standards-based approach to decentralized identity has resonated with our clients. Some are already beginning their decentralized identity journey while others are contemplating their adoption roadmap. These early adopters have also helped us address some enterprise adoption concerns. For example, technology aside, many enterprises (including IBM) require ToIP Layer One Peer-Nets (DID Ledgers) to be tailored for enterprise participation and/or use. Some of these “enterprise tailored governance” requirements include: 

  1. Permissioned Writes: Not anyone and everyone can write to the ledger, only permissioned entities (trust anchors).
  2. Token Independence: Payments for write transactions must not require a utility token.
  3. Open Governance: No single organization owns the ledger.


These requirements are not enough. As depicted by ToIP Architecture, Layer One must support the notion of a network of ledgers with each ledger (Peer-Net) being associated with a unique governing body. Businesses and Governments around the world must be able to balance risk mitigation and technology adoption. Additionally, all stakeholders must accept the fact that a single network (DID ledger) cannot serve the global community. As an example, the Sovrin Network uses Hyperledger Indy, which like many consensus algorithms, carries an expected threshold of optimal validator nodes, thereby limiting the size and scalability of a single DID Ledger. We live in a heterogeneous world of networks where interoperability is paramount. Some Peer-Nets may be configured for permission-less writes while others restricted to permission only. Some may allow for utility tokens as a form of payment for write access and others may simply desire to deploy a governance model that is unique to a given industry with pre-existing and mandatory credential schemas.

IBM has been an advocate for the expansion of the Sovrin Foundation from a governing body for a single Peer-Net to a governing body for an identity metasystem. Phil Windley, Chair of Sovrin Foundation, describes an identity metasystem as a provider of “the building blocks and protocols necessary for others to build identity systems that meet the needs of any specific context or domain.”

IBM is helping the Sovrin Foundation transition into the governing body for the Sovrin ToIP Metasystem where Peer-Nets can co-exist to establish a community bound to a common vision but comprised of safe-spaces for each community segment to establish their own governance.

IBM and our clients will benefit from this transformation in the following ways:

1. Network flexibility, operation and management: An identity metasystem of trusted decentralized identity utilities (Peer-Nets) will serve as the foundation for the creation of a global trust framework. Each industry and business vertical can choose to establish new dedicated Peer-Nets or participate within existing Peer-Nets based on market demands and business requirements. This transformation also allows for new offerings and services to build and operate consortiums, manage ledgers, globally discover issuer/verifier entities, and more.

2. Participate in a world of many, heterogenous networks: The onramp for issuers, holders, and verifiers within decentralized identity ecosystems is critical. Because there will be a world of many networks, it is vital that all interaction types are rooted in standards for interoperability. This means that issuers have flexibility to anchor their credential issuance workflow on ledgers of their choice, and regardless of which ledger issuers anchors to, verifiers should be able to verify credentials presented by holders across multiple networks. The world of heterogenous networks is inevitable and to serve the needs of identity as the foundation to establishing trust, all roles must be able to participate within and across network ecosystems. 

3. Modernize business process workflows: Existing IAM systems (EIAM, CIAM, DIAM) can establish IdentityNEXT integration strategies that will allow for a co-existence between traditional IAM solutions and new digital economies. An identity metasystem will open up new channels for how we establish trust in a digital world as well as enhance trust in our physical interactions. This modernization activity may include better end user experience, end user privacy and control, and more. It will also allow us to rethink how existing process workflows operate today all the way from how we engage and interact with end users but also the legal, privacy and business “rules” behind each identity interaction.

Conclusion


Offering strategies tend to evolve as market dynamics change, and as we listen and work with customers, ours is no different. However, our approach to IdentityNEXT has not swayed from a consistent set of guiding factors. This consistency allows our customers to gauge our position as shifts and noise in the market arise. For example, we and other community members were able to quickly position the DID Alliance as a remote metasystem that is not in line with our identity metasystem and one that will place user privacy at risk.

Discussions around “identity” vary in complexity and context making conversations in this space difficult. Add the disruptive nature of the decentralized identity movement and discussions get even harder. IBM believes that no single organization can solve our identity challenges alone and that the path to a solution is paved by open and collaborative work within the community.

 

0 comments
32 views

Permalink