As we close out 2019 and reflect on recent industry activities, this is an opportune time to provide additional clarity around how and why IBM is participating in the decentralized identity movement.
In the Autumn of 2017, IBM joined the Decentralized Identity Foundation (DIF) and has since been a member of the DIF Steering Committee. In the Spring of 2018, IBM joined the Sovrin Foundation as a statement of our commitment towards the collaborative development of a new trust model that will allow individuals and organizations to securely share private information and credentials without a dependency on an intermediary. The only way society is going to resolve the shortcomings of our disparate approaches to physical and online identity interactions, we believed then as we do now, that a new trust model must give control back to the individual, who defines how and when personal information is shared and with whom. We recognized how disruptive this perspective and model might be, but we believe that the adoption of decentralized identity standards, designs, infrastructures, and solutions will produce tremendous net benefits for IBM customers and partners as well as society as a whole.
Decentralized Identity Adoption on the Rise
In recent months, attention to the decentralized identity movement has been very strong. As one example, NIST released a Cybersecurity White Paper (DRAFT) called A Taxonomic Approach to Understanding Emerging Blockchain Identity Management Systems. This paper highlighted the benefits of the decentralized identity movement as a distinctly new approach from traditional and federated Identity Access Management (IAM) models. Specifically, it referred to a trust model “that can remove the need for traditional credential service providers and enable direct user to relying party interactions with verified information”. Plain and simple: individuals can manage the acquisition, storage, sharing, and presentment of their digital credentials without reliance on a 3rd party middleman.
Then Gartner’s Hype Cycle for Identity and Access Management Technologies, 2019 highlighted how the next wave of IAM solution domains are reshaping and expanding the traditional scope of Enterprise IAM (EIAM). They specifically, called out:
- Decentralized Identity, including Zero-knowledge proofs and Blockchain for IAM
- Bring your own identity (BYOI)
- Customer IAM (CIAM)
- Identity and access management as a service (IDaaS)
The US Department of Defense demonstrated concurrence with Gartner as these IAM solution domains have recently been cited as general requirements in a Defense Information Systems Agency (DISA) Request for White Paper (DISA-OTA-20-R-ICAM) that is focused on Identity, Credentials, and Access Management (ICAM).
Meanwhile, traditional IAM experts and vendors are still debating if/when/why we will see Enterprise (EIAM), Customer (CIAM) and Device (DIAM) solutions merge. We believe they are failing to see a digital identity revolution emerging right under their noses much the same way many established local area networking (LAN) vendors failed to see the Internet taking off—and their market completely transformed in a few short years.
We have also seen the early tricklings of marketeers latching onto the hype and often derailing the message—which in fact is usually a sure signal that mindshare and awareness around an emerging technology is growing. The most notable recent example is the attempt of marketeers to rebrand a federated identity scheme, the Global Association for Digital Identity (GADI), as a decentralized identity model for trust. The supporters of this scheme have not participated in any of the open standards or open source community development of decentralized identity technology, and what’s worse they are promoting the notion of a single identifier (DID address) as a universal form of identity that is only issued by GADI providers. This is drastically different from our views on a reputation economy based on the exchange of trusted digital credentials.
The combination of these data points coupled with increased client interest and progress in the open standards and open source arenas has set the stage for this article. Today, IBM reaffirms its point-of-view and commitment to the decentralized identity initiative we call IdentityNEXT.
Vision Driven Point-of-View
Our Enterprise Customers need a way to provide a privacy aware experience to their users through a trusted information exchange so that they can thrive in a digital economy. In many cases, the employees and clients of our customers are Identity Holders (Individuals) that need a simple way to share and prove their reputation so that they can enjoy a safe digital lifestyle which protects their identity, gives them control in a fast, efficient manner, and enables the trusted exchange of permissioned data.
For this vision to be achieved, our customers do not need to forfeit control of their systems of record (SOR) for clients or modify their existing client onboarding processes. Instead, they need a new set of IdentityNEXT tools and infrastructure that will allow them to participate in existing and emerging identity interactions. This allows our customers to maintain trusted relationships with their clients without the risk of regulatory compliance and other privacy and financial risks associated with the exchange and protection of personal data. We also realize that a holder’s digital identity journey does not begin until the issuers and verifiers have enabled a new marketplace built for trusted, permissioned commerce. To this end, our IdentityNEXT portfolio must help issuers and verifiers down two pathways:
- Embracing the integration of decentralized credentials with traditional IAM solutions while exploring new business opportunities and business policies that can leverage inter-organization digital credentials
- Managing the lifecycles of digital credentials within their enterprise and their business ecosystems
As we work with the decentralized identity community to mature standards, open source code and governance frameworks, our strategy will be guided by three (3) key factors that shape our point of view.
1. Open by Design
In the spirit of Open by Design, IBM’s participation in the decentralized identity movement has been and continues to be grounded in standard initiatives. The lessons from our research in mobile identity concepts reach as far back as 2012. Our innovation and patents in cryptography and peer-to-peer identity interaction protocols taught us the importance of cross industry standards and interoperability. While standards take time, we remain committed to the development of open source designs that strive to establish reference implementations and defacto standards through collaborative foundations that are managed by proven open governance models.