Blockchain: the trust fabric for next generation digital identity management

EY Global Blockchain Summit San Francisco, CA April 26, 2017

Transcript of Blockchain: the trust fabric for next generation digital identity management

Page 1: Blockchain: the trust fabric for next generation  digital identity management

EY Global Blockchain Summit

San Francisco, CA

April 26, 2017

Page 1 EY Global Blockchain Summit

Blockchain: The trust fabric for next-generation digital identity management


Identity and access management (IAM) overview

IAM client needs

Access administration:
► Cloud access governance
► Certification
► Automated provisioning
► Access request
► Role and rule management
► Password self-service
► Entitlement data
► Segregation of duties (SOD)
► Manual access administration

Identity data services:
► Centralized user profile repository
► Elevated user repository
► Enterprise identity directory
► Utility directory service
► Identity data synchronization
► Access data warehouse
► Identity analytics and intelligence
► Customer identity registration and proofing
► Third-party access

Access enforcement:
► Central authentication and single sign-on (enterprise/web)
► Privileged access management (PAM)
► Remote access
► Federation (cloud authentication)
► Device authentication
► Mobile authentication
► Database, network and operating system management
► Strong authentication and public key infrastructure (PKI)
► Location-aware authentication (risk-based access management)

Processes and populations feeding IAM:
► Human resources (HR) processes: hiring, onboarding, termination, mobility
► Nonemployee processes: contingent workers, business partners and vendors
► Other processes: Internet of Things, customer portals, mobile apps
► Identity populations: employees, customers, devices


IAM terminology

Term: Definition

Identity administration: Identity administration is the process of handling access requests and approvals to grant and remove users’ access to applications and other resources available in an enterprise environment (including cloud apps, Internet of Things).

Identity governance: Over time, users may accumulate entitlements that are no longer needed or appropriate for their job function. Identity governance is a process by which appropriate business stakeholders, such as users’ managers or application owners, can periodically review entitlements and identify those that should be removed.

Authentication (AuthN): Authentication is the process or action of verifying the identity of a user before granting access to an application or other resource within an enterprise environment. An analogy is the process of allowing a passenger onto a plane.

Authorization (AuthZ): AuthZ is the process of granting a user permission to do or have something (e.g., entitlements to certain screens within an application) based on attributes (e.g., HR job title, location) or the role (e.g., job function, peer group) of a user. An analogy is telling the passenger in which seat (e.g., first class, business, economy plus or economy) on a plane to sit.

Application onboarding: This is the process of subscribing an application or other network resource onto one or more of the above services, whether through automated, semiautomated (e.g., robotics process automation) or manual (e.g., workflow systems) fulfillment methods.


What are some common IAM pain points we are hearing from our clients?

► Want a platform that can cater to Internet of Things, customers, third parties and the workforce
► Don’t want to manage and store customer identities anymore
► Would like third-party and business partner onboarding to be seamless
► PKI too costly to set up and manage
► Need an efficient way to provide identity proofing (customers and third parties)
► Would like to use social media (e.g., Facebook, Google+) as primary form of customer identity access management


What is a blockchain?

Shared ledger and immutable database for transferring data securely

► Ledger: A shared book or collection of entries in which transactions are recorded
► Database: A collection of information organized so it easily can be accessed, managed and updated, and practically impossible to change
► Data: Information that has been translated into a form more convenient to move or process (e.g., bits)
► Securely: Preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information


Where does blockchain fit?

► Physical: Fiber-optic cables, servers, hardware security modules, computers and other hardware
► Network: Communication between components at the physical level (to communicate, servers and computers must agree on a common protocol)
► Applications: End-user programs that rely on a database to store identity information or a directory to provide identity information
► Business processes: Activities that leverage multiple applications to accomplish a particular goal. EY is leveraging robotics to automate this layer.
► Blockchain: Shared ledger and immutable database for recording/transferring data securely


Example applications of blockchain today

► Bitcoin
► Know your customer (KYC)
► Insurance:
  ► Underwriting
  ► Processing claims
► Government:
  ► Public notary
  ► Electronic health records


How blockchain is transforming IAM: Evolution of enforcement models (AuthN)

Axes of the diagram: ownership and efficiency. Enforcement models in order of evolution:

1. Mainframe (direct AuthN)
2. Databases
3. Directory services
4. Single sign-on
5. Federation
6. Identity as a service (IDaaS)
7. Trust-based network (next 18–24 months)

The diagram labels the established models “What you know, what you have” and the trust-based network “What others know”.


How blockchain is transforming IAM: Evolution of enforcement models (AuthZ)

Axes of the diagram: ownership and efficiency. Enforcement models in order of evolution:

1. Mainframe
2. Databases
3. Directory services
4. Role based
5. Attribute based
6. Risk based
7. Trust-based network (next 18–24 months)


How blockchain identity works (in a nutshell)

Blockchain attributes: immutable, verifiable, auditable and resilient to attack

Today: Identities are centrally managed and administered (whether in the cloud or on the premises). A centralized provider needs to provide identity services.

2020 and beyond: Identity services are provided by peers in the network and the trust fabric (self-policing and enforcement). Each node within the blockchain has a copy of the identity ledger.


Business benefits of blockchain-based IAM

Top five business drivers: risk reduction, regulatory compliance, user experience, operational effectiveness and efficiency, cost containment

► Fewer passwords to remember
► Improved digital experience through unified identity experience and improved app store ratings
► Interoperability with Internet of Connected Things
► Improve service-level agreements related to user onboarding (days instead of months) for third-party access
► Utilize payment networks to establish identities
► Fault tolerance and elastic scaling because each node in the blockchain can consume the self-contained assertion
► Reduced time and effort to manage access rights by reducing the need for centrally managed identity governance and administration solutions
► Reduced need to maintain identities in a directory or identity data warehouse
► Improved AuthN and AuthZ mechanism (“what you have and are” + “what others know”)
► Trust score of identity ledger increases with quantity and quality (e.g., credit bureaus, trusted authorities) of peers on blockchain
► Improved auditability of identities due to distributed, open nature of identity ledgers


What blockchain is not

► Something that can be viable without a big enough ecosystem
► Mature enough to apply to every sector
► Something that will revolutionize business and redefine companies immediately
► Something that is plug and play:
  ► The application and blockchain layers need to be bridged
  ► Smart contract logic needs to be defined
► Nascent vendor ecosystem
► Nascent talent pool


How blockchain fits into the next-generation IAM reference architecture

[Diagram: next-generation IAM reference architecture. Components shown: identity analytics; operational reporting; identity governance and administration; enterprise applications; access management system (authentication); mainframe; Lightweight Directory Access Protocol; databases (Java Database Connectivity/Open Database Connectivity); flat file; attribute-based access control (fine-grained authorization); PAM; ticketing system; application; identity; entitlement; roles; risk; ownership; Internet of Things; digital applications.]

Page 15: Blockchain: the trust fabric for next generation  digital identity management

Page 14 EY Global Blockchain Summit

How blockchain fits into the next-generation IAM reference architecture

Identity analytics

Operational reporting

Identity governance

and administration

Enterprise

applications

Access management

system (authentication)

Mainframe

Lightweight

directory access

protocol

Databases (Java database

connectivity/open database

connectivity)Flat file

Attributes based access control

(fine-grained authorization)

PAM

Ticketing systemApplication

Identity

EntitlementRoles

Risk

Ownership

Internet of Things

Digital applications

Blockchain

network


Why now? The adoption of blockchain is growing

Est. US$16.9b in bitcoin in circulation today

Source: “CryptoCurrency Market Capitalizations,” www.coinmarketcap.com, CoinMarketCap


Cyber and blockchain service offerings

EY cyber service offering: Description

Strategy: Blockchain identity strategy and road map definition
► Third-party access
► Digital consumer identities:
  ► KYC strategy
► Bitcoin strategy
► Internet of Connected Things
► Technology selection:
  ► Private vs. public blockchains
► Proof of concepts

Implementation and transformation:
► Identity ledger and smart contract definition
► Third-party access and digital customer architecture build-out:
  ► Day one identity proofing
  ► Ongoing monitoring

Managed services:
► Operate blockchain as a service:
  ► Provide clients a private blockchain for running smart contracts
  ► Leverage Microsoft alliance to host on Azure


Contacts

David Chan, Senior Manager, Program Lead
Ernst & Young LLP
Mobile: +1 714 422 7092
[email protected]

Sam Tang, Executive Director, Program Sponsor
Ernst & Young LLP
Mobile: +1 917 582 4872
[email protected]


Appendix A: Case study


Blockchain-based authorization case study

► Auto finance customer registration
► Verify user via account, Social Security number or date of birth
► Bank linking is optional portion of registration flow
► Additional user information captured, such as mobile number and social media (e.g., Twitter, LinkedIn) handles
► Design a data exchange architecture for identity proofing


Trust-based authorization case study: Auto finance customer registration (day one)

Authorization transactions and events:
► Authorize new user (create guest profile within Virtual Directory Service at 80% trust)
► Allow customer access to sensitive transactions (e.g., fund transfers) at 90%

Identity-proofing ledgers, fed through the data exchange service and aggregated through the virtual directory on the blockchain network:
► Email address is verified: Ledger – 10% trust
► Social Security number verification: Ledger – 30% trust
► Date of birth verification (Equifax, Experian): Ledger – 10% trust
► Domestic phone and Short Message Service verification: Ledger – 10% trust
► Trusted bank account linking: Ledger – 10% trust
► Public identity data providers (Google, Facebook, Yahoo!): Ledger – 10% trust


Trust-based authorization case study: Auto finance customer (post day one)

Authorization transactions and events:
► Send to “at-risk list” for special processing when ledgers <60%
► Disable user (when ledgers drop below 30% trust)

Ongoing-monitoring ledgers, fed through the data exchange service and aggregated through the virtual directory on the blockchain network:
► Periodic verification of bank account linking: Ledger – 30% trust
► Ongoing monitoring of credit score (Equifax, Experian): Ledger – 50% trust
► Ongoing monitoring of identity data providers (Google, Facebook, Yahoo!): Ledger – 20% trust
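The aggregation and threshold logic of the day-one and post-day-one case study slides, written out as an added Python example (not EY's code or the case study's implementation). The ledger names are assumed; the weights and thresholds are the percentages the two slides show, and the post-day-one score is assumed to be built only from the three ongoing ledgers drawn on that slide.

```python
# Added illustration for the auto-finance case study; not EY's implementation.
# Ledger names are assumed; weights and thresholds are the slides' percentages.
DAY_ONE_LEDGERS = {
    "email_verified": 10,
    "ssn_verified": 30,
    "dob_verified": 10,           # Equifax, Experian
    "phone_sms_verified": 10,
    "bank_account_linked": 10,    # optional in the registration flow
    "public_idp_verified": 10,    # Google, Facebook, Yahoo!
}
POST_DAY_ONE_LEDGERS = {
    "bank_link_periodic": 30,
    "credit_score_monitoring": 50,  # Equifax, Experian
    "idp_monitoring": 20,           # Google, Facebook, Yahoo!
}
GUEST_PROFILE_TRUST = 80   # create guest profile in the virtual directory
SENSITIVE_TX_TRUST = 90    # e.g. fund transfers
AT_RISK_TRUST = 60         # below this: "at-risk list" for special processing
DISABLE_TRUST = 30         # below this: disable the user


def aggregate_trust(ledgers, verified):
    """Virtual-directory style aggregation: add the weight of each ledger whose
    check currently holds; ignore names the directory does not know (a peer
    cannot mint trust for an unrecognised ledger); cap the score at 100."""
    total = sum(weight for name, weight in ledgers.items() if verified.get(name))
    return min(100, total)


def day_one_decision(verified):
    """Day-one authorization events derived from the aggregated trust score."""
    trust = aggregate_trust(DAY_ONE_LEDGERS, verified)
    return {
        "trust": trust,
        "guest_profile": trust >= GUEST_PROFILE_TRUST,
        "sensitive_transactions": trust >= SENSITIVE_TX_TRUST,
    }


def post_day_one_decision(verified):
    """Ongoing-monitoring events. Assumes only the three ongoing ledgers drawn
    on the post-day-one slide feed the score (the deck does not say more)."""
    trust = aggregate_trust(POST_DAY_ONE_LEDGERS, verified)
    if trust < DISABLE_TRUST:
        action = "disable"
    elif trust < AT_RISK_TRUST:
        action = "at_risk_list"
    else:
        action = "normal"
    return {"trust": trust, "action": action}
```

Summing the six day-one ledgers as drawn gives exactly 80%, so with these weights a new customer clears the guest-profile bar but not the 90% bar for sensitive transactions on day one.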


Evolution of authorization models: Summary

Model: Characteristics

Centralized admin (mainframe, database, LDAP):
► Applications and menus are tied to data sets, tables, access control lists
► Prone to “proliferation”
► Administratively assigned

Logical groupings of access (roles and rules):
► Movement toward centralization of data
► Entitlements are represented as “groups” and “group memberships”
► Prone to proliferation of groups

Advanced and risk based:
► Movement toward dynamic assignment of access
► Extends the richness of rule sets by allowing the inclusion of “actual use and behavior” data
► Allows for run-time enforcement

Trust based:
► Decentralized ledgers that control the trust of any given block or transaction instead of applying ownership to the model
► Relies on peers within the blockchain network to proof identities and control access to resources
► A true immutable information repository and service


EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2017 EYGM Limited. All Rights Reserved.

EYG no. 04033-173GBL
1705-2288253
ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com