As more and more of our lives are spent online and the physical world grows ever more digital, the very notion of identity is changing dramatically. Authentication of who we are and how we are represented online has become paramount to both individuals and organizations. People want power over their identities and control over how and with whom their information is shared. Organizations face heightened security threats, alongside demands to compete in the digital economy, optimize workflows and improve customer and employee experiences. Constant retooling and uncertainty around identity only slows broader strategic innovations.
Identity and access management (IAM) has become a core building block for managing and authenticating digital identities. However, organizations face challenges with the design and security of IAM processes, prompting them to consider new technologies. Distributed ledger technologies (DLT), frequently referred to as blockchain, are different from existing IAM architectures as they are inherently decentralized. DLT enables shared recordkeeping, where transactions, authentications and interactions are recorded across and verified by a network rather than a single central authority.
With the surge in cybercrimes, threats, fraud and asset breaches, organizations play a crucial role in safeguarding sensitive data, securing IT and operational technology (OT) infrastructure, and protecting people's identities. Many enterprise IAM leaders and IT professionals are questioning the relevant benefits and risks of DLT and consensus technologies:
- Can identity and access controls be securely managed on DLT?
- How does distributing consensus or user verification increase security?
- How are relationships verified across multiple parties?
- How do existing identity standards coexist with blockchain and industry regulations?
- How much complexity are we introducing, particularly across mobile devices and IoT environments?
- How do we encode trust without compromising privacy?
14 applications and implications to consider
The issues of using DLT in IAM processes span technical, legal, business and cultural implications. These implications should underlie the decision-making process for any architectural investments supporting IAM.
Consider the following 14 implications when evaluating where and how DLT can improve an organization's IAM infrastructure and end-user experience.
1. Centralized vs. decentralized
Companies are accustomed to central and proprietary data storage infrastructure, effectively creating a honeypot for theft, breach, hacking, fraud and loss. This model exacerbates the power imbalance between identity credential holders and those seeking to use them, including the end user. Distributing identity verification and governance promises several efficiencies and individual and institutional benefits, but runs counter to the status quo for centralization.
2. Public vs. private
Permissioned blockchain architectures are a key consideration, as few enterprise use cases can be fully public. Instead, the use cases require confidentiality and permissions for reading and writing to a managed blockchain with known participants. This distinction has several other implications for security, computation and scalability.
3. Access levels and verification
Levels of access, privilege and restrictions change, as do identifiable attributes. DLT must be able to handle the frequency and complexity of verifications accurately, with minimal latency, across various connectivity and IoT environments.
4. Consensus and computing cost
Consensus algorithms used for verification and distributed access affect the speed and computing power required to deliver service-level agreements in a scalable and sustainable way. These constraints drive R&D in blockchain for IAM and are integral to the scope of implementation.
5. Portability
Digital identity capabilities need to be portable. Blockchain designs can ensure personal information, verifiability and the proper controls follow users when they transition from one organization to another. These designs can be adapted to facilitate this process in a timely manner.
6. Privacy
Organizations amassing huge amounts of personally identifiable information (PII) face new and evolving risks, regulations, privacy-focused competition and growing consumer distrust. Use cases enabled by DLT -- such as self-sovereign identity and data minimization through techniques like zero-knowledge proofs -- offer stronger privacy protections. Rather than having PII replicated and stored across hundreds of organizations, the information and the controls over sharing it could remain with the end user.
7. Standards
Many identity and authentication standards exist, covering roles, attributes, keys and entitlements. These must be reconciled with blockchain standards that are often still nonexistent, including standards for interoperability across chains.
8. Interoperability
Shifting from a centralized to a distributed paradigm requires interconnectivity and coordination of data, APIs, systems and governance mechanisms. This occurs not only within large organizations with increasingly diverse IT and OT assets and environments, but across other organizations and ecosystem partners.
9. Regulatory compliance
Regulations surround individuals' data, from the patchwork of international, federal and state data protection laws to specific areas such as biometrics. These are all relevant to IAM and blockchain architectural decisions. For example, GDPR's right to be forgotten enables citizens to have their personal information erased -- a concept at odds with immutably registering PII on a ledger.
10. Immutability
Immutability -- the inability to delete records on a ledger -- is beneficial to security, but it can affect the privacy of PII. Determining what information stays on-chain vs. off-chain is important for other criteria on this list. On-chain immutability must balance requirements and safeguards across parties.
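The privacy, regulatory and immutability points above share one design pattern: keep PII and its salts off-chain with the end user, anchor only a hash commitment on the ledger, let the holder disclose a subset of attributes on demand, and satisfy an erasure request by destroying the off-chain material so the on-chain commitment can no longer be linked to anything (crypto-shredding). The following is an added illustration written for this page, not code from the article; the in-memory `LEDGER`, the `did:example:alice` identifier and the attribute values are constructed, and the salted-hash scheme stands in for the zero-knowledge proofs the text mentions.

```python
"""Data minimization with salted hash commitments (added example, not from the article).
PII and salts stay off-chain with the holder; the ledger stores one commitment root."""
import hashlib
import secrets
from typing import Dict, List

# Constructed stand-in for a permissioned ledger: subject id -> commitment root.
LEDGER: Dict[str, bytes] = {}


def leaf_hash(name: str, value: str, salt: bytes) -> bytes:
    """Per-attribute commitment. The random salt stops anyone who reads the chain or a
    presentation from brute-forcing low-entropy values such as a birth year."""
    return hashlib.sha256(salt + name.encode() + b"\x00" + value.encode()).digest()


def root_hash(leaves: List[bytes]) -> bytes:
    """Commitment over all attribute leaves; sorted so the root is order-independent."""
    h = hashlib.sha256()
    for leaf in sorted(leaves):
        h.update(leaf)
    return h.digest()


class Holder:
    """The end user: keeps attributes and salts locally, anchors only the root on-chain."""

    def __init__(self, attributes: Dict[str, str]) -> None:
        self.attributes = dict(attributes)
        self.salts = {name: secrets.token_bytes(16) for name in attributes}

    def anchor(self, subject_id: str) -> bytes:
        root = root_hash([leaf_hash(n, v, self.salts[n]) for n, v in self.attributes.items()])
        LEDGER[subject_id] = root  # the only thing that ever touches the ledger
        return root

    def disclose(self, names: List[str]) -> dict:
        """Reveal only the requested attributes; the rest travel as opaque leaf hashes."""
        disclosed = {n: (self.attributes[n], self.salts[n].hex()) for n in names}
        hidden = [leaf_hash(n, v, self.salts[n]).hex()
                  for n, v in self.attributes.items() if n not in names]
        return {"disclosed": disclosed, "hidden_leaves": hidden}

    def erase(self) -> None:
        """Right to be forgotten: destroy off-chain PII and salts. The immutable root
        stays on-chain but is now unlinkable to any attribute (crypto-shredding)."""
        self.attributes.clear()
        self.salts.clear()


def verify(subject_id: str, presentation: dict) -> bool:
    """Verifier recomputes the disclosed leaves and checks the root against the ledger."""
    root = LEDGER.get(subject_id)
    if root is None:
        return False
    leaves = [leaf_hash(n, v, bytes.fromhex(s))
              for n, (v, s) in presentation["disclosed"].items()]
    leaves += [bytes.fromhex(h) for h in presentation["hidden_leaves"]]
    return root_hash(leaves) == root


def demo() -> dict:
    # Constructed sample subject; values are not real data.
    holder = Holder({"name": "Alice Example", "birth_year": "1990", "employer": "Acme"})
    holder.anchor("did:example:alice")
    pres = holder.disclose(["employer"])            # employer only; name and year stay hidden
    ok = verify("did:example:alice", pres)
    # A tampered disclosed value must fail, because the salt commits to the original.
    forged = {"disclosed": {"employer": ("Globex", pres["disclosed"]["employer"][1])},
              "hidden_leaves": pres["hidden_leaves"]}
    bad = verify("did:example:alice", forged)
    holder.erase()
    return {"valid": ok, "forged": bad,
            "shows_birth_year": "birth_year" in pres["disclosed"],
            "pii_left": len(holder.attributes)}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind: the hidden leaf hashes are stable, so the same holder presenting to two verifiers is linkable across them unless the commitments are re-salted per presentation or replaced by a true zero-knowledge proof, and a verifier that has already received a presentation keeps that data regardless of a later erasure, so the off-chain retention rules still apply to every relying party.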
11. Key lifecycle management
Ensuring an individual has the right cryptographic keys for any task at any particular time requires the ability to renew, revoke and update access. This is a unique IAM requirement that DLT must account for through design.
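One way to meet the renew/revoke/update requirement on a ledger is to record key lifecycle events in an append-only log and answer every verification with "was this key valid at the height where the signed transaction was recorded?". The block below is an added example, not the article's or any project's code; `KeyRegistry` and its event log are constructed, and HMAC is used only as a stand-in for the asymmetric signatures a real registry would verify against registered public keys.

```python
"""Key lifecycle on an append-only log (added example, not from the article).
HMAC stands in for asymmetric signatures; a real registry would store public keys."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class KeyEvent:
    height: int        # ledger height at which the event was recorded
    action: str        # "add" or "revoke"
    key_id: str
    key: bytes = b""   # demo stand-in for a public key; only present on "add"


class KeyRegistry:
    """Append-only lifecycle log. Rotation is an add of the new key followed by a
    revoke of the old one, so the log answers 'which keys were valid at height h'."""

    def __init__(self) -> None:
        self.events: List[KeyEvent] = []

    def height(self) -> int:
        return len(self.events)

    def _append(self, action: str, key_id: str, key: bytes = b"") -> int:
        ev = KeyEvent(self.height() + 1, action, key_id, key)
        self.events.append(ev)
        return ev.height

    def add(self, key_id: str, key: bytes) -> int:
        if self.key_at(key_id, self.height()) is not None:
            raise ValueError(f"{key_id} is already active")
        return self._append("add", key_id, key)

    def revoke(self, key_id: str) -> int:
        if self.key_at(key_id, self.height()) is None:
            raise ValueError(f"{key_id} is not active")
        return self._append("revoke", key_id)

    def rotate(self, old_id: str, new_id: str, new_key: bytes) -> Tuple[int, int]:
        """Renew: bring the new key in before the old one goes out, so there is no gap."""
        return self.add(new_id, new_key), self.revoke(old_id)

    def key_at(self, key_id: str, height: int) -> Optional[bytes]:
        """Replay the log up to `height`; the key is valid only if its last event at
        or before that height is an 'add'. Events after `height` are ignored."""
        key = None
        for ev in self.events:
            if ev.height > height:
                break
            if ev.key_id == key_id:
                key = ev.key if ev.action == "add" else None
        return key


def _mac(key: bytes, height: int, message: bytes) -> str:
    # Height is bound into the MAC so a signature cannot be moved to another height.
    return hmac.new(key, height.to_bytes(8, "big") + message, hashlib.sha256).hexdigest()


def sign(registry: KeyRegistry, key_id: str, message: bytes) -> Tuple[str, str]:
    """Sign at the current height; a revoked or unknown key is refused outright."""
    key = registry.key_at(key_id, registry.height())
    if key is None:
        raise PermissionError(f"{key_id} is not valid at height {registry.height()}")
    return key_id, _mac(key, registry.height(), message)


def verify(registry: KeyRegistry, message: bytes, key_id: str, mac: str, recorded_at: int) -> bool:
    """`recorded_at` must come from the ledger entry itself, never from the signer,
    otherwise a revoked key could back-date its signatures."""
    key = registry.key_at(key_id, recorded_at)
    if key is None:
        return False
    return hmac.compare_digest(_mac(key, recorded_at, message), mac)


def demo() -> dict:
    reg = KeyRegistry()
    reg.add("k1", b"constructed-secret-1")                 # height 1
    msg = b"grant:read:ledger"
    kid_a, mac_a = sign(reg, "k1", msg)                    # recorded at height 1
    reg.rotate("k1", "k2", b"constructed-secret-2")        # k2 added at 2, k1 revoked at 3
    try:
        sign(reg, "k1", msg)
        revoked_can_sign = True
    except PermissionError:
        revoked_can_sign = False
    kid_b, mac_b = sign(reg, "k2", msg)                    # recorded at height 3
    return {
        "old_sig_still_valid_at_its_height": verify(reg, msg, kid_a, mac_a, 1),
        "old_key_replayed_after_revoke": verify(reg, msg, kid_a, mac_a, 3),
        "revoked_key_can_sign": revoked_can_sign,
        "new_key_valid": verify(reg, msg, kid_b, mac_b, 3),
        "new_key_backdated": verify(reg, msg, kid_b, mac_b, 1),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that validity is a function of history rather than of current state: a signature made before a revocation stays verifiable, a signature made after it is rejected, and the same key cannot be re-added while it is active. In a deployment the height binding would be the ledger position of the transaction that carries the signature, and the `key` field would hold a public key or a DID document reference rather than a shared secret.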
12. User experience
Distributed or centralized, IAM UX is the interface of digital identity, personal identification and control mechanisms for individuals' data. While successful IAM architectures obscure complexity from the end user, designers of IAM UX cannot overlook the importance of the interface for education, consent, ease and accessibility.
13. Emerging data sets
As data sets are generated and used at greater scale -- for example, biometrics, emotion and genomics -- IAM leaders must consider the current and long-term risks and compliance questions. They should focus on data minimization and privacy engineering techniques.
14. Emerging technologies
New capabilities, designs and best practices are continuously shifting the IAM landscape -- not to mention breakthrough developments in blockchain, cryptography, AI, cybersecurity, cloud computing, quantum computing and critical concepts like digital wallets. These must all be considered both at design time and after implementation.
IAM plus DLT
As with any emerging technology, organizations should start by defining the problem. However, IAM-DLT decisions are not just another IT due diligence exercise. As questions of surveillance capitalism, power dynamics, geopolitical threats, sustainable business models and human rights underpin models for digital identity, the IAM-DLT opportunity carries implications for individuals, institutions and economics.