Marc Vanmaele, CEO of TrustBuilder considers whether blockchain will become an IAM game changer
From a niche cryptocurrency discussed only in the most technical and computing-focused circles, to an imagination-capturing marketplace featured in the mainstream press, bitcoin has undergone a transformative journey over the past decade. As part of this evolution, bitcoin’s public transaction ledger has gone mainstream too. We are talking, of course, about blockchain.
Across both the public and private sectors, multiple organisations believe that blockchain can add value to their operations. As reported in Forbes, ‘blockchain enables direct exchange of value between A and B without the need for the middlemen – be it a central authority, broker or notary’. It offers transparent visibility and an immutable, time-stamped record of contracts. Easy to see, then, how this efficiency, reliability and robustness can be a useful mechanism in various business applications.
The role of blockchain in IAM
Identity and access management (IAM) is one area in which various attempts have been made to harness blockchain technology. A blockchain-based identity management platform, for example, is using its mobile application to tackle identity theft and fraudulent activity on credit reports. Users select the information that they wish to share, submitting and verifying their personal details which are then locked and encrypted.
The city of Zug in Switzerland is creating digital identities that can used be government services. All applicants verify their information in person, which is then kept on the Ethereum blockchain and can then be used for proof-of-residency or e-voting. And meanwhile, a global photographic company has developed its own blockchain-based platform, an encrypted, digital ledger of image rights for photographers to license their work and collect instant payments for any online usage.
Multiple organisations, then, are developing blockchain-based identity management and authentication solutions for cross-industry applications.
Balancing privacy with security
There are, however, some challenges and restrictions in terms of blockchain’s role within IAM. Digital identity is, of course, closely linked with issues of privacy and data protection, particularly following the introduction of stricter data protection regulations such as GDPR. Yet privacy is in some ways at odds with the notion of an immutable ledger distributed to a significant number of parties.
As such, for blockchain to be of genuine value in the IAM space, a consensus has built that identities and private information should not be stored on public blockchain networks. Rather, only individuals’ unique cryptographic identifiers should be stored and referenced.
The security of the blockchain network is another challenging obstacle. Distributed security is generally far more difficult to achieve than centralised security, simply because of the broader attack surface. As such, cryptographic key security is a foundational element of the blockchain concept. This means that protecting the keys which allow access to the ledger and blockchain applications is paramount for blockchain solutions as a whole to be secure. Protection means not only securing keys as robustly as possible, but also the recovery of lost private keys without introducing an escrow agent. Such a third party would void the disintermediation concept of the blockchain.
All of these security concerns, then, need to be solved before concepts such as Self Sovereign Identity using blockchain can become genuinely mainstream.
Being selective: choosing the best applications for blockchain
Additionally, IAM encompasses a number of different functions. Whilst each couldpotentiallybenefit from blockchain, it is important to understand which are most primed and ready.
On the access control aspects, whilst distributed ledgers such as blockchain are good at storing and archiving information in an immutable manner, they are not fit for managing real-time access authorisation and real-time contextual enforcement.
On the other hand, solving the digital identity verification issue – in other words, performing authentication – is a potentially interesting field of application. Most of the current enterprise solutions for managing identities – whether those of employees, customers or suppliers – rely on some form of centralised identity store. Yet although these are centralised, most organisations still run multiple versions of those stores, each dedicated to their own function or community. Centralised stores are expensive to administer because they are under the ownership of a single corporate entity which bears all the costs – hardware, softwareanduser administration. The latter, being human labour, can rapidly rack up in expense. Automating the synchronisation of centralised identity data within and outside the corporation has proven inefficient from a cost perspective and unpractical with regards to identities outside of the corporation, whether consumers or employees of other organisations.
Blockchain technology, because it is based on the opposite concept to centralised stores – a distributed ledger – can therefore introduce significant value. Spare the costs of managing ‘external’ identities and use the identity data directly from the ‘source’, and not a local expensive replica under your own control.
Looking forward: hybrid blockchain
Predicting the future of technology is, of course, a precarious game. But it does seem likely that from 2019 onwards, we will see more projects that use blockchain being implemented in the enterprise context, but with some level of controls for the participants of the blockchain network.
This is what is called a hybrid blockchain, as opposed to public blockchain (that is, the ledger behind cryptocurrency transactions) or pure private blockchain, which is typically well addressed by existing identity federation concepts. These concepts were introduced in the early 2000s to overcome the problem of a single party administering identities of multiple parties, and essentially allow the same identification data to be used to gain access to many different systems or networks. The model relies on a restricted set of trusted parties, whereas blockchain opens up the number of parties to potentially huge numbers.
Hybrid blockchain is much better suited to commercial or highly regulated enterprises and governments as it enables them to maintain flexibility and control over which data is kept private versus shared on a public ledger. It also enables the guarantee of a suitable transaction time, as well as security and auditability features that are not possible on public blockchains.
As with so many emerging technologies before it, blockchain is still being discussed in breathless tones as the next big thing in enterprise technology, something which could shake up and transform everything that has gone before. In terms of identity and access management, it certainly has great potential, but it is important to contextualise that potential in terms of specific aspects of IAM, and a specific (hybrid) form of blockchain.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.