Presented by ThoughtWorks
In the digital world, identity is key to everything we do. Want to pick up from where you left off in your latest streaming TV series? Desperate to know when your impulse-bought top-of-the-range flight simulator rig is turning up? Whatever we do in the digital world, being able to prove who we are and what permissions we have to access information is critical.
The same is true in digital business.
Digital identity is the gateway for accessing the systems that your employees, your partners, and your customers rely on. But establishing who has what access rights is getting harder — at least if you’re stuck to using antiquated ideas about identity management.
Today’s any given business process might depend on a handful of interconnected systems, each of which may be running in different clouds. At every step across that process, your business reputation depends on ensuring that only those people with sufficient privileges are able to access specific information.
As Forrester Research notes: “Today’s digital identity frameworks are centralized, suffer from a lack of trust, aren’t portable, and don’t give consumers control.”
A new approach is needed. One of the most promising is around decentralized identity, where system entities — people, organizations, and things — gain control over their identities and allow trusted interactions.
The power of this approach is that it enables people to share different parts of their identity with different services as they see fit. When dealing with your health insurer there’s a level of detail that you might exchange that would be completely inappropriate for your mortgage provider to know. The promise of a centralized identity system is that you can have a single system that enables you to authenticate yourself with multiple entities.
It’s not just individuals that could gain from a decentralized approach to identity and authentication.
Today’s businesses are already dealing with incredible complexity when it comes to managing customer data. Customers might have a number of different ‘identities’ they adopt when dealing with a company. For instance, a single individual might be a long-standing, high-value client for your company, while also acting as treasurer to the local football team that also has an account for you. If you have decentralized identity as a deliberate architectural construct, it puts power back in the hands of the customer but in a way that makes it easy for organizations to provide services to the different identities that a customer chooses to adopt.
Building decentralized identity on solid foundations
Decentralized identity systems are fundamentally different from current approaches.
Today, most of the enterprise-level thinking around next-generation authentication is focused on initiatives such as SPIFFE, the Secure Production Identity Framework For Everyone, says Elliman.
SPIFEE aims to solve the problem of authentication across distributed cloud systems, without having to rely on APIs keys or passwords.
But these approaches put the onus on the enterprise to manage authentication. A true decentralized identity system puts the individual in control. And there is growing support for this type of user empowerment from regulators.
If you look at the General Data Protection Regulations from the EU or the California Consumer Privacy Act, they’re addressing questions of identity with a sharp focus on giving power back to the individual.
Notions such as the right to be forgotten or the principle that individuals can demand to know what data companies are holding about them are a real challenge for businesses today.
A decentralized identity system solves that by only sharing that data the individual wants to share; and if they change their minds about sharing it or decide an organization no longer needs it, they have the control to revoke access.
One core enabler for building a decentralized identity system is standards. Bodies such as the Decentralized Identity Foundation are leading the way here. Its mission is to develop the components of an open, standards-based, decentralized identity ecosystem for people, organizations, apps, and devices. Much of its focus is on the notion of open decentralized identifiers — something that is utterly unique, persistent, and can be managed by individuals.
Enter the blockchain
It’s at this point that many advocates for decentralized identity start to talk about blockchains. After all, we’re looking at verifiable credentials, decentralization, and cryptographically secured exchanges. That’s bread and butter stuff for blockchain.
While the COVID pandemic has hit IT investments across the globe, sectors such as banking, government, and healthcare are expected to continue to prioritize investments in blockchain-based identity management solutions, according to analyst group IDC. It estimates that identity management accounts for more than 7% of all blockchain spending. Clearly, there are enough businesses persuaded of blockchain’s viability to put some serious cash behind it.
Elsewhere, COVID has been the catalyst for early implementations of blockchain-based decentralized identity management systems. For instance, South Korea’s Jeju Island has begun rolling out a blockchain-based contact tracing system for tourists. Visitors will be required to download a mobile app upon arrival and issued a blockchain-based “credential” to identify themselves when visiting tourist destinations.
Currently, such blockchain-based approaches to decentralized identity are interesting proofs of concept but there’s still a long way to go before blockchain becomes a mainstream business technology.
As of today, blockchain isn’t really built for the speed and scale you’d normally associate with enterprise tech. But that’s not to say business leaders should be ignoring this stuff. There’s a real sense that consumer pressure is going to be a serious driving force around self-sovereign identity — where individuals demand that they control how their personal information is shared.
Today’s business leaders probably have enough headaches already when it comes to thinking about identity, so you could forgive them for not wanting to think about some massive change in direction. But as we know, it’s the businesses that aren’t focused on developing technology that get left floundering when all of a sudden, the world around them changes.
So you might not start deploying a decentralized identity management system today, but it won’t do any harm to start planning.
Dave Elliman is Global Head of Technology at ThoughtWorks. David Colls is Director of the Data and AI Practice and Danilo Sato is Principal Technology Consultant at ThoughtWorks.
Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact [email protected]