Self-Sovereign Identity Technology meets Identity & Access Management
Sebastian Weidenbach from esatus AG explores whether Self-Sovereign Identity can deliver what it promises for identity & access.
In a world of increasing regulatory requirements, it sounds too good to be true when a new technology promises to bring innovative functionality together with more out-of-the box compliance for security and privacy. Can Self-Sovereign Identity deliver what it promises for identity & access?
dotmagazine: Can you explain the concept or guiding principles of the self-sovereign identity?
SEBASTIAN WEIDENBACH: The term Self-Sovereign Identity (SSI) refers to a special form of User-Centric Identity that enables the identity itself (human or non-human) to be in full control of the identity and its associated data. This requires a decentralized identity ecosystem without administrative authorities.
In the world of SSI, identity-related data gets stored in a digital wallet that could be stored on a smartphone. Everyone in an SSI ecosystem can issue, receive, and validate credentials that contain individual claims. Serious SSI platforms are able to make this possible without storing any personal data outside of the personal wallet. Currently this is primarily done by using Distributed Ledger Technology (DLT), utilizing strong cryptography for building a global blockchain-like consensus network that provides trust for all participants.
A concrete use case is the issuing of a driver’s license. The appropriate agency (the issuer) certifies your permission to drive a car by issuing a credential with claims like the vehicle category that you (the owner) are allowed to operate. You store that credential in your digital wallet. Whenever someone (the verifier) asks for a specific claim, you can provide the necessary parts of your credential. The verifier can then use the SSI network to proof that your credential was issued by someone who is trustworthy (in the eyes of the verifier) and that it has not been revoked by the issuer in the meantime.
dot: Can you give some examples of different models for SSI?
WEIDENBACH: Existing SSI platforms differ in several ways:
Distributed Ledger Technology (the superordinate concept that includes blockchain technology) is the way to go, but it can be utilized for SSI in both a permissioned and a permissionless manner . Permissionless models allow anyone to participate in the consensus algorithm, but trust relies on the source code only. Permissioned models need a governance framework that takes care of participants that want to act in the network and regulates necessary rules.
Taking some exceptions out of the equation, it can be said that permissioned models are a lot more energy-efficient and faster because consent algorithms don’t need to rely on proof-of-work, and are easier to handle when it comes to maintenance activities like system updates.
Operating an SSI infrastructure means operating a technical platform, a decentralized network, a set of controls, and adequate processes. A good example for a holistic approach is the Sovrin Network . It facilitates not only the technology but a whole governance framework that addresses essential topics around diversity, rules, and regulations. Different productive SSI solutions with a missing governance framework show that user acceptance can be very difficult to get if you don’t have meaningful and comprehensive controls in place that take care of important legal and compliance-related questions.
3. Use of standards
Several SSI platforms are competing, and technology diversification is a nice-to-have. The use of open standards like the DID specification  or the Verifiable Credentials Data Model  of the W3C is a good idea to foster interoperability between decentralized identities and credentials. Blockchain standardization is also progressing in a formal way via ISO TC 307 .
Nevertheless, not every platform has integrated those standards yet.
dot: What are the pros and cons of SSI over other forms of identity management?
WEIDENBACH: Identity management aims to cover the whole lifecycle of an identity in a specific context. Giving the identity all necessary access in that context is linked to at least these critical considerations:
- The identity should have the least privileges that are needed to cover the expected activities of the individual.
- Joiner, mover, and leaver processes should be fulfilled as fast as possible.
- Toxic combinations of privileges need to be avoided.
- A full and up-to-date overview of the whole access inventory across all data silos is necessary to monitor and to intervene, if needed.
In regulated areas like the financial sector, compliance with these considerations is often being audited on a regular basis.
Therefore, we see large enterprise IAM systems in these businesses that have been built over many years and still demand continuous enhancements due to new applications, new interfaces, and new regulations. Some of the most expensive elements are approval workflows and access reviews that often struggle with the challenge to identify the responsible person who is authorized to approve whether access can be granted or if it needs to be revoked.
A widespread mechanism is role-based access control (RBAC). Identities get mapped to global business roles that lead to specific access entitlements in several target systems. These additional role objects help to build a more understandable meta-layer above technical entitlements, but need a lot of conceptional and maintenance work as well.
Self-Sovereign Identity technology allows that problem to be tackled from another direction. The identity comes with a set of credentials that represent real-world facts like licenses, passports, and other certificates. These credentials can easily be extended when an organization allows the certification of more organization-related facts that may also lead to access entitlements.
- Employee credential (with legal entity, business unit, and position)
- Project participation credential
- Responsibility credentials (project lead, supervisor, …)
- Credentials for special clearances (level of confidentiality, …)
These credentials can be issued and revoked by the ultimately responsible person for these facts, whereas application or information owners are able to specify which credentials qualify to get authentication and authorization privileges in their application.
This can be referred to as credential-based access control (CrBAC6), a special variation of attribute-based access control.
The goal is to derive every privilege from a fact to gain major IAM process simplification: Approvals can be skipped because the ultimately responsible person has already issued the credential, and access reviews are no longer needed because every access is based on facts that would be revoked if they no longer applied.
Furthermore, access is no longer context-specific and can be used beyond organizational and regional borders.
Together with all the power that the identity owners receive over their identity data, there come further responsibilities that require adequate awareness of the process and due diligence. One example is the need for regular wallet backups. Losing a device must be equated with losing the identity, and can lead to identity theft if no appropriate action is triggered.
dot: What impact does an SSI solution have on data security?
WEIDENBACH: SSI comes with both security and privacy by design across all three aspects of data security:
Confidential data remains with the owner and can be exclusively revealed whenever necessary. There is no central data storage which would be attractive for attackers and the likelihood of an attack is very low.
It is also possible to build zero-knowledge proofs that attest something without revealing the underlying data (i.e. proving to be over 18 without showing the date of birth).
The authenticity and integrity of the data can always be checked by verifying digital signatures against DLT functions, which should rely on strong cryptography.
DLT networks rely on decentralization and nodes are often spread around the globe. Even if single nodes are unresponsive, the network is still able to build consensus so that it is very unlikely to suffer major downtimes.
dot: What are common business-related use cases for SSI, and what are the challenges when implementing SSI in a company for identity and access management?
WEIDENBACH: Innovative SSI technology can help to replace common IAM systems and is utilized best when it acts as a golden source for business facts.
This way, IAM processes can be simplified and accelerated. Working across companies is made possible without relying on time-intensive onboarding processes.
Users can benefit from being in control over their own identity and by using it securely and privately for different purposes.
This can pose a challenge for companies with structures that have grown more organically, as they will have to rethink their existing processes to use SSI to their advantage. Those who are willing can strongly benefit from the game-changing technology, which represents a revolution of the digital identity, and may very well become indispensable in the near future.
1 Dr. André Kudra et al.: TeleTrusT-Positionspapier “Blockchain”: https://www.teletrust.de/fileadmin/docs/publikationen/broschueren/Blockchain/2017_TeleTrusT-Positionspapier_Blockchain__.pdf
2 Sovrin Foundation: https://sovrin.org
3 Drummond Reed et al.: Decentralized Identifiers (DIDs) v0.13: https://w3c-ccg.github.io/did-spec/
4 Manu Sporny et al.: Verifiable Credentials Data Model 1.0: https://www.w3.org/TR/vc-data-model/
5 ISO/TC 307: https://www.iso.org/committee/6266604.html
6 esatus SeLF: https://self-ssi.com/
Sebastian Weidenbach studied computer science at the Technische Hochschule Mittelhessen and strengthened his information security know-how with a CISSP certification. For over 10 years he has been working in large-scale IT projects with a focus on identity & access, mostly in the financial industry. Aside from his role as the Head of Technical Consulting & Solutions at esatus AG, he is working as a project manager for the SSI-based IAM solution SeLF.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.