By Jim Hietala and Ian Dobson, The Open Group
- Video #1 explained the “Identity First Principles” – about people (or any entity) having a core identity and how we all operate with a number of personas.
- Video #2 “Operating with Personas” explained how we use a digital core identifier to create digital personas –as many as we like – to mirror the way we use personas in our daily lives.
- Video #3 described how “Trust and Privacy” interact to provide a trusted privacy-enhanced identity ecosystem.
- Video #4 “Entities and Entitlement” explained why identity is not just about people – we must include all entities that we want to identify in our digital world, and how “entitlement” rules control access to resources.
In this fifth video – Building a Global Identity Ecosystem – we highlight what we need to change and develop to build a viable identity ecosystem.
The Internet is global, so any identity ecosystem similarly must be capable of being adopted and implemented globally.
This means that establishing a trust ecosystem is essential to widespread adoption of an identity ecosystem. To achieve this, an identity ecosystem must demonstrate its architecture is sufficiently robust to scale to handle the many billions of entities that people all over the world will want, not only to be able to assert their identities and attributes, but also to handle the identities they will also want for all their other types of entities.
It also means that we need to develop an open implementation reference model, so that anyone in the world can develop and implement interoperable identity ecosystem identifiers, personas, and supporting services.
In addition, the trust ecosystem for asserting identities and attributes must be robust, to allow entities to make assertions that relying parties can be confident to consume and therefore use to make risk-based decisions. Agile roots of trust are vital if the identity ecosystem is to have the necessary levels of trust in entities, personas and attributes.
Key to the trust in this whole identity ecosystem is being able to immutably (enduringly and changelessly) link an entity to a digital Core Identifier, so that we can place full trust in knowing that only the person (or other type of entity) holding that Core Identifier can be the person (or other type of entity) it was created from, and no-one or thing can impersonate it. This immutable binding must be created in a form that guarantees the binding and include the interfaces necessary to connect with the digital world. It should also be easy and cost-effective for all to use.
Of course, the cryptography and standards that this identity ecosystem depends on must be fully open, peer-reviewed and accepted, and freely available, so that all governments and interested parties can assure themselves, just as they can with AES encryption today, that it’s truly open and there are no barriers to implementation. The technologies needed around cryptography, one-way trusts, and zero-knowledge proofs, all exist today, and some of these are already implemented. They need to be gathered into a standard that will support the required model.
Adoption of an identity ecosystem requires a major mindset change in the thinking of relying parties – to receive, accept and use trusted identities and attributes from the identity ecosystem, rather than creating, collecting and verifying all this information for themselves. Being able to consume trusted identities and attributes will bring significant added value to relying parties, because the information will be up-to-date and from authoritative sources, all at significantly lower cost.
Now that you have followed these five Identity Key Concepts videos, we encourage you to use our Identity, Entitlement and Access (IdEA) commandments as the test to evaluate the effectiveness of all identity solutions – existing and proposed. The Open Group is also hosting an hour-long webinar that will preview all five videos and host an expert Q&A shortly afterward on Thursday, August 16.
Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.
Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world. In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future.