This document summarizes an EY presentation on blockchain and identity and access management. It discusses how blockchain can transform IAM by facilitating a decentralized, trust-based model of identity verification and access management. Key benefits include improved user experience, regulatory compliance, risk reduction, and cost savings. The presentation provides examples of blockchain applications today and outlines how it could fit into the next generation of IAM architecture.
2. Page 1 EY Global Blockchain Summit
Blockchain
The trust fabric for next-generation digital identity management
3. Page 2 EY Global Blockchain Summit
Identity and access management (IAM) overview
IAM client needs
► Cloud access governance
► Certification
► Automated provisioning
► Access request
► Role and rule management
► Password self-service
► Entitlement data
► Segregation of duties (SOD)
► Manual access administration
► Centralized user profile repository
► Elevated user repository
► Enterprise identity directory
► Utility directory service
► Identity data synchronization
► Access data warehouse
► Identity analytics and intelligence
► Customer identity registration and proofing
► Third-party access
Identity sources feeding IAM (diagram): human resources (HR) processes (hiring, onboarding, termination, mobility); nonemployee processes; other processes (Internet of Things, customer portals, mobile apps). Populations covered: employees, contingent workers, business partners and vendors, customers, devices.
► Central authentication and single sign-on (enterprise/web)
► Privileged access management (PAM)
► Remote access
► Federation (cloud authentication)
► Device authentication
► Mobile authentication
► Database, network and operating system management
► Strong authentication and public key infrastructure (PKI)
► Location-aware authentication (risk-based access management)
Diagram layers: access enforcement, identity data services, access administration.
4. Page 3 EY Global Blockchain Summit
IAM terminology
Term – Definition
Identity administration – Identity administration is the process of handling access requests and approvals to grant and remove users’ access to applications and other resources available in an enterprise environment (including cloud apps and Internet of Things).
Identity governance – Over time, users may accumulate entitlements that are no longer needed or appropriate for their job function. Identity governance is a process by which appropriate business stakeholders, such as users’ managers or application owners, can periodically review entitlements and identify those that should be removed.
Authentication (AuthN) – Authentication is the process or action of verifying the identity of a user before granting access to an application or other resource within an enterprise environment. An analogy is the process of allowing a passenger onto a plane.
Authorization (AuthZ) – AuthZ is the process of granting a user permission to do or have something (e.g., entitlements to certain screens within an application) based on attributes (e.g., HR job title, location) or the role (e.g., job function, peer group) of a user. An analogy is telling the passenger in which seat (e.g., first class, business, economy plus or economy) on a plane to sit.
Application onboarding – This is the process of subscribing an application or other network resource onto one or more of the above services, whether through automated, semiautomated (e.g., robotic process automation) or manual (e.g., workflow systems) fulfillment methods.
5. Page 4 EY Global Blockchain Summit
What are some common IAM pain points we are hearing from our clients?
► Want a platform that can cater to Internet of Things, customers, third parties and the workforce
► Don’t want to manage and store customer identities anymore
► Would like third-party and business partner onboarding to be seamless
► PKI too costly to set up and manage
► Need an efficient way to provide identity proofing (customers and third parties)
► Would like to use social media (e.g., Facebook, Google+) as primary form of customer identity access management
6. Page 5 EY Global Blockchain Summit
What is a blockchain?
Shared ledger and immutable database for recording/transferring data securely
Shared ledger – A shared book or collection of entries in which transactions are recorded
Immutable database – A collection of information organized so it can easily be accessed, managed and updated, and practically impossible to change
Data – Information that has been translated into a form more convenient to move or process (e.g., bits)
Securely – Preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information
7. Page 6 EY Global Blockchain Summit
Where does blockchain fit?
Physical – Fiber-optic cables, servers, hardware security modules, computers and other hardware
Network – Communication between components at the physical level (to communicate, servers and computers must agree on a similar protocol)
Applications – End-user programs that rely on a database to store identity information or a directory to provide identity information
Business processes – Activities that leverage multiple applications to accomplish a particular goal. EY is leveraging robotics to automate this layer.
Blockchain – Shared ledger and immutable database for recording/transferring data securely
8. Page 7 EY Global Blockchain Summit
Example applications of blockchain today
► Bitcoin
► Know your customer (KYC)
► Insurance:
► Underwriting
► Processing claims
► Government:
► Public notary
► Electronic health records
9. Page 8 EY Global Blockchain Summit
How blockchain is transforming IAM
Evolution of enforcement models (AuthN), plotted by ownership against efficiency: mainframe (direct AuthN) → databases → directory services → single sign-on → federation → identity as a service (IdaaS) → trust-based network (next 18–24 months). The basis of trust moves from “What you know, what you have” to “What others know”.
10. Page 9 EY Global Blockchain Summit
How blockchain is transforming IAM
Evolution of enforcement models (AuthZ), plotted by ownership against efficiency: mainframe → databases → directory services → role based → attribute based → risk based → trust-based network (next 18–24 months).
11. Page 10 EY Global Blockchain Summit
How blockchain identity works (in a nutshell)
Blockchain attributes: immutable, verifiable, auditable and resilient to attack
Today – Identities are centrally managed and administered (whether in the cloud or on the premises). A centralized provider needs to provide identity services.
2020 and beyond – Identity services are provided by peers in the network and the trust fabric (self-policing and enforcement). Each node within the blockchain has a copy of the identity ledger.
12. Page 11 EY Global Blockchain Summit
Business benefits of blockchain-based IAM
Top five business drivers: risk reduction, regulatory compliance, user experience, operational effectiveness and efficiency, cost containment
► Fewer passwords to remember
► Improved digital experience through unified identity experience and improved app store ratings
► Interoperability with Internet of Connected Things
► Improve service-level agreements related to user onboarding (days instead of months) for third-party access
► Utilize payment networks to establish identities
► Fault tolerance and elastic scaling because each node in the blockchain can consume the self-contained assertion
► Reduced time and effort to manage access rights by reducing the need for centrally managed identity governance and administration solutions
► Reduced need to maintain identities in a directory or identity data warehouse
► Improved AuthN and AuthZ mechanism (“what you have and are” + “what others know”)
► Trust score of identity ledger increases with quantity and quality (e.g., credit bureaus, trusted authorities) of peers on blockchain
► Improved auditability of identities due to distributed, open nature of identity ledgers
13. Page 12 EY Global Blockchain Summit
What blockchain is not
► Something that can be viable without a big enough ecosystem
► Not yet mature enough to apply to every sector
► Something that will revolutionize business and redefine companies immediately
► Something that is plug and play
► Application and blockchain layers need to be bridged
► Smart contract logic needs to be defined
► Nascent vendor ecosystem
► Nascent talent pool
14. Page 13 EY Global Blockchain Summit
How blockchain fits into the next-generation IAM reference architecture
Reference architecture diagram (current state): identity analytics; operational reporting; identity governance and administration; enterprise applications; access management system (authentication); attributes-based access control (fine-grained authorization); PAM; ticketing system; data objects: application, identity, entitlement, roles, risk, ownership; integration targets: mainframe, Lightweight Directory Access Protocol, databases (Java Database Connectivity/Open Database Connectivity), flat file; Internet of Things; digital applications.
15. Page 14 EY Global Blockchain Summit
How blockchain fits into the next-generation IAM reference architecture
Reference architecture diagram (next generation): the same components as the current-state diagram (identity analytics; operational reporting; identity governance and administration; enterprise applications; access management system (authentication); attributes-based access control (fine-grained authorization); PAM; ticketing system; application, identity, entitlement, roles, risk, ownership; mainframe, Lightweight Directory Access Protocol, databases (Java Database Connectivity/Open Database Connectivity), flat file; Internet of Things; digital applications) with a blockchain network added.
16. Page 15 EY Global Blockchain Summit
Why now? The adoption of blockchain is growing
Est. US$16.9b in bitcoin in circulation today
Source: “CryptoCurrency Market Capitalizations,” www.coinmarketcap.com, CoinMarketCap
17. Page 16 EY Global Blockchain Summit
Cyber and blockchain service offerings
EY cyber service offering – Description
Strategy – Blockchain identity strategy and road map definition:
► Third-party access
► Digital consumer identities: KYC strategy, bitcoin strategy, Internet of Connected Things
► Technology selection: private vs. public blockchains, proof of concepts
Implementation and transformation:
► Identity ledger and smart contract definition
► Third-party access and digital customer architecture build-out: day one identity proofing, ongoing monitoring
Managed services:
► Operate blockchain as a service
► Provide clients a private blockchain for running smart contracts
► Leverage Microsoft alliance to host on Azure
18. Page 17 EY Global Blockchain Summit
Contacts
David Chan
Senior Manager, Program Lead
Ernst & Young LLP
Mobile: +1 714 422 7092
david.chan@ey.com
Sam Tang
Executive Director, Program Sponsor
Ernst & Young LLP
Mobile: +1 917 582 4872
sam.tang@ey.com
19. Page 18 EY Global Blockchain Summit
Appendix A
Case study
20. Page 19 EY Global Blockchain Summit
Blockchain-based authorization case study
► Auto finance customer registration
► Verify user via account, Social Security number or date of birth
► Bank linking is optional portion of registration flow
► Additional user information captured, such as mobile number and social media (e.g., Twitter, LinkedIn) handles
► Design a data exchange architecture for identity proofing
21. Page 20 EY Global Blockchain Summit
Trust-based authorization case study
Auto finance customer registration (day one)
Authorization transactions and events:
► Authorize new user (create guest profile within Virtual Directory Service at 80% trust)
► Allow customer access to sensitive transactions (e.g., fund transfers) at 90%
Identity proofing ledgers, written through the data exchange service to the blockchain network and aggregated through the virtual directory:
► Email address is verified – 10% trust
► Social Security number verification – 30% trust
► Date of birth verification (Equifax, Experian) – 10% trust
► Domestic phone and Short Message Service verification – 10% trust
► Trusted bank account linking – 10% trust
► Public identity data providers (Google, Facebook, Yahoo!) – 10% trust
22. Page 21 EY Global Blockchain Summit
Trust-based authorization case study
Auto finance customer (post day one)
Authorization transactions and events:
► Send to “at-risk list” for special processing when ledgers <60%
► Disable user (when ledgers drop below 30% trust)
Ongoing monitoring ledgers, written through the data exchange service to the blockchain network and aggregated through the virtual directory:
► Periodic verification of bank account linking – 30% trust
► Ongoing monitoring of credit score (Equifax, Experian) – 50% trust
► Ongoing monitoring of identity data providers (Google, Facebook, Yahoo!) – 20% trust
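The day-one and post-day-one slides above give ledger weights and decision thresholds but not the aggregation rule. The following is an added example, not code from the EY deck: it assumes the virtual directory sums the weights of ledgers whose verification succeeded (a failed or absent ledger contributes 0) and treats the slide percentages as thresholds; ledger names and the helper functions are constructed for illustration.

```python
# Added example (not from the EY deck): a minimal trust-score aggregator for the
# auto finance case study. Ledger weights and thresholds are the percentages on
# the slides; the summation rule and threshold semantics are assumptions.

# Day-one identity-proofing ledgers and their trust contribution (percent).
DAY_ONE_LEDGERS = {
    "email_verified": 10,
    "ssn_verification": 30,
    "dob_verification": 10,             # Equifax, Experian
    "phone_sms_verification": 10,
    "bank_account_linking": 10,         # optional in the registration flow
    "public_identity_providers": 10,    # Google, Facebook, Yahoo!
}

# Post-day-one monitoring ledgers and their trust contribution (percent).
POST_DAY_ONE_LEDGERS = {
    "bank_account_linking_periodic": 30,
    "credit_score_monitoring": 50,      # Equifax, Experian
    "identity_provider_monitoring": 20,
}


def aggregate_trust(weights, verified):
    """Virtual-directory aggregation (assumed rule): sum the weights of the
    ledgers whose latest verification succeeded; a failed or absent ledger
    contributes nothing. Unknown ledger names are rejected rather than
    silently ignored, so a misnamed feed cannot inflate or hide a score."""
    unknown = set(verified) - set(weights)
    if unknown:
        raise ValueError(f"unknown ledgers: {sorted(unknown)}")
    return sum(w for name, w in weights.items() if verified.get(name, False))


def day_one_decision(score):
    """Authorization events from the day-one slide, read as score thresholds."""
    actions = []
    if score >= 80:
        actions.append("create guest profile")
    if score >= 90:
        actions.append("allow sensitive transactions")
    return actions


def post_day_one_decision(score):
    """Post-day-one events: the stricter action wins when both apply."""
    if score < 30:
        return "disable user"
    if score < 60:
        return "at-risk list"
    return "no action"
```

With the weights on the slides, all six day-one ledgers (including the optional bank linking) must verify for the score to reach the 80% guest-profile threshold.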
23. Page 22 EY Global Blockchain Summit
Evolution of authorization models
Summary
Model – Characteristics
Centralized admin: mainframe, database, LDAP
► Applications and menus are tied to data sets, tables, access control lists
► Prone to “proliferation”
► Administratively assigned
Logical groupings of access – roles and rules
► Movement toward centralization of data
► Entitlements are represented as “groups” and “group memberships”
► Prone to proliferation of groups
Advanced and risk based
► Movement toward dynamic assignment of access
► Extends the richness of rule sets by allowing the inclusion of “actual use and behavior” data
► Allows for run-time enforcement
Trust based
► Decentralized ledgers that control the trust of any given block or transaction instead of applying ownership to the model
► Relies on peers within the blockchain network to proof identities and control access to resources
► A true immutable information repository and service