
Blockchain: the trust fabric for next generation digital identity management

As business models become more complex and mature, it is clear that we need to adopt an identity and access management (IAM) ecosystem to support business transformation.
Learn how blockchain can transform authentication and authorization models within IAM, and how to leverage blockchain to address current and emerging use cases.


  1. EY Global Blockchain Summit, San Francisco, CA, April 26, 2017
  2. Blockchain: the trust fabric for next-generation digital identity management
  3. Identity and access management (IAM) overview
     IAM client needs
     Access administration
     ► Cloud access governance
     ► Certification
     ► Automated provisioning
     ► Access request
     ► Role and rule management
     ► Password self-service
     ► Entitlement data
     ► Segregation of duties (SOD)
     ► Manual access administration
     Identity data services
     ► Centralized user profile repository
     ► Elevated user repository
     ► Enterprise identity directory
     ► Utility directory service
     ► Identity data synchronization
     ► Access data warehouse
     ► Identity analytics and intelligence
     ► Customer identity registration and proofing
     ► Third-party access
     Access enforcement
     ► Central authentication and single sign-on (enterprise/web)
     ► Privileged access management (PAM)
     ► Remote access
     ► Federation (cloud authentication)
     ► Device authentication
     ► Mobile authentication
     ► Database, network and operating system management
     ► Strong authentication and public key infrastructure (PKI)
     ► Location-aware authentication (risk-based access management)
     Feeding processes: human resources (HR) processes (hiring, onboarding, termination, mobility), nonemployee processes, other processes
     Populations and channels: employees, customers, devices, contingent workers, business partners and vendors, Internet of Things, customer portals, mobile apps
  4. IAM terminology
     Identity administration: the process of handling access requests and approvals to grant and remove users’ access to applications and other resources available in an enterprise environment (including cloud apps and the Internet of Things).
     Identity governance: over time, users may accumulate entitlements that are no longer needed or appropriate for their job function. Identity governance is a process by which appropriate business stakeholders, such as users’ managers or application owners, periodically review entitlements and identify those that should be removed.
     Authentication (AuthN): the process or action of verifying the identity of a user before granting access to an application or other resource within an enterprise environment. An analogy is the process of allowing a passenger onto a plane.
     Authorization (AuthZ): the process of granting a user permission to do or have something (e.g., entitlements to certain screens within an application) based on attributes (e.g., HR job title, location) or the role (e.g., job function, peer group) of a user. An analogy is telling the passenger in which seat (e.g., first class, business, economy plus or economy) on the plane to sit.
     Application onboarding: the process of subscribing an application or other network resource onto one or more of the above services, whether through automated, semiautomated (e.g., robotic process automation) or manual (e.g., workflow systems) fulfillment methods.
  5. What are some common IAM pain points we are hearing from our clients?
     ► Want a platform that can cater to the Internet of Things, customers, third parties and the workforce
     ► Don’t want to manage and store customer identities anymore
     ► Would like third-party and business partner onboarding to be seamless
     ► PKI is too costly to set up and manage
     ► Need an efficient way to provide identity proofing (customers and third parties)
     ► Would like to use social media (e.g., Facebook, Google+) as the primary form of customer identity access management
  6. What is a blockchain?
     A shared ledger and immutable database for recording and transferring data securely:
     ► Shared ledger: a shared book or collection of entries in which transactions are recorded
     ► Immutable database: a collection of information organized so it can easily be accessed, managed and updated, and practically impossible to change
     ► Data: information that has been translated into a form more convenient to move or process (e.g., bits)
     ► Securely: preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information
  7. Where does blockchain fit?
     ► Physical: fiber-optic cables, servers, hardware security modules, computers and other hardware
     ► Network: communication between components at the physical level (to communicate, servers and computers must agree on the same protocol)
     ► Applications: end-user programs that rely on a database to store identity information or a directory to provide identity information
     ► Business processes: activities that leverage multiple applications to accomplish a particular goal; EY is leveraging robotics to automate this layer
     ► Blockchain: shared ledger and immutable database for recording/transferring data securely
  8. Example applications of blockchain today
     ► Bitcoin
     ► Know your customer (KYC)
     ► Insurance: underwriting, processing claims
     ► Government: public notary, electronic health records
  9. How blockchain is transforming IAM: evolution of enforcement models (AuthN)
     [Chart plotting enforcement models by ownership versus efficiency] Mainframe (direct AuthN) → Databases → Directory services → Single sign-on → Federation → Identity as a service (IdaaS) → Trust-based network (next 18–24 months). The basis of trust moves from “what you know, what you have” to “what others know”.
  10. How blockchain is transforming IAM: evolution of enforcement models (AuthZ)
      [Chart plotting enforcement models by ownership versus efficiency] Mainframe → Databases → Directory services → Role based → Attribute based → Risk based → Trust-based network (next 18–24 months).
  11. How blockchain identity works (in a nutshell)
      Blockchain attributes: immutable, verifiable, auditable and resilient to attack
      ► Today: identities are centrally managed and administered (whether in the cloud or on premises); a centralized provider needs to provide identity services.
      ► 2020 and beyond: identity services are provided by peers in the network and the trust fabric (self-policing and enforcement); each node within the blockchain has a copy of the identity ledger.
  12. Business benefits of blockchain-based IAM
      Top five business drivers: risk reduction, regulatory compliance, user experience, operational effectiveness and efficiency, cost containment
      ► Fewer passwords to remember
      ► Improved digital experience through a unified identity experience and improved app store ratings
      ► Interoperability with the Internet of Connected Things
      ► Improved service-level agreements related to user onboarding (days instead of months) for third-party access
      ► Utilize payment networks to establish identities
      ► Fault tolerance and elastic scaling because each node in the blockchain can consume the self-contained assertion
      ► Reduced time and effort to manage access rights by reducing the need for centrally managed identity governance and administration solutions
      ► Reduced need to maintain identities in a directory or identity data warehouse
      ► Improved AuthN and AuthZ mechanisms (“what you have and are” + “what others know”)
      ► Trust score of the identity ledger increases with the quantity and quality (e.g., credit bureaus, trusted authorities) of peers on the blockchain
      ► Improved auditability of identities due to the distributed, open nature of identity ledgers
  13. What blockchain is not
      ► Something that can be viable without a big enough ecosystem
      ► Mature enough to apply to every sector
      ► Something that will revolutionize business and redefine companies immediately
      ► Something that is plug and play:
        ► Application and blockchain layers need to be bridged
        ► Smart contract logic needs to be defined
        ► Nascent vendor ecosystem
        ► Nascent talent pool
  14. How blockchain fits into the next-generation IAM reference architecture
      [Architecture diagram: identity analytics; operational reporting; identity governance and administration; enterprise applications; access management system (authentication); attribute-based access control (fine-grained authorization); PAM; ticketing system; mainframe; Lightweight Directory Access Protocol; databases (Java database connectivity/open database connectivity); flat file; application, identity, entitlement, roles, risk, ownership; Internet of Things; digital applications]
  15. How blockchain fits into the next-generation IAM reference architecture (continued)
      [The same architecture diagram with a blockchain network added]
  16. Why now? The adoption of blockchain is growing
      Est. US$16.9b in bitcoin in circulation today (source: “CryptoCurrency Market Capitalizations,” www.coinmarketcap.com, CoinMarketCap)
  17. Cyber and blockchain service offerings
      ► Strategy: blockchain identity strategy and road map definition
        ► Third-party access
        ► Digital consumer identities: KYC strategy, bitcoin strategy, Internet of Connected Things
        ► Technology selection
        ► Private vs. public blockchains
        ► Proof of concepts
      ► Implementation and transformation
        ► Identity ledger and smart contract definition
        ► Third-party access and digital customer architecture build-out: day one identity proofing, ongoing monitoring
      ► Managed services
        ► Operate blockchain as a service
        ► Provide clients a private blockchain for running smart contracts
        ► Leverage the Microsoft alliance to host on Azure
  18. Contacts
      David Chan, Senior Manager, Program Lead, Ernst & Young LLP, Mobile: +1 714 422 7092, david.chan@ey.com
      Sam Tang, Executive Director, Program Sponsor, Ernst & Young LLP, Mobile: +1 917 582 4872, sam.tang@ey.com
  19. Appendix A: Case study
  20. Blockchain-based authorization case study
      ► Auto finance customer registration
      ► Verify user via account, Social Security number or date of birth
      ► Bank linking is an optional portion of the registration flow
      ► Additional user information captured, such as mobile number and social media (e.g., Twitter, LinkedIn) handles
      ► Design a data exchange architecture for identity proofing
  21. Trust-based authorization case study: auto finance customer registration (day one)
      Authorization transactions and events
      ► Authorize new user (create guest profile within the Virtual Directory Service at 80% trust)
      ► Allow customer access to sensitive transactions (e.g., fund transfers) at 90% trust
      Ledgers (verified through the data exchange service and aggregated through the virtual directory over the blockchain network)
      ► Identity proofing (email address is verified): ledger – 10% trust
      ► Social Security number verification: ledger – 30% trust
      ► Date of birth verification (Equifax, Experian): ledger – 10% trust
      ► Domestic phone and Short Message Service verification: ledger – 10% trust
      ► Trusted bank account linking: ledger – 10% trust
      ► Public identity data providers (Google, Facebook, Yahoo!): ledger – 10% trust
  22. Trust-based authorization case study: auto finance customer (post day one)
      Authorization transactions and events
      ► Send to “at-risk list” for special processing when ledgers < 60% trust
      ► Disable user when ledgers drop below 30% trust
      Ledgers (verified through the data exchange service and aggregated through the virtual directory over the blockchain network)
      ► Periodic verification of bank account linking: ledger – 30% trust
      ► Ongoing monitoring of credit score (Equifax, Experian): ledger – 50% trust
      ► Ongoing monitoring of identity data providers (Google, Facebook, Yahoo!): ledger – 20% trust
  23. Evolution of authorization models: summary
      ► Centralized admin (mainframe, database, LDAP)
        ► Applications and menus are tied to data sets, tables and access control lists
        ► Prone to “proliferation”
        ► Administratively assigned
      ► Logical groupings of access (roles and rules)
        ► Movement toward centralization of data
        ► Entitlements are represented as “groups” and “group memberships”
        ► Prone to proliferation of groups
      ► Advanced and risk based
        ► Movement toward dynamic assignment of access
        ► Extends the richness of rule sets by allowing the inclusion of “actual use and behavior” data
        ► Allows for run-time enforcement
      ► Trust based
        ► Decentralized ledgers control the trust of any given block or transaction instead of applying ownership to the model
        ► Relies on peers within the blockchain network to proof identities and control access to resources
        ► A true immutable information repository and service
  24. EY | Assurance | Tax | Transactions | Advisory
      About EY
      EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
      EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
      © 2017 EYGM Limited. All Rights Reserved. EYG no. 04033-173GBL 1705-2288253 ED None
      This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice. ey.com
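The day-one and post-day-one trust aggregation from the case study slides (21 and 22), as an added Python illustration that is not EY's code: the ledger weights and thresholds are the percentages stated on the slides, the ledger names are placeholders chosen here, and it assumes that "ledgers < 60%" refers to the aggregated score of the ledgers whose latest verification succeeded.

```python
# Added illustration of the case-study trust model; not EY's code.
# Weights and thresholds are the percentages on the two case-study slides;
# ledger names are placeholders chosen for this example.

DAY_ONE_LEDGERS = {                  # registration (day one)
    "identity_proofing_email": 10,
    "ssn_verification": 30,
    "dob_verification": 10,          # Equifax, Experian
    "phone_sms_verification": 10,
    "bank_account_linking": 10,      # optional in the registration flow
    "public_identity_providers": 10, # Google, Facebook, Yahoo!
}
ONGOING_LEDGERS = {                  # post day one
    "bank_account_relink": 30,
    "credit_score_monitoring": 50,   # Equifax, Experian
    "identity_provider_monitoring": 20,
}
GUEST_PROFILE_MIN = 80   # create guest profile in the virtual directory
SENSITIVE_TX_MIN = 90    # fund transfers and other sensitive transactions
AT_RISK_BELOW = 60       # send to the at-risk list for special processing
DISABLE_BELOW = 30       # disable the user


def aggregate(ledgers, verified):
    """Virtual-directory aggregation: sum the weights of the ledgers whose
    latest verification succeeded. Assumption: the slides' "ledgers < 60%"
    means this aggregated score. Unknown ledger names are an error, so a
    typo can never be mistaken for a successful verification."""
    unknown = set(verified) - set(ledgers)
    if unknown:
        raise ValueError(f"unknown ledger(s): {sorted(unknown)}")
    return sum(weight for name, weight in ledgers.items() if name in verified)


def day_one_decisions(verified):
    """Return the registration-time authorizations for a new customer."""
    score = aggregate(DAY_ONE_LEDGERS, verified)
    return {"trust": score,
            "guest_profile": score >= GUEST_PROFILE_MIN,
            "sensitive_transactions": score >= SENSITIVE_TX_MIN}


def ongoing_decision(verified):
    """Return (score, action) for one post-day-one monitoring cycle."""
    score = aggregate(ONGOING_LEDGERS, verified)
    if score < DISABLE_BELOW:
        return score, "disable"
    if score < AT_RISK_BELOW:
        return score, "at-risk"
    return score, "active"


if __name__ == "__main__":
    print(day_one_decisions(set(DAY_ONE_LEDGERS)))   # 80%: guest profile only
    print(ongoing_decision({"bank_account_relink", "identity_provider_monitoring"}))
```

With all six day-one ledgers verified the score is 80%, which on the slides' own numbers is enough for the guest profile but not for the 90% sensitive-transaction gate, and skipping the optional bank link leaves 70%.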
