Blockchain: the trust fabric for next generation digital identity management

EY Global
Blockchain Summit
San Francisco, CA
April 26, 2017

EY Global Blockchain Summit
Blockchain
The trust fabric for next-generation digital identity management

Identity and access management (IAM) overview
IAM client needs
► Cloud access governance
► Certification
► Automated provisioning
► Access request
► Role and rule management
► Password self-service
► Entitlement data
► Segregation of duties (SOD)
► Manual access administration
► Centralized user profile repository
► Elevated user repository
► Enterprise identity directory
► Utility directory service
► Identity data synchronization
► Access data warehouse
► Identity analytics and intelligence
► Customer identity registration and
proofing
► Third-party access
Human resources (HR) processes
Hiring
Onboard
Termination
Mobility
Nonemployee
processes
Other processes
Internet of Things
Customer portals
Mobile apps
Contingent
workers
Business
partners
and vendors
Employees
Customers Devices
► Central authentication and single sign-on
(enterprise/web)
► Privileged access management (PAM)
► Remote access
► Federation (cloud authentication)
► Device authentication
► Mobile authentication
► Database, network and operating system
management
► Strong authentication and public key
infrastructure (PKI)
► Location-aware authentication (risk-based
access management)
Access enforcement
Identity data services
Access administration

IAM terminology
Term Definition
Identity
administration
Identity administration is the process of handling access requests and approvals to grant and remove users’
access to applications and other resources available in an enterprise environment (including cloud apps, Internet
of Things).
Identity governance Over time, users may accumulate entitlements that are no longer needed or appropriate for their job function.
Identity governance is a process by which appropriate business stakeholders, such as users’ managers or
application owners, can periodically review entitlements and identify those that should be removed.
Authentication
(AuthN)
Authentication is the process or action of verifying the identity of a user before granting access to an
application or other resource within an enterprise environment. An analogy is the process of allowing a passenger
onto a plane.
Authorization (AuthZ) AuthZ is the process of granting a user permission to do or have something (e.g., entitlements to certain
screens within an application) based on attributes (e.g., HR job title, location) or the role (e.g., job function, peer
group) of a user. An analogy is telling the passenger in which seat (e.g., first class, business, economy plus or
economy) on a plane to sit.
Application
onboarding
This is the process of subscribing an application or other network resource onto one or more of the above
services, whether through automated, semiautomated (e.g., robotics process automation) or manual (e.g.,
workflow systems) fulfillment methods.

What are some common IAM pain points we are hearing
from our clients?
Want a platform that can cater
to Internet of Things,
customers, third parties and
the workforce
Don’t want to manage and
store customer identities
anymore
Would like third-party and
business partner onboarding
to be seamless
PKI too costly to set up
and manage
Need an efficient way to
provide identity proofing
(customers and third parties)
Would like to use social media
(e.g., Facebook, Google+) as
primary form of customer
identity access management

What is a blockchain?
Shared ledger immutable database transferring data securelyand for
A shared book or
collection of entries in
which transactions
are recorded
A collection of
information organized
so it easily can be
accessed, managed
and updated, and
practically impossible
to change
Information that has
been translated into a
form more convenient
to move or process
(e.g., bits)
Preventing
unauthorized access,
use, disclosure,
disruption,
modification,
inspection, recording
or destruction of
information

Where does blockchain fit?
Physical Fiber-optic cables, servers, hardware security modules, computers and other hardware
Network Communication between components at the physical level (to communicate, servers and
computers must agree on similar protocol
Applications End-user programs that rely on database to store identity information or a directory to provide
identity information.
Business processes Activities that leverage multiple applications to accomplish a particular goal. EY is leveraging
robotics to automate this layer.
Blockchain
Shared ledger and forimmutable database recording/transferring data securely

Example applications of blockchain today
► Bitcoin
► Know your customer (KYC)
► Insurance:
► Underwriting
► Processing claims
► Government:
► Public notary
► Electronic health records

How blockchain is transforming IAM
Evolution of enforcement models (AuthN)
Ownership
Efficiency
Mainframe
(direct AuthN)
Databases Directory
services
Single
sign-on
Federation Identity as a
service
(IdaaS)
Trust-based
network
Next 18–24 months
“What others know”“What you know, what you have”

How blockchain is transforming IAM
Evolution of enforcement models (AuthZ)
Ownership
Efficiency
Mainframe Databases Directory
services
Role based Attribute
based
Risk based Trust-based
network
Next 18–24 months

How blockchain identity works (in a nutshell)
Blockchain attributes: immutable, verifiable, auditable and resilient to attack
2020 and beyond
Identity services are provided by peers in the
network and the trust fabric (self-policing and
enforcement).
Centralized provider needs to provide
identity services.
Identities are
centrally managed
and administered
(whether in the
cloud or on the
premises).
Today
&
Each node within the
blockchain has a
copy of the identity
ledger.

Business benefits of blockchain-based IAM
Top five
business
drivers
Risk
reduction
Regulatory
compliance
User
experience
Operational
effectiveness
and
efficiency
Cost
containment
► Fewer passwords to remember
► Improved digital experience through unified
identity experience and improved app store
ratings
► Interoperability with Internet of Connected
Things
► Improve service-level agreements related
to user onboarding (days instead of months)
for third-party access
► Utilize payment networks to establish
identities
► Fault tolerance and elastic scaling because
each node in the blockchain can consume the
self-contained assertion
► Reduced time and effort to manage access
rights by reducing the need for centrally
managed identity governance and
administration solutions.
► Reduced need to maintain identities in
a directory or identity data warehouse
► Improved AuthN and AuthZ mechanism
(“what you have and are” + “what others know”)
► Trust score of identity ledger increases with quantity and
quality (e.g., credit bureaus, trusted authorities) of peers on
blockchain
► Improved auditability of identities due
to distributed, open nature of identity
ledgers

What blockchain is not
► Something that can be viable without a big enough ecosystem
► Not mature enough where it applies to every sector
► Revolutionize business and redefine companies immediately
► Something that is plug and play
► Application and blockchain layer needs to be bridged
► Smart contract logic need to be defined
► Nascent vendor ecosystem
► Nascent talent pool

How blockchain fits into the next-generation IAM reference
architecture
Identity analytics
Operational reporting
Identity governance
and administration
Enterprise
applications
Access management
system (authentication)
Mainframe
Lightweight
directory access
protocol
Databases (Java database
connectivity/open database
connectivity)Flat file
Attributes-based access control
(fine-grained authorization)
PAM
Ticketing systemApplication
Identity
EntitlementRoles
Risk
Ownership
Internet of Things
Digital applications

How blockchain fits into the next-generation IAM reference
architecture
Identity analytics
Operational reporting
Identity governance
and administration
Enterprise
applications
Access management
system (authentication)
Mainframe
Lightweight
directory access
protocol
Databases (Java database
connectivity/open database
connectivity)Flat file
Attributes based access control
(fine-grained authorization)
PAM
Ticketing systemApplication
Identity
EntitlementRoles
Risk
Ownership
Internet of Things
Digital applications
Blockchain
network

Why now? The adoption of blockchain is growing
Est. US$16.9b in
bitcoin in
circulation today
“CryptoCurrency Market Capitalizations,” www.coinmarketcap.com, CoinMarketCap

Cyber and blockchain service offerings
EY cyber service offering Description
Strategy Blockchain identity strategy and road map definition
► Third-party access
► Digital consumer identities:
► KYC strategy
► Bitcoin strategy
► Internet of Connected Things
► Technology selection
► Private vs. public blockchains
► Proof of concepts
Implementation and
transformation
► Identity ledger and smart contract definition
► Third-party access and digital customer architecture build-out:
► Day one identity proofing
► Ongoing monitoring
Managed services ► Operate blockchain as a service
► Provide clients a private blockchain for running smart contracts
► Leverage Microsoft alliance to host on Azure

Contacts
David Chan
Senior Manager, Program Lead
Ernst & Young LLP
Mobile: +1 714 422 7092
david.chan@ey.com
Sam Tang
Executive Director, Program Sponsor
Ernst & Young LLP
Mobile: +1 917 582 4872
sam.tang@ey.com

Appendix A
Case study

Blockchain-based authorization case study
► Auto finance customer registration
► Verify user via account, Social Security number or date of birth
► Bank linking is optional portion of registration flow
► Additional user information captured, such as mobile number and social
media (e.g., Twitter, LinkedIn) handles
► Design a data exchange architecture for identity proofing

Trust-based authorization case study
Auto finance customer registration (day one)
Authorization transactions
and events
► Authorize new user (create guest
profile within Virtual Directory
Service at 80% trust)
► Allow customer access to sensitive
transactions (e.g., fund transfers)
at 90%
Email address is verified
► Identity proofing
Ledger – 10% trust
Data
exchange
service
Social Security number
verification
Date of birth verification –
Equifax, Experian
Domestic phone and
Short Message Service
verification
Trusted bank account
linking
Aggregation of ledgers through
virtual directory
Blockchain network
Public Identity Data
Providers – Google,
Facebook, Yahoo!

Trust-based authorization case study
Auto finance customer (post day one)
Authorization transactions and events
► Send to “at-risk list” for special
processing when ledgers <60%
► Disable user (when ledgers drop
below 30% trust)
Data
exchange
service
Periodic verification of
bank account linking
Blockchain network
Aggregation of ledgers through
virtual directory
Ongoing monitoring of
credit score – Equifax,
Experian
Ongoing monitoring of
Identity Data Providers –
Google, Facebook,
Yahoo!

Evolution of authorization models
Summary
Model Characteristics
Centralized admin:
mainframe, database,
LDAP
► Applications and menus are tied to data sets, tables, access control lists
► Prone for “proliferation”
► Administratively assigned
Logical groupings of
access – roles and rules
► Movement toward centralization of data
► Entitlements are represented as “groups” and “group memberships”
► Prone to proliferation of groups
Advanced and risk
based
► Movement toward dynamic assignment of access
► Extends the richness of rule sets by allowing the inclusion of “actual use and behavior” data
► Allows for run-time enforcement
Trust based ► Decentralized ledgers that control the trust of any given block or transaction instead of applying ownership
to the model
► Relies on peers within the blockchain network to proof identities and control access to resources
► A true immutable information repository and service

EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory
services. The insights and quality services we deliver help build trust
and confidence in the capital markets and in economies the world
over. We develop outstanding leaders who team to deliver on our
promises to all of our stakeholders. In so doing, we play a critical role
in building a better working world for our people, for our clients and
for our communities.
EY refers to the global organization, and may refer to one
or more, of the member firms of Ernst & Young Global Limited,
each of which is a separate legal entity. Ernst & Young
Global Limited, a UK company limited by guarantee, does not
provide services to clients. For more information about our
organization, please visit ey.com.
© 2017 EYGM Limited.
All Rights Reserved.
EYG no. 04033-173GBL
1705-2288253
ED None
This material has been prepared for general informational purposes
only and is not intended to be relied upon as accounting, tax or other
professional advice. Please refer to your advisors for specific advice.
ey.com

Blockchain: the trust fabric for next generation digital identity management

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Blockchain: the trust fabric for next generation digital identity management

Similar to Blockchain: the trust fabric for next generation digital identity management (20)

More from EY

More from EY (20)

Recently uploaded

Recently uploaded (20)

Blockchain: the trust fabric for next generation digital identity management