How can bi-directional credential verification and data-security-as-a-service offer both businesses and users better control of, and access to, their data? One World Identity explored this theme, and its impact at both the personal and the enterprise level, during the latest KNOW Identity Digital Forum.
Bi-Directional Credential Trust
In Verifiable Credentials: Reducing Fraud With Bi-Directional Trust, Andrew Tobin, Managing Director, EMEA at Evernym, and Julie Esser, SVP, Marketing Communications at CULedger, described how they are offering businesses as well as individuals the capability to authenticate who is on the other end of a transaction.
OWI: What do you mean by “bidirectional trust”? How is this defined?
Evernym: Knowing who’s at the other end of a transaction is one of the biggest challenges we face as so much of the economy goes digital. Identity fraud really is something that is expanding more and more in the digital world at the moment. There’s lots of business transformation that has taken place to fix things, but they still are burdened by a large amount of friction. That friction exists to try and figure out who those organizations are dealing with – which costs a huge amount of money to solve. It’s establishing trust in one direction, from the organization (the e-commerce webshop or the bank, for example) to the individual. But there still remains no way for the individual to know it is their bank or know that the retailer they’re dealing with is legitimate.
This is what we call bi-directional trust. If we can solve this [issue], that will be a massive benefit for economies worldwide. It will help transform business processes currently stuck doing lots of manual or high-cost transactions and processes that can’t now be avoided because there hasn’t been a way to establish trust online properly before.
OWI: How do verifiable digital credentials work?
Evernym: The solution that’s taken hold is what we call decentralized or self-sovereign identity. Put very simply, this is the ability for people like you and me to have, manage, and control their own digital credentials in the same way we do with our physical credentials. Uniquely, this can be done without needing some huge central database in the sky that sees everything that you do, which is a massive advance. This is why the momentum that we see for this new capability is moving so quickly.
What we call digital credentials, digital versions of the paper credentials you have, are interoperable and verifiable anywhere and based on open standards that are evolving rapidly at the moment. Not only can anyone issue these credentials, but anyone can verify the authenticity and integrity of any credential for any purpose. Every interaction is private, secure, and encrypted. No man in the middle sees everything that’s going on. You carry them with you, you own them, you look after them, and you can use them wherever you want. An excellent side effect is that usernames and passwords will go away as well. So you get multi-factor authentication just by default as part of this new capability.
All of this happens very securely and very independently as well; the relying party does not have to contact the credential issuer. If they did, the issuer would know all of the places you’re going and all the places you’re using your data; that’s clearly a massive privacy breach for you. The underlying technology of digital credentials enables the relying party to check these things without ever speaking to the issuer, which is a fundamental shift in how verification of data takes place.
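As an added illustration of the flow described above (not code from Evernym or the forum), the following shows a relying party checking a credential against the issuer's published key without ever contacting the issuer; a tampered credential fails the check. The Lamport one-time signature, the in-memory key registry, the `Issuer` class and the `did:example:dmv` identifier are all stand-ins chosen so the example runs on the Python standard library alone; real systems use a reusable signature scheme and a decentralized registry.

```python
import hashlib
import json
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key (stand-in for a real scheme): 256 secret pairs,
    # public key = their hashes. One key must sign exactly one message;
    # signing twice would leak secrets, so real deployments use a reusable scheme.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # reveal the secret matching each bit of the message digest
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

class Issuer:
    """Publishes its verification key once to the (assumed) registry, then issues."""
    def __init__(self, did: str, registry: dict):
        self.did, self.verify_calls = did, 0   # verify_calls must stay 0
        self.sk, pk = keygen()
        registry[did] = pk

    def issue(self, claims: dict) -> dict:
        body = json.dumps({"issuer": self.did, "claims": claims}, sort_keys=True)
        return {"body": body.encode(), "sig": sign(self.sk, body.encode())}

def verify_credential(registry: dict, cred: dict) -> bool:
    # The relying party resolves the issuer's key from the registry and checks
    # the signature locally; the Issuer object is never called.
    issuer = json.loads(cred["body"]).get("issuer")
    pk = registry.get(issuer)
    return pk is not None and verify(pk, cred["body"], cred["sig"])

def demo():
    registry = {}
    dmv = Issuer("did:example:dmv", registry)    # constructed sample issuer
    cred = dmv.issue({"name": "Alice", "over_18": True})
    forged = dict(cred, body=cred["body"].replace(b"true", b"false"))
    return verify_credential(registry, cred), verify_credential(registry, forged), dmv.verify_calls
```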
OWI: How are organizations such as credit unions implementing this technology with their customers?
CULedger: The problem that credit unions are trying to solve is how their existing members interact with them and look at how new potential members could be interacting with them across all of their channels. What was found [in research shared from credit unions] is that there is a separate authentication process that exists with each independent channel.
Often the credit union may have to fall back to some manual intervention in that process. What credit unions have been doing traditionally in the past is fixing the security problem by adding layer upon layer and adding more cost to the problem without really taking a holistic view. When you have this much inconsistency of verification across your channels, it’s going to open you up for more fraud, and the fraudsters find the weakest link to commit that fraud.
In March, they went digital overnight due to the pandemic; they weren’t working on their digital strategies. Many credit unions are now asking themselves these questions: how are we starting to re-open the branches? How are we going to verify our members when they’re covered with a mask?
The pandemic has definitely increased this problem not only for credit unions but also for consumers. We’ve had instances where consumers have received calls from imposters. Because of the trust and relationship that we as consumers have with financial institutions, we’ll fall victim to that nine times out of ten.
With bi-directional trust, this solves those problems for the consumer. The credit union verifies that the individual they’re interacting with is authentic, but most importantly, the consumer will know that who they’re interacting with, the credit union, is real. This is the simplest, most secure way for credit unions to verify their members.
OWI: How does the ID Provider prove the identity of the person applying for a digital credential? What happens if the user’s device or credentials have been stolen or compromised?
Evernym: It can be exactly the same way as they do today. All that is changing is that the “bearer” of the verified data is changing from a paper or plastic bearer to a digital credential wrapped in sophisticated cryptography. If you’re applying for a driver’s license, for example, you’ll still be asked to show your passport and a permanent address. The only difference is that when the licensing authority issues you a physical license, they’ll simultaneously issue a digital one.
Digital credentials come with several security benefits over their traditional equivalents. They can be backed up, restored, revoked, and new credentials can be issued to supersede the stolen ones. It’s even possible to create a service where users can remotely revoke their device’s ability to act. We’ve written a whitepaper, aptly named ‘What If I Lose My Phone?‘ on this precise question for those interested in diving in more.
OWI: How does the user device know the correct user is holding the device? What if that user authentication is weak?
Evernym: A combination of biometrics and a PIN or password is likely sufficient for the vast majority of existing use cases, but those that require a higher level of assurance can ask for additional checks. At Evernym, we just announced a partnership with iProov to do just that — integrating their real-time genuine presence assurance technology to ensure that the individual using the credential is the person it was issued to.
Maximizing Your Cloud Strategy
The Forum then moved to a discussion with Doug Wick, VP of Product at ALTR, and Jason Truppi, Co-Founder at ShiftState Security, in Maximizing Your Cloud Strategy with Data Security as a Service. This panel covered both the benefits of cloud data platforms in improving speed, efficiency, and flexibility of data collection and analysis and the new set of potential risks and challenges in being a “data-driven enterprise.”
OWI: How has the cloud changed security overall? What has the impact on data security been over the past decade?
ShiftState Security: This depends on how you’ve implemented it and who’s implementing it, in fact. Let’s take a basic scenario. Many people moving into the cloud will initially do a one-for-one infrastructure swap, so one server for one server, etc. This is not necessarily the best way to move into the cloud, especially nowadays with the cloud-native services available to you. The reason is, if you’re swapping one-for-one, you still have to maintain the infrastructure, such as the operating system that your server or your application is sitting on. Whereas if you go cloud-native with some of the components that are already handled for you, updates to operating systems, patches, etc., are already being handled by automation and engineers that have been doing that for many years.
Suppose you use a lot of cloud-native functionality. In that case, your security and the infrastructure actually become a little bit easier in some respects but become more difficult in others, such as access and control. Now, you have granular access and control of every component within the cloud, down to what kind of data and data sets. Accessing it can then become cumbersome for many organizations to understand the ramifications of giving people all-access. This is why we’re seeing a lot of misconfiguration and access given to individuals that probably shouldn’t have had it to begin with.
OWI: How can [cloud data platforms, data platforms in general] improve speed, efficiency, flexibility, all of these things that you want? How are you seeing enterprises and your different customers using it to that end?
ALTR: We’re finding that organizations are leveraging more of these cloud-native platforms. They’re grabbing a lot of data from operational data storage systems that run their business and compiling it into one of these platforms. They’re then using it to drive next-generation analytics.
This type of analysis and becoming a data-driven enterprise is democratized by the cloud because these systems were costly to build and launch on-prem before or inside your own network. The cloud unlocks new ways of doing business, new ways of handling data, and the benefits of that relate directly to scalability.
OWI: What are some of the big mistakes that organizations are making when it comes down to cloud security? Specifically, when we’re talking about things such as data storage?
ShiftState Security: I’ve worked a thousand breaches over the last ten years, many of which are now moving into the cloud, and [what I’m observing is] mostly around misconfiguration. It’s very simple, and in some ways, it’s the same in traditional infrastructure. When you have new technology that you’re running, understanding that technology, and finding people with the skillset and expertise is difficult. So misconfiguration is the number one issue, and it seems, based on my experience, that usually it’s the wrong person configuring that cloud resource.
OWI: What are some of those benefits to expect, especially early benefits from a data-security-as-a-service platform?
ALTR: What we see with our customers is time-to-value. Data security, and more particularly, governance of data consumption and data protection, is still to some degree dominated by legacy products that involve the deployment of appliances to your network. They’ve virtualized some of these products, but it’s still often on-prem software running on an AWS instance somewhere.
So it’s not optimized to get you to value quickly. It’s not optimized to scale up quickly. If you are a heavy user of data and have a lot of data, [we compare] it to connecting a bicycle to the back of a sports car because security attaches itself to systems. We attach what we do to other systems. If those systems are large or scale up and down quickly, the security services need to follow suit.
What’s Coming Next?
There’s always more to dive into (we recommend you secure your seat now at our next digital event). Take a moment to catch up on the sessions from this event or other KNOW Identity Digital Forums you may have missed!