Identity is a difficult term to define in the cybersecurity world. The range of personal information that can be associated with an identity interaction is highly dependent on the situational context of the interaction. The definition of identity also depends on the context of the medium within which it is exchanged.

In the physical world, when we talk about identity, it’s usually rooted in government, healthcare, finance and other issued credentials, such as driver’s licenses, passports, national ID cards, health insurance cards, car registration documents and more. In the digital world, however, identity is usually rooted in what we have access to — applications, usernames and passwords, accounts and federated accounts.

Why do we consider identity differently in the physical and digital worlds? At the end of the day, isn’t identity any trusted instrument that is used for the exchange of personal information between entities?


Some forward-thinking concepts to keep in mind as we look to address this identity dilemma include:

  • The lack of a single identity approach that spans physical and digital interactions
  • The need to evolve the processes and interactions of our digital world while reusing the frameworks and standards already ingrained within industries
  • A standards-based approach as the underpinning that delivers digital trust at scale

The Need for Identity Across Physical and Digital Realms

As we think about the different mediums within which we exchange identity — e.g. physical and digital — we have yet to truly develop a robust, scalable and portable way to establish trust that adheres to privacy-by-design principles.

In the digital world, this simply does not exist, and we’ve defaulted to usernames and passwords. Sure, we’ve made things easier with federation and other approaches, but the fundamental piece of it remains: You need an existing account to establish trust. Having an existing account should not be the default to establish a line of trusted communication.

In the physical world, we are limited by a lack of business process modernization and by the need to transform toward digital-first interaction. Online banking, e-commerce and other digital interactions built on top of physical-world processes have created poor onboarding experiences and a higher potential for fraud.

Why not bridge how we exchange identity in the physical and digital worlds? Identity interactions and data representations should work in harmony across both worlds. The context of the relationship will dictate what personal data attributes (or collection of personal data attributes) will be needed. In different cases, these can be self-asserted, peer-asserted or asserted by a vetting institution.

In simpler terms: Anything that we store in our wallets or purses, that we use to access applications through online interactions or that is given to us by a third party for us to use downstream — such as a loyalty card, membership card, education transcript or tax form — can be considered personal data attributes that describe who we are and what we can do. These personal data attributes may also be referred to as identity traits.

A Proposed New Framework to Establish Trust

In response to the above challenges, we have been developing a new framework for handling interactions across the physical and digital worlds that is built on principles of privacy-by-design. We call this approach IdentityNext. Please note that IdentityNext is a term used to describe a proposed approach to identity. It is not intended to be used as a product name or community initiative, but rather our own term to represent identity concepts.

We believe IdentityNext is evolutionary because it can enable us to bridge our physical and digital identity interactions. We have the mental model and framework for identity at scale through user control and privacy — we do it every single day when we use various credentials stored in our physical wallets and purses. Each of those is based on established standards: ISO, WEDDI, ACCORD and others. The technologies used to create and print those physical credentials are industry- and standard-agnostic — that is to say the technology used to print a driver’s license should be the same technology that can print an insurance card because at the end of the day, these two physical credential renderings are collections of personal data attributes. All the standards do is define a common data structure needed for each of those credentials.

This same mental model and framework can be used in our digital experience — it’s not revolutionary. We are not fundamentally changing how we exchange identity, but simply using the frameworks and standards that exist in our daily physical interactions to evolve our digital interactions. Just as we need technology to print a physical credential, we need technologies to help create digital credentials with the fundamental premise of being agnostic to any industry standard and building on open protocols through a community-based approach.


What Is IdentityNext?

IdentityNext is a concept we’ve developed to refer to an evolution in how we think about and view identity across all the interactions we have. Security, privacy, user control, transparency, portability and more are all components of IdentityNext. It is a new framework for establishing trust.

Why IdentityNext?

IdentityNext is the evolution of a new trust model that treats user privacy, security, control and transparency as priorities. For organizations, it can help create trusted relationships with end users through an interaction that values and respects their privacy. This creates the ability to grow trust and equity with users while also providing better end-user experiences.

Who Does IdentityNext Affect?

IdentityNext would touch every single entity that wants to perform a trusted transaction with another party. Any entity that needs to exchange trusted data, issue an identity instrument, hold or manage identity, or verify identity would be affected by IdentityNext.

What About Systems of Records?

One thing remains the same and will continue to remain the same: Systems of records (SORs) will never go away.

SORs will remain, but the duplication of what is in those SORs will decrease as we move to IdentityNext. Governance, privileged access, administration, and reporting and auditing for those SORs are still required. The backend components that are used to originate the issuance of a credential will remain the same. The components used to store the needed data after verifying credentials for auditing and compliance purposes will also remain unchanged.

What really changes with IdentityNext is the interaction layer. In the physical world, the interaction layers allow users to store credentials in wallets or purses and present them to verifying (or relying) parties without the verifying party ever needing to “phone home” to the issuer of the credentials. The same experience will manifest in the digital world with the issuance of credentials to the digital wallets of users, enabling them to share and exchange attributes under their control and explicit permission.


IdentityNext Is Based on Community Interoperability

As with other evolutions of identity — from centralized to federated and now decentralized — everything we do needs to be built for community interoperability. With federation, we introduced Security Assertion Markup Language (SAML) to provide better experiences with applications within enterprises. For consumer-oriented web and mobile interactions, we created OpenID Connect (OIDC) and OAuth, still in the context of applications.

As we broaden our scope of identity and consider what is required to exchange trusted personal data across multiple mediums, interoperability becomes even more important. The decentralized identity ecosystem represents a community focused on interoperability standards and open-source code through decentralized identifiers (DIDs) and verifiable credentials, new standards in the evolving identity landscape.
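As an added, illustrative example (not IBM's code and not the W3C Verifiable Credentials data model itself), the following Go program models the three roles described in the interaction-layer section above and in the decentralized identity paragraph just before this one: an issuer signs a credential once, the holder keeps it in a wallet and reveals only the attributes it chooses, and the verifying party checks the issuer's Ed25519 signature with a public key it already trusts, without any call back to the issuer. The selective-disclosure scheme (a random salt per attribute, a signature over the sorted list of attribute digests) and the `did:example:` identifiers and attribute values are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Disclosure is one attribute (an "identity trait") the holder may reveal:
// the value plus the random salt the issuer bound to it at issuance time.
type Disclosure struct {
	Name  string `json:"name"`
	Value string `json:"value"`
	Salt  string `json:"salt"`
}

// SignedCredential is what the issuer hands to the holder's wallet. The issuer
// signs only the attribute digests (plus subject and expiry), so the holder can
// later reveal any subset of attributes without invalidating the signature.
type SignedCredential struct {
	Issuer      string
	Subject     string
	Expires     int64 // Unix seconds
	Digests     []string
	Signature   []byte
	Disclosures []Disclosure // held by the wallet; not part of the signed bytes
}

// Presentation is what the holder shows a verifier: the signed part plus only
// the disclosures the holder chose to share for this interaction.
type Presentation struct {
	Issuer    string
	Subject   string
	Expires   int64
	Digests   []string
	Signature []byte
	Revealed  []Disclosure
}

// digest commits to one attribute; the salt stops a verifier from guessing
// hidden values by brute-forcing small domains such as birth years.
func digest(d Disclosure) string {
	sum := sha256.Sum256([]byte(d.Name + "\x00" + d.Value + "\x00" + d.Salt))
	return hex.EncodeToString(sum[:])
}

// signedBytes is the canonical byte string the issuer signs and the verifier
// independently reconstructs; it never contains attribute values.
func signedBytes(issuer, subject string, expires int64, digests []string) []byte {
	b, _ := json.Marshal(struct {
		Issuer  string   `json:"issuer"`
		Subject string   `json:"subject"`
		Expires int64    `json:"expires"`
		Digests []string `json:"digests"`
	}{issuer, subject, expires, digests})
	return b
}

// Issue is the issuer's one-time act, backed by its system of record.
func Issue(priv ed25519.PrivateKey, issuer, subject string, attrs map[string]string, expires int64) (SignedCredential, error) {
	var disc []Disclosure
	for name, value := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil {
			return SignedCredential{}, err
		}
		disc = append(disc, Disclosure{Name: name, Value: value, Salt: hex.EncodeToString(salt)})
	}
	digests := make([]string, len(disc))
	for i, d := range disc {
		digests[i] = digest(d)
	}
	sort.Strings(digests) // canonical order, independent of map iteration order
	sig := ed25519.Sign(priv, signedBytes(issuer, subject, expires, digests))
	return SignedCredential{issuer, subject, expires, digests, sig, disc}, nil
}

// Present is the holder's act of control: only the named attributes leave the wallet.
func (c SignedCredential) Present(reveal ...string) Presentation {
	p := Presentation{c.Issuer, c.Subject, c.Expires, c.Digests, c.Signature, nil}
	for _, d := range c.Disclosures {
		for _, name := range reveal {
			if d.Name == name {
				p.Revealed = append(p.Revealed, d)
			}
		}
	}
	return p
}

// Verify runs entirely at the relying party: signature, expiry and binding of
// each revealed attribute to the signed digest list. No "phone home".
func Verify(issuerPub ed25519.PublicKey, p Presentation, now int64) (map[string]string, error) {
	if !ed25519.Verify(issuerPub, signedBytes(p.Issuer, p.Subject, p.Expires, p.Digests), p.Signature) {
		return nil, errors.New("issuer signature invalid: altered, or not from the trusted issuer")
	}
	if now > p.Expires {
		return nil, errors.New("credential expired")
	}
	known := make(map[string]bool, len(p.Digests))
	for _, d := range p.Digests {
		known[d] = true
	}
	attrs := make(map[string]string, len(p.Revealed))
	for _, d := range p.Revealed {
		if !known[digest(d)] {
			return nil, fmt.Errorf("attribute %q is not bound by the issuer's signature", d.Name)
		}
		attrs[d.Name] = d.Value
	}
	return attrs, nil
}

func main() {
	// Constructed sample: a licensing authority issues three attributes; the
	// holder reveals only the license class to a verifier.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cred, _ := Issue(priv, "did:example:issuer", "did:example:holder",
		map[string]string{"name": "Alice Example", "birth_year": "1990", "license_class": "C"}, 1800000000)
	attrs, err := Verify(pub, cred.Present("license_class"), 1700000000)
	fmt.Println(attrs, err)

	// A value changed after issuance no longer matches any signed digest.
	p := cred.Present("birth_year")
	p.Revealed[0].Value = "2010"
	_, err = Verify(pub, p, 1700000000)
	fmt.Println(err)
}
```

The only thing the verifier needs from the issuer is its public key, obtained once and out of band (in a DID-based deployment, by resolving the issuer's DID document), which is what makes the interaction offline with respect to the issuer. Revocation is deliberately out of scope here; in practice it is handled by short expiries or a status list the verifier can fetch without identifying the holder.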


When we think about the IdentityNext concept, it is not a rip-and-replace of existing identity infrastructure. It’s not a revolutionary approach to how identity is exchanged. IdentityNext could be the next wave of how all of us will interact, putting each of us at the center of all relationships that span physical and digital interactions. It’s evolving how we transact, simplifying our experiences and building for a world that practices proper data stewardship.
