
All you need to know about SSI for Corporates and IoT – Heather Vescent

https://ssimeetup.org/gaps-corporate-iot-identity-heather-vescent-webinar-35/
Heather Vescent, the owner of The Purple Tornado, a foresight and strategic intelligence consultancy, explains how digital identity gaps in Corporate and IoT Identity can be solved from an NPE (non-person entity) point of view. The webinar will answer: What is an NPE? How is an NPE both different and similar to human identity? What is the relationship humans have with NPEs? How is NPE identity more complex than the identity we know today? What considerations do we need to make when developing identity solutions for the future?

The webinar defines a taxonomy for Non-Person Entities (NPEs), defines the relationships NPEs have with humans and each other, and identifies 11 market gaps in today’s technology solutions that have the potential to be solved using decentralized identity technology. Industry-wide solutions must be forged collaboratively in order to address a broad set of digital identity and data privacy problems.

This webinar shares research funded by the Department of Homeland Security Science & Technology, Cybersecurity directorate by The Purple Tornado, with Heather Vescent as the Principal Investigator. Vescent has delivered research insights to governments and corporations in digital identity, military learning, payments, transactions, and new economic models. She is the writer/producer of 14 documentaries and short films about future technology. Her clients include US & UK governments, SWIFT, CitiVentures, Disney, IEEE, mid-size companies and start-ups. Her research has been covered in the New York Times, CNN, American Banker, CNBC, Fox, and the Atlantic. She is an author of the Cyber Attack Survival Manual, published by Weldon-Owen. Her work has won multiple awards from the Association of Professional Futurists.


  1. Entities, Identities, & Registries. Heather Vescent. SSI Meetup | September 2019. Gaps in Corporate and IoT Identity. Creative Commons license (CC BY-SA 4.0).
  2. SSIMeetup objectives: 1. Empower global SSI communities 2. Open to everyone interested in SSI 3. All content is shared with CC BY SA. Alex Preukschat, Coordinating Node, SSIMeetup.org (@SSIMeetup, @AlexPreukschat). https://creativecommons.org/licenses/by-sa/4.0/
  3. Who am I: Heather Vescent • CEO, The Purple Tornado Strategic Intelligence Consultancy • Author, Cyber Attack Manual • Author, SSI Report • Filmmaker, 14 Films (IIW Films) • IIW, CCG VC WG Communities • @heathervescent
  4. Research Background • Private Sector Digital Identity • Funded by DHS Science & Technology Cybersecurity Division • Researchers: Heather Vescent & Kaliya Young • Download: bit.ly/NPEreport. Objective: Research private sector companies' digital identity and data privacy processes, with an emphasis on identifying market failures.
  5. Current State • Past solutions create today’s problems • New technologies create new opportunities • Onboarding of billions of new identities – Humans – Companies – IoT objects (smart things) – Tracking (dumb things) – Robots • New regulations
  6. What is a Non-Person Entity Identity?
  7. What is a Non-Person Entity Identity? Company (legal entity)
  8. What is a Non-Person Entity Identity? Company (legal entity) • Thing (IoT device)
  9. What is a Non-Person Entity Identity? Company (legal entity) • Thing (IoT device) • System (network)
  10. How many identities? • 180 Million Companies, 2 Gov + 3 Business IDs: 900 million identities • 7.7 Billion Humans, 34-48% online, 2 Gov + 5 Online ID: 18-26+ billion identities (FB: 2.38B, G: 2+B users) • 25-75 billion IoT devices (by 2021) • 35 million packages daily shipped/tracked (UPS & FedEx), 9 billion yearly
  11. How many identities? • 180 Million Companies, 2 Gov + 3 Business IDs: 900 million identities • 7.7 Billion Humans, 34-48% online, 2 Gov + 5 Online ID: 18-26+ billion identities (FB: 2.38B, G: 2+B users) • 25-75 billion IoT devices (by 2021) • 35 million packages daily shipped/tracked (UPS & FedEx), 9 billion yearly • Total: ~100 Billion Identities
  12. + robot identity?
  13. NPEs are given identity (Registries)
  14. Web of Organizational Trust • Identity is used to create more identifiers
  15. NPE identity requires human identity • Ownership / Liability • Responsibility • Humans take actions for NPEs • NPEs take action for humans • (And collect & share data)
  16. Why important to Government? • Governments give legal entities identity • Legal identity is important in many industries o Banking & Finance (KYC, AML, UBO, Beneficiary) o Global Trade • Customs o Internet of Things is growing exponentially • Security of sensors • Authenticity of sensor collected data • Who is responsible/liable when things go wrong?
  17. NPE is complex. NPE Identities • Relate to each other • Interact with each other • Depend on each other
  18. Report identified 11 Market Gaps. Corporate NPE Gaps: 1. Legal Identity of Corporations; 2. Conclusive Ultimate Beneficial Owner; 3. Conclusive Verified Corporate Data; 4. Corporate Delegation; 5. Real-Time Verified Identity; 6. NPE Responsibility. IoT NPE Gaps: 1. Legal Identity of IoT Things; 2. Tracking and Auditing in the Supply Chain; 3. IoT Security Standards; 4. IoT Self-Authentication; 5. Data Integrity from IoT Sensors.
  19. 1: Legal Identity of Corporations • PROBLEM: Digitally native identity credentials don’t exist, nor do ways to receive and give verified credentials about an organization’s identity from an authoritative source. • IMPACT: KYC checks are costly and take time. “KYC and associated processes cost the average bank $60m annually.” - Consult Hyperion report
  20. 2: Conclusive Ultimate Beneficial Owner • PROBLEM: Finding the Ultimate Beneficial Owner (UBO) of a company is difficult and sometimes impossible. Banks aren’t required by statute to conclusively find a UBO before proceeding, but to make a reasonably good-faith effort to do so. • IMPACT: The cost is hard to quantify, but not knowing who a UBO is can result in tax fraud and enable criminal and terrorism activities and transactions designed to circumvent sanctions.
  21. 3: Conclusive Verified Corporation Data • PROBLEM: There is no standard way to find verified corporate identity data, like legal name, address and jurisdiction, along with the identification of authorized delegates who have authority to sign contracts, transfer funds, and take action on behalf of the company, in a digitally native format. • IMPACT: Initial costs (similar to KYC costs) for corporate identity proofing. These costs include accessing outside databases for information, confirming that data, as well as ongoing costs to keep this data current.
  22. 4: Corporate Delegation. Humans enter into contracts, make financial transactions, and take other actions on behalf of the corporation. There are processes to initiate this delegation, and the need for up-to-date information on who remains authorized. GAP: Real-time verified delegation
  23. 5: Real-Time Verified Identity • PROBLEM: Real-time updated identity information associated with corporate accounts, specifically which humans have the authority to take action on behalf of a company on a real-time basis. Current corporate delegation data is updated anywhere from 30 days to 2 years. • IMPACT: One subject matter expert shared a story of CEO fraud, where criminals spear phished a corporate account and convinced CEOs to transfer millions of dollars to the criminal account.
  24. 6: NPE Responsibility • PROBLEM: A company (which is an NPE) owns robots (which are NPEs) that work in a factory. A company (an NPE) manufactures an autonomous vehicle (an NPE). A company (an NPE) manufactures a pacemaker (an NPE) and also collects data about the pacemaker’s system as well as data about the human system the device is embedded in. • IMPACT: This could become an issue in the future, for example the case of liability of a self-driving car, or a factory robot, that isn’t directly mapped to an individual supervisor or “driver” but is under corporate or algorithmic control.
  25. 7: Legal Identity of IoT Things. Identity is built into very few IoT devices. There are no universal standards or regulations around which IoT objects have an identity assigned at “birth,” unlike a baby registry or corporate registry. • Some companies give IoT devices an identity, but legal identity is not required. • Some companies keep registries for devices like pacemakers or jet engines. GAP: Legal IoT Identity
  26. 8: Tracking & Auditing the Supply Chain • PROBLEM: Many goods are tracked and audited as they flow from manufacturer through the supply chain to the destination. While many goods are tracked with a barcode or serial number, there is the desire to more thoroughly track goods in the supply chain, including their components, sources of raw material, and the chain of custody. • IMPACT: Lost income due to IP theft. Lost tax revenue. Potential terrorist financing.
  27. 9: IoT Security Standards • PROBLEM: Smart homes, surveillance devices, connected appliances, and vehicles have persistent and structural vulnerabilities that make them difficult to secure for many real-world situations. Many tools are designed with weak security and are vulnerable to “IoT takeovers.” • IMPACT: The liability ramifications are largely a matter of speculation; however, we can get an idea of some economic impacts from the size of the ransomware market, estimated at $1b in 2016 and $2b in 2017. “Securing IoT devices is a major challenge, and manufacturers tend to focus on functionality, compatibility requirements, and time-to-market rather than security.” —Interagency Report on Status of International Cybersecurity Standardization
  28. 10: IoT Self-Authentication • PROBLEM: The technical process of authenticating the veracity of the IoT device and any data collected by the IoT device. • IMPACT: Limits utility to high-exposure IoT applications, due to economic cost. Attack surfaces remain due to high cost to implement broadly.
  29. 11: Data Integrity from IoT Sensors • PROBLEM: How do I know the data coming off the sensor is accurate? There need to be mechanisms to know that data coming off sensors, drones, and other IoT data-generating devices is reliable for high-security applications. • IMPACT: Contamination or distortion of data from smart city sensors, lightweight devices that control utility grids or operations, and other cyber-physical systems could do serious real-world damage if an attack occurred and it took significant time to detect due to failed monitoring sensors.
  30. Other Impacts • Regulation • Global landscape • Scale • Formal ownership. “One of the major reasons the Internet+ is so insecure today is the absence of government oversight. Government is by far the most common way we improve our collective security, and it is almost certainly the most efficient.” —Bruce Schneier, Click Here to Kill Everyone
  31. Future: Augmented Identity • Software taking action on your behalf • Devices doing things on your behalf • Data collecting/sharing on your behalf. Do we need more nuanced identity?
  32. Future: Combined Identity. People create a collective identity that acts in a unified way as more than the sum of its parts. • Today’s systems are set up for a single or legal identity. • There is no way for a group to create a collective identity with financial and login authentication. • This use case could be used for ad-hoc, temporal business collaborations like film productions and creative project-based partnerships. • Could include NPEs.
  33. Why do we care? • Liability: who pays when something goes wrong? • Responsibility: who is responsible at a particular time? • Regulation: global trend for more regulation • Collaboration: rising trend to work together • Future Proof: envision the true scale of the problem
  34. Future Identity System Goals • Manage a trillion identities – And all their relationships • Thrive in dynamic environment • Enable delegation – Between humans & NPEs • Involve automated systems • Solve current data, privacy problems
  35. Thank you + Questions. Heather Vescent • www.ssiscoop.com • www.thepurpletornado.com • heathervescent@gmail.com • vescent@thepurpletornado.com • @heathervescent. Download NPE: bit.ly/NPEreport. Download VDS: bit.ly/vdsreport
  36. Entities, Identities, & Registries. Heather Vescent. SSI Meetup | September 2019. Gaps in Corporate and IoT Identity.