An economic revolution is quietly occurring. It is built upon creating new, rapid interdependencies between enterprises, devices, and people. This allows us to analyze, optimize, prophesize, customize, digitize, and automate services. What most people and enterprises don’t understand are the requirements to be successful in this new world. That is what this paper addresses.
It is built upon trust. This paper identifies the foundational pieces required to create trust for an interdependent world:
• Identity verification
• Identity authentication
• Authorization consent
• Security
• Operational availability
Requirements for each piece are stated from the following perspectives:
• Users
• Third party (e.g. banks, telco’s, insurance companies, small businesses, et al.)
• Government (municipal, regional, state, and national)
• Identity verification and authentication service
The underlying infrastructure required for this interdependent world is complex. The paper illustrates this by examining the three main protocols required: OpenID Connect, OAuth, and User Managed Access.
It also discusses a potential downside of creating an interdependent world – creating a single point of enterprise and/or economic failure. A disturbing trend is the increasing size of botnet distributed denial of service attacks. The paper uses Estonia’s 2007 attack to illustrate this problem on a national scale.
Our open letter to ARNECC requesting digital mortgage options be included as a priority consideration in 2016 to encourage an acceleration of take-up of mortgage transactions in PEXA.
Will blockchain emerge as a tool to break the poverty chain in the Global South?eraser Juan José Calderón
Will blockchain emerge as a tool to break the poverty chain in the Global South?. Nir Kshetri
ABSTRACT
Just like its recent predecessors, blockchain – also known as the
distributed ledger technology – is considered to have the potential
to cause major economic, political and social transformations in the
Global South. The visible effects of this technology are already being
noted there. We present early evidence linking the use of blockchain in
overcoming some economic, social and political challenges facing the
Global South. The article highlights the key applications and uses of
blockchain in developing countries. It demonstrates how blockchain
can help promote transparency, build trust and reputation, and
enhance efficiency in transactions. The article looks at opportunities
and key triggers for blockchain diffusion in these countries. It also
delves into challenges and obstacles that developing economies are
likely to encounter in the use of blockchain.
Blockchain beyond fintech by ridgelift.ioUdayan Modhe
A comprehensive paper on blockchain technology. It covers blockchain technological aspects, blockchain evolution, future trends in blockchain implementation and reference architecture.
Our open letter to ARNECC requesting digital mortgage options be included as a priority consideration in 2016 to encourage an acceleration of take-up of mortgage transactions in PEXA.
Will blockchain emerge as a tool to break the poverty chain in the Global South?eraser Juan José Calderón
Will blockchain emerge as a tool to break the poverty chain in the Global South?. Nir Kshetri
ABSTRACT
Just like its recent predecessors, blockchain – also known as the
distributed ledger technology – is considered to have the potential
to cause major economic, political and social transformations in the
Global South. The visible effects of this technology are already being
noted there. We present early evidence linking the use of blockchain in
overcoming some economic, social and political challenges facing the
Global South. The article highlights the key applications and uses of
blockchain in developing countries. It demonstrates how blockchain
can help promote transparency, build trust and reputation, and
enhance efficiency in transactions. The article looks at opportunities
and key triggers for blockchain diffusion in these countries. It also
delves into challenges and obstacles that developing economies are
likely to encounter in the use of blockchain.
Blockchain beyond fintech by ridgelift.ioUdayan Modhe
A comprehensive paper on blockchain technology. It covers blockchain technological aspects, blockchain evolution, future trends in blockchain implementation and reference architecture.
The Digital Reserve is structured to provide the infrastructure for
increased on-chain liquidity and institutional microfinance; disrupting a $100 Billion dollar market that is growing greater than 15% per year.
This includes a strategy to move from centralized development to
decentralization. The Digital Reserve Network (“The Digital Reserve”) is a novel microfinance institution designed to produce economic gain for stakeholders and a sustainable model for increasing financial inclusion.
The Digital Reserve is a pseudo-anonymous peer to peer network
secured by a fee-based Proof of Stake algorithm and quantum
resistant cryptographic signatures. This network will utilize a modified Directed Acyclic Graph or GHOST to minimize block times and increase scalability. As a development of the ability for Blockchain networks to establish a distributed consensus based economy, one of the primary advancements will be the Denarii protocol’s utilization of the staked transactions. They will be treated as working assets allocated to users based upon increasingly stringent conditions as the amounts increase. The Denarii protocol will follow parameters established by a dynamic machine learning process that tracks borrowing rates, defaults and overall transactions to normalize the monetary supply to boundary conditions. This includes a strategy to move from centralized development to decentralization.
Tom Carlson of Weston, CT and financial professional with a wide background in business turnaround focuses on an interview that Mark Andreessen had with Bloomberg Market magazine. The interview focused on Andreessen's view on how the financial market can change and adopt new policies and ways of operation.
What is happening with the Crypto Market. Could it be than course correction or is the bubble busting on the market? You need to answer it for yourself.
"LIBRA: IS IT REALLY ABOUT MONEY?" de Valerie Khan Vice President Digital Equity Association valerie.khan@d-eq.org Geoffrey Goodell Centre for Blockchain Technologies University College London
IS BITCOIN DEAD? NOT THE PART THAT MATTERSSteven Rhyner
Like many in the digital currency community, I’m tired of the "bitcoin is dead" line that has permeated mainstream coverage of high-profile software developer Mike Hearn’s decision to quit the "failed" bitcoin experiment.
Jan 31st 2019 presentation to the Seattle Risk Management Association. Overview of how blockchain impacts the world of financial services and where the key touchpoints are for backing. Removing double spend and the middleman.
W3Coins makes earning money, monitoring income, paying bills, making purchases and even transferring funds, effortless and available to everybody through the use of mobile devices and laptops.
Presentation for Government Blockchain Association l San Juan, Puerto Rico l Piloto 151, 7'June 2018
(c) Vladislav Solodkiy, A.ID
www.followthemoney.id
Blockchain buzz - getting to the bottom of distributed ledger technologyLacuna Innovation
It's taken the world by storm, but what is it really and what it can do for you. Take a look at the buzz on blockchain, as we unpack it's potential in this whitepaper.
Identity federation – Mitigating Risks and Liabilities Guy Huntington
When I go into enterprises deploying identity federation, I frequently tell my teams that I have four letters stenciled across my forehead: R I S K. To mitigate risk from federation requires an enterprise view of the risk from Legal, Governance, Business, and IT.
It has been my experience that Business and Legal don’t fully understand the risks involved, and instead trust their IT department to “handle it.” This is why I have written this paper. It is aimed at Business, Legal, and IT leaders within an enterprise that is either embarking on identity federation and/or expanding their use of it. By reading this paper, you will learn the types of things your enterprise should be doing to mitigate federation risks and potential liabilities.
One pager - "Trust in an Interdependent World" - October 2017Guy Huntington
“The information age has ushered in a networked and interdependent world, one in which challenges and opportunities appear and disappear faster than traditional organizational models can manage.” - Chris Fussell
We are living in an economic revolution, which is quietly disrupting almost all of our ways of doing things. Driven by electronic interdependencies between multiple parties, it requires trust.
Central to creating the trust is verifying who the identity is, accepting an authentication, and obtaining the identity’s authorization consent. Technology for interdependency, i.e. federation, is outpacing our ability to create this trust. New guidelines, laws, and regulations are required to leverage biometrics for identity verification.
Couple this with the advent of a miniature “Internet of Things.” Each of us will likely have hundreds of them. We will be required to provide our authorization consent allowing each device to work with other devices, identities, and/or enterprises.
The result? A revolution is upon us. It’s unlike anything we have ever seen.
The Digital Reserve is structured to provide the infrastructure for
increased on-chain liquidity and institutional microfinance; disrupting a $100 Billion dollar market that is growing greater than 15% per year.
This includes a strategy to move from centralized development to
decentralization. The Digital Reserve Network (“The Digital Reserve”) is a novel microfinance institution designed to produce economic gain for stakeholders and a sustainable model for increasing financial inclusion.
The Digital Reserve is a pseudo-anonymous peer to peer network
secured by a fee-based Proof of Stake algorithm and quantum
resistant cryptographic signatures. This network will utilize a modified Directed Acyclic Graph or GHOST to minimize block times and increase scalability. As a development of the ability for Blockchain networks to establish a distributed consensus based economy, one of the primary advancements will be the Denarii protocol’s utilization of the staked transactions. They will be treated as working assets allocated to users based upon increasingly stringent conditions as the amounts increase. The Denarii protocol will follow parameters established by a dynamic machine learning process that tracks borrowing rates, defaults and overall transactions to normalize the monetary supply to boundary conditions. This includes a strategy to move from centralized development to decentralization.
Tom Carlson of Weston, CT and financial professional with a wide background in business turnaround focuses on an interview that Mark Andreessen had with Bloomberg Market magazine. The interview focused on Andreessen's view on how the financial market can change and adopt new policies and ways of operation.
What is happening with the Crypto Market. Could it be than course correction or is the bubble busting on the market? You need to answer it for yourself.
"LIBRA: IS IT REALLY ABOUT MONEY?" de Valerie Khan Vice President Digital Equity Association valerie.khan@d-eq.org Geoffrey Goodell Centre for Blockchain Technologies University College London
IS BITCOIN DEAD? NOT THE PART THAT MATTERSSteven Rhyner
Like many in the digital currency community, I’m tired of the "bitcoin is dead" line that has permeated mainstream coverage of high-profile software developer Mike Hearn’s decision to quit the "failed" bitcoin experiment.
Jan 31st 2019 presentation to the Seattle Risk Management Association. Overview of how blockchain impacts the world of financial services and where the key touchpoints are for backing. Removing double spend and the middleman.
W3Coins makes earning money, monitoring income, paying bills, making purchases and even transferring funds, effortless and available to everybody through the use of mobile devices and laptops.
Presentation for Government Blockchain Association l San Juan, Puerto Rico l Piloto 151, 7'June 2018
(c) Vladislav Solodkiy, A.ID
www.followthemoney.id
Blockchain buzz - getting to the bottom of distributed ledger technologyLacuna Innovation
It's taken the world by storm, but what is it really and what it can do for you. Take a look at the buzz on blockchain, as we unpack it's potential in this whitepaper.
Identity federation – Mitigating Risks and Liabilities Guy Huntington
When I go into enterprises deploying identity federation, I frequently tell my teams that I have four letters stenciled across my forehead: R I S K. To mitigate risk from federation requires an enterprise view of the risk from Legal, Governance, Business, and IT.
It has been my experience that Business and Legal don’t fully understand the risks involved, and instead trust their IT department to “handle it.” This is why I have written this paper. It is aimed at Business, Legal, and IT leaders within an enterprise that is either embarking on identity federation and/or expanding their use of it. By reading this paper, you will learn the types of things your enterprise should be doing to mitigate federation risks and potential liabilities.
One pager - "Trust in an Interdependent World" - October 2017Guy Huntington
“The information age has ushered in a networked and interdependent world, one in which challenges and opportunities appear and disappear faster than traditional organizational models can manage.” - Chris Fussell
We are living in an economic revolution, which is quietly disrupting almost all of our ways of doing things. Driven by electronic interdependencies between multiple parties, it requires trust.
Central to creating the trust is verifying who the identity is, accepting an authentication, and obtaining the identity’s authorization consent. Technology for interdependency, i.e. federation, is outpacing our ability to create this trust. New guidelines, laws, and regulations are required to leverage biometrics for identity verification.
Couple this with the advent of a miniature “Internet of Things.” Each of us will likely have hundreds of them. We will be required to provide our authorization consent allowing each device to work with other devices, identities, and/or enterprises.
The result? A revolution is upon us. It’s unlike anything we have ever seen.
Identity federation = Biometrics and Governments Sept 2017Guy Huntington
We live in an increasingly small world with rapid technological changes. Our existing identity verification systems were designed for the early 1900s. This was long before the rise of the internet with the fast, easy movement of people between government borders, electronic identity federation between enterprises and genetic cloning.
The use of high identity assurance, i.e. strong identity verification, is required to accomplish things like citizens easily being able to use digital signatures, vote online, conduct large financial transactions, etc. It requires a trusted government issued identity, from the date of birth onwards through an identity’s life. We must re-design our systems to answer the question “How do I know if you are really you?” while protecting the citizen’s privacy and their biometrics. That's what this paper discusses.
Identity Federation: Citizen Consent and the Internet of Things - October 2017Guy Huntington
With nanotechnology, devices are shrinking down to an almost molecular level and have the ability to communicate wirelessly via the Internet. These devices are beginning to proliferate in almost all aspects of our lives be it medical, transportation, government, clothing, appliances, and so on.
Since device owners have to access many different systems to manage their authorization consents, it becomes unwieldly. This paper addresses the simple question of “How do I manage all my consents across a wide variety of different devices, suppliers, and their systems in one place?”
Blockchain: A Potential Game-Changer for Life InsuranceCognizant
As a shared, secure, distributed ledger that works in a peer-to-peer environment, blockchain technology can benefit the insurance industry in numerous ways throughout the value chain. We explore several use cases, including death claims processing, to illustrate blockchain's ability to streamline cumbersome workflows, reduce errors and fraud, increase auditability and confer competitive advantage.
Healthcare.gov Rocky Rollout Infographic by Galorath.comDan Galorath
Galorath Inc. (the SEER Cost, Schedule, Risk Model Developers) watched the healthcare.gov rollout difficulties, the outcries and finger pointing and decided to take a more analytical look. While it is easy to throw stones at stakeholders, this was a huge IT project and there were bound to be challenges. Could it have gone better? Sure. Were there adequate resources? Seems so. Should testing and quality assurance been more rigorous? Yes, but there didn’t appear to be adequate time. Were the requirements firmed up in advance? That could have been a significant contributor.
We are confident that healthcare.gov will recover and this will go down in history as another IT lesson learned. Using our SEER models up front could have shown the minimum possible schedule as well as costs and risks. This foresight could have helped the government and suppliers to do better to plan for the inevitable defects. Tracking progress with SEER could have also provided an early warning indicator… Probably early enough that corrective actions could have helped.
by Galorath.com - http://www.galorath.com
Over the last decade, the first wave of fintech has mostly resulted in sustaining innovations within the financial services industry. This presentation explores the next three waves of disruption that are set to revolutionise the economy, from the modularisation of the fintech stack to global consumer platforms extending into finance to the potential of blockchain and Web 3.0.
The Digital Disruption of Financial ServicesTony Moroney
Financial services must adapt; quoting from Leading Digital Transformation, its about "the adaptations a business makes to be competitive in a digitalized world". It's the C-suites job!
company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Identity Federation: Governments and Economic GrowthGuy Huntington
This paper illustrates how identity federation rethinks citizen interaction with government and third parties. It provides examples for finance, health, social services, drivers’ licenses, passports, different levels of governments, citizens’ changing addresses, and schools.
The net effects of identity federation are:
• A rapid increase in the speed of servicing a citizen via their cell phone
• Seamless interaction from the national identity verification service with governments and third parties
• Lower cost of service
• A citizen’s privacy is protected with their consent
• Economic growth
Lays out the effects of a national identity for a citizen’s lifecycle events including:
* Birth
* Vaccinations
* First day of school
* Health treatment
* Getting driver’s license and passports
* Changing name and gender
* Paying for government services taxes, fines
* i-Voting
* Moving within the country
* Claiming for social services
* Death
This presentation covers the challenges of:
* Most African governments struggle with people Illegally immigrating in and then masquerading as a citizen
* Voting irregularities
* Pretending to be students when they’re not
* Using dead citizen’s identities to then use them to access social programs
* Governments find the identity is effectively siloed in many different ministry databases and have problems with fake identity cards being used
Presents an integrated framework that not only addresses this BUT ALSO can be used for education, health and citizen payments
Global & National Identity Projects Failures and SuccessesGuy Huntington
* Reviews common causes for why so many large identity projects fail, go over budget and timelines and under-deliver
* Describes, based on my experience, ways to structure a large identity program with several related identity projects such that they will be successful
Developing Countries National ICT Identity Governance StrategyGuy Huntington
Reviews the governance components required to successfully implement and maintain an e-government strategy:
* Identity data governance
* Identity infrastructure governance
* Laws and regulations governance
Reviews current government challenges in receiving and making citizen payments
Presents a way for governments to make more money every day by leveraging citizen identity and the phone
National Identity ICT Defence and Intelligence StrategyGuy Huntington
Examines:
* Significant risk of governments being held for ransom from malware attacks on their national ICT infrastructure
* Lays out high level requirements for:
- Privacy
- Malware and denial of service attack defence
- High availability
* Lays out existing healthcare delivery problems many developing countries have
* Presents a high level framework for an ICT health care strategy leveraging identity
National ICT & Education Strategy July 2016Guy Huntington
Presents the author’s own experience and efforts to change the Canadian education system
Warns countries of simply adding cost to their existing education and ICT budgets by adding technology if they don’t learn from past mistakes other countries have made
Presents a high level framework for an education strategy leveraging identity and ICT
National identity strategy presentation may 10, 2016Guy Huntington
Based on my recent activities in Africa, I have updated my proposed national citizen digital identity strategy to include:
* Benchmark it against Estonia
* Include overview of the number of different RFP's required and show how they can be combined with local and off-shore suppliers
* Compare against what the World Bank's ID4D study recommends
Based on all my experience, i want to assist governments in creating a national citizen identity that will enable citizens to use the technology they have, the cell phone, to improve their lives. This high level overview outlines how by using their voice to authenticate, citizens can receive young children vaccination management, health and education management and pay for government services using their SMS Banking and telco e-wallet services.
Proposed country identity strategy july 24, 2015Guy Huntington
Based on all my experience, i want to assist governments in creating a national citizen identity that will enable citizens to use the technology they have, the cell phone, to improve their lives. This high level overview outlines how by using their voice to authenticate, citizens can receive young children vaccination management, health and education management and pay for government services using their SMS Banking and telco e-wallet services. As well the slides also show how governments can use this to make and save money.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
Instagram has become one of the most popular social media platforms, allowing people to share photos, videos, and stories with their followers. Sometimes, though, you might want to view someone's story without them knowing.
Gen Z and the marketplaces - let's translate their needsLaura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics in their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases , we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held on the DMA Conference in Vienna June 2024.
Italy Agriculture Equipment Market Outlook to 2027harveenkaur52
Agriculture and Animal Care
Ken Research has an expertise in Agriculture and Animal Care sector and offer vast collection of information related to all major aspects such as Agriculture equipment, Crop Protection, Seed, Agriculture Chemical, Fertilizers, Protected Cultivators, Palm Oil, Hybrid Seed, Animal Feed additives and many more.
Our continuous study and findings in agriculture sector provide better insights to companies dealing with related product and services, government and agriculture associations, researchers and students to well understand the present and expected scenario.
Our Animal care category provides solutions on Animal Healthcare and related products and services, including, animal feed additives, vaccination
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
2. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 2
Table of Contents
Executive Summary ..................................................................................................................................................3
Introduction................................................................................................................................................................4
The Foundational Piece – Identity Verification ..........................................................................................................5
Identity Authentication ...............................................................................................................................................9
Authorization Consent .............................................................................................................................................11
Security ...................................................................................................................................................................14
Operational Availability............................................................................................................................................22
Summary .................................................................................................................................................................24
About the Author .....................................................................................................................................................25
3. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 3
Executive Summary
An economic revolution is quietly occurring. It is built upon creating new, rapid interdependencies
between enterprises, devices, and people. This allows us to analyze, optimize, prophesize, customize,
digitize, and automate services. What most people and enterprises don’t understand are the requirements
to be successful in this new world. That is what this paper addresses.
It is built upon trust. This paper identifies the foundational pieces required to create trust for an
interdependent world:
• Identity verification
• Identity authentication
• Authorization consent
• Security
• Operational availability
Requirements for each piece are stated from the following perspectives:
• Users
• Third party (e.g. banks, telco’s, insurance companies, small businesses, et al.)
• Government (municipal, regional, state, and national)
• Identity verification and authentication service
The underlying infrastructure required for this interdependent world is complex. The paper illustrates
this by examining the three main protocols required: OpenID Connect, OAuth, and User Managed
Access.
It also discusses a potential downside of creating an interdependent world – creating a single point of
enterprise and/or economic failure. A disturbing trend is the increasing size of botnet distributed denial
of service attacks. The paper uses Estonia’s 2007 attack to illustrate this problem on a national scale.
4. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 4
Introduction
In a recent column, the noted NY Times Columnist Thomas Friedman stated1
:
“We’re going through a change in the “climate” of globalization — going from an
interconnected world to an interdependent one, from a world of walls where you build your
wealth by hoarding the most resources to a world of webs where you build your wealth by
having the most connections to the flow of ideas, networks, innovators, and entrepreneurs. In this
interdependent world, connectivity leads to prosperity and isolation leads to poverty. We got rich
by being “America Connected” not “America First.”
Finally, we are going through a change in the “climate” of technology and work. We’re moving
into a world where computers and algorithms can analyze (reveal previously hidden patterns);
optimize (tell a plane which altitude to fly each mile to get the best fuel efficiency); prophesize
(tell you when your elevator will break or what your customer is likely to buy); customize (tailor
any product or service for you alone); and digitize and automatize more and more products and
services. Any company that doesn’t deploy all six elements will struggle, and this is changing
every job and industry.”
This begs the question: “What is required to enable myself or my enterprise to prosper in this
revolution?” The answer lies in the word “trust”.
In an interdependent economy, trust for each party to a transaction is dependent upon:
• Identity verification
• Identity authentication
• Authorization consent
• Security
• Operational availability
1
https://www.nytimes.com/2017/09/27/opinion/globalization-trump-american-
progress.html?rref=collection%2Fcolumn%2Fthomas-l-
friedman&action=click&contentCollection=opinion®ion=stream&module=stream_unit&version=latest&contentPlaceme
nt=1&pgtype=collection
5. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 5
The Foundational Piece – Identity Verification
Who are you? How do I know you are who you attest to be? The answers to these questions depends on
risk.
For many transactions, the risk is low, requiring little or no identity verification. As risk rises, the
foundational documents that attest to the identity need to be viewed and/or verified.
The old way of identity verification for high risk was the birth registry. It is no longer a valid test due to
the low cost of forgery of birth certificates. Mitigating this risk requires the ability to attach a physical
attribute of the person to the birth registry.
A verification service will need to be accessed at various times in an identity’s life to verify they are
who they claim to be (e.g. name and gender changes, marriage, and death). It will become foundational,
and other more widely used credentials (such as driver’s licenses, passports, identity cards, and voting
registries) can then be built upon it.
As this paper describes “Identity Federation: Biometrics and Governments”
(https://www.slideshare.net/ghuntington/identity-federation-biometrics-and-governments-sept-2017-
80192336), accomplishing this requires governments to create new laws and regulations protecting the
biometrics used to identify a person (fingerprints, iris, and DNA). It also requires the national identity
verification service to be run separately from other traditional government ministries responsible for
things like drivers’ licenses and passports.
6. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 6
Requirements
Users
Users are rightfully concerned about their privacy in an “interdependent world”. They should be
demanding that governments create and/or modify laws and regulations adhering to the principles laid
out in the “Biometrics and Governments” paper.
Third Parties
In an “interdependent world,” third parties will be entering into legal agreements with many other
enterprises and/or governments where there is potential risk and liabilities. As the risk rises, third parties
need to have a secure, legal way of verifying the identity of the person they are conducting business
with.
One of the effects of an interdependent world is fast speed of service. For example, the “Biometrics and
Government” paper illustrates this by stating that in some countries creating a bank account can be
created online in less than 18 minutes. This requires identity trust. Thus, third parties need a low cost,
secure, trusted way of doing this.
Third party requirements:
• Lobby governments to:
o Create laws and regulations offering an identity verification service that is secure and
always available
o Create digital signatures for citizens to use after verifying their identity
o Create standard levels of identity assurance which can be referred to in any federation
legal agreement
• OpenID Connect should be used to federate with:
o The national identity verification and authentication service (see the Security and
Operations section of this paper for more details), or
o Third parties who are the authoritative source for an identity
• For the Identity Provider, federation contracts should include:
o Identity assurance levels, notification processes to Relying Parties when the identity
changes, identity termination processes, archival policies, privacy breach processes, etc.
• For a party consuming the identity (Relying Party), federation contracts should include:
o The identity assurance levels required, agreement to the notification, privacy breach
processes
o The assignment of legal liability to the Identity Provider when the identity isn’t whom
they claim to be and damages occur to the Relying Party
7. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 7
Governments
All levels of governments need to know who they are dealing with based on risk with varying levels of
trust. The identity may or may not be required to comply with laws. Many may be willing to provide
their consent to join an optional government-offered key contact service. The citizen would update their
address and phone numbers with the updated information is instantly sent out to different levels of
governments and third parties.
Therefore, all levels of governments need to:
• Agree on the creation of an identity verification service which is authoritative for the identity
• Create and/or amend laws and regulations protecting the identity’s privacy and their biometrics
• Agree to consume identities from the identity verification service
• Agree on identity assurance standards
• Create memorandums of understanding which agree on terms and conditions regarding how the
identities will be used
• In addition, OpenID Connect should be used to federate with the identity verification and
authentication service (see the Security and Operations section of this paper for more details)
Government Agencies
Government departments and ministries responsible for things like driver’s licenses, passports, national
ID cards, and voting registries should:
• Consume the identity verification from the national identity verification service
• NOT be authoritative for the identity. This is the responsibility of the national identity
verification service
• Get citizen consent to obtain biometrics used in driver’s licenses, passports, etc.
• Be notified by the national identity verification service when an identity undergoes changes to
their name, address, or gender as well as when they die
8. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 8
Identity Verification and Authentication Service
Should meet the following requirements:
• Protect the biometrics used to verify the identity by adhering to laws and regulations.
• Should NEVER:
o Export any biometrics out of their service to any other government agency or third party
o Use the biometrics for any other purpose other than identity verification
• Should be responsible for:
o Securely collecting citizen biometrics when a citizen is born
o Attaching biometrics to the citizen’s birth record as well as to their national e-identity
o Creating standards and operating procedures for any device used to obtain a biometric
and for sending it to the national identity verification service
• Should offer an optional service for citizens where they can update their address and phone
number and then have the updated information automatically sent out to government agencies
and third parties which the citizen specifies
• Should run the identity verification service on a separate secure network that is accessible via the
Internet to different levels of governments and third parties
• Be legally liable for high levels of identity assurance
• After identity verification, issue digital certificates to citizens
9. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 9
Identity Authentication
One of the consequences of an interdependent economy is that many of the transactions will occur
electronically. Authentication is either one or a combination of:
• Something you know
• Something you have
• Something you are
The type of authentication used should be based on risk. Low risk is something like a user name and
password. Higher risk is something you carry physically or electronically with you, e.g. a PIN sent to
your phone. Highest risk is usually a combination of all three, i.e. including one or more biometrics.
In today’s world, the increasing use of biometrics to authenticate is now occurring. Biometrics
authentication is now becoming a standard part of cell phone operating systems. What is missing are the
laws and regulations protecting the user’s biometrics.
The “Biometrics and Government” paper referred to in the previous section lays out the principles for
biometrics used for authentication. New laws and regulations are needed which require a citizen’s
consent to use their biometrics. Additionally, these laws and regulations would protect how the
biometrics will be used and stored as well as providing processes for an identity to request that the
biometrics no longer be used.
In an interdependent world, the way an identity is verified and authenticated is by using a protocol called
OpenID Connect. About one billion people use OpenID Connect daily without realizing it when they log
on to Google, Facebook, or PayPal. This occurs when a user clicks on links to other parties, gaining
access to services without having to re-authenticate or be authorized for them.
10. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 10
Requirements
Users
Users should demand that laws and regulations be created to:
• Require their consent for biometrics to be used for authentication
• Safely protect their biometrics
• Require their consent if the biometric is to be used for another purpose
• Ensure their biometrics can’t be transferred between enterprises
• Offer processes for the citizen to revoke use of their biometrics
Third Parties
Third parties will want to authenticate the identity based on risk. They should:
• Either use a national identity authentication service to authenticate the identity, or
• Comply with government laws and regulations allowing them to collect and use biometrics as a
form of authentication
• Be aware of:
o Equal error rates (ERR) for different types of authentication (the rate where a false
positive equals a false negative).
§ I.e., all biometrics are not equal or as reliable
o How device readers can be fooled, thereby allowing a person to masquerade as another
• If available, OpenID Connect should be used to federate with:
o The national identity verification and authentication service (see the Security and
Operations section of this paper for more details), or
o A trusted third party, which will be used as the identity and authentication provider
• Mitigate their potential risks and liabilities for false identities by assigning risk in federation
agreements to the identity and authentication provider
Governments
Different levels of government should:
• Standardize their authentication across all levels of government by using a central government
identity verification and authentication service
• Assign liability for authentication to the national identity and verification service in the
memorandums of understanding between the various levels of governments
• Use OpenID Connect to federate with the national identity verification and authentication service
(see the Security and Operations section of this paper for more details)
National Identity Verification and Authentication Service
Should meet the following requirements:
• Offer an optional national citizen identity authentication service
• Protect the forms of authentication by complying with laws and regulations associated with the
principles described in the “Biometrics and Government” paper
• Ensure the service is secure and highly available (see the Security and Operations section of this
paper for more details)
11. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 11
Authorization Consent
A few years ago, the authoritative source for an identity was also the provider of identity attributes. An
example could be a user logging on to an enterprise, Acme Inc. When the user clicks on a link to another
third party’s service, Acme Inc. sends both the identity and authorization attributes to the other party.
The other party trusts the identity as well as accepting authorization attributes. They use these to provide
customized services to the identity.
However, in today’s interdependent world, an enterprise might be authoritative for an identity while
other enterprises are authoritative for authorization.
With the rise of the Internet of Things, a user may own hundreds of devices. Each device will have
owner consent requirements pertaining to who can use the device and/or the data it produces. If a user
has to sign on to each device to provide their consent, it will become unmanageable.
There is a technological solution for this – a protocol called “User Managed Access.” It allows a user to
centrally manage all their consents from one console, regardless of where each device consent
management resides.
What’s missing is a regulatory framework providing citizens with protection on how their consent is
obtained, used, stored, and transferred. Please refer to “Consent and the Internet of Things”
(https://www.slideshare.net/ghuntington/identity-federation-citizen-consent-and-the-internet-of-things-
october-2017), which lays out principles to construct new laws and regulations.
12. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 12
Requirements
Users
In an interdependent world, users want to:
• Ensure:
o Their authorization consents are obtained
o That no one can masquerade as them to provide false authorization consents
• Have the option of centrally managing all their consents from one place
• Have processes where they can securely transfer from one centrally managed authorization
service provider to another
• Be able to see their history of consents
Third Parties
Third parties offering end user services, producing smart devices requiring consent and/or consuming
data from these devices should:
• Lobby governments to provide a regulatory framework for authorized consent using the
principles laid out in the paper “Consent and the Internet of Things”
• Create legal agreements with both end users as well as enterprises offering the centrally managed
user authorization consent service, which:
o Assigns potential risks and legal liability to the appropriate party
o Defines terms of service including:
§ Time frames from when a consent is given/changed and then implemented
§ Identity and credential assurance levels required to make or change a consent,
§ Archival policies of the consent, and
§ Chain of custody of the consents as required by laws, regulations, and legal
agreements based on risk
o Consider joining or creating common trust frameworks
Third Parties and/or Governments Offering Central User Authorization Consent Services
Third parties and/or governments offering users a central user authorization consent service should:
• Adhere to any laws or regulations pertaining to authorization consent
• Have legal agreements with the end user:
o Specifying potential risks and legal liability to the appropriate party
o Notification processes if and when the user wants to leave the service
o Specify how long the records will be archived
o Consider joining or creating common trust frameworks
13. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 13
Governments
• Create a regulatory framework for authorized consent using the principles laid out in the paper
“Consent and the Internet of Things”
• Ensure that citizen consent for government services is able to be integrated with User Managed
Access and OpenID Connect
National Identity Verification and Authentication Service
• Offers a national citizen identity authentication service, where required, for consent
• Offers optional citizen authentication services, where required, for consent
14. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 14
Security
Protocols:
There are three types of protocols used regarding identity to create an interdependent world:
• OpenID Connect
• OAuth 2.0
• User Managed Access (UMA)
2
2
http://kantarainitiative.org/confluence/download/attachments/17760302/Venn+infographics.pdf
15. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 15
There is a large challenge in securing the underlying business and identity processes in an
interdependent world transaction – they are fragmented. Why? Because the network traffic flows
between multiple enterprises.
When I have led large identity teams in the past, to explain this to the team, I tell there we are going “to
follow the electrons for a single transaction”. It usually results in diagrams showing between 40-100
steps per transaction as it flows between the user, Identity Provider, the Relying Party, Certificate
Authorities and then through the Relying Party’s infrastructure to the service the user wants to access.
To illustrate this, let’s take a high-level look at the traffic flow for UMA:
3
Each arrow, i.e. step, is governed by the protocol. Why should you care?
There are different ways the protocols can be configured. To illustrate this, let’s look at protocols used
to configure OpenID Connect:
3
https://www.google.ca/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0ahUKEwj4y4uS6efWAhVHwlQKHYLODP
wQFgguMAE&url=http%3A%2F%2Fkantarainitiative.org%2Fconfluence%2Fdownload%2Fattachments%2F17760302%2F
UMA%2520webinar%25202015-05-16.pdf%3Fapi%3Dv2&usg=AOvVaw1oJfaOHNVkdakPPgYjrI-D
16. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 16
4
Each of the boxes above contains different ways it can be configured. Thus, dependent upon the
configuration, each of the arrows depicting a communication between the parties may or may not be
secure. Therefore, an identity transaction might be in jeopardy of being successfully attacked.
Does it matter? The answer depends on risk. Enterprises participating in low risk federation won’t likely
care. HOWEVER, many transactions are medium to high risk. Potential liabilities arise to the
participating parties if the transaction isn’t secure.
This leads to the next question – “How can we mitigate our risk?” There are three ways risk can be
mitigated:
• Business processes
• Technology
• Legal agreements
This paper “Enterprise Federation: Mitigating Risks and Liabilities”
(https://www.slideshare.net/ghuntington/identity-federation-mitigating-risks-and-liabilities-79942481)
lays out the many considerations that are required to mitigate risk and liabilities.
4
http://openid.net/connect/
17. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 17
Requirements
User
Users, often wrongly, assume that their communications and transfer of identity information, are secure.
They require:
• Laws and regulations protecting their identity and consent as they interact with services and
devices
• Notification processes when security fails and their identity and/or consent information is
breached
The type of device they are using to access a service, its underlying operating systems, and what is been
deployed on the device, all affect a user’s identity and authorization security. Their requirements are
based on risk.
If the risk is low, then the security requirements from a federated service on the user’s device and
associated software might be minimal. Thus, the user is free to do as they choose and may or may not
pay a price if they have malware on their device.
HOWEVER, for high risk transactions, the user might be required by laws, regulations and/or legal
agreements to access the service from a device that has certain specifications to reduce the risk of
malware attacks.
Third Parties
Security requirements vary depending on the role the third party is playing AND the risk involved.
When acting as an Identity and/or Authorization Provider
• Mitigate risk by specifying in federation agreements the time it takes for an identity and/or
authorization to be created, modified, or terminated and when/how the Relying Parties will be
notified
• Use stronger identity verification and/or authentication assurance to verify/authenticate an
identity depending on risk and then state this in legal agreements
• Usually the communication between the federated enterprises in legal agreements specifies:
o Algorithms on how the secure internet tunnel (Transport Layer Security) will be achieved
o Use of digital certificates (included Certificate Authorities) used to:
§ Digitally sign a JSON token
§ Encrypt the identity information within the JSON Token
o Notification processes when a digital certificate is about to expire
o Testing processes used to update the digital certificate
o Attack vectors, how they will be mitigated technically, and assignment of potential
liability to the federation partners
o The number of environments the Identity Providers offer
o If external penetrations test will be done by parties to the federation to ensure the
configurations have been properly implemented
18. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 18
o Session management settings with assignment of potential liability to federation partners
based on the settings
o Notification processes for security and/or privacy breaches
When acting as a Relying Party
• Mitigate risk by specifying in federation agreements the agreed to times it will take for identity
and authorization information provided by the authoritative parties to then be implemented into
their systems/services
• Assign liability to the Identity and/or Authorization Provider if they accept an identity that is no
longer valid or, a person is able to successfully masquerade as another
• Usually the communication between the federated enterprises in legal agreements specifies:
o Algorithms on how the secure internet tunnel (Transport Layer Security) will be achieved
o Use of digital certificates (included Certificate Authorities) used to:
§ Digitally sign a JSON token
§ Encrypt the identity information within the JSON Token
o Notification processes when a digital certificate is about to expire
o Testing processes used to update the digital certificate
o Attack vectors, how they will be mitigated technically, and assignment of potential
liability to the federation partners
o If external penetration tests will be done by parties to the federation to ensure the
configurations have been properly implemented and the frequency of ongoing tests.
o Notification processes for security and/or privacy breaches
When acting as a Central Authorization Consent Service
• Mitigate risk by specifying in federation agreements the agreed to times it will take for a consent
to be received by the consent service and how fast it will be communicated to the other parties
• Assign liability to the consent service if a consent change is made by the user and the consent
service didn’t properly notify the associated parties
• Usually the communication between the federated enterprises in legal agreements specifies:
o Algorithms on how the secure internet tunnel (Transport Layer Security) will be achieved
o Use of digital certificates (included Certificate Authorities) used to:
§ Digitally sign a JSON token
§ Encrypt the authorization information within the JSON Token
o Notification processes when a digital certificate is about to expire
o Testing processes used to update the digital certificate
o Attack vectors, how they will be mitigated technically, and assignment of potential
liability to the federation partners
o If external penetration tests will be done by parties to the federation to ensure the
configurations have been properly implemented and the frequency of ongoing tests.
o Notification processes for security and/or privacy breaches
19. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 19
Governments
• Should use OpenID Connect, OAuth, and User Managed Access protocols configured to mitigate
potential attack vectors
• Ensure:
o Citizen consent for government services is able to be integrated with User Managed
Access and OpenID Connect
o Any change to the core citizen identity is immediately sent out from the national identity
verification service to departments and ministries, required by law, to mitigate the risk of
people masquerading as others
• Specify in memorandums of understanding between different government agencies:
o Algorithms on how the secure internet tunnel (Transport Layer Security) will be achieved
o Use of digital certificates (included Certificate Authorities) used to:
§ Digitally sign a JSON token
§ Encrypt the authorization information within the JSON Token
o Notification processes when a digital certificate is about to expire
o Testing processes used to update the digital certificate
o Attack vectors, how they will be mitigated technically and assignment of potential
liability to the federation partners
o If external penetration tests will be done by parties to the federation to ensure the
configurations have been properly implemented and the frequency of ongoing tests
o Notification processes for security and/or privacy breaches
• If governments are participating in federation with third parties, then they sign legal agreements,
which are separate from memorandums of understanding specifying:
o Algorithms on how the secure internet tunnel (Transport Layer Security) will be achieved
o Use of digital certificates (included Certificate Authorities) used to:
§ Digitally sign a JSON token
§ Encrypt the authorization information within the JSON Token
o Notification processes when a digital certificate is about to expire
o Testing processes used to update the digital certificate
o Attack vectors, how they will be mitigated technically, and the assignment of potential
liability to the federation partners
o If external penetration tests will be done by parties to the federation to ensure the
configurations have been properly implemented and the frequency of ongoing tests.
o Notification processes for security and/or privacy breaches
20. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 20
National Identity Verification and Authentication Service
• Offer a national citizen identity verification service, where required, for consent
• Offer optional citizen authentication services, where required, for consent
• Create a regulatory framework for authorized consent using the principles laid out in the paper
“Consent and the Internet of Things” and “Biometrics and Governments”
• Specify in memorandums of understanding between different government agencies and
federation legal agreements with third parties:
o Algorithms on how the secure internet tunnel (Transport Layer Security) will be achieved
o Use of digital certificates (included Certificate Authorities) used to:
§ Digitally sign a JSON token
§ Encrypt the authorization information within the JSON Token
o Notification processes when a digital certificate is about to expire
o Testing processes used to update the digital certificate
o Attack vectors, how they will be mitigated technically, and assignment of potential
liability to the federation partners
o If external penetration tests will be done by parties to the federation to ensure the
configurations have been properly implemented and the frequency of ongoing tests.
o Notification processes for security and/or privacy breaches
• Operate the identity verification and authentication service on a separate network
• Continually schedule regular penetration tests on the service
• Ensure that administrators are strictly monitored with high levels of identity and credential
assurance to make any changes to the underlying architecture
• Any change to the underlying biometrics MUST be to legal laws and regulations with public
reporting of the actions
• All biometric data stored within the identity verification service MUST NEVER leave the
identity verification databases/directories
• Any upgrade to the underlying architecture must be very carefully monitored to ensure that no
malware code is inserted in the upgrade rendering the service susceptible to a malware threat
21. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 21
Creating a Potential Single Point of Enterprise and Economic Failure
The beginning of this paper used a quote from Thomas Friedman outlining the benefits of an
interdependent world. What wasn’t said is this creates potential points of enterprise and economic
failure. How? Let’s use Estonia as an example.
Estonia offers more than 1,000 online services to their citizens including e-health, e-pharmacy, e-
education, e-voting, e-banking, e-residency, etc. Estonians use government issued digital signatures,
based on trust that the identity is who they claim to be, for their legal transactions. The country therefore
relies upon the infrastructure supporting this.
In 2007, Estonia came under a distributed denial of service attack which effectively shut them down.
They had created a potential point of failure
(https://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia). The interdependency relies on trust
between various parties with the government at the heart of it. This begs the obvious question – What
has changed between 2007 and today?
Countries like Estonia have built infrastructure that is more resilient to these types of attacks. NATO has
their “Cyber Defense Center of Excellence” located in Estonia. So, some enterprises are taking steps to
mitigate their risk. What has happened on the attack front?
The attacks have increased. In 2016, distributed denial of service attacks greater than 600 gigabits per
second were documented (https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/).
Most of the non-military and non-large Fortune 500 infrastructure around the world aren’t prepared for
this. It will effectively shut them down.
How are these attacks made? They are usually done by taking control of Internet of Things devices with
poor security and commandeering them into what’s called a “botnet.” With the rise of the Internet of
Things, these types of attacks will likely increase in size.
How hard is it to do this? It’s not hard. In fact young people are learning from others how to do it
https://krebsonsecurity.com/2016/09/israeli-online-attack-service-vdos-earned-600000-in-two-years/ and
https://nakedsecurity.sophos.com/2016/11/03/teen-pleads-guilty-to-creating-ddos-tool-used-in-1-7-
million-attacks/. This article alludes to what “state actors” could do to enterprises and/or governments
from these types of attacks: https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-
mirai-botnet.
There’s yet another risk to consider which could target the identity verification and authentication of a
country – electromagnetic attacks. This type of attack could paralyze the infrastructure. It’s paramount
the underlying identity verification data be able to withstand this attack.
Federation introduces new types of risks that have to be mitigated to be successful in this new type of
economy. All enterprises MUST be aware of the growing risks and potential liabilities from these
types of attacks and mitigate against the risk.
22. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 22
Operational Availability
In an interdependent world, if any of the Identity Provider, Relying Party, Authorization Provider, or
consent Service Provider systems, are not available then the interdependency can fail. One of the
consequences of this is ensuring that the systems are they are highly available, i.e. 24x7x365.
Historically, this has proven to be costly to implement. Many executives delay the expenditure to focus
their resources instead in other areas where the payback is more readily achieved. Today there are tools
like the cloud, which can be brought to bear to address this. However, “the cloud” is not a panacea for
all operations problems AND there are restrictions on how and when it can be used.
Requirements
Users
Users somewhat naively assume that when they want to do something, the systems will be there for
them to do it. They are increasingly becoming accustomed to services being available 24x7x365. To
access some of the services, based on risk, they might or might not be required to have:
• A certain type of web browser and/or versions
• Certain types of operating systems with appropriate version upgrades
• Certain types of antimalware on the device
• A service that detects malware on their devices
Third Parties
What most third parties don’t realize is that with an increasing interdependency on other parties, be they
government, third parties and/or smart devices, there is a follow-on effect in an increased integration
with their formerly internal infrastructure and security operations support.
Therefore, depending on the degree of risk involved in the federation, third parties may need to state in
the federation legal agreements the following:
• Service level availability
• Peak load
• Integrated incident management ticketing systems
• Integrated incident management responses
• Integrated help desk responses
23. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 23
• Synthetic transactions once per minute or whatever time frame is agreed upon
• Privacy breach processes
• Disaster recovery processes
• Environments made available to test in
• Emergency code change processes
• Digital certificate renewal processes
• Test users agreed to by the Identity and/or Authorization Provider
• Data standards used for any identity and/or authorization data communicated via the protocols
The legal agreement needs to not only specify the technical processes but also the business notification
processes associated with the above.
The high availability requirements mean that enterprises must now be monitoring most points in a
federated transaction, as determined by mapping the flow of electrons referenced earlier on, on a
frequent basis. The enterprise needs to mitigate risk that a system will go down by seeing early on
component failure. It then needs to alert the central support team to instantly address and remedy the
problem.
As well, depending on degree of risk, automated testing needs to frequently occur to test out attack
vectors. This mitigates risk of potential liabilities from attackers gaining access to a transaction and/or
back end system.
If the operations are cloud based, then consideration needs to be given to where the cloud based servers
are located. Why? Many jurisdictions now require the identity data to stay within their borders.
Therefore, regulations like the upcoming 2018 EU General Data Protection Regulation (GDPR) affect
where cloud based operations might store and/or transfer data.
As referenced above in the security section, operations can now be disrupted via denial of service and
distributed denial of service attacks. Therefore, enterprises need to enter into any federation agreement
with their eyes wide open to the risks associated with this.
Governments
Governments face similar requirements as third parties. Therefore, all the requirements for third parties
also apply to governments.
National Identity Verification and Authentication Service
The national identity verification and authentication service is a potential single point of economic
failure for a country’s economy reliant upon identity verification and authentication services. All the
requirements stated for third parties also applies to this service.
HOWEVER, it needs to be even more resilient. The architecture used to provide these services must
be designed to be resilient to large scale distributed denial of service attacks and potential
electromagnetic attacks. Close attention should be paid to ongoing global attack developments and then
a well thought out mitigation risk response needs to be implemented.
24. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 24
Summary
Technology is now being widely deployed which dramatically changes the way we live, i.e. creating an
“interdependent world.” All of this is built upon trust.
Trust needs to be attested for the identity without being able to see the person who is digitally interacting
with multiple enterprises. Existing laws and regulations are not keeping up with the technological
changes in identity verification, authentication, and authorization consent.
Creating the identity verification laws and regulations to operate in this world will likely slowly occur.
Without this, it creates higher potential liabilities for enterprises operating in a federated world when
they need higher levels of identity assurance. Therefore, enterprises need to be aware of the risk
associated with identity federation. They need to create contracts with their federation partners
mitigating risk and potential liabilities.
The Internet is both an exciting as well as a dangerous place. Federation requires enterprises to open
themselves up to other parties upon which they become dependent. The number of potential attack
vectors on the transaction is therefore larger.
Enterprises entering into federation need to do so with their legal, business, technology, operations, and
security eyes wide open. If they do so, they will prosper in the new economy.
25. Huntington Ventures Ltd – The Business of Identity Management
6262 Wellington Avenue, West Vancouver, BC V7W 2H4
1-780-289-2776 www.hvl.net
Page 25
About the Author
Guy Huntington is a veteran identity architect, program and project manager who’s lead as well as
rescued many large identity projects with many of them involving identity federation. His past clients
include Boeing, Capital One, Kaiser Permanente, WestJet, Government of Alberta’s Digital Citizen
Identity and Authentication Program and Alberta Blue Cross. As one of his past clients said “He is a
great find, because he is able to do high quality strategic work, but is also well-versed in project
management and technical details, so he can traverse easily from wide to deep. With Guy, you get skills
that would typically be encompassed in a small team of people.”