Entities, Identities, & Registries

Heather Vescent

SSI Meetup | September 2019

Gaps in Corporate and IoT Identity

Creative Commons license. (CC BY-SA 4.0).

• Empower global SSI communities
• Open to everyone interested in SSI
• All content is shared with CC BY SA

SSIMeetup objectives

Alex Preukschat @SSIMeetup @AlexPreukschat

Coordinating Node SSIMeetup.org

​

https://creativecommons.org/licenses/by-sa/4.0/

SSIMeetup.org

Who am I

Heather Vescent

• CEO, The Purple Tornado �Strategic Intelligence Consultancy
• Author, Cyber Attack Manual
• Author, SSI Report
• Filmmaker, 14 Films (IIW Films)
• IIW, CCG VC WG Communities
• @heathervescent

Creative Commons license. (CC BY-SA 4.0).

Research Background

• Private Sector Digital Identity
• Funded by DHS Science & Technology Cybersecurity Division
• Researchers: Heather Vescent & Kaliya Young
• Download: bit.ly/NPEreport

Objective: Research private sector companies digital identity and data privacy processes, with an emphasis on identifying market failures.

Creative Commons license. (CC BY-SA 4.0).

Current State

• Past solutions create today’s problems
• New technologies create new opportunities
• Onboard of billions of new identities
• Humans
• Companies
• IoT objects (smart things)
• Tracking (dumb things)
• Robots
• New regulations

Creative Commons license. (CC BY-SA 4.0).

What is a Non-Person Entity Identity?

Creative Commons license. (CC BY-SA 4.0).

What is a Non-Person Entity Identity?

Company

(legal entity)

Creative Commons license. (CC BY-SA 4.0).

What is a Non-Person Entity Identity?

Thing

(IoT device)

Company

(legal entity)

Creative Commons license. (CC BY-SA 4.0).

What is a Non-Person Entity Identity?

System

(network)

Thing

(IoT device)

Company

(legal entity)

Creative Commons license. (CC BY-SA 4.0).

How many identities?

Creative Commons license. (CC BY-SA 4.0).

How many identities?

~100 Billion Identities

Creative Commons license. (CC BY-SA 4.0).

+ robot identity?

Creative Commons license. (CC BY-SA 4.0).

NPEs are given identity (Registries)

Creative Commons license. (CC BY-SA 4.0).

Web of Organizational Trust

• Identity is used to create more identifiers

Creative Commons license. (CC BY-SA 4.0).

NPE identity requires human identity

• Ownership / Liability
• Responsibility
• Humans take actions for NPEs
• NPEs take action for humans
• (And collect & share data)

Creative Commons license. (CC BY-SA 4.0).

Why important to Government?

• Governments give legal entities identity
• Legal identity is important in many industries
• Banking & Finance (KYC, AML, UBO, Beneficiary)
• Global Trade
• Customs
• Internet of Things is growing exponentially
• Security of sensors
• Authenticity of sensor collected data
• Who is responsible/liable when things go wrong?

​

​

Creative Commons license. (CC BY-SA 4.0).

NPE is complex

NPE Identities

• Relate to each other
• Interact with each other
• Depend on each other

Creative Commons license. (CC BY-SA 4.0).

Report identified 11 Market Gaps

Creative Commons license. (CC BY-SA 4.0).

1: Legal Identity of Corporations

• PROBLEM: Digitally native identity credentials don’t exist, nor do ways to receive and give verified credentials about an organization’s identity from an authoritative source. 
• IMPACT: KYC checks are costly and take time.

​

“KYC and associated processes cost the average bank $60m annually.” - Consult Hyperion report

​

Creative Commons license. (CC BY-SA 4.0).

2: Conclusive Ultimate Beneficial Owner

• PROBLEM: Finding the Ultimate Beneficial Owner (UBO) of a company is difficult and sometimes impossible. Banks aren’t required by statute to conclusively find a UBO before proceeding, but to make a reasonably good-faith effort to do so. 
• IMPACT: Hard to quantify the cost but not knowing who a UBO can result in tax fraud, enable criminal and terrorism activities and transactions designed to circumvent sanctions.

​

Creative Commons license. (CC BY-SA 4.0).

3: Conclusive Verified Corporation Data

• PROBLEM: There is no standard way to find verified corporate identity data, like legal name, address and jurisdiction along with the identification of authorized delegates who have authority to sign contracts, transfer funds, and take action on behalf of the company – in a digitally native format.
• IMPACT: Initial costs (similar to KYC costs) for corporate identity proofing. These costs include accessing outside databases for information, confirming that data, as well as ongoing costs to keep this data current.

​

Creative Commons license. (CC BY-SA 4.0).

4: Corporate Delegation

Humans enter into contracts, make financial transactions, and take other actions on behalf of the corporation. There are processes to initiate this delegation, and the need for up-to-date information of who remains authorized.

Creative Commons license. (CC BY-SA 4.0).

5: Real-Time Verified Identity

• PROBLEM: Real-time updated identity information associated with corporate accounts, specifically which humans have the authority to take action on behalf of a company on a real-time basis. Current corporate delegation data is updated anywhere from 30 days to 2 years.
• IMPACT: One subject matter experts shared a story of CEO fraud, where criminals spear phished a corporate account and convinced CEOs to transfer millions of dollars to the criminal account. 

Creative Commons license. (CC BY-SA 4.0).

6: NPE Responsibility

• PROBLEM: A company (which is an NPE) owns robots (which are NPEs) that work in a factory. A company (an NPE) manufactures an autonomous vehicle (an NPE). A company (an NPE) manufactures a pacemaker (an NPE) and also collects data about the pacemaker’s system as well as data about the human system whose the device is embedded in. 
• IMPACT: This could become an issue in the future, for example the case of liability of self-driving car, or a factory robot, that isn’t directly mapped to an individual supervisor or “driver” but under corporate or algorithmic control. 

​

Creative Commons license. (CC BY-SA 4.0).

7: Legal Identity of IoT Things

Identity is built into very few IoT devices. There are no universal standards or regulations around which IoT objects have an identity assigned at “birth,” unlike a baby registry or corporate registry.

• Some companies give IoT devices an identity – but legal identity is not required.
• Some companies keep registries for devices like pacemakers or jet engines.

Creative Commons license. (CC BY-SA 4.0).

8: Tracking & Auditing the Supply Chain

• PROBLEM: Many goods are tracked and audited as they flow from manufacturer through the supply chain to the destination. While many goods are tracked with a barcode or serial number, there is the desire to more thoroughly track goods in the supply chain, including their components, sources of raw material, and the chain of custody. 
• IMPACT: Lost income due to IP theft. Lost tax revenue. Potential terrorist financing.

Creative Commons license. (CC BY-SA 4.0).

9: IoT Security Standards

• PROBLEM: Smart homes, surveillance devices, connected appliances, and vehicles have persistent and structural vulnerabilities that makes them difficult to secure for many real-world situations. Many tools are designed with weak security and are vulnerable to “IoT takeovers.” 
• IMPACT: The liability ramifications are largely a matter of speculation, however we can get an idea of some economic impacts by the size of the ransomware market estimated at $1b in 2016 and $2b in 2017. 

​

“Securing IoT devices is a major challenge, and manufacturers tend to focus on functionality, compatibility requirements, and time-to-market rather than security.” 

—Interagency Report on Status of International Cybersecurity Standardization

Creative Commons license. (CC BY-SA 4.0).

10: IoT Self-Authentication

• PROBLEM: The technical process of authenticating the veracity of the IoT device and any data collected by the IoT device. 
• IMPACT: Limits utility to high-exposure IoT applications, due to economic cost. Attack surfaces remain due to high cost to implement broadly.

​

Creative Commons license. (CC BY-SA 4.0).

11: Data Integrity from IoT Sensors

• PROBLEM: How do I know the data coming off the sensor data is accurate? There needs to be mechanisms to know data coming off sensors, drones, and other IoT data-generating devices is reliable for high-security applications. 
• IMPACT: Contamination or distortion of data from smart city sensors, lightweight devices that control utility grids or operations, and other cyber-physical systems could do serious real-world damage if an attack occurred and it took significant time to detect due to failed monitoring sensors.

​

Creative Commons license. (CC BY-SA 4.0).

Other Impacts

• Regulation
• Global landscape
• Scale
• Formal ownership

One of the major reasons the Internet+ is so insecure today is the absence of government oversight. Government is by far the most common way we improve our collective security, and it is almost certainly the most efficient.

—Bruce Schneier, Click Here to Kill Everyone 

Creative Commons license. (CC BY-SA 4.0).

Future: Augmented Identity

• Software taking action on your behalf
• Devices doing things on your behalf
• Data collecting/sharing on your behalf

Creative Commons license. (CC BY-SA 4.0).

Future: Combined Identity

People create a collective identity that acts in a unified way as more than the sum of its parts.

​

• Today’s systems are set up for a single or legal identity.
• There is no way for a group to create a collective identity with financial and log in authentication.
• This use case could be used for ad-hoc, temporal business collaborations like film productions and creative project based partnerships.
• Could include NPEs.

Creative Commons license. (CC BY-SA 4.0).

Why do we care?

• Liability: who pays when something goes wrong?
• Responsibility: who is responsible at a particular time?
• Regulation: global trend for more regulation
• Collaboration: rising trend to work together
• Future Proof: envision the true scale of the problem

Creative Commons license. (CC BY-SA 4.0).

Future Identity System Goals

• Manage a trillion identities
• And all their relationships
• Thrive in dynamic environment
• Enable delegation
• Between humans & NPEs
• Involve automated systems
• Solve current data, privacy problems

​

​

Creative Commons license. (CC BY-SA 4.0).

Thank you + Questions

Heather Vescent

• www.ssiscoop.com
• www.thepurpletornado.com
• heathervescent@gmail.com
• vescent@thepurpletornado.com
• @heathervescent

Download NPE: bit.ly/NPEreport

Download VDS: bit.ly/vdsreport

Creative Commons license. (CC BY-SA 4.0).

Entities, Identities, & Registries

Heather Vescent

SSI Meetup | September 2019

Gaps in Corporate and IoT Identity

Creative Commons license. (CC BY-SA 4.0).