Zero trust is not achievable with centrally managed identity. Centrally managed identity depends on the underlying compute architecture, and whether that is public cloud, private cloud or discrete edge processors, an array of attack vectors exists at every layer of the compute stack, for example:
- At the physical layer (lowest): side-channel attacks, such as a rogue co-tenant VM abusing shared CPU caches to infer another tenant's secrets.
- At the governance layer (highest): GDPR reg-tech software, where privileged access to the compliance tooling itself can be abused.
To call centrally managed identity a leaky bucket is an understatement. Who actually has access to identity data is obscured by a complex array of policies, procedures and interfaces. The SolarWinds supply-chain compromise showed clearly how helpless even the best security and privacy teams are. The phrase "sophisticated attack" has become synonymous with "we don't have a clue".
Defending centrally managed identity is a game of whack-a-mole. Cyber criminals and fraudsters have access to well-crafted exploits for both known and zero-day vulnerabilities. Zero trust is not possible because every dependency between identity management and centrally managed compute requires trust, for example:
- Trust that there is no insider attack.
- Trust that security packages have been installed and configured correctly.
- Trust that no rogue VMs are present.
- Trust that backups are not being accessed or copied by unauthorized parties.
- Trust that administrator credentials have not been compromised.
Even grey areas such as "risk-based authentication", "web fraud prevention", "trust scoring" and "auto-form-fill" are large privacy and security leaks, because they rest on third-party access to vast repositories of user-attested PII.
Privacy regulations are ineffective in the face of well-funded lobbyists, who either water down the legislation or make it too complicated to prosecute (the GDPR runs to some 200 pages; Ireland's intransigence over enforcement against the large tech platforms).
Decentralized Identity
The identity market is changing, with a growing focus on user-controlled (decentralized) identity. New initiatives, including self-sovereign identity (SSI), Web3 and the W3C standards for decentralized identifiers (DIDs) and verifiable credentials (VCs), are being adopted. Many organizations understand that centrally managed identity is a honeypot for attackers and a liability for customer trust. The new challenge for these organizations is that decentralized identity is new and the specifications are complex.
Additional complexity arises from market entanglement between decentralized identity and crypto-tokenization. Traditional Web2 organizations do not want to replace current parasitic data-broker business models with similarly parasitic tokenization schemes.
TGrid addresses this industry challenge with a simplified, pure-play decentralized identity infrastructure: an integrated stack of services that enables high-assurance pseudonymous decentralized identity. vrtYou is a user agent, available both as a dApp and as a mobile app, that puts users in control of their own decentralized identity. vrtYou capabilities include:
- Generation of zero-knowledge decentralized identifiers (W3C DIDs).
- Hardware-attested DIDs and non-custodial identity credentials.
- Request methods for verifiable credentials.
- Secure storage of verifiable credentials.
- Counter-signing and secure presentation of verifiable credentials.
- Selective disclosure of credentials: control over who gets which attributes.
- Validation of verifiable credentials.
- Cryptographically provable user consent with a non-custodial key.
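The capability list above describes one credential flow: a DID per party, a credential issued against the user's DID, a counter-signed presentation that discloses only chosen attributes, validation by the relying party, and a signed consent record. The Go program below is an added illustration of how those pieces fit together; it is not vrtYou's or TGrid's code, and it does not model the hardware attestation or zero-knowledge DID generation the list mentions. It assumes Ed25519 keys, a simplified did:key-style identifier (the public key embedded in the DID, without the multicodec prefix the real did:key method uses), and a salted-hash commitment scheme for selective disclosure in the style of SD-JWT. The DIDs, claim names and challenge values are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

func b64(b []byte) string        { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) []byte      { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
func canon(v interface{}) []byte { b, _ := json.Marshal(v); return b } // struct field order is fixed
// Illustrative did:key-style DID (simplified: no multicodec prefix; not vrtYou's format): the public key
// is inside the DID, so sigOK resolves it offline with no central registry. Malformed input fails closed.
func didOf(pub ed25519.PublicKey) string { return "did:key:z" + b64(pub) }
func sigOK(did string, msg []byte, sig string) bool {
	pub := unb64(strings.TrimPrefix(did, "did:key:z"))
	return strings.HasPrefix(did, "did:key:z") && len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, msg, unb64(sig))
}

// Disclosure is one claim plus a random salt; the salt stops brute-forcing low-entropy values (e.g. a birth date) from the digest.
type Disclosure struct {
	Name  string `json:"name"`
	Salt  string `json:"salt"`
	Value string `json:"value"`
}
func commit(d Disclosure) string { h := sha256.Sum256(canon(d)); return b64(h[:]) }

// The issuer signs the subject DID and the sorted commitments, never the plaintext claims, so any subset can be revealed later.
type Credential struct {
	Issuer      string   `json:"issuer"`
	Subject     string   `json:"subject"`
	Commitments []string `json:"commitments"`
	Proof       string   `json:"-"` // kept out of the signed bytes; a wire format would carry it alongside
}

func Issue(issuerKey ed25519.PrivateKey, subjectDID string, claims map[string]string) (Credential, map[string]Disclosure) {
	cred := Credential{Issuer: didOf(issuerKey.Public().(ed25519.PublicKey)), Subject: subjectDID}
	held := map[string]Disclosure{} // stays in the holder's agent; only the entries the holder picks are ever sent
	for name, value := range claims {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil { panic(err) } // no entropy: refuse to issue guessable commitments
		held[name] = Disclosure{Name: name, Salt: b64(salt), Value: value}
		cred.Commitments = append(cred.Commitments, commit(held[name]))
	}
	sort.Strings(cred.Commitments) // position must not hint at which claim a commitment covers
	cred.Proof = b64(ed25519.Sign(issuerKey, canon(cred)))
	return cred, held
}

// The holder counter-signs the chosen disclosures bound to one audience and one challenge nonce; that signature is also a consent record.
type Presentation struct {
	Audience   string       `json:"audience"`
	Nonce      string       `json:"nonce"`
	Credential Credential   `json:"credential"`
	Disclosed  []Disclosure `json:"disclosed"`
	Proof      string       `json:"-"`
}

func Present(holderKey ed25519.PrivateKey, cred Credential, held map[string]Disclosure, reveal []string, audience, nonce string) Presentation {
	p := Presentation{Audience: audience, Nonce: nonce, Credential: cred}
	for _, name := range reveal { // an unknown name yields an empty Disclosure, which Verify rejects
		p.Disclosed = append(p.Disclosed, held[name])
	}
	p.Proof = b64(ed25519.Sign(holderKey, canon(p)))
	return p
}

func Verify(p Presentation, nonce, selfDID string, trustedIssuers map[string]bool) (map[string]string, error) {
	if p.Nonce != nonce || p.Audience != selfDID {
		return nil, fmt.Errorf("presentation not bound to this verifier and challenge (replay?)")
	}
	if !sigOK(p.Credential.Subject, canon(p), p.Proof) { // proof of possession of the subject's own non-custodial key
		return nil, fmt.Errorf("holder counter-signature invalid")
	}
	if !trustedIssuers[p.Credential.Issuer] || !sigOK(p.Credential.Issuer, canon(p.Credential), p.Credential.Proof) {
		return nil, fmt.Errorf("issuer untrusted or issuer signature invalid")
	}
	claims := map[string]string{}
	for _, d := range p.Disclosed { // every revealed claim must hash to a commitment the issuer signed
		cs, c := p.Credential.Commitments, commit(d)
		if i := sort.SearchStrings(cs, c); i == len(cs) || cs[i] != c {
			return nil, fmt.Errorf("claim %q is not covered by the issuer's signature", d.Name)
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}

func main() { // constructed sample: the holder reveals only "over18" to did:example:shop
	_, issuerKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	cred, held := Issue(issuerKey, didOf(userPub), map[string]string{"name": "A. Person", "dob": "1990-01-01", "over18": "true"})
	p := Present(userKey, cred, held, []string{"over18"}, "did:example:shop", "challenge-7f3a")
	fmt.Println(Verify(p, "challenge-7f3a", "did:example:shop", map[string]bool{cred.Issuer: true})) // map[over18:true] <nil>
}
```

Run it with `go run`. The properties worth noticing map onto the list above: the issuer never learns which claims are later disclosed, or to whom; the relying party learns only the revealed attributes and checks them against the issuer's signature without contacting the issuer; and the holder's counter-signature over the audience and nonce is at once proof of possession of the non-custodial key, a consent record the relying party can retain, and the reason a captured presentation is useless against another verifier or another challenge.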
The impact of vrtYou decentralized identity is that organizations can give their customers the respect of owning and managing their own identity. vrtYou also gives end users a cryptographically provable, non-spoofable mechanism for consent, and it enables direct peer-to-peer zero-trust transactional relationships between providers and the end user. Organizations now have a decentralized alternative to centralized identity management, with benefits that include increased customer trust, more accurate customer data and reduced costs.