https://ssimeetup.org/gaps-corporate-iot-identity-heather-vescent-webinar-35/
Heather Vescent, the owner of The Purple Tornado, a foresight and strategic intelligence consultancy, explains how digital identity gaps in corporate and IoT identity can be solved from an NPE (non-person entity) point of view. The webinar will answer: What is an NPE? How is an NPE both different from and similar to human identity? What is the relationship humans have with NPEs? How is NPE identity more complex than the identity we know today? What considerations do we need to make when developing identity solutions for the future?
The webinar defines a taxonomy for Non-Person Entities (NPEs), defines the relationships NPEs have with humans and each other, and identifies 11 market gaps in today’s technology solutions that have the potential to be solved using decentralized identity technology. Industry-wide solutions must be forged collaboratively in order to address a broad set of digital identity and data privacy problems.
This webinar shares research funded by the Department of Homeland Security Science & Technology, Cybersecurity directorate by The Purple Tornado, with Heather Vescent as the Principal Investigator. Vescent has delivered research insights to governments and corporations in digital identity, military learning, payments, transactions, and new economic models. She is the writer/producer of 14 documentaries and short films about future technology. Her clients include US & UK governments, SWIFT, CitiVentures, Disney, IEEE, mid-size companies and start-ups. Her research has been covered in the New York Times, CNN, American Banker, CNBC, Fox, and the Atlantic. She is an author of the Cyber Attack Survival Manual, published by Weldon-Owen. Her work has won multiple awards from the Association of Professional Futurists.
All you need to know about SSI for Corporates and IoT – Heather Vescent
1. Entities, Identities, & Registries
Heather Vescent
SSI Meetup | September 2019
Gaps in Corporate and IoT Identity
Creative Commons license. (CC BY-SA 4.0).
2. SSIMeetup objectives
1. Empower global SSI communities
2. Open to everyone interested in SSI
3. All content is shared with CC BY SA
SSIMeetup.org
Alex Preukschat @SSIMeetup @AlexPreukschat
Coordinating Node SSIMeetup.org
https://creativecommons.org/licenses/by-sa/4.0/
3. Who am I
Heather Vescent
• CEO, The Purple Tornado
Strategic Intelligence Consultancy
• Author, Cyber Attack Manual
• Author, SSI Report
• Filmmaker, 14 Films (IIW Films)
• IIW, CCG VC WG Communities
• @heathervescent
4. Research Background
• Private Sector Digital Identity
• Funded by DHS Science & Technology
Cybersecurity Division
• Researchers: Heather Vescent & Kaliya Young
• Download: bit.ly/NPEreport
Objective: Research private sector companies’ digital identity and data
privacy processes, with an emphasis on identifying market failures.
5. Current State
• Past solutions create today’s problems
• New technologies create new opportunities
• Onboarding of billions of new identities
– Humans
– Companies
– IoT objects (smart things)
– Tracking (dumb things)
– Robots
• New regulations
6. What is a Non-Person Entity Identity?
7. What is a Non-Person Entity Identity?
Company
(legal entity)
8. What is a Non-Person Entity Identity?
Company
(legal entity)
Thing
(IoT device)
13. NPEs are given identity (Registries)
14. Web of Organizational Trust
• Identity is used to create more identifiers
15. NPE identity requires human identity
• Ownership / Liability
• Responsibility
• Humans take actions for NPEs
• NPEs take action for humans
• (And collect & share data)
16. Why important to Government?
• Governments give legal entities identity
• Legal identity is important in many industries
o Banking & Finance (KYC, AML, UBO, Beneficiary)
o Global Trade
• Customs
o Internet of Things is growing exponentially
• Security of sensors
• Authenticity of sensor collected data
• Who is responsible/liable when things go wrong?
17. NPE is complex
NPE Identities
• Relate to each other
• Interact with each other
• Depend on each other
18. Report identified 11 Market Gaps
Corporate NPE Gaps
1. Legal Identity of Corporations
2. Conclusive Ultimate Beneficial Owner
3. Conclusive Verified Corporate Data
4. Corporate Delegation
5. Real-Time Verified Identity
6. NPE Responsibility
IoT NPE Gaps
1. Legal Identity of IoT Things
2. Tracking and Auditing in the Supply Chain
3. IoT Security Standards
4. IoT Self-Authentication
5. Data Integrity from IoT Sensors
19. 1: Legal Identity of Corporations
• PROBLEM: Digitally native identity credentials don’t exist, nor
do ways to receive and give verified credentials about an
organization’s identity from an authoritative source.
• IMPACT: KYC checks are costly and take time.
“KYC and associated processes cost the average bank
$60m annually.” - Consult Hyperion report
20. 2: Conclusive Ultimate Beneficial Owner
• PROBLEM: Finding the Ultimate Beneficial Owner (UBO) of a
company is difficult and sometimes impossible. Banks aren’t
required by statute to conclusively find a UBO before
proceeding, but to make a reasonably good-faith effort to do so.
• IMPACT: The cost is hard to quantify, but not knowing who a UBO is
can result in tax fraud, enable criminal and terrorism activities
and transactions designed to circumvent sanctions.
21. 3: Conclusive Verified Corporation Data
• PROBLEM: There is no standard way to find verified corporate
identity data, like legal name, address and jurisdiction along
with the identification of authorized delegates who have
authority to sign contracts, transfer funds, and take action on
behalf of the company – in a digitally native format.
• IMPACT: Initial costs (similar to KYC costs) for corporate
identity proofing. These costs include accessing outside
databases for information, confirming that data, as well as
ongoing costs to keep this data current.
22. 4: Corporate Delegation
Humans enter into contracts, make
financial transactions, and take other
actions on behalf of the corporation.
There are processes to initiate this
delegation, and the need for
up-to-date information of who remains
authorized.
GAP: Real-time verified delegation
23. 5: Real-Time Verified Identity
• PROBLEM: Real-time updated identity information associated
with corporate accounts, specifically which humans have the
authority to take action on behalf of a company on a real-time
basis. Current corporate delegation data is updated anywhere
from 30 days to 2 years.
• IMPACT: One subject matter expert shared a story of CEO fraud,
where criminals spear phished a corporate account and convinced
CEOs to transfer millions of dollars to the criminal account.
24. 6: NPE Responsibility
• PROBLEM: A company (which is an NPE) owns robots (which are
NPEs) that work in a factory. A company (an NPE) manufactures
an autonomous vehicle (an NPE). A company (an NPE)
manufactures a pacemaker (an NPE) and also collects data about
the pacemaker’s system as well as data about the human system
in which the device is embedded.
• IMPACT: This could become an issue in the future, for example the
case of liability of a self-driving car, or a factory robot, that isn’t
directly mapped to an individual supervisor or “driver” but under
corporate or algorithmic control.
25. 7: Legal Identity of IoT Things
Identity is built into very few IoT devices. There are
no universal standards or regulations around which
IoT objects have an identity assigned at “birth,”
unlike a baby registry or corporate registry.
• Some companies give IoT devices an identity – but legal
identity is not required.
• Some companies keep registries for devices like
pacemakers or jet engines.
GAP: Legal IoT Identity
26. 8: Tracking & Auditing the Supply Chain
• PROBLEM: Many goods are tracked and audited as they
flow from manufacturer through the supply chain to the
destination. While many goods are tracked with a barcode or
serial number, there is the desire to more thoroughly track
goods in the supply chain, including their components,
sources of raw material, and the chain of custody.
• IMPACT: Lost income due to IP theft. Lost tax revenue.
Potential terrorist financing.
27. 9: IoT Security Standards
• PROBLEM: Smart homes, surveillance devices, connected
appliances, and vehicles have persistent and structural vulnerabilities
that make them difficult to secure for many real-world situations.
Many tools are designed with weak security and are vulnerable to “IoT
takeovers.”
• IMPACT: The liability ramifications are largely a matter of speculation,
however we can get an idea of some economic impacts by the size of
the ransomware market estimated at $1b in 2016 and $2b in 2017.
“Securing IoT devices is a major challenge, and manufacturers tend to focus on
functionality, compatibility requirements, and time-to-market rather than security.”
—Interagency Report on Status of International Cybersecurity Standardization
28. 10: IoT Self-Authentication
• PROBLEM: The technical process of
authenticating the veracity of the IoT device
and any data collected by the IoT device.
• IMPACT: Limits utility to high-exposure IoT
applications, due to economic cost. Attack
surfaces remain due to high cost to implement
broadly.
29. 11: Data Integrity from IoT Sensors
• PROBLEM: How do I know the data coming off the sensor is
accurate? There need to be mechanisms to know that data coming off
sensors, drones, and other IoT data-generating devices is reliable
for high-security applications.
• IMPACT: Contamination or distortion of data from smart city
sensors, lightweight devices that control utility grids or operations,
and other cyber-physical systems could do serious real-world
damage if an attack occurred and it took significant time to detect
due to failed monitoring sensors.
30. Other Impacts
• Regulation
• Global landscape
• Scale
• Formal ownership
One of the major reasons the Internet+ is so insecure today is the absence of government
oversight. Government is by far the most common way we improve our collective
security, and it is almost certainly the most efficient.
—Bruce Schneier, Click Here to Kill Everyone
31. Future: Augmented Identity
• Software taking action on your behalf
• Devices doing things on your behalf
• Data collecting/sharing on your behalf
Do we need more nuanced identity?
32. Future: Combined Identity
People create a collective identity that acts in a
unified way as more than the sum of its parts.
• Today’s systems are set up for a single or legal
identity.
• There is no way for a group to create a collective
identity with financial and login authentication.
• This use case could be used for ad-hoc, temporal
business collaborations like film productions and
creative project based partnerships.
• Could include NPEs.
33. Why do we care?
• Liability: who pays when something goes wrong?
• Responsibility: who is responsible at a particular time?
• Regulation: global trend for more regulation
• Collaboration: rising trend to work together
• Future Proof: envision the true scale of the problem
34. Future Identity System Goals
• Manage a trillion identities
– And all their relationships
• Thrive in dynamic environment
• Enable delegation
– Between humans & NPEs
• Involve automated systems
• Solve current data, privacy problems