All you need to know about SSI for Corporates and IoT – Heather Vescent

Entities, Identities, & Registries
Heather Vescent
SSI Meetup | September 2019
Gaps in Corporate and IoT Identity
Creative Commons license. (CC BY-SA 4.0).

1. Empower global SSI communities
2. Open to everyone interested in SSI
3. All content is shared with CC BY SA
SSIMeetup.org
Alex Preukschat @SSIMeetup @AlexPreukschat
Coordinating Node SSIMeetup.org
https://creativecommons.org/licenses/by-sa/4.0/
SSIMeetup objectives

Who am I
Heather Vescent
• CEO, The Purple Tornado
Strategic Intelligence Consultancy
• Author, Cyber Attack Manual
• Author, SSI Report
• Filmmaker, 14 Films (IIW Films)
• IIW, CCG VC WG Communities
• @heathervescent

Research Background
• Private Sector Digital Identity
• Funded by DHS Science & Technology
Cybersecurity Division
• Researchers: Heather Vescent & Kaliya
Young
• Download: bit.ly/NPEreport
Objective: Research private sector companies digital identity and data
privacy processes, with an emphasis on identifying market failures.

Current State
• Past solutions create today’s problems
• New technologies create new opportunities
• Onboard of billions of new identities
– Humans
– Companies
– IoT objects (smart things)
– Tracking (dumb things)
– Robots
• New regulations

What is a Non-Person Entity Identity?

Company
(legal entity)

Thing
(IoT device)
Company
(legal entity)

System
(network)
Thing
(IoT device)
Company
(legal entity)

How many identities?
180 Million Companies
2 Gov + 3 Business IDs
900 million identities
7.7 Billion Humans
34-48% online
2 Gov + 5 Online ID
18-26+ billion identities
(FB: 2.38B, G:2+B users)
25-75 billion IoT devices
(by 2021)
35 million packages
daily shipped/tracked
(UPS & FedEx)
9 billion yearly

How many identities?
180 Million Companies
2 Gov + 3 Business IDs
900 million identities
7.7 Billion Humans
34-48% online
2 Gov + 5 Online ID
18-26+ billion identities
(FB: 2.38B, G:2+B users)
25-75 billion IoT devices
(by 2021)
35 million packages
daily shipped/tracked
(UPS & FedEx)
9 billion yearly
~100 Billion
Identities

+ robot identity?

NPEs are given identity (Registries)

• Identity is used to create
more identifiers
Web of Organizational Trust

NPE identity requires human identity
• Ownership / Liability
• Responsibility
• Humans take actions for NPEs
• NPEs take action for humans
• (And collect & share data)

Why important to Government?
• Governments give legal entities identity
• Legal identity is important in many industries
o Banking & Finance (KYC, AML, UBO, Beneficiary)
o Global Trade
• Customs
o Internet of Things is growing exponentially
• Security of sensors
• Authenticity of sensor collected data
• Who is responsible/liable when things go wrong?

NPE is complex
NPE Identities
• Relate to each other
• Interact with each other
• Depend on each other

Report identified 11 Market Gaps
Corporate NPE Gaps IOT NPE Gaps
1. Legal Identity of Corporations 1. Legal Identity of IoT Things
2. Conclusive Ultimate Beneficial Owner 2. Tracking and Auditing in the Supply Chain
3. Conclusive Verified Corporate Data 3. IoT Security Standards
4. Corporate Delegation 4. IT Self-Authentication
5. Real-Time Verified Identity 5. Data Integrity from IoT Sensors
6. NPE Responsibility

1: Legal Identity of Corporations
• PROBLEM: Digitally native identity credentials don’t exist, nor
do ways to receive and give verified credentials about an
organization’s identity from an authoritative source.
• IMPACT: KYC checks are costly and take time.
“KYC and associated processes cost the average bank
$60m annually.” - Consult Hyperion report

2: Conclusive Ultimate Beneficial Owner
• PROBLEM: Finding the Ultimate Beneficial Owner (UBO) of a
company is difficult and sometimes impossible. Banks aren’t
required by statute to conclusively find a UBO before
proceeding, but to make a reasonably good-faith effort to do so.
• IMPACT: Hard to quantify the cost but not knowing who a UBO
can result in tax fraud, enable criminal and terrorism activities
and transactions designed to circumvent sanctions.

3: Conclusive Verified Corporation Data
• PROBLEM: There is no standard way to find verified corporate
identity data, like legal name, address and jurisdiction along
with the identification of authorized delegates who have
authority to sign contracts, transfer funds, and take action on
behalf of the company – in a digitally native format.
• IMPACT: Initial costs (similar to KYC costs) for corporate
identity proofing. These costs include accessing outside
databases for information, confirming that data, as well as
ongoing costs to keep this data current.

4: Corporate Delegation
Humans enter into contracts, make
financial transactions, and take other
actions on behalf of the corporation.
There are processes to initiate this
delegation, and the need for
up-to-date information of who remains
authorized.
GAP: Real-time verified delegation

5: Real-Time Verified Identity
• PROBLEM: Real-time updated identity information associated
with corporate accounts, specifically which humans have the
authority to take action on behalf of a company on a real-time
basis. Current corporate delegation data is updated anywhere
from 30 days to 2 years.
• IMPACT: One subject matter experts shared a story of CEO fraud,
where criminals spear phished a corporate account and convinced
CEOs to transfer millions of dollars to the criminal account.

6: NPE Responsibility
• PROBLEM: A company (which is an NPE) owns robots (which are
NPEs) that work in a factory. A company (an NPE) manufactures
an autonomous vehicle (an NPE). A company (an NPE)
manufactures a pacemaker (an NPE) and also collects data about
the pacemaker’s system as well as data about the human system
whose the device is embedded in.
• IMPACT: This could become an issue in the future, for example the
case of liability of self-driving car, or a factory robot, that isn’t
directly mapped to an individual supervisor or “driver” but under
corporate or algorithmic control.

7: Legal Identity of IoT Things
Identity is built into very few IoT devices. There are
no universal standards or regulations around which
IoT objects have an identity assigned at “birth,”
unlike a baby registry or corporate registry.
• Some companies give IoT devices an identity – but legal
identity is not required.
• Some companies keep registries for devices like
pacemakers or jet engines.
GAP: Legal IoT Identity

8: Tracking & Auditing the Supply Chain
• PROBLEM: Many goods are tracked and audited as they
flow from manufacturer through the supply chain to the
destination. While many goods are tracked with a barcode or
serial number, there is the desire to more thoroughly track
goods in the supply chain, including their components,
sources of raw material, and the chain of custody.
• IMPACT: Lost income due to IP theft. Lost tax revenue.
Potential terrorist financing.

9: IoT Security Standards
• PROBLEM: Smart homes, surveillance devices, connected
appliances, and vehicles have persistent and structural vulnerabilities
that makes them difficult to secure for many real-world situations.
Many tools are designed with weak security and are vulnerable to “IoT
takeovers.”
• IMPACT: The liability ramifications are largely a matter of speculation,
however we can get an idea of some economic impacts by the size of
the ransomware market estimated at $1b in 2016 and $2b in 2017.
“Securing IoT devices is a major challenge, and manufacturers tend to focus on
functionality, compatibility requirements, and time-to-market rather than security.”
—Interagency Report on Status of International Cybersecurity Standardization

10: IoT Self-Authentication
• PROBLEM: The technical process of
authenticating the veracity of the IoT device
and any data collected by the IoT device.
• IMPACT: Limits utility to high-exposure IoT
applications, due to economic cost. Attack
surfaces remain due to high cost to implement
broadly.

11: Data Integrity from IoT Sensors
• PROBLEM: How do I know the data coming off the sensor data is
accurate? There needs to be mechanisms to know data coming off
sensors, drones, and other IoT data-generating devices is reliable
for high-security applications.
• IMPACT: Contamination or distortion of data from smart city
sensors, lightweight devices that control utility grids or operations,
and other cyber-physical systems could do serious real-world
damage if an attack occurred and it took significant time to detect
due to failed monitoring sensors.

Other Impacts
• Regulation
• Global landscape
• Scale
• Formal ownership
One of the major reasons the Internet+ is so insecure today is the absence of government
oversight. Government is by far the most common way we improve our collective
security, and it is almost certainly the most efficient.
—Bruce Schneier, Click Here to Kill Everyone

Future: Augmented Identity
• Software taking action on your behalf
• Devices doing things on your behalf
• Data collecting/sharing on your behalf
Do we need more nuanced identity?

Future: Combined Identity
People create a collective identity that acts in a
unified way as more than the sum of its parts.
• Today’s systems are set up for a single or legal
identity.
• There is no way for a group to create a collective
identity with financial and log in authentication.
• This use case could be used for ad-hoc, temporal
business collaborations like film productions and
creative project based partnerships.
• Could include NPEs.

Why do we care?
• Liability: who pays when something goes wrong?
• Responsibility: who is responsible at a particular time?
• Regulation: global trend for more regulation
• Collaboration: rising trend to work together
• Future Proof: envision the true scale of the problem

Future Identity System Goals
• Manage a trillion identities
– And all their relationships
• Thrive in dynamic environment
• Enable delegation
– Between humans & NPEs
• Involve automated systems
• Solve current data, privacy problems

Thank you + Questions
Heather Vescent
• www.ssiscoop.com
• www.thepurpletornado.com
• heathervescent@gmail.com
• vescent@thepurpletornado.com
• @heathervescent Download NPE: bit.ly/NPEreport
Download VDS: bit.ly/vdsreport

All you need to know about SSI for Corporates and IoT – Heather Vescent

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à All you need to know about SSI for Corporates and IoT – Heather Vescent

Similaire à All you need to know about SSI for Corporates and IoT – Heather Vescent (20)

Dernier

Dernier (20)

All you need to know about SSI for Corporates and IoT – Heather Vescent