EPISODE SUMMARY
Subscribe or listen now: 
Hello from Cybrary and Delinea, and welcome to the show. If you've been enjoying the Cybrary Podcast or 401 Access Denied, make sure to like, follow and, subscribe so that you don't miss any future episodes. We'd love to hear from you. Join the discussion by leaving us a comment or a view on your platform of choice or emailing us at Podcast@Cybrary.it. From all of us at Cybrary and Delinea, thank you and enjoy the show.
Paul Simmonds:
And at the end of the day, IT, and particularly security people, I put my hand up, guilty as charged, are control freaks. We like to say, "Give it all to me. I will make it all work for you," because that's what floats our boat. So that's problem number one, if you don't understand the locus of control problem, then you are doomed to repeat it time and time again. You've got to make things work outside your locus of control. Yes you might downgrade the level of trust or certainty you have in the information because it's coming from a different source, but you have to be able to accommodate that.
Joseph Carson:
Hello, everyone. Welcome back to another episode of the 401 Access Denied podcast, brought to you by both Delinea and Cybrary. I'm Joseph Carson, the host of the episode for today, and I'm really excited. This is one of my favorite topics to talk about, and it's really close to my heart. And actually, of course, we're very close to where I live in Tallinn, Estonia, which is all about identity, and we're joined by the amazing Paul Simmonds. Paul, do you just want to give us an introduction about your background, who you are, and what you do?
Paul Simmonds:
Yeah, hi, I'm Paul Simmonds. I suppose you'd called me a serial chief information security officer, having started at Motorola, and then ICI, and then obviously AstraZeneca, and along the way got involved in this thing called the Jericho Forum, which first of all gave us deperimeterization which people now call zero trust. But then we went to do a lot of work on identity so we span that out into an organization called the Global Identity Foundation, which I nominally head up, so chief spokesman, I suppose, for that, and a general advocate for how we do identity properly going forwards.
Joseph Carson:
Absolutely. And so that's great, throughout my entire history I've been doing identity, a big part for a long time, but heavily much in the last 10, 10 plus years mainly because I'm based in Estonia and the whole digital society here, it's whole foundation is built on identity. Some things are done right, some things are not done so well and it's always progressing and always getting better. And one of the things I remember just a few years ago we had a riveting conversation about identity and one of the things you really kind of opened my mind to a different way of looking at some of it and recently you wrote a couple of blogs which really got me excited because it really brought back a lot of that conversation. One of the things is that people sometimes misunderstand what identity's for and the background. Can you talk a bit about what is identity? What is it used for and the background? 'Cause I think that's a great place to start.
Paul Simmonds:
Yeah, it's really interesting. People, I've noticed, and I was guilty as sin of this when we started the identity journey is because we dived into the world of IT people, when we start doing computer identity, digital identity, whatever we want to call it, we throw out what people do and do it from a computer base and the problem is that if you think about it, if you go back to before I started in computers, when you had mainframes and if you were lucky enough, you got an account on the mainframe and you had to sign your first children in your life away to get that account and the mainframe was God with a small G and it went on from there.
As we started to connect these things together, what we then did is we said, look, actually we need a central source of truth, therefore we started to get an individual computer that acted as the central repository for identity and if you were lucky enough, you got an account on it, et cetera, et cetera, et cetera. And that is almost diametrically opposed for how humans do identity and that's where the problems start. As humans, we've had thousands of years of evolution to actually fine tune how we do trust and identity 'cause that's what it's linked in. How well do you trust this entity is who they say they are or who they claim to be or what they claim to be able to do.
Joseph Carson:
Absolutely. And that was one of the kind of big things that we discussed. One of our mutual friends, Brian Horn introduced us, I think it was at the CSA event in RSA and we ended up discussing for the rest of the night and one of the things that really got me was that to your point is that you are the best person to know your identity. You're the best person to bring it because it's you. It's everything, I mean some things are permanent, you can't change and some things are variables that can be modified. And one of the things I remember was that it was all about when you get introduced, you get introduced by another person who you already have a trust relationship with and that in our case was Brian. Brian was the mutual person that actually knew both of us and introduced us.
So therefore you've got some type of already trust getting established and then you take it from there. And so your point is that we lose that very much when we get into the digital world. We end up having a single source of trust rather than that deperimeterization where you can have different types of trust where you can actually solely build and trust. And where zero trust of course turns out around where it starts with zero starts with nothing and you have to define where those trust anchors are, those trust sources are. So what's some of the things that kind of personas or entities that build an identity, what's the things that make an identity? And those could be in the physical world and such as our name and date of birth and so forth and that in the digital world, what builds an identity, what is an identity that makes it?
Paul Simmonds:
So identity effectively consists of three parts, which is first of all is there's some form of authentication attached to it that allows you to uniquely identify this entity and humans use faces.
Joseph Carson:
Yeah.
Paul Simmonds:
Billions of years of evolution we are fine tuned to using faces. So you know, you might have met me 20 years ago or whatever when I had a lot less gray hair and everything else but 20 years on, you'll look at me and go, "Ah, Paul Simmons." Or "I recognize that person generally."
Joseph Carson:
Yes.
Paul Simmonds:
And then you are trying to attach a name attribute because that's all a name is to that identity, but we call... That is the authentication part of it and then on top of that we start layering what we call personas, which are groups of attributes ideally from an authoritative source but they don't need to be. And that builds up effectively what an identity, what this big thing called identity is, which is a group of personas in totally different contexts. So I'll have a sexual persuasion persona for example. I will have a citizen persona which is my join between me and the UK government because I'm British, I have a British birth certificate and generates passports and other bits and pieces.
But I'll have a whole bunch of other personas. I have a family persona, I have a sporting persona, I have personas which goes with various interests. I have accounts in the computer world which effectively are the same. They are personas, they are the join between me and the entity I am interacting with, et cetera, et cetera, et cetera. The aim is that we trust those personas more or less depending on how authoritative they are. So obviously family persona is easy because I was born into a family, I have children, we all know that relationship and therefore we trust that relationship.
But when it comes to other personas, it depends on how much you trust it. So my example is always, I mean I used to travel into London on an occasional basis and standing on the platform for the train for the ten past seven from Gerrards Cross every morning there would be, for example, a woman standing there who, very British, stood in the same place every single day, got on the same carriage every single day, tended to sit in the same seat every single day, whatever, got off at Marylebone. So if you think about it, what am I doing? As a human being, I'm going, okay, there's a attractive girl, a woman, whatever, gets on the train. Obviously worked in London because she gets off at Marylebone in the same place as I do and then goes elsewhere, I don't know, no idea where. She obviously lives in or near Gerrards Cross.
So I'm applying a bunch of attributes against her face. That's it. They're not authoritative, they're totally subjective, I'm adding them to it and everything else. Now that was actually fine. About two years after I did this, I went to a party in Gerrards Cross and lo and behold, guess what? There was the woman who I got introduced to. So now I have a name attribute, it may not be her real name because I have a name attribute to go with the face and everything else and I have a... Starting to build up more stuff and because again as you say, it was introduced by a mutual friend.
Joseph Carson:
Correct, yes.
Paul Simmonds:
Yes? There is a level of trust that goes with the fact that actually she's who she says she is.
Joseph Carson:
And if that person's using the same name also builds up a level of more trust in the name that that person's using.
Paul Simmonds:
Yeah, and again, if you think about it, certainly IT's dirty little secret is that we don't accept that women like to get married occasionally and change their names, I mean sometimes men change their name as well but it's more unusual but ultimately you know, you join a company and you know get assigned Jane Doe and then one day Jane gets married and says, "Well I'm now Jane, someone else, Jane Smith." And the IT department goes, "You can't do that..."
Joseph Carson:
You can't change...
Paul Simmonds:
You can't change name because somehow we think the name is unique but it's not, it's just an attribute.
Joseph Carson:
And that's a good point as well.
Paul Simmonds:
Of identity..
Joseph Carson:
Is this, a lot of those attributes are changeable and a lot of them are fixed and permanent. And when we are thinking about IT, it sometimes that's why using IT, it's sometimes better to use a more an index type of reference to create, to have that uniqueness to build them around rather than using the assumed names as those references because names can change.
Paul Simmonds:
Yeah.
Joseph Carson:
To your point is that...
Paul Simmonds:
Yeah, very much. And it's interesting, I mean when I work for AstraZeneca because it's drug producing and everything else, they have to keep records for you know, FDA and all the other regulations around the world such that you can track back 80 years time if you have a problem with a drug and go who actually made that batch? And were they trained and everything else. So my AstraZeneca user ID is KQRD644.
Joseph Carson:
Non-repudiation.
Paul Simmonds:
There might be multiple Paul.simmonds@astrazeneca.com but there is only one KQRD644.
Joseph Carson:
Yep. And that's why it's important to have those specifics because then you can have even at least the anomaly as well anonymous piece if you need to go back and trace back of non-repudiation or proof of that history or proof of evidence there's a way of or pulling that back as well. And that was one of the things here in Estonia as well, especially around things like the voting side of things was that you can have that proof of voting but that basically there's an identity that's giving to the citizen that is, that's fixed to that person. That person can change their name, they can get married, they can change their gender if they ever even wish to or change lots of different variables about themselves, but that there's fixed unique identity number that is permanent against that citizen and that's the one that gets basically referenced in all the different data vaults and data lakes and so forth.
And if you ever need to, you can pull those attributes back in order to verify this citizen. So absolutely it's a great way of basically making sure that one is you've still got some type of anomalous in the system itself, but you can go through, in certain scenarios, and had non-repudiation have purposes of reason to have that exposure revealed.
Paul Simmonds:
Yeah, which of course is great when you trust your government.
Joseph Carson:
It's one of the things I get asked. I get asked a lot about the Estonia side of things as well from that trusting the government and I think it's one of the key things that the government has done is that trust is not automatic. Trust is not something that's basically just a given. What the Estonian government has done over time is they are transparent as much as possible to the citizen. So the citizen has a certain amount of visibility into the data that is collected and generated on that citizen so they can go in and see it and they can see the uses and the transactions with that data. So it's all about making sure that you've got transparency and I think that's what's, over time, as long as there's no abuse of that, that the citizen starts building trust with the government into the use of digital services.
So absolutely trust it. It's all about a matter of and where does that trust score? Where is it at any point in time? And that's something that, 'cause it goes up and down depending on government changes. It depends on scams and other types of things that get disclosed. That trust kind of varies but as long as it stays at a pretty good high level, then majority of citizens look at that and they buy into it and they accept it but it's all about transparency. Trust is not, yeah, it's something that's just not automatic and it's something that, it's a digital society that all work together to self… it's almost like a auditing the government in some way that the citizens had the ability to do that over time.
Paul Simmonds:
Yeah, which I mean it's been really an interesting journey for me because that was very much my perception when I started this journey because I live in Britain. I mean Britain hasn't been invaded since 1066. We are pretty much a benign western country for all intents and purposes. But as I've taken the journey, it's been really interesting to talk to an awful lot of people out there and really a case of saying, well how do you solve some of these more... The bigger problems where you don't have benign governments or actually you have governments that go bad and they do. My sister-in-law is Rwandan and she was a refugee from the Rwandan genocide.
She has one parent who is Hutu and one parent who is Tootsie if your African history and she ended up as a refugee in Uganda as a result and there we have an example of where identity information is hazardous to your health because the two, if you were a Hutu, the Tutsi wanted to kill you and vice versa and she had one parent who was each, so she was actually couldn't win either way. And there are lots of other examples out there of where things can go bad. I mean I tend to use this example an awful lot and we've been doing some work with Oxford University and their computer science people and they introduced us to one of their PhD students and I used that example with him and he said "I can go better than that." He said "I did five trips to Saddam Hussein's torture chambers before I was 12."
Joseph Carson:
That reminds me, I think one of the conversations I had in the past was I was always thinking about the ability and having the ability for an anonymous ability on the internet is one thing. And I remember, I think it was is open ID was based on to make sure that you don't have that, you have the ability of having a permanent internet place, which means that the government cannot make you disappear was one of the... It's the opposite side in those regime side of things is that to make sure that you've got some permanent reference on the internet that you can go to that, you can't delete or you can't make disappear. Because your point, there's definitely some governments out there that they make citizens disappear and you want to have the ability to make sure that you can have that permanent, your government cannot just make you disappear all of a sudden and you don't have never existed.
Having that ability is important. One of the things I wanted to ask you about as well, I thought was very intriguing in the blogs that you wrote, we'll definitely make sure for the audience that we'll put the references of all the blogs into the show notes as well for the pilot podcast so they can actually have references to. One of the things I thought was really interesting one is that, and there was a conversation I've had with different analysts over the time is the difference between the human side of things. Because a lot of times when we're talking about, in the digital world and IT is we're very much focused purely a lot on the human side of identities, but it goes well beyond that. And sometimes I talk about, usually I refer to it as the non-human identities, which other analysts refer to it as machine identities. And there's different kind of terms it's been given. I think it was, you've referred to it as just identities in general. Can you talk a bit about the differences between human identities and devices and organizations and then you've even got code and agents and so forth. Can you talk a little bit about the differences of those?
Paul Simmonds:
Yeah, so when we started looking at it, we sort of said actually identities is probably... It's entities is the overarching term and we'd originally defined them as people, devices, organizations, code and agents but that's actually just a subset. And the key thing here is we shouldn't do anything different between entities. So we defined five to sort of whet people's appetites or thinking about what the scope of this actually was but in reality it's anything that you can uniquely identify. It's a similar-
Joseph Carson:
And if you're talking about the pharmaceutical background as well, a lot of that could go into different prescriptions and drugs or health records to lots of different types of things that make up, as you pointed, there's entities and then the associations to the personas as well.
Paul Simmonds:
Yeah. And I-
Joseph Carson:
You can identify even pieces of paper today have unique identities. Every page that goes through a printer has unique identity, potentially that has the dots put printed on it.
Paul Simmonds:
Yeah, potentially yes. And the key behind this, and if you take this to its more logical conclusion of why are entities important? Which is the big thing and it goes to personas. So in a pure world, the join between the entities gives you personas. So if you think about it, entity organization, UK government, entity person, me, the digital, the join between us, digital or otherwise, it doesn't make any difference, is my citizen persona because UK government are authoritative for my birth certificate. So there are five attributes that the UK government give me in the form of my birth certificate, which is name at birth, because remember it can change, place of birth, which obviously doesn't change, date of birth, which doesn't change, sex at birth, which these days can change or sex can change, sex at birth we can debate and the right to be a UK citizen.
But basically there are five attributes for which organization UK government are authoritative and the join between me potentially anonymous me and UK government gives me five attributes that I can assert signed by UK government that only I can assert because I should own them. And we then have... Think about all the other joins in your life. So when I join a company then the join between me and organization company. The join between me and laptop, my laptop, makes it Paul's laptop. The join between me and my corporate issued laptop makes it Paul's corporate laptop. That's the persona that goes with it and all of those attributes, all of those personas will have a different set of attributes that we should be able to assert in a digital world or a non-digital world. We shouldn't differentiate between the two.
Joseph Carson:
Yes. I think somebody always reminded me that I always had to remember that all the entities are digital in some form or another. There's no, unless we're in the physical world, when we're talking about digital, they're all digital.
Paul Simmonds:
Yeah, but we should be able to assert those and when you receive those assertions, you should be able to look at that assertion and make a decision about how much you trust that assertion.
Joseph Carson:
Mm-hmm. And what's some of those ways to do the trust anchor or the root of trust? What's some of those assertions to that when you're either collecting and looking at identity or you're providing, what's some of those assertions that you can do to show that trust?
Paul Simmonds:
So if you think about it, let's give you an example. So I want to buy a bottle of alcohol. So think about it, so let's look at it in terms of physical and digital. So in the physical world it's pretty easy. In the UK you had to be over 18. I walk in with a £20 note, I want a bottle of whiskey, I walk into an off license and they go gray hair, yeah, definitely over 18. Some places in the world you will still have to show ID but in the UK, no they'll just go no gray hair, £20 note, here's your bottle of whiskey. Thank you very much. Pretty well an anonymous transaction.
Joseph Carson:
Yep.
Paul Simmonds:
As much as you can make it, you can debate about cameras and other bits and pieces, but for all intents and purposes-
Joseph Carson:
The world that privacy is always a challenge today with the facial recognition.
Paul Simmonds:
It's a private, anonymous transaction. Now try to do it in the digital world, how do you make that equivalent work in the digital world? And the answer is let's go to a favorite e-commerce store that is now allowed to sell alcohol. Let's call it Amazon for want of... There are other vendors out there. In reality, think about how you do that in their world so they are concerned with three things in the business world, which is are they going to get paid for it? Are they going to get their license to sell alcohol revoked? And is it going to be a fraudulent transaction such that it gets reversed? So those are the things that they need to achieve.
So how do you do that? Well first of all, I issue you, I issue Amazon with an assertion that I am over 18 because from my citizen persona signed by UK government, so I give them an I am over 18 assertion signed by UK government, yep? And that is authoritative because they define how old I am because they issue my birth certificate. Easy. I issue them with I'm going to pay you £20 signed by Visa. Again we can do that as an anonymous... As a one way anonymous transaction so that's easy. We can even do it with bitcoin and I'm going to give you an Amazon Locker to put it in. So I'd like you to put it in the Amazon Locker at my local gas station or petrol station or whatever.
Joseph Carson:
Yep, just a pickup point, simply-
Paul Simmonds:
A pickup point.
Joseph Carson:
... just a pickup point.
Paul Simmonds:
And in return, Amazon gives me a onetime code, which is unique to me that only I can assert to unlock that locker and whatever. And because those three assertions need to be locked together, in other words, only one entity could have asserted them even anonymously, then we need to wrap them up in a nice little cryptographic bow, which the cryptographer will tell you is pretty easy to do such that Amazon can say, yeah, I've got three assertions signed by the authoritative sources for those such that only one entity could have asserted all three as a triple. And now you have the equivalent, the digital equivalent of walking into an off license and buying anonymously my bottle of whiskey.
Joseph Carson:
So the only challenge was a lot of those today is that they're using your mobile number as a way of a source of identity as well.
Paul Simmonds:
Yep.
Joseph Carson:
So as one of those entities, which in many cases, is a part of your persona that's permanent in many cases, in most cases. So they have the ability to have that association. We do that transaction multiple times, that mobile number becomes that kind of repetitive kind of reference.
Paul Simmonds:
Yeah, no, very much and that's the problem because the challenge in the identity world is how do you prove the level of what we call immutable linkage?
Joseph Carson:
Yeah.
Paul Simmonds:
How well the wetware, me, is linked to the firmware, whether it be the device or the attribute or whatever. So it's that level of immutable linkage and at the moment, yeah absolutely. We tend to use a phone or a mobile device anyway, a sim.
Joseph Carson:
Yeah.
Paul Simmonds:
With a reasonably guaranteed unique identity.
Joseph Carson:
Exactly. And this is something kind of reminds me what you're touching on as a conversation that I had with Ian Glazer on the exact same point is that in the ideal scenario when we were talking about going similar process you're mentioning about purchasing alcohol is you're going to another country to rent a car or you're going traveling and you're staying at a hotel, that a lot of the purposes what that hotel needs to do by law is verify that you're over the age of 18 and that's pretty much it. They just want to make sure that you're legally allowed to sign a hotel and that you have the financial funds to pay for the hotel. If you're renting a car, what the car rental company really needs to know is that are you legally allowed to drive and do you have insurance and do you have the funds to cover?
So they... And a lot of things when they collect the data, a lot of times the hotel will scan your passport but they don't need all of that details in the passport. The only one thing that they're looking for is your date of birth and that calculation is that you're over the age of 18. When you go to rent a car, they scan your driver's license but they don't need your basically your address. They don't need a lot of the data and attributes on that entity in order to rent the car, they only need to know that you've got a valid driver's license. But they take copies of that in order to have that, let's say, that non-repudiation of they're gathering enough proof before they will permit you. And then get into a conversation myself and Ian are having is that all they need to do is ask the right questions and all they just need to do is provide a source of trust to say here is a place that you can go to that we both have immutable trust.
And it could be the driver's license entity from the government, it could be the password entity and all they do need to do is ask the right questions. Is this person legally allowed to drive? And that should be a great way of doing a digital authorization authentication for to make sure that I am allowed to do that. And that would remove a lot of the wasted collection of data as well and it would simplify a lot of those processes as well. I know that in the EU, the Schengen area, they're also trying to do that with physically Tesla's travel as well where they're trying to achieve that where you can just go up to the booths and they will do a facial recognition and they will check to make sure that all of the entities that you've provided is allowing you to travel to that country. So what's your thoughts around that over collection of data that a lot of those entities are doing what they really only need the basic essentials? Is that something that's we can improve on or change?
Paul Simmonds:
Oh absolutely. I mean the answer is we do and we don't. So let me do the politician's answer and answer a slightly different question. So if you think about it, and I've done this 'cause I work in security, I've been onto the dark web and I have effectively done a Google search dark web on my name and I can tell you that every single bit of information about me is out there. So name, date of birth, where I live, my postcode, my mother's maiden name, who my family are, et cetera, et cetera, et cetera. It is all out there. If you don't subscribe to it, have I been pawned from Troy Hunt, which is a fantastic service.
Joseph Carson:
Troy's a great guy, he so is.
Paul Simmonds:
And I get alerts on a regular basis from that service and I started off putting them in a PowerPoint slide and I have now run out. The text has got too small for all the breaches that I have been involved in over the years. So the reality is all my personal information is out there. So the challenge is how do you ensure that only I, as the owner of that personal information, can assert it?
Joseph Carson:
Yes.
Paul Simmonds:
So that is your ultimate challenge going forwards because you can take all that information and you can go, I am Paul Simmonds because I can tell you my date of birth, where I live, my postcode, my mother's maiden name, my inside leg measurement, et cetera, et cetera.
Joseph Carson:
But a lot of that information's already out there.
Paul Simmonds:
Absolutely. I don't doubt that. How do you ensure that you cannot use that information to create an account in my name or do an account takeover-
Joseph Carson:
Yes.
Paul Simmonds:
... in my name? So the challenge is how can only I as the owner of that PII assert it? And that, if you like, is the ultimate challenge that we face as an industry.
Joseph Carson:
Yep.
Paul Simmonds:
And what does that then mean to go back and to answer your original question, yes, absolutely. We should only be asserting minimal privacy enhancing information. So I should not be giving, if you asked me to prove are you over 18? I should not be giving you my date of birth.
Joseph Carson:
Yes.
Paul Simmonds:
I should be giving you a digitally assigned assertion by UK government.
Joseph Carson:
Yep.
Paul Simmonds:
Yes? So that when I give it to you you can say, yep, I can check that this is... What I'm checking is not that actually there is a central server that holds Paul Simmonds' date of birth. I can check that the assertion you give me is signed by UK government because there are only 350 odd places that they issue passports. So holding 350 public keys these days is not difficult. You can cash that without any problems. So I can give you an assertion that says I am over 18 or in the case of a car, I am over 25 and under 65.
Joseph Carson:
Yep.
Paul Simmonds:
Yep?
Joseph Carson:
That's exactly. I would love to find a way forward to make that... In all those different scenarios, there's certain things, solutions that can be had but in a generic way for all of it. I would love to have a world where that's being able to do that simply would be-
Paul Simmonds:
Yeah.
Joseph Carson:
... the ideal way forward.
Paul Simmonds:
That is the challenge going forwards is how do we do that in a common manner and do it simply And more importantly, how can I then take those multiple assertions and connect them with a bow that says actually they all come guaranteed, cryptographically guaranteed from one entity.
Joseph Carson:
Yeah.
Paul Simmonds:
You might not know who I am.
Joseph Carson:
In Estonia it's almost that way. The difficulty is that when you cross border, when you go outside of Estonia then you always have to go back and this is a common problem for a lot of Estonians actually is that when they travel, because they're so used to having their, let's say digital wallet is part of their mobile phone and sometimes and that's how they do those assertions, is through basically the digital signature between themselves and the government. And they can do that between different entities here in Estonia, whether it being the financial, whether it be rent a car, here you've got companies like Bolt where you can just simply with your mobile phone go on and lock the car door with the mobile phone and the cable will switch, get in the car and drive, finish and unlock and so forth. So that simple simplicity, but the moment you leave Estonia, you're going back to...
I think the bigger problem is now when we're getting into international cross borders it becomes more of a challenge because as to your point is that those assertions then tends to go back to government identities as being the source. It'll be great to be able to expand on that as you know that they'll be able to move forward. I was, remember years ago thinking about even having things like data brokers that would provide those types of things where, because one of the other challenges I think is that, as your point is that a lot of the attributes can change and when you search your data, if you do a search on your data, you'll find a lot of old data out there that your previous addresses that you lived at, previous cars that you may have driven or owned. So there's a lot of legacy data out there, your school that you went to which... So there's a lot of those attributes.
Some are still valid and could be useful, some are basically outdated and need to be updated and those data brokers idea was all about getting to a single source of truth is that this is where rather than saying, hey Facebook, here's my data, here another social site, here's my data, here Snapchat and you're providing all at that time the data was correct, but over time it becomes still and outdated. And the data broker idea was around having the ability to make sure that I don't put my data in those social sites but I do as I provide that joining to a central source.
So in Estonia they have that ability where it's not data is only in certain data vaults or data lakes and it's unique and you can't duplicate it. So my home address is only in the population register and that's it. If the bank need to send me something, then they have to get that data from the population register so they don't hold outdated data. So how do we solve that problem in a deperimeterized and a broader skill? Do you see data brokers or other elements of ways because managing it is a bit of a mess today because it just, because you're storing the same data in so many places.
Paul Simmonds:
Yeah, there are two issues here. The first one is what we defined way back when we defined the commandment, the Jericho Foreign Commandments back in 2003, which is this concept of locus of control. And there are so many IT folk out there who don't understand the locus of control problem which is I can make it all work as long as you play in my locus of control. And effectively that's what the Estonian system is. We can make it all work as long as you play in Estonia's locus of control.
Joseph Carson:
Right.
Paul Simmonds:
And you can make it work really nicely. And at the end of the day, IT and particularly security people, I put my hand up, guilty as charged are control freaks. We like to say give it all to me, I will make it all work for you because that's what floats our boat. So that's problem number one is if you don't understand the locus of control problem, then you are doomed to repeat it time and time again. You've got to make things work outside your locus of control. Yes, you might downgrade the level of trust or certainty you have in the information because it's coming from a different source, but you have to be able to accommodate that. So that's number one.
Brokers won't scale. It is as simple as that. You have to go back and say your single source of truth has to be the authoritative source. So you need to turn this on its head and say for this bit of information, who is authoritative, truly authoritative? So as I said, my date of birth, UK government is truly authoritative. My bank is Barclays, who are truly authoritative because it's their bank account at the end of the day. Do I work for AstraZeneca? The answer is not anymore but can I prove I worked for AstraZeneca? Who is authoritative to prove that? The answer is AstraZeneca.
And I need to be able to give you an assertion signed by the authoritative source. The instant you start using brokers, you can make it work, to a certain extent, while you trust that club, but it won't scale globally. So the challenge is if I have a broker, let's call them Verizon for want of a better word, the question is are the Chinese government going to trust Verizon when I assert something signed by Verizon? And they're going to go, no, absolutely not because they're not Chinese. And quite rightly so.
Joseph Carson:
Absolutely not. That's-
Paul Simmonds:
However, if I give you date of... If I give you an assertion that says I'm a US citizen and here is my date of birth and they are both signed by the US government, the Chinese already accept that because it's called a passport. So you have to go back to first principles and say the only way you make this work and scale globally is if it is signed by the authoritative source.
Joseph Carson:
Absolutely. No that absolutely makes sense. It's... Sometimes you think, try to think of things in a simpler skill, but when you get down to it is that the original authoritative of source is the root of trust where it was established and created in the first place.
Paul Simmonds:
Yep.
Joseph Carson:
And therefore if you've got a way of verifying that on some type of token level, NFTs have some purposes in the world but-
Paul Simmonds:
Maybe.
Joseph Carson:
... for non-repudiation purposes this is a token that was created that it shows that you've got this assertion or this attribute was valid and has a timestamp associated to it.
Paul Simmonds:
Yeah.
Joseph Carson:
So absolutely. One things... After I think we spoke, I had this whole idea and it was about when you talked about you are the person that is the best to establish your own identity and they got me thinking about the whole bring your own identity concept so where see the future of this going? Do you see bring your own identity as where organizations and others, they don't necessarily need to have, they just need to have that joining of the identity that you bring. And to your point is that authoritative level determines that level of trust that you might have and the trust might be low, might high depending on the authoritative level. Where do you see the future going? Do you see bringing your own identity as something that will become more common for organizations and businesses and governments? Or where do you really see the future in identity going? The path? The direction? Decentralization, we've seen a lot of the, where you have a lot of leverage of self-sovereign identity is I guess, the technical term that we've been using for that. So what do you see the future going?
Paul Simmonds:
Okay, so I'm going to make one caveat before I start and just say the problem with self-sovereign, so self-sovereign identity, the problem statement I totally agree with. The problem is that the self-sovereign identity community are coming at it from the solution is blockchain. Now what…
Joseph Carson:
They're coming… I agree, you've got a solution that you're trying to fit into-
Paul Simmonds:
Yep.
Joseph Carson:
... to make that solve the problem but we have to remember what the problem is-
Paul Simmonds:
Yeah.
Joseph Carson:
And we have to be open to the solution.
Paul Simmonds:
The problem statement, the self-sovereign identity crowd port I totally agree with, the solution I fundamentally disagree with.
Joseph Carson:
Yeah.
Paul Simmonds:
So if you think about it, yes, bring your own identity or actually bring your own assertible attributes. So I want a collection of attributes held probably in some kind of common wallet. Yes, that only I can have access to and I can then assert those attributes. And the trick to making this work is yes I hold the attributes, yes I choose privacy here to say actually yeah I'm happy to give you an 18 assertion but I'm not happy to give you my date of birth because you don't need it. I am happy to give you an assertion, I'm going to pay you $20 for this bottle of whiskey, et cetera, et cetera. So that's fine and I need to be able to wrap it up in this nice cryptographic bow so you can see it all comes from one entity.
But then the other thing you need from a trust point of view is you need to be able to understand how well the entity is linked to the assertions.
Joseph Carson:
Mm-hmm.
Paul Simmonds:
In other words, so we did a proof of concept with a very high profile, publicly known name, which I can't mention.
Joseph Carson:
No problem.
Paul Simmonds:
Working in their skunk works labs and we actually built this with them and yeah, absolutely and one of the questions was because this was selling stuff that needed an RU18 assertion that went with it is how do I trust that actually mom hasn't sent little Johnny who's 14 in to actually go and get these goods.
Joseph Carson:
Yes.
Paul Simmonds:
And so we had this discussion with the American executives that went with it and said, well what are your requirements? What do you think is acceptable? And the answer was yes, you need to have unlocked the device with a biometric because we were using mobile phones obviously.
Joseph Carson:
Yes.
Paul Simmonds:
And you need to have unlocked this device with a biometric assertion within the last five minutes or two minutes or whatever because at the end of the day, it's your-
Joseph Carson:
Time based authorization.
Paul Simmonds:
It's your license, it ultimately the people who are going to get dinged are the store because it's your license to operate to sell restricted goods.
Joseph Carson:
Yep.
Paul Simmonds:
So if you do this too many times like selling cigarettes to 12 year olds, you know lose your license to sell cigarettes. It's as simple as that, certainly in the UK. So the challenge is, you need to be able to... You, the person who's taking the risk, the store in this case, needs to be able to understand not only are all the attributes I asked for linked cryptographically, that one's easy but with that you need the information that says yes and I need to know because I require it, that actually those attributes were unlocked in the last two minutes or five minutes or 10 minutes, whatever, your risk and you need to be able to know with what degree of certainty is the wetware linked to the firmware.
In other words, Paul Simmonds or this entity here linked to the mobile device. So you need to know the device and how it was unlocked. So was it unlocked with a facial biometric? Was it unlocked with a fingerprint or a pin or whatever and what type of device was it? So that ultimately if you want to do high security or higher security transactions, you need to be able to say, yeah, we know this device is now five years old and its fingerprint reader is so easily spoofed with a gummy bear that yeah, we're not going to let you use that anymore. We're going to depreciate your ability to use this make of device versus I've got the latest, greatest one plus or iPhone or whatever and we're really happy with that.
Joseph Carson:
Yep.
Paul Simmonds:
You can-
Joseph Carson:
So there's lots of levels of lots of risk that needs to be calculated into.
Paul Simmonds:
Absolutely.
Joseph Carson:
And determine it.
Paul Simmonds:
The other key thing that goes with that is you never ever turn a variable into a binary because again we do that time and time again. We turn-
Joseph Carson:
Yep.
Paul Simmonds:
... my example is always look at the corporate world with active directory. So in AstraZeneca I could log onto active directory with a username of password and it could be very dodgy and it could have taken five attempts to do it and I got it right on the last one and whatever. The problem is, active directory then says binary one, this is Paul Simmonds and it then passes that on.
Joseph Carson:
And that's for the session that you've got for…
Paul Simmonds:
All the session and passes the binary one, this is Paul Simmonds onto 137,000 other devices in the organization. What is wrong with this picture?
Joseph Carson:
Yep. In the entire forest you've become Paul.
Paul Simmonds:
Yeah, exactly. Yeah. So if I can-
Joseph Carson:
Anything that's from that top down level, the moment you've got the level of trust that's specifically established, that just becomes apparent in everything underneath and that hierarchy believes it.
Paul Simmonds:
Yeah. And absolutely. This is one of the good things that's going on in the zero trust discussion at the moment is it is about continuous authentication. It is about re-authentication, it is about risk-based authentication depending on what the asset at risk is. So as I keep telling people, if it's the lunchtime server, then actually your entitlement rule is let everyone have access to it, we don't care, because it's the menu for lunch versus the corporate results that are going to the city and the risk…
Joseph Carson:
Absolutely. Continuous authentication and verification.
Paul Simmonds:
Yeah, and-
Joseph Carson:
It's also important to separate authentication between authorization clearly and having those very distinct as well-
Paul Simmonds:
Yeah.
Joseph Carson:
... so that there's one thing is about me proving, but then what can I do after I proved who I am?
Paul Simmonds:
Yes.
Joseph Carson:
And if I'm changing the level, let's say, of risk, then I need to go through some additional security controls or I need to level myself up in regards to-
Paul Simmonds:
In some form, yes. Yes, some form of step up authentication so you know, if all I want to do is look at my bank account balance, then absolutely fine 'cause it's read only.
Joseph Carson:
Yeah.
Paul Simmonds:
There's a level. But if I want to transfer £6,000 to a Russian bank, then behind the scenes the bank is asking, does Paul Simmonds normally transfer £6,000 pounds into Russian bank?
Joseph Carson:
Is this something you do previously? Is it the first time you're doing it?
Paul Simmonds:
Yeah. The wonderful phrase that someone told me the other day, it's called normative transactional profile. In other words, do they normally do this?
Joseph Carson:
Yes.
Paul Simmonds:
But a whole bunch of other stuff and some of it will be in the background because we want to make this as frictionless as possible.
Joseph Carson:
One of the terms I've come up with as is zero friction security is my term. Next term is I'm not a big fan of zero trust in, I like the concept, the terminology doesn't really resonate with business, which is always a problem I've got is that when you translate into business use, it doesn't go that well. We've been talking about zero assumptions so that you're not assuming security's been satisfied, you have to continue to satisfy so zero source has been a term that I've been using. But to your point, absolutely it has to be zero friction as well. It has to be something that we do as much as the security controls in the back room are possible and only when you need to verify the person behind the keyboard or on the screen or the device, then you create some type of friction. And that friction has to be seamless, it has to be simplified and say absolutely. And to your point is profiling, is this something you normally do? Is key to that type of transaction.
Paul Simmonds:
Yeah and it has to be commensurate with what the person at the end of that keyboard thinks is reasonable.
Joseph Carson:
Absolutely.
Paul Simmonds:
Because otherwise they'll find ways to bypass it.
Joseph Carson:
Which is that one of the things they always take the easy path and the easy path is the least secure, they will go down that path.
Paul Simmonds:
Yeah.
Joseph Carson:
'Cause at the end of the day they want to do a transaction, they want to finish a task, they want to do something and they'll always take the path of least resistance.
Paul Simmonds:
Yeah, they will.
Joseph Carson:
We're humans by nature, we want to get things done but that path always has to be the secure path in my mind. So when you do any new implementation of anything, you should always make it better than the previous experience.
Paul Simmonds:
Yeah.
Joseph Carson:
While it being more secure at the same time. Paul it's been a fantastic discussion. I'm really excited about looking, I'm keeping an eye for, I think we're on part three as today, if I recall so I'm looking forward to the next series and the blogs. We'll make sure as they come out we'll put them on the show notes. Any last comment you have around some of the things that the audience should be aware around identity? What's some of the do's and don'ts? What tips do you have for the audience?
Paul Simmonds:
I suppose I'd reiterate the locus of control thing. If you don't understand it, go read the Jericho Forum Commandments but locus of control is absolutely key is you need to get away from this. I can make it all work if you play in my locus of control because that's how we're going to make a global environment work. And if we-
Joseph Carson:
Absolutely.
Paul Simmonds:
... can do it globally because we are global at the end of the day as businesses generally.
Joseph Carson:
Yep.
Paul Simmonds:
We need to be able to travel, we need to be able to work internationally, we need to be able to do joint ventures and collaborations. The days of being staff on payroll and you've just worked in that one building have gone-
Joseph Carson:
It's gone.
Paul Simmonds:
... forever. Irrespective of the pandemic.
Joseph Carson:
I love the book by Abe McCormick, I'll make sure also it's included as well. Abe McCormick is that we're moving back to the old school of trade is that, and that's one of the things I wanted when I was talking about bringing identity is that concept is that I will have my own skill and my own profession and I can work for many companies providing that skill and therefore that's where we're moving toward where it's about what value can you add and do you want to have that value to as a one-on-one relationship? Are you want it as a one to many? And we have to be able to make that. And I think that's when you're referring to we need to be open and we need to be flexible in regards to some of those establishments and rules, so absolutely.
Paul Simmonds:
Yeah, which is what your board wants at the end of the day because if you talk to the board, that's what they want. They want to be able to that level of fast, flexible, and cheap.
Joseph Carson:
Absolutely.
Paul Simmonds:
Our challenges in industry is how we deliver that.
Joseph Carson:
That's fantastic. That's very wise words. I'll definitely... I'll also make sure that the Jericho Farm page is linked with those commandments and the rules, the foundation, because I think that's really set forward where we are with identity today and where we're going. It's really kind of a great foundation and what you've done, and I always remember we've discussed it last year when Pamela Dingle was on, we were talking about the identity journey and for Pamela that was one of the foundations that really got her excited was those establishments and really set forward the identity industry and where we are today. So what you've done for the industry is amazing and keep up the great work, it's been fantastic.
Paul Simmonds:
Thank you very much.
Joseph Carson:
Really enjoyed having the conversation with today and hopefully-
Paul Simmonds:
Likewise.
Joseph Carson:
... it won't be another long time before we get to catch up again. Maybe next time Brian will be there as well.
Paul Simmonds:
Yeah, absolutely.
Joseph Carson:
So it's been fantastic and again, for everyone, hopefully this has been enjoyable. Hopefully you've learned a lot about identity and that it is given you a whole new perspective on where we are, where we came from and where we're going. It's really exciting times, really exciting where going and I think it's really going to change, not just as a business life, but as we do in digital society and what we do in our day-to-day and lifestyles is going to make our digital lives much more, let's say, basically we can do a lot more and a lot more flexibility and a lot more luxury hopefully, so Paul, it's been fantastic. For the audience, stay safe. Tune in every two weeks for the 401 Access Denied podcast. I'm your host for the episode, Joseph Carson. It's been a pleasure and all the best and take care. Thank you.
