The potential of decentralised identity in securing multi-cloud IT estates

For decades CIOs owned and managed technology deployment within the secured perimeter of their organisations. Data leaving the perimeter or the need for internal systems to be accessed externally was minimal, and everyone accessed company systems from corporate offices. However, organisations’ continued onset of hybrid and multi-cloud service consumption and APIs to expose internal systems to external organisations challenge the established centralised and perimeter style of identity access management. With the abundant use of cloud services, is there such an organisational cyber-security perimeter anymore where all forms of device, system and employee access can be managed centrally within the perimeter?

The global pandemic further accelerated the growing trend of remote and hybrid work to become a new norm for employees. Which further eroded the ability of CIOs and CISOs to effectively manage the security status of remote workplaces and application access. At the same time, cyber-attacks are continuing to increase. At the recent Microsoft EMEA Analyst Strategy Days 2022 event, it was discussed that in 2021 they analysed 24 trillion threat signals every day and blocked 31 billion identity threats globally. They are tracking 40+ nation-state actors and 140+ threat groups.

As discussed in a recent blog post (i.e. From data ownership to sovereignty, how CIOs must consider the impact on cloud service usage), data governance within organisations is growing ever more complex. From per-country laws regarding data sovereignty to an organisation’s ability to authenticate data provenance through data lineage and ownership. This mesh of complexity is challenging how CIOs and CISOs securely manage the data their organisations use and the identity of those accessing it (in conjunction with other cyber-security topics). This fragmentation of the cyber-security perimeter has seen growth in organisations considering a zero-trust security model. This is a perimeter less approach to cyber-security where trust is never implied or implicit and must always be verified, using a minimum level of permissions, to achieve trust with an employee or devices/systems.

In conjunction with zero trust, the concept of decentralised identity, also referred to as self-sovereign identity (SSI), has garnered the attention of CIOs and the vendors that supply technology services. Decentralised identity is a means of verification where a person, not an organisation, retains identity, and selective disclosure of credentials occurs to establish and verify trust. This approach flips identity ownership by centralising it on the individual but decentralising it from organisations. This is achieved through digital wallet implementations that cryptographically store a range of credentials that provide a single source of identity verification. Individuals create a pair of private and public encryption keys through a digital wallet to share the minimum level of identity to achieve trust for access or a transaction. Distributed/Blockchain ledgers are the other main piece of the puzzle to connect issuers of identity, individuals, and consumers of identity together.

While the use of decentralised identity to reduce the operational complexity of identity verification across a multi-cloud environment is significant, it must be understood that standards, protocols, frameworks, and laws regarding decentralised identity are all still nascent in nature and under development. The leading industry body in this space is the Decentralised Identity Foundation (DIF), which works with technology companies to establish a standardised approach for digital identities. To develop a common framework for digital wallets, trusted transactions, and verification across multiple distributed ledgers.

However, despite the current nascent nature of decentralised identity, there is rapid movement in this space akin to what is being seen regarding artificial intelligence. For CIOs and CISOs, there will be a decrease in user data exposure from potential hacker breaches and a reduction, if not elimination, of regulatory compliance regarding storing of identity-related data. As individuals will retain ownership of identity data about themselves, organisations will leverage encrypted keys across distributed ledgers to derive authentication.