websights Self-sovereign identity : all you need to know | Cybersecurity

Looking for inwebo.com? You are in the right place! Read all about it in our blog post

Come and join us in person at upcoming industry trade shows and conferences

Join us for an insightful 30-minute webinar designed to empower your external identities online onboarding process!

Contents

The rise of Self-sovereign identity

Consumers and citizens have a growing distrust against the way organizations are using their personal data. If digital identity has become the cornerstone of the digitization of our society, then Self-sovereign identity (SSI) is the way people want to keep control over their data and the way they share them. The merits of self-sovereign identity have been touted for a couple of years already, and the use cases are clear. Although Self-sovereign identity, often also called Decentralized Identity is still a moving target and requires better definitions and standardization, TrustBuilder is already putting many of its promises into practice.
In its most recent hype cycle for Identity and Access Management (IAM) technologies, Gartner firmly places Decentrialized Identity as one of the technologies at the ‘peak of inflated expectations’. And indeed, sometimes it looks as if SSI is a technological solution looking for a problem. In Gartner terms, the ‘trough of disillusionment’ is yet to come and the ‘plateau of productivity’ is still a long way off. Yet that does not mean organizations can afford to ignore one of the concepts that promises to be transformational to the way companies deal with identity.

What is Self-sovereign identity?

Self-sovereign identity (SSI) is a digital identity concept where individuals or organizations maintain and control their own identity-related data. It arose from a need for privacy and autonomy in an increasingly digital age, ensuring identity information isn’t solely controlled by centralized entities like governments or corporations. Instead, SSI enables a trustable, verifiable, and user-centric approach to managing digital identities. 

While most people agree on this definition, the way it is implemented or interpreted, differs from one source to another. For some, decentralized identity is inextricably linked to blockchain. As a World Economic Forum article describes SSI, the user and the third party a user is exchanging identity information with, both hold public keys that are recorded in a distributed ledger. Others see self-sovereign identity as another word for being able to authenticate with your social media logins such as LinkedIn or Facebook, rather than by using credentials in the form of username and password. And SSI is often associated with digital wallets, data vaults like Fednot’s Izimi or personal data stores like the Solid Pod proposed by internet pioneer Tim Berners-Lee. 

What are digital identities?

Digital identity refers to the data that uniquely represents an individual, organization, or device in digital contexts. It encompasses identifiable and behavioral information, including usernames and passwords, data of birth, social security numbers, citizenship, university degree, medical information, biometric data, transaction history, and online behavior. Recently, digital identity has become increasingly important due to the rapid growth of online transactions, digital services, and remote work, necessitating the accurate identification of digital entities to ensure security and trust. Just like you will store your physical ID card or driver’s license in a safe place (the wallet in your pocket), you will save your digital identity information in a safe place, for instance a digital wallet.

Digital identity is closely intertwined with Identity & Access Management (IAM), a framework for business processes that facilitates electronic or digital identity management. IAM ensures that the right individuals access the right resources at the right times and for the right reasons. It provides a means to verify digital identities (authentication) and to determine what actions these identities are permitted to perform (authorization). As digital identities become more prevalent, robust IAM systems are crucial to prevent unauthorized access, ensure accountability, and protect sensitive data in our increasingly digital world. In this sense, digital identity is not just about identification, but is a key element in securing digital spaces and preserving privacy.

What are the use cases for self-sovereign identity?

There are many use cases for self-sovereign identity, whatever the definition of that term you use. Going forward, SSI will play a key role in the way consumers and citizens exchange personal information with government institutions, corporations and among each other. Here are some obvious use cases:

Self-sovereign identity in banking

When taking out a mortgage, a bank will often ask you to provide your three most recent pay slips. In that way they can ascertain that you have a fixed job and a steady income and will not get into trouble making your monthly payments. People often send these pay slips by mail, which is an unsafe way exchanging data, as mails can be intercepted or hacked. More importantly, consumers are sending information that the bank does not really need to know. They have no business knowing exactly how much you earn. All information that is required is if your income is above a certain threshold. In a Self-sovereign identity scenario, the consumer can allow that only the mandatory information is exchanged, for instance between the bank and the HR services provider that produces these salary statements.

Self-sovereign identity in human resources

When you apply for a job, you are frequently asked to send a copy of your diploma to the potential employer. Usually this means the applicant has to scan in a paper diploma and send it through mail. Again, you are sending more information than the employer needs. All they need to know is you have a degree in a specific field, not whether you graduated with distinction or with highest distinction. In a Self-sovereign identity scenario, applicants will just send proof that they did graduate. TrustBuilder is part of a consortium that also includes Randstad, Docbyte, Enhansa, karamel and the Flemish government organization athumi and that is working on the safe exchange of data in a human resources context. This project is based on the aforementioned Solid Pod technology.

Self-sovereign identity in insurance

When taking an insurance, you need to prove the value of the goods you are insuring, for instance a house, an expensive watch or a precious jewel. In the case of a mortgage ensurance, most people will send the mortgage contract to the insurance company, again providing information the insurer does not need, such as how much you borrowed, what capital you provided yourself…. All the insurance company needs to know  is how much your house is valued. In a Self-sovereign scenario, you can just provide that piece of information that is mandatory, and nothing more. 

What are the advantages of self-sovereign identity?

The concept of Self-sovereign identity solves a number of problems that come with the digitization of our society. Both consumers, citizens and companies will benefit from SSI, in different ways.

  • Privacy and Control: Self-sovereign identity empowers individuals to control their personal data, reducing the risk of centralized data breaches and unauthorized access, thus preserving their privacy and autonomy.
  • Security: By utilizing decentralized cryptographic methods, SSI mitigates the risk of single points of failure, making it harder for malicious actors to compromise or forge identities, ensuring a more secure identity ecosystem.
  • Reduced identity fraud: The cryptographic nature of SSI reduces the reliance on traditional identifiers like usernames and passwords or other credentials, making it harder for identity thieves to impersonate individuals and commit fraud.
  • Compliance: For enterprises, SSI solves the problem of GDPR. They will no longer need to store and protect mountains of personal data, as they will receive less data from consumers and third parties.

Why is TrustBuilder’s IAM a good choice when considering self-sovereign identity?

TrustBuilder is one of the leaders when it comes to innovation in the Identity and Access Management market. We have already been protecting personal data and digital identities even before the concept of Self-sovereign identity became hype.
  • Digital ecosystems: TrustBuilder is a pioneer in helping organizations build and secure digital ecosystems in which companies can safely exchange data and information.
  • Zero-knowledge proof: TrustBuilder introduced its Policy Information Broker which allows you to connect to any application or database to draw conclusions based on external data. The Policy Information Broker can gather information that you are not allowed to store in your own databases, for instance because of privacy regulations. As an example, the systems can check whether a person is an adult or a minor, without storing the exact birth date. This is called zero-knowledge proof and is a key element in protecting personal data.
  • Concrete implementations: TrustBuilder is involved in concrete implementations of digital vaults and digital wallets. Our IAM is a cornerstone of the Izimi project in Belgium, where the Royal Federation of Belgian Notaries, Fednot, offers Belgian citizens a safe way to store their own documents and exchange them with third parties. This project won a coveted KuppingerCole award at their 2023 European Identity and Cloud conference. And TrustBuilder is part of a consortium with the Flemish Government to implement digital vaults based on Solid Pods.
  • Connectivity: TrustBuilder is a champion in providing connectivity with a large number of European and global Identity Providers (IdPs). These IdPs play a critical role in connecting applications with digital wallets and Pods. TrustBuilder verifies the integrations and offers security to organizations.
  • Policy-based access control (PBAC): Thanks to policy-based access control, TrustBuilder can guarantee the quality of connections between digital vaults, organizations, consumers and citizens.
As our society and all actors in it are increasingly getting digitized, digital identity, decentralized identity and the protection of personal data will only get more important. Self-sovereign identity, whether it is based on blockchain or on the use of digital wallets, is a concept that will help secure the exchange of data and information between citizens, consumers, enterprises and government. If you want to find out how TrustBuilder can help you catch on to this new wave, contact us.