Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/15/2019
04:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft Builds on Decentralized Identity Vision

The company elaborates on its plan to balance data control between businesses and consumers by giving more autonomy to individuals.

Microsoft wants to give people more control over their digital identities. In doing so, it aims to shift the power between consumers and the businesses currently holding most of their data.

Organizations have the bulk of control over users' information, and people are becoming more aware. More than 75% think companies need to protect their information — a 16% increase from last year — and 68% strongly agree it's their responsibility to protect their information. More are taking action by changing passwords and enabling multifactor authentication (MFA) after learning of a breach.

Still, more can be done, and Microsoft this week shared updates on its plan to reshape the future of identity. In February 2018, it outlined this vision and explained its investment in using blockchain and distributed ledger technologies to create decentralized digital identities. Rather than having people give broad consent to apps and services and spread their identities across providers, Microsoft wants them to have an "encrypted digital hub" for storing identity data.

"Our goal is to create a decentralized identity ecosystem where millions of organizations, billions of people, and countless devices can securely interact over an interoperable system built on standards and open source components," writes Daniel Buchner, program manager in Microsoft's Identity Division, in an update published Monday.

In a separate blog post posted today, Joy Chik, corporate vice president for Microsoft Identity, explained the role of businesses in helping to achieve this goal. She argues in a world where people have greater control over information, businesses must be more intentional about the type of information they collect, where it's from, where it's stored, and how much it collects.

"They accept information from individuals that an independent authority has verified, like citizenship verified by a government agency or education level verified by a university," she writes. With these verifiable credentials, people can prove who they are without the business holding all of their sensitive data. This puts less liability on organizations and gives people control. Further, businesses can choose to store data with people rather than keeping it themselves.

"The individual, in essence, becomes a data controller," she adds. "This changes the relationship — and the balance of power — within organizations."

As part of a decentralized identity (DID) system, public keys and identifiers can be linked to distributed ledger tech (Bitcoin, Ethereum, and others) that complies with standards set by the community via the Decentralized Identity Foundation (DIF) and W3C Credentials Community Group. But while these ledgers are useful for the foundation of decentralized identifiers, they should not be used to store personal identity data, Microsoft says. This demands different storage. Its solution is Identity Hubs, unveiled in early March, which are decentralized, off-chain personal data stores that give people control over identity info, official documents, app data, and more.

Since early 2018, Microsoft has been building on its vision with contributions to emerging industry standards and development of open source components, explains Alex Simons, vice president of program management for Microsoft's Identity Division, in Monday's blog post. This week Microsoft announced an early preview of Identity Overlay Network (ION). The is a DID network based on Sidetree, a blockchain-agnostic protocol for building DID networks; it was built in partnership with Microsoft and other DIF members, including Transmute and Consensys.

ION is a public and permission-less open network that anyone can use to create DIDs and manage their public key infrastructure (PKI) state. The code for its reference node is still under development, Microsoft says, and there are still aspects to be implemented before it's ready to be tested on the Bitcoin mainnet. In the coming months, it'll be working with open source contributors and players in the identity community to publicly launch ION on Bitcoin's mainnet.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5007
PUBLISHED: 2020-01-17
Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename pa...
CVE-2020-5397
PUBLISHED: 2020-01-17
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not incl...
CVE-2019-17635
PUBLISHED: 2020-01-17
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must chose to reopen an already parsed heap dump with an untrusted inde...
CVE-2019-19339
PUBLISHED: 2020-01-17
It was found that the Red Hat Enterprise Linux 8 kpatch update did not include the complete fix for CVE-2018-12207. A flaw was found in the way Intel CPUs handle inconsistency between, virtual to physical memory address translations in CPU's local cache and system software's Paging structure entries...
CVE-2007-6070
PUBLISHED: 2020-01-17
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-1382. Reason: This candidate is a reservation duplicate of CVE-2008-1382. Notes: All CVE users should reference CVE-2008-1382 instead of this candidate. All references and descriptions in this candidate have been removed to prevent ...