How to ensure authorised access to sensitive information

June 25, 2019

If we look at the systems used to manage data sharing today, they tend to fall into two categories: file-based, one-way sharing (e.g. I send you an Excel spreadsheet) and API-based sharing (you call my system to update me). The first of these is a security nightmare; the second doesn’t always reflect the dynamics of the relationship between companies.

With API-based sharing, one organisation is in control not only of the data, but also of what is perceived to be the truth. This is fine until there is a disagreement, which can lead to all kinds of problems as soon as any party feels mistreated. Often the process is collaborative in nature, in that data flows both ways, and the associated loss of control can make both companies uncomfortable.

Distributed ledgers are perceived to be a way around this problem by using consensus to decide who can update data in the shared view. By this, we mean that the companies agree together whether a write can be made to their shared understanding of the data, preventing errors or malintent by any individual or company polluting the data. They also agree the history of the data, meaning there is a distributed record of who has made changes. No company unilaterally makes changes – in effect there is no “leader”.

Gospel Technology goes beyond this by also requiring consensus for reads to be made. We do this by encrypting the data in such a way that sensitive information cannot be read without a verified transaction recorded in the blockchain. This allows us to deliver true cryptographic trust between the companies working together, giving them complete assurance that nobody has acted against their interests.

But how does this relate to identity and access management? Forgetting the common IAM paradigm for a moment, there are two separate questions here. Let us first consider identity. Whilst there are a number of companies claiming blockchain consensus will drive the future of identity, we remain unconvinced. Identity exists where there is the ability to uniquely identify an individual or system with confidence. Today, depending on the application, that typically means enterprise identity systems such as Active Directory or consumer providers such as Google, Microsoft and Facebook. Businesses struggle to get their users to safely manage the logins they already have, so adding yet another is not a good idea. To that end, the Gospel Platform™ integrates with the providers already used.

The second part of the identity question is providing assurance that the user recorded as taking an action really was that user. This is a function performed well by distributed ledger consensus where PKI is associated with a user. In other words, we can verify you are who you say you are.

Secondly, there is the matter of access management. By distributing the decision as to who can take an action, a distributed ledger provides assurance through consensus that the correct decision has been made. With Gospel Technology’s consensus-on-reads, we have that assurance for reads as well as writes and know that no company involved has accessed our data outside the terms we’ve agreed. We use an easy-to-understand contextual mechanism to express permissions that’s specially tailored to cross-company data sharing applications.

Hopefully this has provided a comprehensive, quick overview of how distributed ledger consensus relates to identity and access management. To learn more, please join our webinar on Wednesday 26th June – you can register or watch back the webinar here.