According to a recent Gartner study <1>, global spending on security and risk management is projected to reach $215 billion next year, reflecting a 14% year-over-year increase from 2023.
Primarily, this increase is driven by the alarming levels of data breaches. In 2023, the average global cost of a data breach surged to a staggering 4.45 million USD, signalling a 15% spike since 2020. The urgent need to confront the vulnerabilities of traditional security models has never been more apparent. Let’s explore the evolution of digital trust, from claim-based identity to identity-based trust and trust-based security, marking a transformative era in digital security.
Part 1: Trust-Based Security
Trust But Verify: Traditional security models often assume that everything and everyone within the network perimeter can be trusted. Once users and devices gain access to the network, trust is implicitly granted based on location and usually rests on login accounts and their associated passwords. According to Verizon's annual Data Breach Index Report, up to 80% of data breaches are the result of compromised login credentials.
In this traditional “Castle and Moat” security model, trust is acquired by proving possession of a password, which is easily stolen and breached. Multi-factor authentication is often employed to counter this weakness, in the form of a One-Time Password (OTP), a magic link, or a push notification. However, these factors rely on the assumption that the additional factor has reached the right person and that the channel delivering it is phishing resistant.
In 2022, the US Government’s Office of Management and Budget issued a memo <2> to set the groundwork for Zero Trust Cybersecurity, in which phishing-resistant MFA is enumerated as a requirement. It also establishes the need for cryptographic proofs of user identity in order to move towards this new security model.
Trust No One or Anything – And Always Verify: In this new paradigm of cybersecurity, called Zero Trust Security, trust is not implicit. It is based on continuous validation and verification of identity and must be continuously earned through strong authentication, authorisation, and identity verification methods, instead of relying on login accounts and passwords.
Zero trust security is identity-centric: security is always a function of trust, and this trust is never assumed. It always has to be earned.
What Exactly Is Trust?
Trust is the assumption that a subject is ‘Who’ or ‘What’ the subject claims to be.
But how do we establish trust in the digital realm between transacting parties? To answer this, let us understand how trust operates in the physical world.
Part 2: Identity-Based Trust
In the real world, any relationship, personal or professional, is built on a foundation of trust.
To trust you, the relying party first identifies you. The more concretely they identify you, the higher the level of trust that can be established. This leads to a higher degree of transactions that the relying party can now carry out with you.
This trust is transitive in nature. If you trust your friend, you will trust a recommendation made by them. Similarly, at work, if someone you trust recommends a candidate for a job, you are more likely to place your trust in that candidate.
Identity-Based Trust Forms the Foundation of Real-World Transactions
But how does this occur in the digital world? Like in the physical world, systems and platforms need to be able to trust you before allowing you to transact. Additionally, the extent to which they identify you defines the level of interaction and access you are granted.
Imagine the difference in what you can do on a platform as an 'Anonymous Guest User' versus an 'Authenticated User'. The more you are identified, the more you are trusted. This determines how much more you can transact.
This brings us to a very important yet flawed aspect of the digital world: The Identity Layer of The Internet. Digital identity, as we know it today, is broken.
The internet was created without a way to know who and what you are connecting with. This lack of a universal identity model gave rise to centralised and federated identity models, which limit the identification of an individual to merely proving the possession of a password. Just as identity-based trust forms the foundation of real-world transactions, a similar capability in the digital world is needed to instill confidence among peers involved in a transaction.
To understand this better, let’s again refer to the concept of identity in the real world.
How are you identified in the real world? How does a relying party authenticate you?
Authentication: Identifying someone to trust them, to transact with them.
When you identify someone, it is always contextual. For my employer, my identity is my employee ID and my associated employment records. For the government, my identity is the national identifier issued to me. For a nightclub, the only relevant identity aspect is whether I am over 18 years of age.
How do I prove myself in different contexts? This can be done by proving a certain claim that I make about myself. To my employer, I need to be able to prove that I am the rightful owner of my employee ID, which I can do using the letter of employment issued to me. To prove the claim of my nationality when I land in a new country, I use my passport, a credential issued by the government themselves. To prove that I am at least 18 years old at a nightclub, I may use my driver’s license.
Physical Identity is Simple, Universal and Decentralised
The foundation of this identity lies in the underlying claims and an individual’s ability to prove those claims using the credentials they own. A verifier can validate the authenticity of these credentials and make decisions about you – such as whether to let you board a plane, enter the office, or order a beverage.
What happens in the digital world is inherently broken. To authenticate ourselves to a digital relying party, we most commonly use a login account. These accounts are created either with the relying party or with another third-party system that the relying party chooses to trust more than an individual’s own identity. This has led to the creation of centralised or federated identity models in the digital world.
To make matters worse, to prove that we rightfully own a login account, we are often forced to rely on passwords, the very concept which defies the idea of zero-trust security.
In 2020, to bridge the gap between real-world and digital identity, the Linux Foundation created a trust ecosystem. It introduced a global open-source, open-standard project, the Trust Over IP Foundation <3>. This foundation identified digital credentials as the means to counter the flaws of digital identity.
Reclaiming Control of Your Digital Identities
At Affinidi, we discovered that the missing piece of this puzzle was the ability of individuals to employ digital credentials as a representation of their identity, in order to establish trust in a digital realm.
We aim to revolutionise the current paradigm of digital identity, empowering individuals to take control of their digital identities. Our concept of "Holistic Identity" encompasses the complete spectrum of discovering, collecting, sharing, storing, and even monetising personal data in the digital realm.
The Affinidi Trust Network (ATN) is the embodiment of our Holistic Identity vision, with the goal of establishing end-to-end trust in data. It is the infrastructure that powers the realisation of individuals’ digital identities.
At the heart of the ATN is the Affinidi Vault. The Affinidi Vault allows users to discover, collect, store, share, and even monetise their data, according to their preferences and values. It leverages decentralised technologies like W3C Verifiable Credentials to mend the broken identity layer of the internet. With the power of digital credentials, the security of cryptographic proofs in the form of digital signatures, and verifiability by means of open standards, your digital identity can now be Claim-Based.
Affinidi Login is an identity-based, password-less mode of authentication. In a digital ecosystem, a relying party can now establish trust by verifying the identity of all the individuals involved.
When Claim-Based Identity and Identity-Based Trust are realised, they redefine the way security and privacy are implemented, paving the way for new cybersecurity models. Here, security becomes a function of trust, based on continuous validation and verification of identity.
At Affinidi, we strongly believe the open-source ecosystem fosters interoperability and empowers developers and organisations to harness technologies without the constraints of proprietary lock-ins.