Data breaches are nothing new, but those occurring over the past few years have certainly pushed the discussion into the mainstream – a string of high-profile incidents hitting the likes of Equifax, Yahoo and Facebook has seen billions of records containing sensitive user data exposed.
Who Watches the Watchmen?
It’s growing increasingly difficult to trust that companies can simply patch an overlooked vulnerability and move on with pristine security hygiene. Since the Cambridge Analytica catastrophe, Facebook has been repeatedly hit by further attacks resulting in the compromise of its users’ accounts. The effects are by no means confined to the platform, either – a malicious actor having gleaned the username/password combination for a given user may very well succeed in accessing their accounts on other websites. Estimates vary from survey to survey, but it’s thought that the majority of individuals reuse passwords across sites.
It’s easy to point the finger at a business whose database has been breached by cybercriminals. Indeed, even governments have begun to sanction companies that fail to adhere to stringent data protection regulations aimed at securing customer information. One has to wonder, however, how much of the blame can be put on these entities when the problem is evidently a symptom of a fundamental flaw at the infrastructure level. No architecture is perfect, and having multiple developer teams working on large amounts of code is a recipe for the creation of bugs to be later exploited.
A Systemic Oversight
At the root of the issue lies the very practice of users sharing their data. In order to interact with virtually any company that keeps digital records, customers must surrender a questionable amount of data, ranging from card details and physical addresses to social security numbers and identity documents. The most basic identity information, requested by almost every personalized site, is a username and password. Customers have no assurances as to the protection of this highly sensitive information, other than the word of those holding it.
This pattern is repeated around the globe, in spite of it being demonstrably broken time and time again. With the username/password combo maintained by a third party, a central authority is the true ‘owner’ of any data submitted by users, thus making said authority a lucrative point of failure for attackers to target. There’s a veil of privacy/security, but it is rapidly lifted when a breach inevitably occurs.
It would be too optimistic to assume that all users effectively partition their online activities. If the aforementioned stats regarding password repetition are anything to go by, then the majority of individuals are put at considerable risk when even one of the services they use is compromised. Though they may only have some fairly innocuous information stored with that particular service, the login could be tried on other sites linking to sensitive data. The breach of a small blogging platform can soon lead to fraudulent spending on e-commerce platforms.
‘Bring Your Own Identity’ – The Saving Grace?
It’s perhaps unsurprising that a number of teams are working on protocols to put an end to a problem so detrimental to so many industries. The most interesting of these are developing digital user-owned identities – that is to say, a portable and self-sovereign identity controlled solely by a given individual, which can be used to authenticate the user anywhere.
The advent of distributed ledger technology enables these identities to forgo the need for a middleman to administer a central database of users – instead, private keys stored in users’ smartphones would grant them access to an encrypted container that holds identity documentation.
In doing so, the incentives for attackers to target businesses’ databases are completely destroyed: though the business can still have its users authenticate themselves as is the norm, they would no longer hold a registry with sensitive user information. In order to perform a large-scale breach, a cybercriminal would need physical access to the tens of thousands to millions of phones held by individual users (made more difficult still by biometric authentication) – a task too expensive for even the most well-funded opponent.
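To make the claim above concrete, the following added example (not code from this article or from any identity project) sketches a challenge-response login in which the service's registry holds only public keys. It assumes Ed25519 keys and uses hypothetical names (`createDevice`, `createService`, `demo`); in-memory maps stand in for the phone and the business's database, and the distributed ledger and encrypted document container are not modelled.

```javascript
const crypto = require('node:crypto');

// Device side (assumption: stands in for the user's phone).
// The private key is created here and never leaves this closure.
function createDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    publicKey: publicKey.export({ type: 'spki', format: 'pem' }),
    sign: (challenge) => crypto.sign(null, challenge, privateKey),
  };
}

// Service side: the "user database" maps a user id to a public key only.
function createService() {
  const registry = new Map(); // everything a database breach would expose
  const pending = new Map();  // user id -> outstanding one-time challenge
  return {
    registry,
    enroll(userId, publicKeyPem) { registry.set(userId, publicKeyPem); },
    challenge(userId) {
      const nonce = crypto.randomBytes(32);
      pending.set(userId, nonce);
      return nonce;
    },
    login(userId, signature) {
      const nonce = pending.get(userId);
      const pem = registry.get(userId);
      pending.delete(userId); // each challenge is usable once
      if (!nonce || !pem) return false;
      return crypto.verify(null, nonce, crypto.createPublicKey(pem), signature);
    },
  };
}

// Constructed scenario: one enrolled user and three login attempts.
function demo() {
  const service = createService();
  const phone = createDevice();
  service.enroll('alice', phone.publicKey);
  const sig = phone.sign(service.challenge('alice'));
  const legit = service.login('alice', sig);    // enrolled device signs the challenge
  service.challenge('alice');
  const replay = service.login('alice', sig);   // old signature, fresh challenge
  const other = createDevice();                 // knows the registry, lacks alice's key
  const forged = service.login('alice', other.sign(service.challenge('alice')));
  return { legit, replay, forged, stored: [...registry(service)] };
}

function registry(service) { return service.registry.values(); }
```

Only the first attempt succeeds: the registry contains nothing that can be replayed on this service or tried on another one, which is the property that password reuse lacks.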
In this system, users are the owners of their data. We’ve touched primarily on identity, but in fact, these systems expand beyond identification and encompass sensitive documents of all kinds, with given services able to certify their authenticity without any damage to user privacy.
Building for the Future
The distributed identity offering appears to be the logical way forward. As with any major technological shift, however, it will not come about without significant effort. In order for such a system to have value to the end user, it needs to be widely adopted by businesses – which means making changes to their existing architecture and educating their customers on how to use these identities.
Industries across the board need to consider how to streamline the onboarding process for customers and employees alike. Ideally, such solutions should seek to incorporate existing authentication standards like SAML and OpenID, in such a way that they can easily be deployed within incumbent frameworks (and save enterprises the hassle of needing to rewrite protocols from scratch). This approach provides a bridge between the old identity paradigm and user-owned, distributed identity.
The looming threat of data breaches only grows more worrisome with every passing day. In an ecosystem of fragile databases, sensitive data continues to be stacked in insecure containers that sit waiting for attackers to exploit them. We need to do better, and distributed identities promise to be the solution.