Google, Hyperledger launch online identity management tools
- 15 April, 2019 20:00
In two separate announcements last week, Google and Linux's Hyperledger project launched tools aimed at enabling secure identity management for enterprises via mobile and other devices.
Hyperledger, the blockchain-based, open-source project under the Linux Foundation, announced that its Indy distributed ledger for identity management is now live after nearly a year of development.
Google wants to make its enterprise cloud platform the center of the universe for identity and access management (IAM) and security, according to Jack Gold, principal analyst with J. Gold Associates.
"Cloud, in the past, has been questioned by some organizations as not being as secure as on-prem[ises]," Gold said. "With these announcements, Google is trying to show that it can provide very high-level security features that are as good as, and in some cases even better than, on-prem solutions – even when running on their cloud."
Google's upgrades include context-aware enhancements through the launch of the BeyondCorp Alliance, which is a partnership with endpoint security and management vendors who feed device posture data into Google's context-aware access engine.
"Initially, we are working with Check Point, Lookout, Palo Alto Networks, Symantec and VMware, and will make this capability available to joint customers in the coming months," Google said in a statement.
Google's G Suite customers will automatically get the upgrades.
There are a number of medium and some large enterprise customers who have standardized on G Suite, so the upgrades could prevent, "say, a hacker getting your credentials and trying to log in from London when the system knows you are actually in Boston," Gold said.
"There is also an API that allows [identity and access management] functions to be added to any on-premises or public cloud web-based apps," Gold continued. "It's basically a service you can call. And they are working with the MDM vendors to make the link from devices to bring context info to the app servers in the cloud. This can help with access security and help avert data breaches."
Additionally, Google added:
- Security keys for Android phones based on FIDO (Fast IDentity Online) Alliance authentication standards, which it said will help defend against phishing attacks.
- Cloud Identity enhancements, including single sign-on capabilities to thousands of cloud-hosted apps and integration with human resource management systems (HRMS).
- General availability of Identity Platform, an encryption protected, single sign-in authentication tool.
- And the availability of Managed Service for Microsoft Active Directory for select customers.
The most interesting upgrade, Gold said, is the addition of Google's key technology to all Android phones (running Android 7 and above), which will turn the phone into a two-factor authentication device.
Everyone is carrying a phone these days, so the ability to work as a 2FA device without having to have something unique (like an RSA token), and [being] much more secure than via a text message, is pretty interesting," Gold said. "It should be attractive and cost effective to many more enterprises beyond the extremely security-conscious regulated industries like financial and healthcare."
Hyperledger Indy, a distributed ledger built for decentralized identity, leverages blockchain technology to create a platform for issuing, storing, and verifying credentials that are transferable, private, and secure.
"An enterprise can use Hyperledger Indy for managing employee identities and, with the right set-up and agents, manage them over mobile devices," a Hyperledger spokesperson said via email. "However, the self-sovereign nature of Indy goes much further, as it lets individuals own their own data and creates trusted frameworks for employees, partners, customers, etc."
With its activation notification, the Linux Foundation also announced it has a number of "diverse" people and organizations already building "real-world solutions" using Indy.
For example, the Sovrin Foundation has organized the largest production network powered by Indy. The Province of British Columbia was the first to deploy a production use case to the Sovrin Network with work on its Verifiable Organizations Network, a platform for managing trust at an institutional level.
Fintech firms, software makers, telecom providers and other businesses have joined forces to develop a blockchain-based network that will enable anyone to exchange digital credentials online and without the risk of unintentionally exposing any private data.
The companies are part of the Sovrin Foundation, a new nonprofit organization now developing the Sovrin Network, which could enable anyone to globally exchange pre-verified data with any entity also on the network.
The online credentials would be akin to identify information a person might have in a physical wallet: a driver's license, a bank debit card or a company ID.
Instead of a physical card, however, the IDs in digital wallets would be encrypted and link back to the institutions that created them, such as a bank, a government or even an employer, which, through the blockchain, would automatically verify information to a requestor.
The owner of the digital wallet can determine what information a requesting business receives, and no more.
British Columbia created an online directory service using an Indy-powered blockchain to enable businesses to quickly verify whether a client they're dealing with is legally registered to do businessas as a corporation. The blockchain-based service can also find "Doing Business As" names registered by corporations.
In addition, BC's blockchain ledger makes applying for credentials faster and less error prone, and issuing (and reissuing) credentials simpler and more secure, as well as being able to verify those credentials from anywhere in the world.
"Can we create a quick and easy way to navigate through the maze of services from your local, provincial, or federal governments?" BC's product lead John Jordan said, referring to his time working for the federal government in Ottawa.
Jordan estimated BC spent about $1 million while Ontario and the Canadian government each spent another $300,000 to $500,000, mostly on salaries for a handful of developers to create the identify management system.
"We've got a $2 million investment that we're all benefitting from, and we didn't have to pay $2 million, right?" Jordan said. "So we actually saved taxpayers millions of dollars." He noted that the larger team had richer ideas, delivered code faster, and tested it more thoroughly, a collaborative approach that benefited everyone.