This blog post discusses the technical and business value of verifiable credentials for Zero Trust security. It is aimed at IT and security professionals responsible for access management, both physical and cyber.
Zero Trust is a persistent approach that provides security at every stage of digital interaction, avoiding the assumption of trust at any point.
Traditionally, people shared their personal information via physical documents. Transforming from a “paper trail” to a digital platform should follow a zero-trust approach, one that secures data, records and transactions. With Entra Verified ID, every user is authenticated for every task they perform, across any number of credentials such as employment verification, training, credit history, criminal records, education, and more.
How did we get here? A couple of decades ago, cyber security teams introduced a layered network architecture. Here is an example:
Having a layered network architecture was a significant improvement over the even earlier model:
Today, we still see a lot of references to “private network”, but that is misleading.
A corporate network segment, no matter what layer it is in, has no guarantee of privacy. Therefore, referring to it as private gives us a false sense of security.
Modern security systems and processes have created an environment where it is exceedingly difficult for an intruder (hacker) to penetrate a well-designed and operated network.
However, there is one corporate system that cannot be replaced with a hacker-proof version: the person, be it an end-user, administrator, or developer.
Most intrusions today are accomplished via social engineering; this can take the form of mass phishing or of a highly targeted, well-planned attack involving phone calls, mobile texts, compromised corporate email clients, etc.
85 percent of breaches in 2021 involved a human element - Verizon’s Data Breach Investigations report
In March 2022, phishing texts rose 28% from February 2022 and increased by 1,024% from April 2021 - 2022 Spam Text Statistics
It is important to note that we have people with access to all systems and all layers of the network (Systems administrators, Network administrators, Database administrators, HR personnel, Corporate Executives, etc.).
People are the perimeter; there is absolutely no such thing as a TRUSTED network layer.
With Zero Trust, we aim to implement systems assuming ALL components may be compromised.
Organizations continue to see an increase in workforce turnover and the need to reduce costs. With so many people joining, leaving, and working remotely, our need to have better and more secure identity and access strategies grows.
In this modern workplace, managing how and when mission-critical applications are accessed remains top of mind.
Despite what many vendors try to portray, you cannot buy Zero Trust.
It is not a tool, but a philosophy that should be applied in the design of all modern IT systems. Not only the network, application architecture, authentication systems, APIs, etc. but also to all the organization’s processes. It even includes the employees' behaviour.
As previously stated, people are the perimeter, and as with any other system they cannot be implicitly trusted.
It's important from a cyber security point of view to look at human interactions as being potentially compromised.
People are increasingly becoming the entry point for intruders across multiple systems. By now we all know that strong passwords and multi-factor authentication are essential, but those solutions tend to be defeated by users tired of the onerous requirements of such authentication methods.
Password recycling, MFA fatigue and password lists in text files are all common practice among users and completely defeat the best security systems.
Verifiable credentials (VCs) solve problems like data residency and the difficult federation that we rely on in most of today’s security solutions. They remove the need to store login credentials on an identity provider (IdP) server, eliminating the risk that an attack on your IdP leaks every password. They remove the need to set up trust and integration between two or more systems: your IdP and your other corporate software. They replace usernames and passwords with digital tokens that are portable and tamper-evident. Best of all, these credentials are encrypted, giving the person full control over where and how they are used.
How does it work? As the party interested in verifying someone’s access, you generate a presentation request (for example as a QR code) and have the person scan it and present their valid VC. As long as your system and the person’s wallet (the place where the VC is stored) are compatible (both using the W3C standard for encryption, file type and signature), the information is exchanged in real time. Nothing is stored on your servers, and that difficult federation is eliminated.
Entra Verified IDs are a secure alternative that is much simpler to implement than identity management system federation and lets users simply use their mobile wallet to log in to various systems.
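The verifier's side of that exchange, as an added example that is not code from this post, from Credivera or from Microsoft: a Go sketch of the relying-party checks on a presented credential, where Ed25519 stands in for the W3C proof type, DIDs are plain strings, and an in-memory map plays the trust-registry (issuer) role; the credential layout, DIDs and claim are constructed for the example, not Entra's wire format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)
// Constructed, simplified W3C-style VC (not Entra's real wire format); Issuer and Subject are DIDs.
type Credential struct {
	Issuer, Subject, Claim string
	Expires                time.Time
}
type SignedCredential struct { // payload + issuer's Ed25519 signature over its JSON encoding
	Credential
	IssuerSig []byte
}
type Presentation struct { // wallet's reply: the VC + holder signature over (VC, verifier challenge)
	Cred      SignedCredential
	Challenge string
	HolderSig []byte
}
type KeyDir map[string]ed25519.PublicKey // DID -> public key; for issuers this is the trust registry
func enc(v interface{}) []byte { b, _ := json.Marshal(v); return b }
func presBytes(sc SignedCredential, ch string) []byte {
	return enc(struct{ SignedCredential; Challenge string }{sc, ch})
}
func Issue(c Credential, k ed25519.PrivateKey) SignedCredential {
	return SignedCredential{c, ed25519.Sign(k, enc(c))}
}
func Present(sc SignedCredential, ch string, k ed25519.PrivateKey) Presentation {
	return Presentation{sc, ch, ed25519.Sign(k, presBytes(sc, ch))}
}

// Verify is the relying party's side of the exchange; nothing about the holder is stored afterwards.
func Verify(p Presentation, ch string, trusted, holders KeyDir, now time.Time) error {
	if p.Challenge != ch { // ch is the single-use nonce from our own presentation request
		return errors.New("challenge mismatch: replayed or foreign presentation")
	}
	if ipk, ok := trusted[p.Cred.Issuer]; !ok || !ed25519.Verify(ipk, enc(p.Cred.Credential), p.Cred.IssuerSig) {
		return errors.New("issuer not in trust registry, or credential altered")
	}
	if hpk, ok := holders[p.Cred.Subject]; !ok || !ed25519.Verify(hpk, presBytes(p.Cred, ch), p.HolderSig) {
		return errors.New("holder signature invalid: presenter is not the credential subject")
	}
	if !now.Before(p.Cred.Expires) { // the expired-requirement case from the site-access scenario
		return errors.New("credential expired")
	}
	return nil
}
```

The four checks map onto the properties the post relies on: the challenge defeats replay, the registry lookup and issuer signature give tamper evidence from an authorized source, the holder signature binds the presenter to the subject, and the expiry check is the real-time validity test.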
Credivera is a Microsoft Preferred Partner in Identity Management. We use Entra Verified ID as a service in our suite of products (the Identity Platform, the Workforce Management Platform and the Issuer Platform) to enable organizations and individuals to use verifiable credentials in their everyday lives.
What we like about Verified ID is that it is built on open standards, giving our customers the freedom to change solution providers and not lose their data.
This is not just an academic exercise in how VCs may someday be used in a Web3 dream world (or Web5 depending on whom you talk to). We are already delivering daily live implementations of verifiable credentials that comply with W3C standards.
Our practical approach to real time verification of credentials takes organizations one step further in their journey to Zero Trust ensuring workers begin employment with pre-verified education, training and identity information.
Our clients use our solutions and other Microsoft Security solutions to ensure their employees entering a worksite have the required certifications needed (and that they are valid), as well as permission for physical access to the site. Those same workers may not be allowed on site the following day because of an expired requirement.
The Credivera offering includes an Identity Platform delivered through a digital wallet that each user controls. In this wallet, users store verifiable credentials. With the wallet, the information is verifiable by the organization - no more re-validating every certification when new workers join an organization.
Entra Verified IDs are compatible with the Credivera Identity Platform and also with the Microsoft Authenticator wallet. This enables a user to claim credentials from third parties, such as a degree issued by a Credivera trusted authority, directly into Authenticator, making the VC instantly available to other native Microsoft Security tools.
These features are enabled by leveraging Microsoft Entra Verified IDs technology, in tandem with Credivera’s applications for organizations.
The old saying goes “Trust but verify”. This is where verifiable credentials shine.
In high-risk industries, we enable organizations to supply and record proof that an installer or equipment operator has the proper qualifications, including real-time validity checks. The real-time verification, logging capability, inherent fraud-proof nature and ease of implementation make Credivera an extremely appealing solution for clients looking to use verifiable credentials in their organizations.
Real time verification of certification/accreditation is built into the logic, including ownership and validity. Credivera adds an additional layer for specific job requirements to be met before enabling access to a site or system. These are visually displayed on intuitive dashboards, without the need to custom build them and pre-map to verifiable credentials that a person holds.
The cryptographic mechanism of the decentralized identifiers (DIDs) used in Entra Verified IDs makes the credentials tamper-proof, so you can rest assured that the credential or the proof cannot be altered, and that the verification comes from an authorized source (also referred to as a trust registry). At Credivera we call this trust registry the Issuer Platform.
Individuals control their own credentials. Even when employment with an organization ends, the wallet remains. An individual can keep all third-party issued credentials related to their personal identity, training, professional designations and education. Because of the open standards deployed in the Credivera solution, an individual is also not tied to our proprietary “wallet” brand, so they can change providers and still have secure access to their credentials.
External sharing via email and to social networks such as LinkedIn is another feature available to individuals.
Email sharing of credentials can be done directly from the wallet. A digital report of a person’s credentials can be emailed to anyone. The user, being in full control, can disable the report at any time, preventing future access to this information.
We are the Zero Trust platform for people in the real world, enabling several improvements in an organization's journey to better security and control over their data.
Check out our offerings here: Credivera
About the author: Trajano has been in IT DevOps and Infrastructure leadership positions at startups as well as multi-national companies with diverse product areas including energy, finance, luxury retail and health care. Trajano's forte is bringing enterprise-level maturity and discipline, adapting to startup needs and building high-performing teams.