Thursday, 16 June 2016

Blockchain for Identity: Access Request Management

This is the first in a series of blogs that will start to look at some use cases for leveraging blockchain technology in the world of identity and access management.  I don't proclaim to be a BC expert and there are several blogs better equipped to tackle that subject, but a good introductory text is the O'Reilly published "Blockchain: Blueprint for a New Economy".

I want to first look at access request management.  An age-old issue that has developed substantially in the last 30 years into several sub-industries within the IAM world, with specialist vendors, standards and methodologies.

In the Old Days

Embedded/Local Assertion Management

So this is a typical "standalone" model of access management.  An application manages both users and access control list information within its own boundary.  Each application needs a separate login and access control database.  The subject is typically a person and the object an application with functions and processes.

Specialism & Economies of Scale

So whilst the first example is the starting point - and still exists in certain environments - specialism quickly occurred, with separate processes for identity assertion management and access control list management.

Externalised Identity & ACL Management

So this could be a typical enterprise web access management paradigm.  An identity provider generates a token or assertion, with a policy enforcement process acting as a gatekeeper down into the protected objects.  This works perfectly well for single-domain scenarios, where identity and resource data can be easily controlled.  Scaling is not really a major issue here either, as traditionally this approach would sit within the same LAN, for example.

So far so good.  But today, we are starting to see a much more federated and broken landscape.  Organisations have complex supply chains, with partners, sub-companies and external users all requiring access to previously internal-only objects.  Employees, too, want to access resources in other domains and at as-a-service providers.

Federated Identities

This then creates a much more federated landscape.  Protocols such as SAML2 and OAuth2/OIDC allow identity data from trusted third parties, not originating from the object's domain, to interact with those resources securely.

Again, from a scaling perspective this tends to work quite well.  The main external interactions tend to be at the identity layer, with access control information still sitting within the object's domain - albeit externalised from the resource itself.

The Mesh and Super-Federation

As the Internet of Things becomes normality, the increased volume of both subjects and objects creates numerous challenges.  Firstly, the definition of both changes.  A subject will become not just a person, but also a thing and potentially another service.  An object will become not just an application, but an autonomous piece of data, an API or even another subject.  This then creates a multi-point set of interactions, with subjects accessing other subjects, APIs accessing APIs, things accessing APIs and so on.

Enter the Blockchain

So where does the blockchain fit into all this?  Well, the main characteristics that can be valuable in this sort of landscape would be the decentralised, append-only, globally accessible nature of a blockchain.  The blockchain technology could be used as an access request warehouse.  This warehouse could contain the output from the access request workflow process, such as this sample of pseudo code:

{"sub":"1234-org2", "obj":"file.dat", "access":"granted", "iss":"tomorrow", "exp":"tomorrow+1", "issuingAuth":"org1", "added":"now"}

This is basic, but each entry would be hashed and cryptographically secured by a trusted access request manager.  That manager would have the necessary circle-of-trust relationships with the necessary identity and access control managers.

After each access request, an entry would be made to the chain.  Each object would then be able to query the chain to identify all corresponding entries that map to its object set, take the union of those entries and work out the necessary access control result.  That union would contain, for example, all access-granted and access-denied results.
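The warehouse-and-query idea above, worked through as an added example that is not the post's own code (the author says no such framework exists yet): an append-only, hash-chained ledger of access request entries, each authenticated by the issuing authority before it is appended, and a resource-side query that unions all entries for a (subject, object) pair, drops the ones outside their validity window and applies deny-overrides.  The authority key, timestamps and entries are constructed sample data; HMAC-SHA256 stands in for whatever signature scheme a real access request manager would use.

```python
"""Added illustration of the access request warehouse from the post.
Constructed data and keys throughout; HMAC is an assumption standing in
for a real signature scheme, not a design the post prescribes."""
import hashlib
import hmac
import json

# Constructed secret of the trusted access request manager ("issuingAuth").
# Assumption: a shared HMAC key; a production design would use asymmetric
# signatures so that any node can verify without holding the secret.
AUTHORITY_KEYS = {"org1": b"constructed-org1-signing-key"}

# Constructed epoch timestamp replacing the post's "now"/"tomorrow" placeholders.
T0 = 1_466_000_000


def canonical(obj: dict) -> bytes:
    """Deterministic JSON encoding so hashes and MACs are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_entry(entry: dict) -> dict:
    """Access request manager side: authenticate an entry before it is appended."""
    key = AUTHORITY_KEYS[entry["issuingAuth"]]
    mac = hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()
    return {**entry, "mac": mac}


class Chain:
    """Minimal append-only chain: every block commits to the previous block's hash."""

    def __init__(self):
        self.blocks = []

    def append(self, signed_entry: dict) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"prev": prev, "entry": signed_entry}
        self.blocks.append({**body, "hash": hashlib.sha256(canonical(body)).hexdigest()})

    def verify(self) -> bool:
        """Recompute every hash link and every authority MAC; reject unknown authorities."""
        prev = "0" * 64
        for block in self.blocks:
            body = {"prev": block["prev"], "entry": block["entry"]}
            if block["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != block["hash"]:
                return False
            entry = dict(block["entry"])
            mac = entry.pop("mac", "")
            key = AUTHORITY_KEYS.get(entry.get("issuingAuth"))
            if key is None:
                return False
            expected = hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(mac, expected):
                return False
            prev = block["hash"]
        return True


def decide(chain: Chain, sub: str, obj: str, now: int) -> str:
    """Resource side: union all entries for (sub, obj) that are valid at `now`
    and apply deny-overrides.  A chain that fails integrity checks is not consulted."""
    if not chain.verify():
        raise ValueError("chain integrity check failed")
    results = {
        b["entry"]["access"]
        for b in chain.blocks
        if b["entry"]["sub"] == sub and b["entry"]["obj"] == obj
        and b["entry"]["iss"] <= now < b["entry"]["exp"]
    }
    if "denied" in results:
        return "denied"
    if "granted" in results:
        return "granted"
    return "no-decision"


def build_sample_chain() -> Chain:
    """Constructed entries mirroring the post's pseudo-code record: a one-day grant
    followed by a shorter deny issued an hour later for the same subject and object."""
    chain = Chain()
    for entry in [
        {"sub": "1234-org2", "obj": "file.dat", "access": "granted",
         "iss": T0, "exp": T0 + 86400, "issuingAuth": "org1", "added": T0},
        {"sub": "1234-org2", "obj": "file.dat", "access": "denied",
         "iss": T0 + 3600, "exp": T0 + 7200, "issuingAuth": "org1", "added": T0 + 3600},
    ]:
        chain.append(sign_entry(entry))
    return chain


if __name__ == "__main__":
    sample = build_sample_chain()
    for t in (T0 + 100, T0 + 4000, T0 + 90000):
        print(t, decide(sample, "1234-org2", "file.dat", t))
```

The deny-overrides rule and the validity window are the resource's own policy choices; the chain only stores what each authority asserted and when, which is exactly why the resource must verify the chain before it unions anything from it.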

A Blockchain-Enabled Access Request Management Workflow

So What?

So we now have another system and process to manage?  Well, possibly, but this could provide a much more scalable and interoperable model with respect to all the necessary access control decisions that would need to take place to allow an IoT- and API-enabled world.

Each object could have access to any BC-enabled node - so there would be massive fault tolerance and elastic scaling.  Each subject would simply present a self-contained assertion.  Today that could be a JWT or a token within a proof-of-possession framework.  They could collect that from any generator they choose.  Things like authentication and identity validation would not be altered.
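The self-contained assertion step, as an added example rather than anything from the post: a token generator mints an HS256 JWT for the subject, and the object (resource) validates it before using the `sub` claim to look up entries in the access request warehouse.  The shared key, audience name and claims are constructed; the example assumes the generator and the resource have agreed on HS256 out of band, which is why the resource pins the algorithm rather than trusting the token's header.

```python
"""Added example: minting and validating the subject's self-contained JWT.
Constructed key and claims; HS256 via the standard library only."""
import base64
import hashlib
import hmac
import json

# Constructed shared secret between the token generator and the resource.
GENERATOR_KEY = b"constructed-generator-key"
# Constructed audience identifier for the protected object.
EXPECTED_AUD = "file-service"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes = GENERATOR_KEY) -> str:
    """Token generator side: header.payload signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_jwt(token: str, now: int, key: bytes = GENERATOR_KEY) -> dict:
    """Resource side: pin the algorithm, check the MAC before trusting any claim,
    then enforce exp and aud.  Returns the claims or raises ValueError."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":
        # Refuse anything but the agreed algorithm, including "none".
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong audience")
    return claims


if __name__ == "__main__":
    now = 1_466_000_000  # constructed epoch timestamp
    tok = mint_jwt({"sub": "1234-org2", "aud": EXPECTED_AUD, "exp": now + 300})
    print(verify_jwt(tok, now)["sub"])
```

Only the `sub` returned by `verify_jwt` should be used as the subject identifier when querying the chain; a claim read before the MAC check is attacker-controlled input, not an identity.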

Access request workflow management would be abstracted - the same asynchronous processes, approvals and trusted interactions would take place.  The blockchain would simply be an externalised, distributed, secure storage mechanism.

From a technology perspective I don't believe this framework exists, and I will be investigating a proof of concept in this area.


  1. Are we limiting this discussion to ACLs (RBAC)? I would think that this offers the potential for enhanced granularity of attributes to support ABAC (XACML) implementations.

  2. Maybe consider process-based access control -
