Listen to Ubisecure CEO, Simon Wood, on the State of Identity podcast. With host Cameron D’Ambrosi from One World Identity, Simon discusses trusting an individual’s digital right to represent their organisation.
The conversation explores:
- Current challenges of proving an individual’s right to represent their organisation
- How digitising representation governance is made possible by trust anchors and delegation – with the benefits here from the globally-applicable Legal Entity Identifier (LEI)
- What benefits digitisation of representation enables
- How the Finnish government digitised representation governance
- Predictions for digital identity in the year ahead
“…What that gives us is a trust anchor which couples a director of the organisation to a highly-assured record for that organisation. Coupled with the identity access management platform we have, we can now enable an authentication scenario that then returns your representation rights for that organisation. So you’ve now transitioned from what was a manual checking of documents, understanding process to a standard online authentication, which returns your association with a highly-assured organisation. The act of issuing that LEI has allowed us to generate that linkage between the individual and the organisation and that is the trust anchor that has been missing so far to date to enable these representation government services to take place.”
Listen to the podcast now, or find the transcript below.
Cameron D’Ambrosi: Welcome to State of Identity. I’m your host Cameron D’Ambrosi. Joining me this week is Simon Wood, CEO at Ubisecure. Simon, welcome back to State of Identity.
Simon Wood: Excellent, thank you. Great to be here again.
Cameron: For folks who might have missed that first episode, you have a pretty interesting background in the broader identity space. Again, like myself, maybe wasn’t necessarily thinking about it, the lens or through the lens of digital identity at the time. But maybe looking in retrospect seems like there’s maybe quite the interesting digital identity through line that kind of runs around your career. How did you come to be the CEO at Ubisecure?
Simon: Thank you. Yeah. As you say, it’s quite a long story. We will try and keep it short. I guess I’ve been involved in identity, as you say when you look backwards and realise where you’ve come from, since the start of my career. And that was originally the military battlefield equipment and scenarios.
One of the things that was always clear at that point, is that the need for security is paramount and without identity, it’s – I would suggest – impossible to enforce security. You have to understand who the actors are, who the parties are, involved to be able to have that security.
So right from the mid-90s, so what’s that? 25 years ago. From that time dealing with identity and then through various different high-performance technical environments: Formula One telemetry, aircraft flight recording, various legal software systems as well.
But then more up-to-date into the world of PKI, I was, prior to this, CTO for GlobalSign – world number three public trust CA – and of course PKI is a fine-grained, complex, high-assured provider of identity and security services, and then from there into the CEO role here.
Cameron: Simon, for folks who are not familiar with Ubisecure, what you guys do and what your platform is, what’s a quick 15,000-foot overview?
Simon: We are a company that specialises in external identity, more specifically business-to-business external identity with a strong focus on the importance of organisation identity coupled with individual identity. We’ve been in existence since 2002 – a great footprint in the Nordics, a lot of the Finnish government services, pairing more and more with the Swedish government services now pushing out across Europe and delivering identity management solutions that couple together organisation identity with individual identity.
Cameron: Not to step on the entire conversation we’re about to have, but I think is right at the intersection of so many trends that we really saw catalyzing even before this horrible global pandemic. But now in the wake of COVID in some parts of the world or the deepest pit of despair of COVID in others is so, so relevant.
To kick off the conversation, before we get started, we’re really kind of talking about this flattening of identity into a single layer. Previously, you might have had a personal physical identity. Then you had your legal identity, like a driver’s license, and then you maybe had your organisational identity and we’ve really begun to see that flatten around as digital identity solutions enable identity to happen for lack of a better word. How are you seeing this trend manifest in the marketplace right now with Ubisecure?
Simon: Yes. So we’re absolutely seeing more and more demand for the coupling together, the bringing together, of an individual and an organisation, and the various rights and representations that can fit between those two different identity classes.
It’s important to understand the logical difference between an individual identity – so yourself, myself, as natural people. We have government-issued identities, bank-issued identities, however they may be formed, but we are natural people, individuals.
By the same token, organisations also have an identity. So an organisation, it could be Amazon, it could be Walmart… These organisations are legal entities. They have legal capabilities, but they also typically have online interactions as well in the current situation in the COVID pandemic.
The amount of interactions that are happening online have obviously spiraled significantly. We see that as almost a primary interaction now – and I don’t know what the natural numbers look like but I suspect a good proportion of the world that it’s shopping on Amazon this year, not wanting to venture out, not wanting to be exposed and so on.
And in those interactions, it’s understanding who you’re dealing with. It’s fine that the online provider may go through great works, significant verification to check you as an individual. But how do you understand that organisation? How do you really know that you’re talking to the right organisation?
Also, now we’re seeing a continual wave of cyber-attacks, bad actors, out there. More often than not, they’re looking to exploit weaknesses in that either identity definition or identity verification.
Are they looking to fill in gaps in identity that have been unfortunately not correctly handled so they can take over systems, or are they looking to claim to be something else? You know, the standard phishing types of attacks that we see.
So, having the ability for individuals to understand organisations and organisations to understand individuals at that identity level I think is very important.
Moreover, as we see individuals becoming remote from their organisations in a – certainly in a physical sense – having the ability for individuals to effectively represent their organisation becoming more and more important all the time.
Cameron: Tie this back to Ubisecure in a bit more of a direct sense. Where does Ubisecure fit into this conversation and how is your platform enabling some of these applications that previously may have not been possible and establishing that trust layer and those digital underpinnings in a real sense?
Because I think where it can be challenging for some folks who are interested in implementing some of these technologies is “OK, all this sounds really cool and this is something I want to do but, I maybe don’t understand at a more nuts and bolts level, how it works and how we go about doing it”.
Simon: To help understand that, we should talk a little bit about what I refer to as trust anchor and that will help set the context of how Ubisecure then helps to deliver solutions to solve some of these challenges.
When we think about trust anchors, trust anchors are already defined. They’re not a new term. It’s not a new phrase. There’s an RFC that defines what a trust anchor is with regards to a PKI solution in terms of a root point where there is no external validation. It’s just where there is a starting point for trust, so a root of trust, and that is a trust anchor.
Those trust anchors today exist in many different forms, in many different places. So, you have them in your cars. Your bank is a trust anchor. Any certificate that you have, whether it’s an email sign-in certificate or a browser, service security, SSL providing certificate, etc., they all work with trust anchors in different ways to provide the capabilities that they need to deliver that trust and allow those services to happen.
When we look at the challenges that you have with individuals representing their organisation, it comes down to how do you define that trust anchor? Where does that trust anchor come from and then how can you use that within a transaction to alleviate some of the challenges that we see there?
Today, a lot of that processing is administrative. So we have many government processes and organisations and that can be from things as simple as events reporting through to complex legal transactions, all transactions and so on.
The majority of those assertions, the majority of those operations, those processes, are controlled by administrative processes. Somebody checks that the right thing has been done, somebody validates it, somebody puts the appropriate documentation in place to cover what should be done.
But that leaves you in the world of manual processes and the complexity that you get around those manual processes. So really, it’s about how can you look to digitise that representation governance and what does that give you as a set of benefits.
From a Ubisecure point of view, we’ve spent a long time dealing with systems that digitise representation governance. If we look back in our history, 2008, we deployed a platform to the Finnish government that essentially allowed organisations to have a unique identity, and individuals were allowed to have a unique identity, and had those coupled together, so that individuals within the organisation could represent online features of the organisation, make claims, make statements on behalf of the organisations in a digital form and use that to enable online commerce, enable online business, way beyond just online financial transactions, online ordering and so on.
Cameron: That is really tremendously powerful and I don’t necessarily think in the way that you just described it for folks who maybe don’t understand why that’s so powerful is thinking about we are in a world where companies have on-boarded employees in the midst of the pandemic that have maybe never been into the office. You have all sorts of new business relationships that maybe previously would have been consummated with handshakes and cocktails and steak dinners and that trust was kind of ingrained in the physical realm. That is no longer possible and may not be preferable moving forward just from an efficiency perspective.
If you think about what is required to do that, knowing that when I am representing One World Identity in a transaction, that I am in fact Cameron D’Ambrosi and that I do in fact hold a position in the company that is high enough to allow me to enter into legally-binding contracts remains a huge problem.
You know, we see this all across the space where you have outright fraud, money laundering or other embezzlement type activities that occur, specifically because you can’t establish that linkage not just around someone’s identity but tied to the identity of that organisation itself in a way that can be verifiable.
Simon: Absolutely and that is the root challenge that’s out there. How do you form that bond? What builds that trust anchor in the first place? As you say, previously – and this is not just something that has changed as a result of the pandemic – but previously those trust anchors have been subjective, maybe emotive from a number of business point of views.
Of course, there are legal contracts. Of course, there are mechanisms that define limits authorities and so on. But a lot of the time when businesses have been done, it has essentially been undertaken manually. It has been undertaken face to face. And now we’re seeing the pandemic, plus efficiency drivers, moving away from that to looking at online operation, online business, online transactions in the broadest possible sense, and the ability to digitally express that representation and the limits of that representation are becoming more and more critical, absolutely.
Cameron: The governance layer of all of this is a piece that is critical as well. And from that angle of this conversation, does Ubisecure help organisations figure out that structure and administration piece or are you primarily focused on the technical side and it is up to the implementing organisation to really figure out how they’re managing these identities from that governance perspective?
Simon: We’re very much a software and systems provider, so we focus on the technology aspects of solving these challenges. The one key delivery that we bring to this, which allows us to help organisations or build these trust anchors for organisations, is the legal entity identifier issuance business that we have.
So while we are primarily known, or have been primarily known, as a provider of kind of classical identity and access management systems focused on B to B external relationships, we have since mid-2018 been approved as an issuer of legal entity identifiers.
Now this may be a new term to a number of people listening to this. A legal identity identifier is a globally unique number that gives you a unique reference to a legal entity, to an organisation.
That is something that was set up essentially by the G20. It’s the result of the 2008 financial crisis. One of the core causes of that crisis were a number of circular investments where ultimately you had corporate structures investing in a circular fashion which caused a lot of this issue, and that couldn’t be seen. The LEI was requested as a concept to be introduced by the G20 as an aid to stopping that situation happening again.
You see today that there are statements around certain types of financial instrument trades so that if you don’t have an LEI, you can’t undertake the trade and that is there to stop these patterns emerging again or at least to detect them early if that should happen.
The issuance process is a well-defined, well-regulated thing. Every issuer, called an LOU, has to go through a yearly audit, not dissimilar to a web trust audit that public trust CAs have to go through, to check the issuance has been done correctly.
One of the core parts of the process of that issuance is checking if the individual who’s requesting the LEI for the organisation has the appropriate right to make that request.
So as part of that issuance, we have to examine the individual who’s making the request, we have to look at the organisation and what we end up with is the LEI itself, which is a highly-assured identity record describing various attributes about that organisation and a qualified individual, qualified in the sense of we’ve determined who they are and we’ve verified that they have a right to make that request.
Now a right to request is not the same as a right to represent. A right to represent is a higher, more privileged right. But with a few extra checks, we can promote that right to request to a right to represent.
What that gives us is a trust anchor which couples a director of the organisation to a highly-assured record for that organisation. Coupled with the identity access management platform we have, we can now enable an authentication scenario that then returns your representation rights for that organisation.
So you’ve now transitioned from what was a manual checking of documents, understanding process to a standard online authentication, which returns your association with a highly-assured organisation.
The act of issuing that LEI has allowed us to generate that linkage between the individual and the organisation and that is the trust anchor that has been missing so far to date to enable these representation government services to take place.
That’s really what we’re now pushing forward with from Ubisecure point of view.
Cameron: That’s a great overview and I think what is super, super interesting is the way in which we have seen this infrastructure develop – I don’t want to say completely organically but – in a way that can really support kind of the current and future growth of this identity layer. From your personal perspective, has COVID really been the catalysing force that we have kind of expected it to be with regard to organisations that maybe were hesitant to jump onboard protocols like this to finally make the leap and realise that they need to move into the digital trust anchor realm?
Simon: I certainly think that the current situation has driven a large acceleration of that. I don’t think it’s exclusively caused by the current COVID situation. I think if we kind of broaden that slightly to identity and access management, I think what we see right now – there are a number of organisations where digital transformation has happened, but either not completely or in some organisations still not hyper-effective digital transformation in place at this point.
We’re seeing those organisations now stepping back and accepting that this is the time that they really have to move forward with this, start putting those projects in place and driving them forward.
I made the comment there that it’s not just from the pandemic. We also see and have seen over the last – I guess last 10 years – but over the last 24 months, the massive increase in cyber-crime activity. There’s not a week that goes by when we don’t see another set of personal information being leaked somewhere, being stolen from an organisation, a system being hacked.
We saw – I don’t know if you saw the news on Monday – just before Parler was taken down by Amazon, it appeared that there was a security breach there that pulled out a lot of information. I think people are still waiting to see what that actually means in terms of that breach.
But we see these cyber-attacks becoming more and more prevalent and I think we see organisations recognising the need for a holistic, broad digital identity view within the organisation that helps them tackle these challenges and make sure that they’re best prepared to respond to those.
I think that coupled with the situation that has been forced on the world by COVID is starting to drive an acceleration of those projects, of those considerations. And I think when you get to that point, we see the situation now where companies that haven’t done that yet, I guess they kind of get to take advantage of the step change in infrastructure. They don’t have to go through all of the iterative phases of what companies just 15 years ago have now gone through.
They can jump straight to the higher order, higher value delivery points including potentially online representation governance and so on, to take advantage of that in a single step.
Cameron: And branching out from I guess some of the more staid applications, not to say that anything that we discussed isn’t tremendously important and – I guess for lack of a better word – underpinning the global economy, tremendous use cases outside of just what we have discussed that might not be obvious to the average listener. What are some of the other areas that you are hoping the Ubisecure platform can be impactful with regard to bringing trust anchors and delegation to a broader audience?
Simon: I think it’s interesting to look at some of the projects we’ve already delivered that kind of show where we can go forwards with this.
One of the solutions that we’re involved in, and this goes back to 2008 so this is not a new concept for us, but we do have this new much high value trust anchor with the LEI basis. That LEI basis gives us what we would refer to as an open ecosystem. So, it’s globally applicable.
But these systems have been deployed for a number of years based on closed ecosystems. A great example of that is the Finnish Tax Authority. So back in 2008, we deployed a platform there to the Finnish Tax Authority. That is linked with the business registry. So that when a company’s set up in Finland, the details are automatically passed to the Finnish Tax Authority.
The Finnish tax authority reaches out digitally to the nominated contact point for that organisation, be it the CEO/be it the Chairman, whoever is at the top of that contact point. They receive an invite to the tax platform. Their organisation has to submit sales tax, corporate tax, payroll tax. Those are the three classic taxes that we’re all having to process all the time.
So they received an invite to the platform. But of course the CEO is not going to undertake that, it will be the CFO of the organisation who’s responsible. So, the CEO signs onto the platform but then delegates the rights and the responsibilities of submission to the CFO.
The CFO receives an invite to the platform, signs up, accepts those responsibilities, but has a team working for him or her, so delegates to the team. The team get invited to the platform. They follow the same process. So, we’ve seen this chain of delegation and invites to the platform.
If we look at the payroll side of this, it’s very common for organisations to use external payroll providers. Let’s assume that’s the case here. The person responsible for payroll will now invite the external organisation to the platform that has the payroll responsibility for the target company.
That organisation will be invited in. The organisation will receive that, accept it and delegate internally to whoever is the account manager for the original company.
That whole process has happened outside of the oversight of the cost of the tax authority. It has been handled by the people who know the information, so by the CEO, CFO, the team within the payroll company. They’ve done that directly without any interaction there.
It’s that kind of scenario that brings a value of representation governance. The top level CEO role delegated down the rights and responsibilities related to national tax obligations. That was passed through the organisation, it was passed out to external organisations, and all of that was done without the tax administration having to do any particular activity. And that’s the efficiency side that comes in as well.
So I think that’s a great example of a different type of use case that brings delegation, that brings representation capability into that. And this is something that we’ve been doing for the last 10 years or so.
Cameron: That’s amazing. I think you guys are at the vanguard in so many ways, bringing this infrastructure to every aspect of both person-to-government interactions as well as corporate interactions. I think it’s really not an “if”, it’s a “when” in many regards.
It’s funny when you unpack identities and this transition to digital identity. A lot of the concerns, and I think there are legitimate privacy concerns and I think we need to be cognizant of how we’re approaching those challenges, but the notion that we don’t have digital identities already that are just out of our control? I think is something that people who take a hardline stance on adopting some of these technologies haven’t fully internalised. And there is, I almost think of the risk as like matter in the universe. It can’t be created or destroyed. You’re just kind of deciding how it’s apportioned.
Right now, I think a lot of the risks around identity have just been shunted onto the user themselves and there is such a limited recourse and such limited control and protection against fraud, whether that’s in these interactions with governments or interactions between enterprises, especially small businesses.
So, the faster we can implement some of these transitions, I think we’re all going to be better off and consumer education and business leader education I think, is a large part of it. I think to, again, help people understand that “look, you already have a digital identity. It’s just a question of whether or not you can control it, whether or not aspects are revocable, for example”.
If you have an employee who right now can go around pretending to be part of your organisation and signing documents based on the email address that they have, is that better or worse than a system in which that attestation they can make is completely revocable from your end? I would argue I would much rather be in that latter situation.
Simon: Absolutely. I think – as you say – the risk that any transaction faces is always going to be at a certain level. That level can be managed, risks can be mitigated and again oftentimes by the use of appropriate technology controls.
You touched on the point of individuals wanting to have control over their identity as well. We recognise that. We see that self-sovereign identity type models are becoming of growing importance now.
That manages the claim aspect from the individual side. Authentication is always going to come down to some kind of shared trust and in fact, SSI is still based on having trust anchors there. The underlying verified credentials that are being used by the wallets, by the verifiers against the issuer, and so on. There is still that trust anchor mechanism that’s required that has to sit in place.
So, the broader side of the representation governance provides a very strong benefit to the management and the reduction of the risks that we see in place today. I think it sits nicely alongside where we see the future going potentially with more individual control over core identity management, identity attribute release. I think that does all fit together really quite nicely.
Cameron: Amazing. So, Simon, before we wrap up here, I did want to give you a chance to dust off your trusty crystal ball and maybe make a few fun predictions for 2021. Certainly, already off to a rip-roaring start here for many reasons. If we wanted to focus just on digital identity and what we might expect to see over the course of the next year, I would love to get some of your thoughts.
Simon: Sure, absolutely. I think unfortunately right now as we’ve touched on multiple times already, predictions today are probably very much grounded in the situation we all find ourselves in right now.
I’ve touched on this already in the discussion that we’ve just had. But I do think the pushing of individuals remotely through the current pandemic situation, the fact that we’ve unfortunately become more separated, more external as a result of that, will see an acceleration, a rise in the number of digital identity projects that are out there.
It could almost be seen as a silver lining. I think a number of countries even have been slow to adopt at a national level general pervasive identity capabilities. Not from the point of view of obviously monitoring people but from the point of view of enabling effective business.
I think as we go through and as this pandemic continues to unfold, I think we will see more adoption of generic identity solutions that help organisations deal with that increased separation, with the fact that employees are starting to look more like external identities and the fact that the relationships they have will be more and more online with the organisations and the end individuals that they deal with.
So, I certainly see that accelerating during this year. I think we’ve already seen the start of that from the tail end of last year as well. So I think that’s definitely going to happen over the next 12, 18 months or so.
The other area and again it ties into what we’ve already touched on in the conversation. I think like yourself, self-sovereign identity. I think we see a number of early proposals of how governments and countries are going to deal with things like vaccination records and so on.
I think that is going to drive an increase in awareness of self-sovereign identity. I still think there are some underlying challenges around that. I always go back to technology is available for mainstream adoption if my mother can use it. That’s my baseline for figuring out if something is practical, is viable.
I think self-sovereign identity is where we will all end up, is where individuals should be able to manage their own identity. But there are challenges in individuals being able to manage their own identity. But I do think as we go through this, as we start to come out the other side, we will definitely see a rise in that aspect as well, as one of the mechanisms for being able to share the information that we do need to share but under our control.
Cameron: I couldn’t agree with you more there. I think that’s a really great perspective on these issues and I share your optimism that hopefully we can continue seeing progress made towards solving these challenges because life is hard enough without anything else, let alone getting in our own way regarding making some of these challenges easier with technology.
So, fingers crossed. Although I’ve learned to mute my expectations for what might happen in a given year.
Simon, thanks again so much. I really, really appreciate it. For folks who wanted to learn more about Ubisecure, I take it your website is the best place for them to go? [www.ubisecure.com]
Simon: Yes, indeed. Absolutely.
[End of transcript]