Okay, I think let's start. Hello everyone. Thank you for coming to this workshop on blockchain, identity and security. We are very happy to have you, and we hope you are looking forward to this interesting workshop we are presenting to you. Let me introduce myself only very briefly. My name is Karin Gräslund. I have been a scientific advisor for KuppingerCole since the end of 2015, and in my other life I'm a professor of finance information management, so of course a little bit into FinTech. We have a second moderator and speaker.
So let me introduce him: Ivan, who is our Senior Analyst at KuppingerCole, also since 2015, focusing on risk management and identity and access management, with a very deep understanding and lengthy experience in security consulting across three continents, not only countries but continents worldwide, in a wide number of industry verticals, government and education.
He's also the lead analyst of KuppingerCole's Asia-Pacific operations, and what is interesting about him is that he holds not only a master's in IT management, but also one in political economics.
That makes this session very interesting, because you will see there are several themes involved. He worked before for Accenture, Accenture Australia, in the area of FinTech too. So this is the speaker we will begin with today.
Later on, we have the honor of having Sebastian with us, from the keynote. I think there will remain several questions that could be discussed. I will see to it that compliance is addressed.
Okay, so you have other themes, other workshops, to address questions there, but I hope there will come many questions to you too later on. So let's begin with Ivan, please. He's presenting on blockchain, identity and cybersecurity: revisiting risk management in a post-privacy age of trusted, distributed ledgers. And of course, unlike other technology innovations, blockchains with their horizontal peer-to-peer nature will have an impact not only on the technological way we behave, but also on non-technological governance and social effects.
So I hope we address the question of how trust is established between partners without a trusted party.
Great. Technical...
So then, okay. This is for me the moment to smile, but there is no conference on technology without little problems with technology, not with me. Okay.
I, but I can click for you.
Oh, I can do it. That's fine. Yeah. Okay. So I'm gonna take a bit of a circuitous route in discussing this. As usual, you present an abstract and then facts change, realities change, new things come out. So it's a bit different from the abstract. It's a bit of a circuitous route tracing risk management and data privacy, and seeing what the real risks are with the problem of personal information, but also the problem of centralized stores of information.
So all of us, if you move continents, or even if you just go on Amazon and try to get Google to understand you've changed country, or Amazon to understand that you're not interested in the books you used to be interested in anymore, that you don't still behave like a drunken teenager, that you're not still obsessed with some research topic you had during your thesis research, it's very hard. We talk a lot about the problem of personal data, but this is very much linked as well to the problem of big data, on an organizational level and on a personal level.
And Luciano Floridi puts this very well in this blog post. He's an ethicist of data. He actually stands for completely banning ads; he wants to treat internet-based advertising like smoking.
He wants to ban it. That's a bit of an extreme position, but it's quite interesting. And it's telling that we can quote Feuerbach, because this is Germany after all: man is what we Google. And the key problem here is that digital technologies become defining technologies rather than merely identifying ones. So immediately two things come to mind here with personal data.
It's a personal growth issue. It's a question of: I am not anymore the person I was when I was 20, when I was 14. But on an organizational level the problem becomes existential, because the self-fulfilling prophecy of big data, of the dominance of Bayes' theorem and the normal distribution, is really, really, really problematic. The idea of unified dashboards, the hubris of actually believing that we can predict the future or have insight into future events
based on past events, is extremely problematic.
And I mean, every time there's a big event, be it the GFC or some big climatic event, we have a bit of a spike in interest in the problem of the misuse of statistics, and then we kind of go back to what we've already known in the past. So we've had The Black Swan, we've had The Blank Swan, we've had Antifragile, and we kind of go back to, ooh, big data is awesome. And big data is an illusion to many extents. So the hubris we have of centralized control.
So, from a risk management perspective, we need to be very careful when we have these centralized troves of information, or this perception that we have a single unified view of data. And I'm gonna make a jump from this to the blockchain and cybersecurity.
And for me, cybersecurity is mainly asking two questions: who are you, and can I trust you?
So for me, key to cybersecurity, as we are all identity experts here, is still identity. So the problem of identification. Martin Kuppinger has said this, and it's true: no technology will ever solve the identification challenge. Even if we were to, as someone has said, who wasn't me, barcode babies' bottoms at birth, we wouldn't solve the identification problem, because of context, because of privacy, because of the complexity of human behavior.
However, that's why we're gonna avoid this issue: to ask the blockchain to do this is to ask too much of it, is to ask too much of any technology. Yet KuppingerCole has long spoken of life management platforms, and of what you can do with blockchains. So blockchains allow for anonymous and identified data sharing, as IBM recently pointed out.
And an example is an information security instance. So for example, this is a real use case: we have a problem of information sharing during security breaches.
Big organizations don't want to share details about a security breach because it identifies them; if they're a publicly traded organization, the stock price drops. But imagine a permissioned ledger where there could be anonymous sharing of all of the details relating to a zero-day exploit, to an attack, to a breach. And for example in health, you would want, say, maybe alerts to tell you that, based on your internet-of-things tracking, you're at high risk of certain forms of cancer or something, given your age. You want this alert, but you don't want it personalized.
You don't want someone actually knowing that you eat hamburgers every day; that's kind of too personal. So this is what blockchains can really permit. And centralized identification: we still will need the state to some degree, we still will need some birth certificates, some centralized ID. To a degree you could say the state would be the permissioned blockchain gatekeeper, the one who says "I'm admitting a new node onto the network."
However, we could still have decentralized authentication, authorization and personal data storage, and third-party access contracts, and what I like to term a UDP of identity and trust. So in short, it's highly scalable, highly fault tolerant, and it's decentralized.
A key component of blockchains is consensus. We mentioned on Monday, we got into a bit of the theory of consensus, and consensus is only important when you have decentralized systems. And decentralized and centralized systems can coexist, so there's no need to be purists about this.
We can have centralized state functions, but we can also have decentralized ones. So we spoke on Monday about the difference between algorithms and human judgment. There are times when we need human judgment. There are times when it's just bureaucratic nonsense that can be automated; it's not really important, we can automate it, we can free up seats, we can liberate jobs.
With blockchains as well, rather than discussing trusted systems, we should discuss consensus mechanisms. It's similar.
And we're gonna discuss later on with some of the other panelists actual reputational scoring, the web of trust. So up until now we've had the very complex... it has recently been the 25th anniversary of PGP, and we've had the problem that the web of trust is very complex to establish. You have to think of revocation keys, you have to think of private keys and public keys. It's just not user friendly. And usability is a key feature of any sort of personal data store or life management platform.
If my mother can't use it, if she can't understand it, if she can't properly set it up, then it might be a beautiful system in theory, but it won't really have good uptake. Another key factor of consensus is randomization of the nodes to avoid cyber attacks.
So it's very hard to coordinate attacks if the nodes are randomized. And as well, we're thinking of the internet of things here, small embedded objects with low compute power; decentralized, consensus-based systems don't mean just an army of everyone in the infantry. There will be validation nodes.
There will be devices which are just the equivalent of blockchain wallets. There will be sensors which have little more than an identification code.
So again, we must not think in terms of an absolute sphere of totally decentralized; it's key to think about where algorithmic consensus is necessary and where it's better to have centralized human judgment or authoritative systems.
So, decentralized life management platform requirements: we need decentralized data and metadata encryption. We need third-party data sharing in the form of informed pull and consented portions of information, revocable as well. We need fault tolerance and performance.
And key is, if we want these systems to be any better than the systems we have today... key themes that have been running through this EIC have been the rise of privilege management, and, not the rise, but now two-factor authentication or multifactor authentication is just considered baseline security; it's not privileged. Privilege management is key, and that's kind of what these solutions are hitting: we haven't up until now properly managed privileged access.
So PKI, and root certificates, directory servers, service accounts, we haven't properly managed these. So if we want a decentralized life management platform to be any better, we have to really think about privileged access. And this is a common misperception of blockchains, that transactions are publicly available for analysis. This is only true for the Bitcoin blockchain. It's very easy with all the other blockchains to completely obfuscate metadata and data; unless you actually own the key, you cannot follow any information.
And the decentralized data in practice is that each node sees blocks of meaningless data, so only the owner or owners, with quorum access control as well, can make sense of the information.
And homomorphic encryption is very interesting. It allows for the processing of operations on data without the need to decrypt the underlying data.
Again, we're gonna discuss as well in the panel and with other people the performance versus security constraints. So homomorphic encryption has a performance penalty today. There's a lot of research and interest in this area of encryption, but it's a key area to keep in mind, because a use case could be the ability for a third party to query whether you can pay for something without needing to know the balance in your bank account, or anyone actually knowing that.
So a function where the value of your bank account is never decrypted to any third party; it's just a yes/no response, but no one except yourself ever decrypts the value of your bank statement.
This is just an example, much like OAuth today. But OAuth, like LDAP, only defines the access protocol; it only defines the contracts. But let's think of OAuth the way we thought of X.500. X.500 was the whole big architecture behind LDAP. And let's think of a decentralized X.500. It's a terrible analogy, but we can kind of see how everyone knows LDAP, and LDAP was just the access component.
It wasn't the actual underlying data store. But if we think of life management platforms, the key is not just... we can take OAuth as an example, as a very useful example of how you can perform third-party and revocable authorizations for access to data, and then, with an underlying decentralized personal data information store, we can actually have quite a powerful system for decentralized user information data.
And this is key, this always continues to come up, including with PGP: the problem of personal private encryption keys.
The problem of: if Google encrypts my mail, Google has the keys to my mail, but if I encrypt my mail, I have to store and keep safe my private keys somewhere. I'm talking in these terms as a stupid end user who just thinks GPG Tools is an extra complex thing I have to install on my laptop and I have to install on my devices. And it's an extra problem we need to deal with.
So balancing this, it's similar to privilege management. Privilege management solutions today are talking of the use of multifactor authentication, step-up authorization or authentication based on risk and context scoring. A lot of this stuff we can actually explicitly encode in algorithms. For example, much like we could have a primary private key, our system administrator key,
and then a number of other keys which, say, are authorized family members.
We were talking about life management platforms; that includes the management of events like your death or, you know, the birth of a child. All of these things need to be taken into consideration. So we discussed, and we'll discuss more in future,
the case where you die, for example. How would you certify who would take over your data? We're thinking it would take a quorum of, say, four of your friends plus your registered coroner to certify your death. And at that point you've got encoded as well who would then inherit your data.
This is something which could be encoded. It would be much like what I alluded to briefly in the first slide, the problem that legislation and compliance have not caught up to the data sphere.
And this is an example where you set up your will as an individual: you actually set up how you want to control your data,
what should happen to your private information once you die, who should obtain it. Hopefully when we discuss compliance and regulation, we can discuss how future laws, such as the EU data breach protection law, are dealing with catching the regulatory framework up to the problem of this exploding data sphere. So this ends sort of my introduction for today, setting the stage a bit for many interesting implementations which we'll see with the later speakers, of implementing identity on the blockchain or life management platforms on blockchains.
If you have any questions before we go on to the next speaker.
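The quorum access control and the inheritance rule described in the talk (four friends plus a coroner certifying a death before the data passes on) can be encoded with a threshold secret-sharing scheme. The Python below is an added example for this page, not the speaker's or KuppingerCole's code: it implements Shamir's secret sharing over a prime field and nests two thresholds so that any four of six friends, together with the coroner, can reconstruct the key protecting the personal data store, while no group of friends can do so on their own. The key value, the friends' names and the quorum size are constructed for the illustration.

```python
import secrets

# Field modulus for Shamir's scheme. 2**127 - 1 is a Mersenne prime, large
# enough to hold a 128-bit symmetric key as a single field element.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients lowest degree first) at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, k, n):
    """Split `secret` into n shares (x, y); any k of them recover it."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0.

    Too few or tampered shares give a wrong value, not an error: the holder
    must verify the result (e.g. by decrypting a known ciphertext).
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse via Fermat's little theorem (PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


FRIENDS_X = 1   # index of the friends' group share at the top level
CORONER_X = 2   # index of the coroner's share at the top level


def split_estate_key(master_key, friends, friend_quorum):
    """Encode the policy 'friend_quorum of `friends` AND the coroner'.

    Level 1: the master key is split 2-of-2 between the friends as a group
    and the coroner. Level 2: the friends' group share is split k-of-n among
    them, so no subset of friends, however large, can act without the coroner.
    """
    top = dict(split_secret(master_key, 2, 2))
    coroner_share = (CORONER_X, top[CORONER_X])
    group_shares = split_secret(top[FRIENDS_X], friend_quorum, len(friends))
    return dict(zip(friends, group_shares)), coroner_share


def recover_estate_key(friend_shares, coroner_share):
    """Combine at least `friend_quorum` friend shares with the coroner's share."""
    group_y = recover_secret(friend_shares)
    return recover_secret([(FRIENDS_X, group_y), coroner_share])


# Constructed example values (hypothetical): a 128-bit key for the data store.
MASTER_KEY = 0x2B7E151628AED2A6ABF7158809CF4F3C
FRIENDS = ["alice", "bob", "carol", "dave", "erin", "frank"]
QUORUM = 4

if __name__ == "__main__":
    shares, coroner = split_estate_key(MASTER_KEY, FRIENDS, QUORUM)
    four = [shares[n] for n in ("bob", "carol", "erin", "frank")]
    print(recover_estate_key(four, coroner) == MASTER_KEY)   # True
    three = [shares[n] for n in ("bob", "carol", "erin")]
    print(recover_estate_key(three, coroner) == MASTER_KEY)  # False
```

One caveat a practitioner would want here: plain Shamir sharing cannot tell a tampered or insufficient share set from a correct one, it simply yields a different field element. A deployment would attach a verifiable commitment to each share (verifiable secret sharing) or check the recovered key against a known ciphertext before handing anything to the heirs, and the coroner's share would itself sit behind that person's own authentication.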
So I'm coming back to help you a little bit with the moderation. You addressed a lot of provoking statements, I think; big data is an illusion, for example, but we can't talk about this here. What I took with me and have to ask back is: you said, instead of trustless, we should talk about consensus, and that consensus can be automated, of course, and is not important. Did I get this right?
Oh, no. I meant more trust. This is actually key, because when we have algorithmic trust, algorithmic consensus, you can then say it's trustless.
However, I wanted to avoid absolutism, so thinking we just need trustless algorithmic... So it's good, because consensus can involve humans, consenting humans in a room consenting to something. It can also mean algorithmic consensus. It's a bit more of a wider statement rather than the exclusive subcategory of trustless algorithmic consensus. So I would define that as a sub-category; consensus is the master category.
Okay. So I got something wrong, but now we are clear about this, and I gave you some minutes to think about your own questions, please.
There is one question. We tested it; it should work. Please try it.
No, not yet. There is one, no, push the button. Okay. Yep.
Are there all the use cases used, in some cases? So it looks like blockchain is one possibility, but for example just to collect data somewhere, this could also happen with other technologies, right?
Yes, absolutely. So,
Because the blockchain itself is just, you know, some data, hashed data, for example transactions, in a certain order. And so
I completely agree with that.
And that's why I would say that what we end up with could probably only arguably even be called a blockchain. And, like your presentation today, you know, the hammer looking for nails: rather than talking about blockchains, I would rather want to talk about the requirements for the problems we're facing today, which are decentralized user access and the avoidance of privilege and insider abuse of system administrator credentials, because all of those cryptographic technologies are really old, proven technologies.
So
Yes,
I think this will be addressed later on too. Yes.
Yes, because we are then talking about distributed versus undistributed blockchains. If we take away "distributed", is it then still a blockchain? Or, as Sebastian, I think you addressed it also in your keynote: do you really need, in this case, for this group, blockchains, or are other technologies better suited to these situations?