The pandemic changed the way enterprises and people view identity ownership and security, as more people work from home on personal devices, shop online for everything and communicate digitally with family and friends. Control and protection of a user’s online identity and data is what drives both centralized and decentralized identity management. The end goal is the same, but the approaches are different.
A 2021 Identity Fraud Study by Javelin Strategy & Research found that identity fraud losses in 2020 reached $56 billion. Enterprises need a safe and secure identity management system that prevents bad actors from impersonating valid users to steal data and cripple networks, like the recent Colonial Pipeline ransomware attack. At the same time, data breaches and identity theft have caused users to look for ways to control their own online identities rather than allowing enterprises to do it.
Digital identity is a national security issue. There is no “one size fits all” answer, which is why solutions are needed for both centralized and decentralized identity management. The two approaches can work together to secure identity data.
What is Centralized Identity Management?
Centralized identity management (also known as identity and access management or IAM) is used by enterprises to protect data and control authentication and access to applications, APIs and other resources.
The most recent IBM Cost of a Data Breach study found the average cost of a data breach was $3.92 million, with 36% of the total ($1.42 million) the direct result of lost business. In addition, the most common initial attack vector, compromised credentials, was responsible for 20% of breaches, with an average breach cost of $4.37 million.
To help prevent data breaches, enterprises had to find a way to verify legitimate users and give them access to the resources they needed without frustrating them to the point they give up. IAM solutions ensure users are verified, typically through single or multi-factor authentication (MFA), to prove they are who they say they are. According to Microsoft, MFA can “prevent 99.9 percent of attacks on your accounts.”
When a single sign-on (SSO) solution is also in place, users have the ability to access the tools they need without having to login to multiple accounts because a trust relationship exists between the user, enterprise and partner sites. This reduces frustration, friction and password fatigue while increasing data security.
What is Decentralized Identity Management?
Decentralized identity (also known as personal identity, self-sovereign identity and distributed identity) gives users more control. The decentralized identity model lets individuals store identity-related data in a digital wallet on their own mobile device. They can keep that information updated and share exactly what data they want with businesses or other individuals to open a bank account, buy a car, start a new job and so on.
Users receive credentials proving their identity from multiple issuers (employers, government, etc.) and store them in their digital wallet much like we do with wallets that contain our driver’s license, credit cards and insurance cards. The user can create a pair of private and public keys in their identity wallet, and choose to share just the minimum amount of information required for a transaction. After the person presents proof(s) of their identity to a company that requests it, the company can verify the proofs are valid through a blockchain-based ledger.
How it Works
Issuers are official sources of data, such as universities, credit bureaus or pharmacies, that provide verified data about people. Users can click a link from an issuer or scan a QR code to add verified data—in the form of a card—to their digital wallet.
Users are individuals (potential employees, customers, etc.) who store identity data (driver's license, vaccination record, transcript, etc.) in a digital wallet that uses blockchain technology to ensure the information is never modified or deleted. Personal information is stored only in the digital wallet so it is never outside of a user’s control.
Verifiers are businesses or individuals that need to confirm something about someone. By scanning a QR code, users can share up-to-date, verified data about themselves with verifiers.
Gartner stated, “the emergence of blockchain as a technology for applying a decentralized and tamper-evident shared-ledger enables new experimentation in how best to implement a common trust domain” in 2018. Known as the identity trust fabric (ITF), it reduces the role of central identity providers in managing trust.
What are the Differences between Centralized vs Decentralized Identity Management?
As identity security evolves, the balance between centralized and decentralized identity management may shift. Because Ping offers solutions for both approaches to protecting personal data, we understand the similarities and differences.
Centralized Identity Management
Identity and access management (IAM) solutions have existed for years and are based on established trust relationships between and among users, identity providers (IdP) and service providers (SP). IAM solutions are designed for customers, workforces and partners, making them a flexible option for enterprises.
IAM relies on directories to store user profiles, with data being gathered from numerous sources. Customer identity and access management (CIAM) solutions are similar to IAM, but may provide additional features, such as registration, self-service account management, consent and preference management and data access governance. The user profiles that are created allow companies and their partners to provide personalized service to their customers.
Because businesses are storing and potentially sharing sensitive data with third-parties, there are risks. Regulators have stepped up to protect consumer data and penalties are associated with noncompliance. The General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are just two examples.
Improve user experience and security through multi-factor authentication (MFA)
Increase productivity with single sign-on (SSO)
Trust relationships already exist
Lower IT costs, especially for identity as a service (IDaaS) subscription models
Data breaches put user data at risk
Regulatory compliance around data sharing can be burdensome
Poor planning can lead to performance and implementation issues
Disruptions, outages or ransomware can shut down operations
Decentralized Identity Management
A 2019 Pew Research study found “79% of adults assert they are very or somewhat concerned about how companies are using the data they collect about them, while 64% say they have the same level of concern about government data collection.” It is no wonder people want more control over their online identity and data sharing.
Digital wallets are a user-friendly method of storing and accessing personal information on a user’s smartphone, which is easily accessible. Unlike single sign-on that relies on a centralized profile to verify users for multiple applications, personal identity users have to sign on to each application separately.
Users control what data to share
Mobile phones act as digital identity devices
Monetization of personal data by companies, including social media, is reduced
Less user data will be exposed should hackers breach enterprises
Protocols are still being developed and it isn’t universally accepted
Users may have trouble receiving all the credentials they need to store in their wallets
Users may have trouble selecting a reputable company to manage their identity
A learning curve exists for users and enterprises
Ping Identity joined the Decentralized Identity Foundation to advance open standards for personal identity earlier this year. The goal of DIF is to help people and organizations gain control over their digital identities, enabling them to conduct trusted online transactions and interactions safely. DIF members are actively working on protocols and implementations that enable creation, resolution and discovery of decentralized identifiers and names across decentralized systems, including distributed ledgers and blockchains.
What are Examples of Centralized Identity Management?
Federated identity management is a centralized identity management solution that enables single sign-on to applications across multiple domains or entities. A company can give employees one-click access to third-party applications like Salesforce or Zoom. When an employee logs on in the morning, there is no need for multiple accounts and passwords to carry out their daily activities, which increases productivity.
CIAM provides customers with a similar experience. For example, a bank can provide customers with seamless access to banking services that are externally managed, like ordering checks, sending money via Zelle or applying for a loan. If the customer updates their address in one application, it is updated in all applications.
What are Examples of Decentralized Identity Management?
You may already have experience with decentralized identity without knowing it. Ping’s Project COVID Freedom enables vaccine providers, businesses and individuals to securely prove vaccination and COVID test results to others, while keeping users up to date on vaccination status over time via private encrypted messages. Individuals receive digital proof of their vaccinations in their secure ShoCard mobile wallet, which they can securely share with participating employers, restaurants and others using a QR code.
Ping’s decentralized identity management solution, PingOne for Individuals, allows businesses to issue digital identity cards to their users, which are tied to verified data and stored in the ShoCard digital wallet. This allows users to manage their own data, securely stored on their mobile devices.
Ping’s centralized identity management solution, the PingOne Cloud Platform, helps enterprises provide employees and customers with a smooth, secure online experience. To learn more about how customer identity and access management can help your business, please read our Ultimate Guide to CIAM.