Identity 3.0: A Mental Model of Cyber Security

By Paul Simmonds, with an Introduction from Rosemary Scully

As a relative newcomer to the world of cyber, I have asked just about everyone I meet ‘What is your mental model of what we are dealing with here?’ In my view, a shared holistic mental model of the problem, the challenge, the “system” is the best way I know to collaboratively develop a view of how and where best to intervene to achieve the desired change. It is highly likely that the mental model will change over time in response to greater experience and insight, but without any such construct it becomes very difficult to design effective interventions. Most people look slightly perplexed when faced with this question, so you can imagine my delight when Paul Simmonds from the Global Identity Foundation said straight away, “Yes, I have a model, and this is it!” So, many thanks to Paul, who has generously agreed to outline his model of the issue we are facing with cyber security.

We all know that passwords are beyond their sell-by date – the IT industry has been telling us for years, and it seems that every week brings the next high-profile hack. Conservative estimates place losses at over $400 billion, and if you examine why the bad guys find it so easy, nearly every case has a failure of identity as its root cause.

Digital identity has not evolved from the 60’s mainframe mono-directional trust model, with every evolution simply a kludge (or band-aid) and every solution a compromise of either security or privacy.

In contrast to the digital world, humans have evolved simple methods of mixing identity, privacy and primacy.

We generally operate with a “core identity” (the philosophical “I am me and always will be,” or “sameness”), which is linked to a “core identifier” (typically our face) that we use as the root of our identity. Many English-language expressions reflect this, such as “doing it face to face,” “see you soon,” and “in-person.”

From there we link to the many and various personas we all operate (professional, family, religious, ethnicity, sporting, gym, social club, citizen, sexual preference) and choose to share one or more of these personas with the people we meet. As we place more trust in a relationship, we may choose to share aspects of other personas that we have kept private up until then.

Key to this is that the only person who knows all my personas is me. As long as I choose to protect and segregate my personas, it should not be possible for a third party who knows and interacts with me in one persona to derive any of my other personas.

Should we need to increase trust in any one persona, we are asked for supporting evidence from an authoritative body: my birth certificate to prove name, age or right to citizenship, a utility bill to prove where I live, or a bank statement to show an existing financial relationship in good standing, etc.

Work originally from the Jericho Forum (part of the Open Group) showed that it is possible to replicate the same proven model in the digital world, but we need to retrain our frames of reference when it comes to “digital” identity:

  • We must have 100% anonymity at the root of an (entity’s) identity.
  • We must do identity, identically, for all five entity types (people, devices, organisations and agents).
  • We must let entities (particularly people) manage their own identity – note that this DOES NOT mean access to a system which allows them to manage their identity.
  • We need to have an identity eco-system where you only sign attributes for which you are authoritative and consume all other attributes signed by their authoritative sources.
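
The persona segregation and authoritative-attribute principles above can be sketched in code. This is an added illustration, not code from the Jericho Forum or the Global Identity Foundation; the authority names, the HMAC-based derivation and the use of HMAC as a stand-in for digital signatures are all assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: which (hypothetical) authority is authoritative for which attribute.
AUTHORITATIVE_FOR = {
    "civil-registry": {"date_of_birth", "citizenship"},
    "utility-co": {"home_address"},
}
# Constructed keys. HMAC stands in for a real digital signature so the sketch
# runs on the standard library; a deployment would use asymmetric signatures
# so that relying parties never hold a signing key.
AUTHORITY_KEYS = {name: secrets.token_bytes(32) for name in AUTHORITATIVE_FOR}


def persona_id(root_secret: bytes, persona: str) -> str:
    """Derive a stable per-persona identifier from a root secret only the holder knows."""
    return hmac.new(root_secret, b"persona:" + persona.encode(), hashlib.sha256).hexdigest()


def _payload(pid: str, attr: str, value: str) -> bytes:
    return "\x1f".join((pid, attr, value)).encode()


def sign_attribute(authority: str, pid: str, attr: str, value: str) -> dict:
    """An authority attests an attribute for one persona id, and only within its remit."""
    if attr not in AUTHORITATIVE_FOR.get(authority, set()):
        raise PermissionError(f"{authority} is not authoritative for {attr}")
    tag = hmac.new(AUTHORITY_KEYS[authority], _payload(pid, attr, value), hashlib.sha256).hexdigest()
    return {"authority": authority, "persona_id": pid, "attr": attr, "value": value, "tag": tag}


def verify_attribute(claim: dict, presented_pid: str) -> bool:
    """Relying-party check: claim is for this persona, signer is authoritative, tag is valid."""
    if claim["persona_id"] != presented_pid:
        return False
    if claim["attr"] not in AUTHORITATIVE_FOR.get(claim["authority"], set()):
        return False
    key = AUTHORITY_KEYS[claim["authority"]]
    payload = _payload(claim["persona_id"], claim["attr"], claim["value"])
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, claim["tag"])
```

Because each persona identifier is keyed by the root secret, two relying parties comparing the identifiers they hold cannot tell that they belong to the same entity, and a claim issued to one persona does not verify when presented under another.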

Finally, we need to make using our digital identities frictionless (“can my non-techie grandmother do it?”), while ensuring that it inserts trust into every part of our digital lives by leveraging the same identity ecosystem.

Can we do this? Yes we can! None of this is new or particularly difficult, but we need to think differently and then commit to an open, fully decentralized identity eco-system where everyone is free to play their part (and no more).

We call this Identity 3.0: an identity ecosystem with the architecture and cryptography built to common, open standards. You can join us to make this happen!


Rosemary Scully is the Executive Director, United Kingdom and Europe, at the Global Cyber Alliance.

Paul Simmonds is the CEO of the Global Identity Foundation, a global not-for-profit foundation working to make Identity 3.0 a reality.