Decentralised identity and access management model : a self-sovereign identity solution for enterprises and employees : empowering employees with data subject rights and transparent control over their shared credentials and attributes using private or permissioned blockchain technology

Abstract

Enterprises are affected by data breaches and associated overheads. The classical identity and access management models rely on centralised third-party certificate authority for authentication, leading to a single point of failure. In these systems, the access control systems are either role-based or attribute-based with limited attention to employee identity information. Cloud-based identity provider solutions necessitate data sharing for access permission handling, the data may be stored securely but can be misused without transparent processing and consent management. These systems store copious amounts of sensitive employee data which makes them lucrative for malicious attackers. Decentralised identity systems, particularly self-sovereign identity systems propose solutions. Designed using public permissioned blockchains, self-sovereign identity systems allow the users to gain complete control of their identifiers and personal data which is stored locally with the users. While SSI models exist for customers and patients, employee data security is often overlooked. This study critically reviews classical identity systems in the context of employee identity systems, access control policies and data subject rights. It explores decentralised identity systems and the necessary components for self-sovereign identity functionality. The model leverages privacy-preserving standardised technologies by aggregating these technologies inspired by existing systems, like decentralised identifiers, verifiable credentials, smart contracts and zero-knowledge proofs along with private permissioned Hyperledger Fabric. This model aligns with European General Data Protection Regulation principles and data subject rights, enabling employees to access both the internal database and service application through decentralised identifiers and verifiable presentations. This dissertation constitutes a qualitative desk-based research analysing employee privacy and security concerns in classical identity management systems, decentralised identity systems, decentralised access control and the association of technical components with regulatory compliance. Employing thematic analysis of the research articles through inductive and deductive coding techniques to prepare a theoretical framework. The research aims to assess the potential and challenges in permissioned self-sovereign identity ecosystems and introduces a conceptual model addressing concerns about employee data protection and control.