The distributed ledger approach used in blockchain technology has enormous potential for security applications, and one vendor is looking to turn that promise into reality.

Ping Identity earlier this summer struck a partnership with a startup called Swirlds, investing an undisclosed amount of money in the company. Swirlds, founded by CEO Leemon Baird, introduced what it calls hashgraph, which is similar to the distributed ledger featured in bitcoin's blockchain scheme, with one important difference: instead of recording one transaction after another in a chain, the hashgraph algorithm weaves multiple transactions together at the same time in a graph.

Swirlds aims to use hashgraph for application development and distributed computing platforms, while Ping CEO Andre Durand sees potential for the distributed ledger in identity and access management systems. In part one of SearchCloudSecurity's interview with Durand at the Cloud Identity Summit 2016, he talked about the growth and obstacles of the identity as a service market. In part two of the interview, Durand talks about hashgraph and how distributed ledgers can improve identity security. He also discusses the maturation and interoperability of identity standards such as OpenID. Here are excerpts from part two of the conversation:

There's been a lot of talk in recent years about blockchain and its applicability for security. Hashgraph obviously takes the concept of a distributed ledger but goes in a different direction with it. So how does it work on a large scale?

Andre Durand: That is a game changer, let me be right up-front. A distributed ledger enables fairness without servers. The reason we build servers is to ensure fairness of transactions. If we can mathematically do that in distributed sets, that's as big as the cloud. And I think that's really, really profound. We as an industry virtualized the servers in the cloud with a combination of VMware and consuming computing as a service, but we've never been able to provision the excess capacity of our mobile phones. This has the possibility of doing that. That's a really big deal.

So think about how VMware took unused cycle time of servers and made it usable. If you use 10% of a server, virtualize it and use the other 90%. Uber virtualized the three vacant seats in all our single-driver cars. Airbnb virtualized the two bedrooms in our oversized houses. We haven't yet virtualized the excess capacity of our mobile phones, for example. Maybe the only inhibitor here is no longer bandwidth or CPU -- because my phone's not doing anything right now -- but it's just power. Ultimately battery power is going to be a factor; you're not going to do anything that's going to drain the power. But we'll catch up on that one too. The second you can get power beyond a day, in theory, you're in a zone where it's possible for all of us to be virtualizing the excess capacity of the mobile device as a distributed computing platform. Think about that for a second. How much compute power is sitting on all of our phones?

And hashgraph is a way to harness that compute power without relying on centralized servers in a data center?

Durand: Right. It's a way to do distributed computing without centralized servers. It's the antithesis of the cloud. It enables the antithesis of the cloud. There's no data center hosting the application.

So using hashgraph's distributed ledger, there would be no one centralized location to compromise that identity or verification process. Why is that important for identity and access management?

Durand: I see most systems doing wave oscillation between distributed and centralized systems. And it seems like we're never done in the oscillation between distributed and centralized. But this is the enabler of the disruption of centralized systems [for identity]. The verification of an identity is distributed across numerous devices. The identity system is fully distributed. And there are a lot of applications for this technology, and this is just one of them. But something this profound takes a little while to get your feet underneath. And so the hashgraph has to be vetted, and the platforms need to get built up. It will take a little bit of time, but something this big is not going to be ignored for long.

On the standards side, there seems to be a lot of momentum with OpenID. What do you attribute that to?

Durand: Well, there are two things. OpenID Connect is an extension of OAuth. That's important, because you didn't want an authentication and authorization standard for APIs and then build something totally different for web. That's the first point. The second point is OpenID Connect allows for discovery of who the IDP [identity provider] is so you don't have to manually make connections. Think about it this way. What if DNS did not have DHCP? I'm trying to send you an email message -- what's the IP address of your computer so that I can send you an email message? How would that scale? So I have to dynamically discover the port where your mail server's running by your domain name and resolve that automatically. That's what OpenID Connect does for identity; it provides a discovery mechanism for who the IDP is. There is no manual configuration for the IT staff to do it. So those are the two reasons.
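The discovery mechanism Durand describes, as an added Python example that is not part of the interview or of Ping's products: given an e-mail-style identifier, the client resolves the issuer through WebFinger, then fetches the provider's configuration document and refuses one whose `issuer` field does not match the URL it was fetched from, which is the check OpenID Connect Discovery requires. All hosts, URLs and responses are constructed stand-ins for real HTTPS fetches.

```python
from urllib.parse import urlencode, urlsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Constructed sample responses keyed by (host, path); they stand in for the
# HTTPS fetches a real client would make. All hosts here are assumed, not real.
FAKE_WEB = {
    ("example.com", "/.well-known/webfinger"): {
        "links": [{"rel": OIDC_ISSUER_REL, "href": "https://login.example.com/oidc"}],
    },
    ("login.example.com", "/oidc/.well-known/openid-configuration"): {
        "issuer": "https://login.example.com/oidc",
        "authorization_endpoint": "https://login.example.com/oidc/authorize",
        "jwks_uri": "https://login.example.com/oidc/jwks",
    },
    # A document served from another host that claims login.example.com's
    # issuer; the issuer-match check below must reject it.
    ("mirror.example.net", "/.well-known/openid-configuration"): {
        "issuer": "https://login.example.com/oidc",
        "authorization_endpoint": "https://mirror.example.net/authorize",
        "jwks_uri": "https://mirror.example.net/jwks",
    },
}

def fetch_json(url, web=FAKE_WEB):
    """Stand-in for an HTTPS GET that returns the parsed JSON body."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("discovery must use https: " + url)
    if (parts.netloc, parts.path) not in web:
        raise LookupError("no such resource: " + url)
    return web[(parts.netloc, parts.path)]

def discover_issuer(email, web=FAKE_WEB):
    """WebFinger step: map a user identifier to its OpenID issuer URL."""
    host = email.rsplit("@", 1)[1]
    query = urlencode({"resource": "acct:" + email, "rel": OIDC_ISSUER_REL})
    doc = fetch_json(f"https://{host}/.well-known/webfinger?{query}", web)
    for link in doc.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL:
            return link["href"]
    raise LookupError("no OpenID issuer link for " + email)

def load_provider_config(issuer, web=FAKE_WEB):
    """Fetch provider metadata; its issuer must equal the one asked for."""
    conf = fetch_json(issuer.rstrip("/") + "/.well-known/openid-configuration", web)
    if conf.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: {issuer} vs {conf.get('issuer')}")
    return conf
```

A real client would replace `fetch_json` with a TLS-verified HTTP GET and then fetch `jwks_uri` from the accepted document to validate ID tokens.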

So the momentum is there for OpenID. Why don't we see more adoption?

Durand: This takes time. We're retrofitting 30 years of software. And you can't just rip legacy systems out. It takes a long time to enable all this. You get in these big companies, and there are thousands of applications. It's insanely complicated. If we only used 20 SaaS apps, the problem would be over, but that's not the case. Keep in mind, for the better part of two decades we enabled the enterprises to build apps. And guess what? They built a lot of them to codify all their business processes. And now we're dealing with all those legacy apps.

Compared to last year's Cloud Identity Summit, it seems there's more willingness in this industry to cooperate on interoperability with identity systems and get on the same page standards-wise.

Durand: For the most part, yes.

Then what are the challenges going forward?

Durand: The challenge is each one of these standards -- and there's not one, there's several -- is not perfectly delineated. For example, SAML and OpenID Connect overlap. So they're not perfectly delineated, and getting everyone to implement them well is challenging and it takes time. These specs can be 300 to 400 pages. And it's just really complicated. I like to say that SMTP for email was gloriously simple: it's subject, message, body and done. Identity is infinitely more complicated.

Should the industry collectively settle on one standard to make the process easier? Do enterprises need to be concerned about the fact that, for example, they use SAML internally but their cloud services use OpenID?

Durand: There's really no reason to. SAML just sits there and works, and it will stay there and work like most legacy systems. And there are layers; the same infrastructures can use and talk to both. With Ping, you can have x number that are SAML connections, and they're fine, and then x number of OpenID connections that are newer. The old stuff just becomes embedded, and it still works. If there's an impetus to change it, then the enterprise will change it. There are always new projects that take precedence over cleaning everything up to keep it on the latest thing. So I don't think there's anything we need to do, per se. SAML got to this level, and it will probably stay there for a while. And then OpenID is growing. It's getting at more apps than SAML got at that stage at a faster rate. But as far as choosing one standard and completely getting rid of another, there's no need.