Meet Your Security Twin! (2 of 2)
If you missed it, click here to read part one of the blog, register here for our joint webinar with Ping Identity “Who Secures Trust in Digital Transformation with Connected Things? Meet your Security Twin!” on 10 September 8am PST. Bring your best questions by reading the IDC Technology Spotlight (registration required) on Security Twins before joining us.
The Future of Trust is a Team Sport
Identity is a pillar of trust for any transaction – without it we don’t know who we’re dealing with and there is little recourse if things go wrong.
Identity describes the relationship between two entities. You could be a citizen of a country, a parent to a child, a member of a social group; in all cases there are two parties involved, each with their view of what the other entity means to them. Trusted relationships form with a history of transactions – the more we know about how each transaction worked in the past, the more trust we can place in future transactions. Reputations are forged and can facilitate transactions with other parties when one will vouch for another.
It’s this collaborative reputation sharing that can serve as a security and trust model for digital transformation. The Future of Trust is a Team Sport.
Cyber security maintenance of Connected Things is a team sport. Prescriptive Maintenance is an automated plan for who should do what, and when, so that teams can move fast and fix things. With a fully traceable record of who did what to a Thing, and when, the result is a device maintenance history that can accompany the device's data to prove its trustworthiness.
We call this a Security Twin.
A transaction history of Connected Thing maintenance builds a collective reputational memory that gives integrity to the data synchronised with Digital Twins. This builds trust amongst the parties that rely on the data, and since that data includes control signals it also helps to keep the system as a whole safer and more reliable.
The information stored in a Security Twin should be anything that relates to the security or maintenance posture of the device: the hardware bill of materials; identity protection technologies such as secure enclaves; where the device was built and under what conditions; how it got its birth certificate; what software, libraries and frameworks are in use, who maintains them and when they were last updated; and what its approved configurations and advisories are. Anything that can be placed in a JSON document can be included in a Security Twin.
Most importantly we must record WHO claimed what and placed the information there. In a collaborative system of record we need transparency to ensure we know our sources and spot obvious attempts to corrupt the record. The Thing Maker, its software suppliers, the system integrator, owner, operator and auditor may all need to contribute to the record, but only those organisations and people who have the authority to do so.
Security Twins need a collaborative system of record that is private by default and manages access permissions based on organisations and attributes. It must be distributed amongst participants and permanently record who claimed what, when and where. It must keep a faithful record of exactly when each claim was made, in the correct order. All of these properties are ready-made in a private permissioned distributed ledger, which delivers the technical foundations for the Jitsuin Archivist Security Twin platform. With that in place it can strengthen Identity and Access Management of Things.
Security Twins and Identity and Access Management
There are several integration points for Security Twins and IAM systems. Identity forms a core part of a Security Twin, and a Security Twin strengthens identity and integrity of data from Connected Things and their Digital Twins.
1. Connect Your Identity Provider with Jitsuin Archivist. The platform logs an OpenID Connect authorization token associated with each transaction of “when who claimed what” stored in a Security Twin.
2. Enrol Technology Supply Chain by delegating permissions for your stakeholders to contribute to the permanent record. Then automate workflows based on Service Level Agreements in the supply chain.
3. Know Your Things with a full service history for each connected thing. Well maintained things should benefit from streamlined authentications and policies.
4. Automate Compliance Reporting to move beyond paperwork to a data-driven record of evidence built from all stakeholders' actions to keep connected things secure.
5. Build intelligent API Protections that learn from known good sources. Use Security Twins as inputs to machine learning models so that anomalous behaviour can be correlated with device security posture.
6. Build Trust with Operating Partners and proactively manage risk before it accumulates. Get to the Truth in Things!
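As an added illustration (not Archivist's own code or API), the Python below sketches the record described in the previous section and in step 1 above: an append-only, hash-chained log of “when who claimed what” for one Thing, where “who” is taken from an already-verified OpenID Connect token rather than from the submitted data, and a permission table decides which organisation may assert which kind of claim. The organisation names, claim types, token fields and ledger layout are constructed assumptions, and the chain check stands in for the ordering and immutability a permissioned ledger would provide.

```python
import hashlib
import json
# Constructed permission table (placeholder organisations, not Archivist's real
# policy model): which organisation may assert which kind of claim.
PERMISSIONS = {
    "maker.example": {"hardware_bom", "birth_certificate"},
    "swvendor.example": {"software_update"},
    "operator.example": {"configuration"},
}
GENESIS = "0" * 64
def _digest(event):
    # Canonical JSON (sorted keys, hash field excluded) so every party recomputes the same value.
    body = {k: v for k, v in event.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
class SecurityTwin:
    """Append-only, hash-chained record of 'when who claimed what' for one Thing."""
    def __init__(self, thing_id):
        self.thing_id = thing_id
        self.events = []

    def record(self, token_claims, claim_type, payload, when):
        # 'who' comes from the already-verified OpenID Connect token, never from
        # the payload, so each claim is attributable to a real principal.
        org = token_claims["org"]
        if claim_type not in PERMISSIONS.get(org, set()):
            raise PermissionError(f"{org} is not permitted to assert {claim_type}")
        event = {
            "seq": len(self.events),
            "when": when,
            "who": {"sub": token_claims["sub"], "org": org},
            "what": {"type": claim_type, "payload": payload},
            "prev": self.events[-1]["hash"] if self.events else GENESIS,
        }
        event["hash"] = _digest(event)
        self.events.append(event)
        return event

    def verify(self):
        """Recompute the chain; any edit, deletion or reordering breaks it."""
        prev = GENESIS
        for i, ev in enumerate(self.events):
            if ev["seq"] != i or ev["prev"] != prev or _digest(ev) != ev["hash"]:
                return False
            prev = ev["hash"]
        return True
def demo():
    twin = SecurityTwin("thing-0001")  # constructed identifier
    twin.record({"sub": "alice", "org": "maker.example"}, "hardware_bom", {"mcu": "example-soc"}, "2020-09-01T00:00:00Z")
    twin.record({"sub": "bob", "org": "swvendor.example"}, "software_update", {"firmware": "1.2.3"}, "2020-09-02T00:00:00Z")
    return twin
```

Running `demo()` and then `verify()` returns True; editing any stored payload afterwards, or letting an organisation assert a claim type it is not permitted to, is rejected or detected.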
That’s a lot of steps, but there are three simple ones that you can take today to get started on the journey:
· Download our IDC Research report on the Future of Trust – they’ve identified it’s a team sport!
· Talk to us about a free trial of Archivist and see how it will boost trust in your Digital Transformation with Connected Things.
· Register for our 10 September webinar and bring your best questions.