This blog is co-authored by Baber Amin, CTO West, Ping Identity & Jon Geater, CTO, Jitsuin
Identity and IoT—meant to be
The IoT turned 21 this year. With news of its untimely “death”, we should remember that identity was there at its birth. In the beginning, IoT meant using radio frequency identification (RFID) tags to track fast-moving consumer goods in supply chains. Two decades on, the meaning of IoT has changed. It now means using data to sense and control smart, connected cyber-physical machines, or connected “Things”. By either definition, there is an important common strategic technology that has unlocked digital transformation: Digital Twins.
Digital Twins—everything is an API
Digital Twins represent real-world objects in virtual form that allow software to interact with them through data flows. Different users of Digital Twins will value data differently: a system user of a Thing places more value on live data feeds, whereas a Thing manufacturer is more interested in aggregate data for maintenance scheduling. This indicates a need for multiple Twins.
Security Twins—the trust enabler for Digital Twins
As we move towards that world of multiple and composite Digital Twins, it’s important to choose and aggregate the right data sources that match your business case and take account of your risks and ambitions. Broadly, these sources fall into two major categories: data from devices and data about devices.
It’s data about devices that makes up the Security Twin: maintenance information, firmware patches, configuration updates, etc. The Security Twin supplies the underpinning data that shows whether connected devices are trustworthy and running in accordance with compliance processes. This leaves operations and business intelligence software free to do what they do best: consume and analyse data from the telemetry systems. And when moment-of-truth decisions must be made based on live data, the vital input from a Security Twin helps chart the correct course of action.
Now it’s time to go back to the origin of the IoT: the supply chain. But this time the cybersecurity supply chain.
The cybersecurity supply chain
Connected Things are only secure until they’re not. Kaspersky says its ICS CERT researchers find no fewer than 60 vulnerabilities in ICS and IIoT products every year, and these flaws can affect hundreds or thousands of systems. If we are to move fast and fix Things, the supply chain must collaborate. Manufacturers create patches, integrators test them, owners approve them, maintenance teams schedule them and auditors monitor performance. The cybersecurity supply chain of a Thing is physical when it is installed and digital for the rest of its life. We need a way to represent that digital supply chain with Security Twins.
A shared service history of Things
A permanent record of who in the supply chain did what to a Thing, and when, creates a shared service history. Just as the value of a used car is judged by its service history, the value of data from Things—and their Digital Twins—can be cross-checked against their history. Is the patching history sensible? Who authorized what configurations to be loaded on the device? How long has it been running in a vulnerable state? These detailed questions are almost impossible to answer in isolation, but become clear when a collaborative maintenance system is in place.
How do we build a Security Twin?
An organization will need a fast-responding, secure system of record to store Security Twin information. It should store static and semi-static metadata such as provisioning records, available firmware versions, issuers, X.509 certificates for direct methods, vulnerability reports and more. It should also synchronize event data with other supply chain participants.
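To make the "shared service history" and the "system of record" concrete, here is an added example (not code from the authors, Ping Identity or Jitsuin) of a minimal Security Twin: an append-only, hash-chained event log for one Thing that supply-chain participants append to, plus queries that answer the questions raised above (who authorized which configuration, how long the Thing ran in a vulnerable state). The `SecurityTwin` and `Event` names, the actors, the device id `thing-0001`, the `VULN-EXAMPLE-*` ids, timestamps and firmware versions are all constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first event in a chain


@dataclass(frozen=True)
class Event:
    ts: str          # ISO-8601 UTC timestamp of the action
    actor: str       # supply-chain participant who performed it (constructed names)
    role: str        # manufacturer / integrator / owner / maintenance / auditor
    action: str      # e.g. "vuln_reported", "patch_released", "patch_installed"
    detail: dict     # action metadata (vuln id, firmware version, config id, ...)
    prev_hash: str   # digest of the previous event: the chain link
    digest: str      # SHA-256 over this event's content plus prev_hash


def _digest(ts, actor, role, action, detail, prev_hash):
    """Canonical JSON (sorted keys), so identical content always hashes identically."""
    body = {"ts": ts, "actor": actor, "role": role, "action": action,
            "detail": detail, "prev_hash": prev_hash}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class SecurityTwin:
    """Append-only, hash-chained service history for one Thing (example design)."""

    def __init__(self, thing_id):
        self.thing_id = thing_id
        self.events = []

    def record(self, ts, actor, role, action, detail):
        prev = self.events[-1].digest if self.events else GENESIS
        ev = Event(ts, actor, role, action, detail, prev,
                   _digest(ts, actor, role, action, detail, prev))
        self.events.append(ev)
        return ev

    def verify(self):
        """Recompute every link; an edited, removed or reordered event breaks the chain."""
        prev = GENESIS
        for ev in self.events:
            if ev.prev_hash != prev:
                return False
            if _digest(ev.ts, ev.actor, ev.role, ev.action, ev.detail, ev.prev_hash) != ev.digest:
                return False
            prev = ev.digest
        return True

    def config_authorizations(self):
        """Who authorized which configuration to be loaded on the device."""
        return [(ev.actor, ev.detail["config_id"]) for ev in self.events
                if ev.action == "config_authorized"]

    def vulnerable_hours(self, vuln_id, as_of=None):
        """Hours from a vulnerability report to the patch installation that closes it,
        or to `as_of` (ISO-8601 string, default: now) while it is still open.
        Returns None if that vulnerability was never reported for this Thing."""
        reported = closed = None
        for ev in self.events:
            if ev.detail.get("vuln_id") != vuln_id:
                continue
            if ev.action == "vuln_reported" and reported is None:
                reported = datetime.fromisoformat(ev.ts)
            elif ev.action == "patch_installed" and reported is not None:
                closed = datetime.fromisoformat(ev.ts)
                break
        if reported is None:
            return None
        end = closed or (datetime.fromisoformat(as_of) if as_of else datetime.now(timezone.utc))
        return (end - reported).total_seconds() / 3600


def build_sample_history():
    """Constructed history: one vulnerability handled end to end, one still open."""
    twin = SecurityTwin("thing-0001")  # constructed device id
    twin.record("2021-03-01T09:00:00+00:00", "acme-devices", "manufacturer",
                "vuln_reported", {"vuln_id": "VULN-EXAMPLE-1", "severity": "high"})
    twin.record("2021-03-02T10:00:00+00:00", "acme-devices", "manufacturer",
                "patch_released", {"vuln_id": "VULN-EXAMPLE-1", "firmware": "2.4.1"})
    twin.record("2021-03-03T08:00:00+00:00", "integr8", "integrator",
                "patch_tested", {"vuln_id": "VULN-EXAMPLE-1", "firmware": "2.4.1", "result": "pass"})
    twin.record("2021-03-03T12:00:00+00:00", "plant-owner-ops", "owner",
                "config_authorized", {"config_id": "cfg-baseline-7"})
    twin.record("2021-03-04T09:00:00+00:00", "fieldservice-co", "maintenance",
                "patch_installed", {"vuln_id": "VULN-EXAMPLE-1", "firmware": "2.4.1"})
    twin.record("2021-03-05T09:00:00+00:00", "acme-devices", "manufacturer",
                "vuln_reported", {"vuln_id": "VULN-EXAMPLE-2", "severity": "medium"})
    return twin


def tampered_history():
    """Same history, but the installation record is edited after the fact."""
    twin = build_sample_history()
    target = twin.events[4]  # the patch_installed event
    twin.events[4] = replace(target, detail={**target.detail, "firmware": "2.4.0"})
    return twin
```

The hash chain makes the history tamper-evident, which is what lets a later reader trust the answers (`vulnerable_hours("VULN-EXAMPLE-1")` gives 72 hours from report to installed patch; `VULN-EXAMPLE-2` is still open). It does not by itself prove who appended an event: in a real multi-party system each participant would sign its events with its own credential (the X.509 material the page mentions), and the records would be replicated to the other supply-chain participants rather than held by one party.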
Access and governance built on the foundation of Security Twins
A high-quality source of security meta-information can increase the visibility of risk and reduce that risk, while proving continual compliance at low cost. It can speed the execution of operational decisions by increasing trust in data, whether those decisions are made by humans or artificial intelligence. Step-up authentications can be applied when it matters most, just as with human identity and access control decisions.
The same tools we use to govern human access to data can be used to govern Things so that they meet compliance requirements. When a business is digitally transformed, everything is data and everything is accessed through APIs. Unifying the identity governance of people, Things and Digital Twins makes it a lot simpler to comply with regulations and improve business outcomes.
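The two paragraphs above describe applying the same allow / step-up / deny logic to a Thing's API access that identity systems apply to people. As an added example (not code from the authors or their companies), here is a small policy function that takes facts derived from a Thing's Security Twin and the sensitivity of the requested action, and returns one of those three decisions. The `Posture` fields, the action names, the `SENSITIVITY` levels and the 24-hour attestation threshold are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    """Facts a policy engine would derive from a Thing's Security Twin (constructed fields)."""
    thing_id: str
    identity_verified: bool      # the Thing authenticated with a valid device credential
    open_high_vulns: int         # high-severity vulnerabilities reported but not yet patched
    config_authorized: bool      # the running configuration was authorized by the owner
    hours_since_attested: float  # age of the Thing's last verified health/attestation report


# Sensitivity of what the Thing (or a service acting on it) is asking to do (assumed).
SENSITIVITY = {"read_telemetry": 1, "write_config": 2, "update_firmware": 3}

# Assumed threshold for this example.
MAX_ATTESTATION_AGE_HOURS = 24


def decide(posture, action, step_up_satisfied=False):
    """Return (decision, reason) where decision is "allow", "step_up" or "deny".

    "step_up" means the request may proceed only once an additional control has been
    satisfied (for example an operator approval), mirroring step-up authentication
    for human users. Denials are for conditions no step-up should override."""
    if not posture.identity_verified:
        return "deny", "device identity not verified"
    level = SENSITIVITY.get(action)
    if level is None:
        return "deny", f"unknown action {action!r}"
    if level >= 2 and not posture.config_authorized:
        return "deny", "running configuration was never authorized by the owner"

    reasons = []
    if level >= 3:
        reasons.append("firmware updates always require approval")
    if level >= 2 and posture.open_high_vulns > 0:
        reasons.append(f"{posture.open_high_vulns} unpatched high-severity vulnerability(s)")
    if posture.hours_since_attested > MAX_ATTESTATION_AGE_HOURS:
        reasons.append("last attestation is stale")
    if reasons and not step_up_satisfied:
        return "step_up", "; ".join(reasons)
    if reasons:
        return "allow", "step-up satisfied: " + "; ".join(reasons)
    return "allow", "posture within policy"


# Constructed postures for five hypothetical Things.
HEALTHY = Posture("thing-0001", True, 0, True, 2.0)
VULNERABLE = Posture("thing-0002", True, 1, True, 2.0)
UNVERIFIED = Posture("thing-0003", False, 0, True, 2.0)
UNAUTHORIZED = Posture("thing-0004", True, 0, False, 2.0)
STALE = Posture("thing-0005", True, 0, True, 48.0)
```

The ordering matters: identity comes first, hard denials (unauthorized configuration for any write) next, and step-up conditions last, so a Thing with an unpatched vulnerability can still stream telemetry but needs approval before its configuration is changed. Those derived facts are exactly what a Security Twin is for; the policy engine itself is the same kind of component an organization already runs for human access.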
Security Twins for the Internet of Things lower business risk.