Safeguarding COVID-19 Vaccines with SSI — Part 2/3

Dylan realizes that the identified design requirements correspond to properties that are typically solved by means of cryptography. To embed cryptographic methods securely in their network, VirGo needs to identify both a network architecture and an identity management paradigm that fulfill the design principles when they interact.

Frank Kottler
CodeX
6 min read · Oct 1, 2021


Twin towers with glass walls.
Photo by Alex wong on Unsplash

Network Architecture: Basis for Scalability and Availability

Upon more research, they discover various solutions currently in productive use. In particular, Microsoft proposes Trust Zones [1] separated by Trust Boundaries. Software-defined networking, on the other hand, offers more granularity and flexibility through standardization. In addition, Dylan also gathers some ideas on how to improve these solutions — particularly with the help of blockchain/distributed ledger technology and self-sovereign identity.

Microsoft Azure: Trust Zones and Trust Boundaries

Microsoft’s IoT security architecture is based on the idea that different contiguous parts (“zones”) of the network operate in distinct security environments and need to be shielded from each other. The assumption is that each zone operates under its own data and access control policies, guarded by a gateway, so that each zone can have its own security environment. The gateways control the devices and services attached within their zone, which reduces the security work to two tasks: managing the gateways and protecting the communication links between the trust zones/gateways (see Figure 1). In this way, VirGo’s warehouse gate sensors would operate in a different security environment, controlled by a different field gateway, than the trucks’ sensors. This setup allows for some degree of standardization across and between the gateways: the field gateways can be configured to process the received data into a standardized output and to enforce secure communication standards through, e.g., pre-shared secrets or public-key cryptography. On the other hand, gateways and devices still need to be provisioned (although provisioning infrastructure like the Microsoft Azure IoT Hub Device Provisioning Service and proprietary standards like Microsoft Azure IoT Plug and Play simplify this to some extent), and the architecture seems somewhat dependent on having one central data processing unit (the Cloud).

A diagram of the Microsoft Azure IoT network architecture.
Figure 1. An IoT network security architecture as envisioned by Microsoft [1].

Software-Defined Networking: Distributing Network Control

Software-defined networking (SDN) can provide the desired level of abstraction for an IoT network. Microsoft’s Trust Zones depict a special case of an SDN, where one of the SDN domains serves as the sole data processor. In an SDN, just like in Microsoft’s IoT architecture, devices and services are shielded in SDN domains controlled by SDN controllers. However, data processing is not reliant on a specific cloud architecture. This level of abstraction allows for a wider variety of use cases like distributed data management or federated learning. With SDN, VirGo can allow their warehouse to independently grant access to a truck based on its authentication and perhaps unforeseen, local circumstances. This kind of setup minimizes the communication hops between Trust Boundaries/SDN domains, which effectively reduces the number of technological and human attack vectors. Also, it is operationally easier to customize warehouse operations based on each facility’s physical setup. Device management can be decentralized to the extent that it can be cascaded down to the security domains. In this way, devices can be replaced flexibly at the point where a failure emerges (see Expansion Scenario 1).

Expansion Scenario 1: Device Management

To keep the vaccines chilled, VirGo relies on smart temperature sensors. The sensors are redundant: failure of one sensor is quickly detected and the sensor is replaced. VirGo needs a solution to decommission the faulty device and integrate the replacement sensor seamlessly without interrupting operations.

Blockchain-Based Access Management

More recently, ideas have come up to leverage distributed access management for IoT networks even more. In FairAccess [2], the idea is that resource access and control can be tokenized, so that resource owners create unique access tokens (which are, in fact, NFTs) and send them to resource users on a blockchain. The resource owner can even record access conditions for the user in an encrypted script on the blockchain. Only when the user fulfils the condition does the script record the access authorization on the blockchain. The user can then send their access NFT to the device, which can verify the access policy related to the NFT on the blockchain. This would allow VirGo to share their IoT resources dynamically with trusted partners outside their nexus, as in the example of permissioned tracking in Expansion Scenario 2. A system like this would especially improve peer-to-peer access between the devices.

An even more streamlined, yet limited, way to manage access between devices and controllers would be to record group membership on a blockchain. Researchers dub this concept “Bubbles of Trust” [3], assuming there is one controller per bubble of devices entering into master/slave relationships with the other devices and users. The master issues signed “tickets” to the slaves, which in turn can associate with the master on the blockchain. The Bubbles of Trust provide a rather straightforward mechanism to manage a multitude of devices. Because of its simplicity, this could be a powerful route towards dynamic and standardized access management, although interoperability does not necessarily extend to messaging protocols. Thus, use cases for Bubbles of Trust can be found in areas where devices of different ecosystems need to authenticate each other and frequently join or leave the network.
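To make the two ledger-backed schemes above concrete, here is an added, simplified model (not code from the FairAccess or Bubbles of Trust papers, nor from VirGo) of what a device has to check before it honours a ticket: that a trusted issuer (resource owner or bubble master) produced it, that it is presented by the holder it names for the resource it names, that it has not expired, and that the append-only ledger still shows a grant rather than a later revocation. The ledger, issuer keys and sensor/truck names are constructed, and an HMAC under the issuer key stands in for the public-key signature a real deployment would use.

```python
import hashlib, hmac, json

# Constructed, simplified model of ledger-backed access tickets. The ledger is an
# append-only list; a revocation is a new record, never a deletion, which is what
# gives the audit trail. HMAC is a stand-in for a real signature: in production the
# issuer signs with a private key so that verifying devices cannot mint tickets.
LEDGER = []

def _digest(ticket: dict) -> str:
    return hashlib.sha256(json.dumps(ticket, sort_keys=True).encode()).hexdigest()

def _tag(ticket: dict, issuer_key: bytes) -> str:
    return hmac.new(issuer_key, _digest(ticket).encode(), hashlib.sha256).hexdigest()

def issue_ticket(issuer: str, issuer_key: bytes, holder: str, resource: str, expires: int) -> dict:
    """Owner/master creates a ticket bound to holder, resource and expiry, and records the grant."""
    ticket = {"issuer": issuer, "holder": holder, "resource": resource, "expires": expires}
    LEDGER.append({"type": "grant", "ticket": _digest(ticket), "by": issuer})
    return {"ticket": ticket, "tag": _tag(ticket, issuer_key)}

def revoke_ticket(issuer: str, ticket: dict) -> None:
    """Revocation is appended, so earlier grant records stay visible for audit."""
    LEDGER.append({"type": "revoke", "ticket": _digest(ticket), "by": issuer})

def ledger_state(ticket_hash: str) -> str:
    """Latest record for this ticket wins: 'grant', 'revoke' or 'none'."""
    state = "none"
    for rec in LEDGER:
        if rec["ticket"] == ticket_hash:
            state = rec["type"]
    return state

def check_access(signed: dict, presenter: str, resource: str, trusted_issuers: dict, now: int) -> str:
    """Resource-side verification. Returns 'granted' or a reason for denial."""
    ticket, tag = signed["ticket"], signed["tag"]
    key = trusted_issuers.get(ticket["issuer"])
    if key is None:
        return "denied: unknown issuer"
    if not hmac.compare_digest(tag, _tag(ticket, key)):
        return "denied: bad tag"            # ticket altered or forged
    if ticket["holder"] != presenter:
        return "denied: wrong holder"       # someone else replaying the ticket
    if ticket["resource"] != resource:
        return "denied: wrong resource"     # ticket replayed against another device
    if now >= ticket["expires"]:
        return "denied: expired"
    state = ledger_state(_digest(ticket))
    if state != "grant":
        return f"denied: ledger says {state}"
    return "granted"
```

Note that the ledger check happens last: a ticket whose tag verifies but whose grant has been revoked on the ledger is still denied, which is the property that a purely local signed-ticket scheme lacks.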

Expansion Scenario 2: Permissioned Tracking

The general public is outraged at the vaccine supply — too slow, too little, too chaotic, too uncertain. The government is in a dilemma: they know things have not gone as smoothly as expected, and releasing all shipment and tracking information would only reveal the true extent of the mishaps. Times have been rocky, and the last thing the administration wants is to risk civil unrest. However, they would like to improve planning certainty and extend the planning window for their mass vaccination sites. Can VirGo grant the government-managed vaccination sites access to live location data for their assigned vaccine lots?

From Dylan’s and our nerdy engineer’s point of view, this paradigm of identity-based security is also very exciting, as it aligns neatly with the trend towards increasingly systemic and holistic enterprise-grade cybersecurity management. Following the ISO 27001 standard, the Cybersecurity Maturity Model Certification, newly established by the US Department of Defense, is becoming an increasingly mandated quasi-standard of best practices in high-security IT environments.

Compared to SDN, blockchain-based access management increases the resilience and availability of the system, as there is no single point of failure anymore. In an SDN architecture, an attack on the domain controller would cause an outage of the whole domain. Due to its immutability and public visibility, blockchain-based access management is also advantageous when you need to create an audit trail across ecosystems. The trade-off here is the requirement of standardization across ecosystems: as long as all devices are within your control, a blockchain would constitute too much overhead. Since you would normally trust your own entity, access policies could be stored resiliently in an internal database system. Once you move beyond your nexus, however, your business partners would need to make their devices compatible with the blockchain-based access solution to harness its benefits — a complex endeavor that could still be advantageous if it aligns with your value strategy.

Join us for the third part, where Dylan explores the identity component of the network. Find out what makes SSI so attractive for network security and why you should still think twice before using it.

Feel free to reach out to me on LinkedIn or Twitter! I am enthusiastic to discuss business model opportunities and operational excellency in the Web3. My goal is to make promising technology available to small and medium-sized enterprises. #weare4ir

Sources

[1] Shahan, R., Meadows, P., & Lamos, B. (2018). Internet of Things (IoT) security architecture. https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-architecture.

[2] Ouaddah, A., Elkalam, A. A., & Ouahman, A. A. (2017). Towards a Novel Privacy-Preserving Access Control Model Based on Blockchain Technology in IoT. In Á. Rocha et al. (Eds.), Europe and MENA Cooperation Advances in Information and Communication Technologies (Advances in Intelligent Systems and Computing, 520). Cham: Springer. https://doi.org/10.1007/978-3-319-46568-5_53.

[3] Hammi, M. T., Hammi, B., Bellot, P., & Serhrouchni, A. (2018). Bubbles of Trust: A decentralized blockchain-based authentication system for IoT. Computers & Security, 78, 126–142. https://doi.org/10.1016/j.cose.2018.06.004.
