The rise of the Internet of Things (IoT) and the increasing number of smart devices is being matched by the development of digital twins used to encode and emulate real-world objects. However, these developments will falter unless we have privacy-preserving identity protection to create trust across the new population of digital beings, argues Nelson Petracek, global CTO at TIBCO.
Everyone on the planet has an identity. Given our growing understanding of, and attention to, all forms of diversity, inclusion and belonging, we have all spent more time considering every individual’s identity status in the more emotive and humanistic sense of the word.
However, identity is not just a means of expressing someone’s individuality, persona and sense of self. That’s the psychoanalysis side of the playbook. On a more clinical and exacting level, we also talk about identity as the defined characteristics around which a person can be differentiated, validated and identified.
In the current age of digital document signatures, smartphone payment systems and electronically-enabled ePassport biometrics, identity is the digitally encoded footprint that describes a person for who they are, what they’re called and various other distinguishing attributes.
Nominative nomenclature needs
It is this need for nominative nomenclature that we have now extended into the world of machines.
The rise of the Internet of Things has given us a wider universe of identity points, as every machine, every sensor and every virtually abstracted ‘thing’ now has a name and a point of presence. Even if it is only software-based and composed of code syntax, attributes and data, every element of the IoT has an identity point. It is important that we know the who, when, why, where and what of every member of this new digital family.
There is a fascinating new world of identity structures emerging and the ‘population’ is increasing. Where this conversation gets more interesting is at the intersection point between real-world devices (by which we mean internal components, whole pieces of machinery, complete factories or even entire cities) and the use of digital twins which are built to perfectly emulate their real-life cousins.
Digital twins are virtual models of physical entities used to test and support better decisions for the tangible things being emulated. But digital twins cannot act alone. To bring a digital twin to life and power the digital model that represents the real-world thing, we are typically dependent on sensors and two-way interactions between the digital twin and the physical system.
As we build digital twins into our lives, we are employing an increasing amount of advanced analytics, machine learning (ML), and artificial intelligence (AI) to make them smarter and more capable. This has further spiralled in line with IoT devices that now enjoy an increasing amount of processing capability, making them capable of enacting complex and independent functions.
Even if we use a digital twin to represent a process or procedure comprised of many parts, we still need that sensor-to-software interaction layer to feed the data stream that will update the state of the digital twin at any given moment in time. This layer requires trust to ensure the accuracy of the entire system. IoT devices need an associated trusted identity to ensure information is coming from a verified source, and for every digital twin we build, there is an equal and correspondingly opposite identity value that we need to encode, secure, protect and register.
Managing IoT devices, digital twins, and user identities involves significant challenges. Many of the issues come down to standards… or lack of them. Today, there is a lack of Identity Credential and Access Management (ICAM) standards for IoT. The result is the development of many disconnected proprietary standards, which directly contributes to a lack of interoperability. Without proper identity, trust is hard to establish and maintain – a problem in this rapidly expanding population.
If we think about how we ‘prove’ who we are today, we exist inside limited boundaries. As a user, you might personally rely upon a username and password to log in to a system. Equally, you might place your trust in a third-party service that has already established a secure boundary with you, such as Google or Facebook. For devices, identity is typically supported by a collection of techniques such as certificates, which are complex to manage and maintain. Neither human nor machine-based identity management is currently built to scale to meet the demands of tomorrow’s IoT-powered digital twins. We need to think about alternate approaches, one of which is the decentralised or self-sovereign identity model.
The world needs a digital trust framework built around decentralised architecture and decentralised identity. This is especially true in industries such as healthcare, as digital twins generate and consume volumes of sensitive, private and regulated data. Both the digital twin and the physical entity whose data is being used would benefit from the privacy-preserving identity protection capability afforded by decentralised identity. As we start to build digital twins in the healthcare market in particular, we can even include techniques such as selective disclosure and zero-knowledge proofs to protect identity and identity attributes.
Triangulating the trust triangle
Self-sovereign identity hinges around the concept of us all being responsible for our own identity and how our identity can be used to securely and privately connect with different services in real life. In a world where we are currently dependent upon identities managed by third parties, this is a crucial differentiating factor. Do you really want to sign in to your gaming console with the same information you use to connect to your doctor?
Just like individual human identity, device and digital twin identity will involve a number of parties, including issuers, holders and verifiers. Each has a role to play in the creation of trust, but this trust triangle can only exist if the participants are able to exchange information in a secure, standardised fashion.
We need an approach that does not depend on a single, external third party (outside of the original identity issuers), that eliminates or greatly reduces the attack surface (there is no single thing upon which everything else depends that can be attacked) and that increases the level of trust in the system. Trusted data from trusted sources results in trusted digital twins – this is of paramount importance as more behaviours become dependent on the operation of these simulated or parallel digital representations.
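The issuer, holder and verifier roles described above, combined with salted-hash selective disclosure, as an added example that is not from the article or from TIBCO. The function names, attribute names and values are hypothetical, and holder key binding and replay protection are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Claim is one salted identity attribute (all names here are hypothetical).
type Claim struct{ Name, Value, Salt string }

func digest(c Claim) string {
	b, _ := json.Marshal([]string{c.Salt, c.Name, c.Value}) // unambiguous encoding
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

// Issue (issuer): salt every attribute and sign only the sorted digest list.
func Issue(priv ed25519.PrivateKey, attrs map[string]string) (digests []string, sig []byte, claims map[string]Claim) {
	claims = map[string]Claim{}
	for n, v := range attrs {
		salt := make([]byte, 16) // random salt stops guessing of hidden values
		rand.Read(salt)
		claims[n] = Claim{n, v, fmt.Sprintf("%x", salt)}
		digests = append(digests, digest(claims[n]))
	}
	sort.Strings(digests) // sorted so position reveals nothing about the attribute
	return digests, ed25519.Sign(priv, []byte(strings.Join(digests, ","))), claims
}

// Verify (verifier): check the issuer signature, then each disclosed claim's digest.
func Verify(pub ed25519.PublicKey, digests []string, sig []byte, disclosed []Claim) bool {
	ok := ed25519.Verify(pub, []byte(strings.Join(digests, ",")), sig)
	for _, c := range disclosed {
		i := sort.SearchStrings(digests, digest(c))
		ok = ok && i < len(digests) && digests[i] == digest(c)
	}
	return ok
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ds, sig, claims := Issue(priv, map[string]string{"model": "pump-x1", "site": "ward-7", "serial": "SN-0001"})
	fmt.Println(Verify(pub, ds, sig, []Claim{claims["model"]})) // holder reveals model only
}
```

The verifier needs only the issuer's public key, so no central party is contacted at presentation time, and the undisclosed attributes remain hidden behind their salted digests.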
Our intelligent autonomous future
As devices become more autonomous and we transition into a future where IoT ‘things’ are interacting with each other without human involvement, the ability to create and manage identity based upon standards with robust privacy and security mechanisms is going to be extremely important. When we do this, we can create a system that is capable of safely and securely exchanging identity information across multiple parties.
Our next step is to fluidly operate our real-world devices, processes and systems concurrently with digital twins and approach the point at which digital twins will layer and build upon one another. This will enable us to create new processes and functions of every kind that start from a codebase and a keyboard.
Just remember, every part of our future, digitally-enabled life has an identity stamp, so don’t just be nice to everybody, be nice to everything.
The author is Nelson Petracek, global CTO at TIBCO.