Securing and Governing the Digital Double – Path to a Trusted Digital Ecosystem
- Asanka Abeysinghe
- CTO - WSO2
- 17 Apr, 2023
First published on Enterprise Viewpoint.
Many of us now take our daily digital experiences for granted, whether it’s making a purchase, taking an exercise class, playing a game, or checking our bank accounts. Moreover, the lines between the physical and digital worlds have become increasingly blurred, and few people think twice about using mobile tickets to attend an event or checking a digital watch to track a workout. However, security has not kept pace with the demands of today’s digital ecosystems.
To modernize our approach, we need to first recognize the need for a “digital double” for each person that represents both physical and digital assets, such as the people, places, and things in digital ecosystems. I first introduced this concept in a 2016 keynote and more recently defined it in an article titled “Creating a seamless access experience with the digital double”
Because the digital double holds a rich set of information and takes actions on behalf of the owner, securing and governing it is a must. The good news is that we don’t have to reinvent the wheel. We can start by sticking to four security principles: privacy, trust, confidentiality, and security controls. However, from there, we need to address six new avenues to achieve the security and governance criteria required for protecting and managing a digital double.
Security by design
Digital doubles and the attributes associated with each are maintained in various forms of persistent storage and transferred across the network using communication channels. Therefore, the four security principles need to be considered during design time. Additionally, domain-driven design (DDD) is an excellent framework for considering the ownership of each digital double and how it associates with a domain. This approach helps build a decentralized identity runtime, which we will discuss later. Application and security architects can use a DDD-friendly, decentralized emerging architecture style, such as Cell-based Architecture (CBA) to implement security by design decisions.
The creation and access of a digital double is handled by using application programming interfaces (APIs) in a digital ecosystem. Hence, having an API-first architecture associated with an advanced security model is critical. In such a model, the API gateway acts as a policy execution point (PEP) that connects to a policy decision point (PDP), which in turn is associated with many policy information points (PIPs) and a policy administration point (PAP). APIs provide multi-level security control using access tokens and scopes. Role-based access control (RBAC) brings additional security by controlling the discovery and ability to subscribe and consume various APIs, including REST, asynchronous, event-driven, and query-based.
Traditionally, identity and governance were a centralized operation. However, modern cloud native and microservice architecture styles along with domain-driven design have pushed identity to a decentralized position. As a result, it is important to consider concepts like identity fabric, identity mesh, and decentralized identifiers (DIDs) to govern decentralized digital double representations. With a decentralized model, extending the security and governance managed by the center of excellence (COE) out to a developer-first practice is critical to protecting and managing the digital double. When developers apply and associate the organization’s security standards during development and testing, it ensures that compliance is maintained, so teams can avoid any surprises in the delivery process.
As people engage more in the digital world, they expect to have control over access to their data. Increasingly, governments are establishing regulations that put this power into consumers’ hands. But even without mandates, businesses need to give customers greater control over their data to maintain trust and loyalty. Therefore, ownership of identity needs to move from the identity provider (geocentric) to the individual (heliocentric). This model helps to properly manage consent by considering the various attributes associated with each digital double.
Platform and zero trust
Providing a zero-trust environment through a development, delivery, and runtime platform, such as an internal developer platform (IDevP), helps tighten the digital double’s end-to-end security and governance. These platforms also offer application, communication, data, and infrastructure security as part of zero trust. Therefore, developers can utilize the platform services and incorporate security into the digital double, while administrators can enforce security and governance policies through the platform.
Observability and business analytics
By nature, a digital double travels in the digital ecosystem. Therefore, securing and governing it in the runtime is essential. By enabling observability and business analytics in the runtime environment, organizations can identify the different behaviors of the digital double and inform stakeholders by displaying them in dashboards and broadcasting notifications in real time. Furthermore, observability and analytical data can feed into machine learning (ML) and artificial intelligence (AI) models to obtain predictive information about the possible future behavior of a digital double.
As more people engage in digital ecosystems, the digital double serves to provide a rich set of information and take actions on behalf of the owner. Therefore, it is critical to secure and govern these digital doubles. To do so, organizations need to build on the foundation set by the four security principles of privacy, trust, confidentiality, and security controls. This includes adopting modern design patterns and architectural styles, as well as support structures, such as development and runtime platforms, observability, and analytical engines, to facilitate the implementation of required security and governance standards. Taking these steps to secure and govern the digital double not only addresses today’s gaps in security and governance; it also creates the foundation to step into the metaverse and web 3.0.