Identity standards needed in the age of digital twins

Tibco Software Australia Pty Ltd

By Nelson Petracek, CTO
Thursday, 07 July, 2022


Today, identification is required to engage in society. Many activities require proof of an individual’s identity in the form of driver’s licences, passports or credit cards and, as more contact occurs online, the need for universally recognised and secure digital identities has grown.

In 2015, the Australian Government took its first steps in developing a digital identity system after a financial inquiry highlighted the economic benefits of such an approach. It was estimated a whole-of-economy digital identity system had the potential to save up to $11 billion in economy-wide costs of verifying identities.

As a result, the Digital Transformation Agency (DTA) developed the Trusted Digital Identity Framework (TDIF), outlining strict rules and standards to be applied to all providers and services within Australia’s digital identity system. To implement the framework, the government developed the Australian Government Digital Identity System, which is now widely used by individuals to access government services.

Non-government organisations can seek accreditation under the TDIF, but legislation is required to enable them to provide digital identity services within the Digital Identity System. That legislation was drafted as the Trusted Digital Identity Bill 2021, with an exposure draft released in October 2021.

‘Things’ need a digital identity

People, however, are not the only entities requiring strong identity. The Internet of Things (IoT) — which represents the billions of worldwide physical devices collecting and sharing data via the internet — is based on interactions between ‘things’, not humans, making it critical that the identification of ‘things’ is also established and verified.

Augmenting the value of these physical devices is the use of IoT with digital twin technology. This combination is becoming increasingly important, especially as organisations seek to improve their ability to model and interact with digital representations of real-world entities. This is because most of the data that drives these twins — especially real-time twins — comes from the IoT. But with this comes many challenges. For example, since a digital twin is a digital representation of a real-world system, an online entity masquerading as a valid digital twin could wreak havoc with its paired real-world system. This is an issue to be observed and managed, and highlights the need for a strong digital identity system.

Australia’s current status

So where is Australia when it comes to this technology? Digital twins are definitely making inroads, but the development of a parallel digital identity system seems to be lacking.

For example, in December 2019 the Australian and New Zealand Land Information Council (ANZLIC) released Principles for Spatially Enabled Digital Twins of the Built and Natural Environment in Australia. This document outlines the vision of a federated ecosystem of securely connected digital twins and demonstrates their value to the Australian economy. It states there will be a need for “agreed approaches for authentication of user identity and role” but makes no mention of digital identity.

In addition, in December 2021 the NSW Government announced it would spend $40m to develop a digital twin of the entire state, bringing together “data sources from across government including spatial, natural resources and planning, and integrate[d] … with real-time feeds from sensors to provide insights for planners, designers, and decision-makers across industry and government.”

Ultimately this will allow stakeholders to visualise a development digitally before it is physically built, making it easier to plan and predict outcomes of infrastructure projects, right down to viewing how shadows fall, or how much traffic is in an area. However, the project still does not incorporate a digital identity system.

These examples demonstrate that more work needs to be done in this area. A digital twin is a digital entity in its own right and, to be trusted, a robust digital identity is required. Also, a digital twin does not operate independently. Instead, it often relies on dozens or even thousands of IoT devices: sensors that convey the real-world information needed to create the digital twin and emulate the real world. A digital identity that represents a digital twin will be meaningless unless every one of the inputs used in its execution can also be trusted.

Digital identity standards needed

Achieving trusted digital identity, whether for humans or ‘things’, is not easy. In IoT, there are no universally accepted standards for identity, credential and access management (ICAM), and the plethora of proprietary interfaces makes interoperability challenging. This is especially true in large, complex environments with many different types of IoT devices.

Compounding this problem is the increasing ‘smartness’ of many IoT devices. Today’s devices contain high levels of processing power and functionality, which means a rogue smart device can create more havoc than the ‘less smart’ devices of the past.

In addition, as the use of digital twins grows, they will require data about people as well as ‘things’ and systems. A digital twin in health care, for example, is likely to incorporate sensitive personal data, increasing the need for trusted and highly secure digital identities. Trusted identity is key to acceptance of a digital twin and its use in a live environment.

SSI and the trust triangle

One possible approach to the problem of digital twin identity involves the application of self-sovereign identity (SSI) principles. SSI is a specific form of digital identity focused on ‘people’ — but elements of SSI can also be applied to ‘things’.

With SSI, the individual (not a third party) is in control of their identity, and identity interactions occur between various roles in a ‘trust triangle’: issuer, holder, and verifier. In the case of an individual, the issuer could, for example, be a trusted third party issuing driving licences, the holder the licensed individual, and the verifier an entity that requires proof of identity before providing a good or service.

Parallels exist with digital identities for things. The roles in the trust triangle apply, although with a focus on verified manufacturing credentials, device wallets, cryptographic anchors, and other mechanisms for ensuring device identity. And, as digital systems become more autonomous and things interact without human intervention, it follows that multiple things must be able to exchange trusted and verified digital identity information autonomously and under their own control, a function similar to that described by self-sovereign identity concepts.
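
The trust triangle applied to a device feeding a digital twin, as an added example that is not part of the original article: a manufacturer (issuer) signs a credential binding a device ID to the device's public key, the device (holder) signs each reading, and the twin (verifier) checks both. The issuer name, device ID, field names and function names are hypothetical, and Ed25519 through Node.js's built-in crypto module is an assumed choice.

```javascript
const crypto = require('crypto');

// Canonical bytes for signing: flat objects only, keys sorted so both sides serialise alike.
const canon = (obj) => Buffer.from(JSON.stringify(obj, Object.keys(obj).sort()));
const sign = (obj, key) => crypto.sign(null, canon(obj), key).toString('base64');
const verify = (obj, sig, key) => crypto.verify(null, canon(obj), key, Buffer.from(sig, 'base64'));

// Issuer (hypothetical manufacturer): binds a device ID to the device's public key.
function issueCredential(issuer, issuerPrivateKey, deviceId, devicePublicKey) {
  const claims = { issuer, deviceId, devicePublicKey: devicePublicKey.export({ type: 'spki', format: 'pem' }) };
  return { claims, proof: sign(claims, issuerPrivateKey) };
}

// Holder (the device): presents its credential and signs each reading with its own key.
function signReading(credential, devicePrivateKey, reading) {
  return { credential, reading, proof: sign(reading, devicePrivateKey) };
}

// Verifier (the digital twin): accepts a reading only if the credential was signed by a
// trusted issuer and the reading was signed by the key that credential names.
function verifyReading(msg, trustedIssuers) {
  const { claims, proof } = msg.credential;
  const issuerKey = trustedIssuers.get(claims.issuer);
  if (!issuerKey) return 'untrusted-issuer';
  if (!verify(claims, proof, issuerKey)) return 'bad-credential';
  if (msg.reading.deviceId !== claims.deviceId) return 'device-mismatch';
  const deviceKey = crypto.createPublicKey(claims.devicePublicKey);
  return verify(msg.reading, msg.proof, deviceKey) ? 'accepted' : 'bad-reading-signature';
}

// Constructed scenario: a genuine sensor and two attempts to masquerade as it.
function demo() {
  const maker = crypto.generateKeyPairSync('ed25519');
  const sensor = crypto.generateKeyPairSync('ed25519');
  const rogue = crypto.generateKeyPairSync('ed25519');
  const trusted = new Map([['example-manufacturer', maker.publicKey]]);
  const cred = issueCredential('example-manufacturer', maker.privateKey, 'sensor-001', sensor.publicKey);
  const genuine = signReading(cred, sensor.privateKey, { deviceId: 'sensor-001', seq: 1, tempC: 21.5 });
  // Copied credential, but the reading is signed with a key the credential does not name.
  const masquerade = signReading(cred, rogue.privateKey, { deviceId: 'sensor-001', seq: 2, tempC: 90 });
  // Self-issued credential claiming the manufacturer's name, signed with the wrong issuer key.
  const selfCred = issueCredential('example-manufacturer', rogue.privateKey, 'sensor-001', rogue.publicKey);
  const forged = signReading(selfCred, rogue.privateKey, { deviceId: 'sensor-001', seq: 3, tempC: 90 });
  return [genuine, masquerade, forged].map((m) => verifyReading(m, trusted));
}

console.log(demo());
```

Revocation of issued credentials and replay protection for readings are not covered by this block.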

To create secure and trusted digital twins, various best practices are needed, including: not relying on a single, external third party to control the entire identity process; eliminating or reducing the ‘attack surface’, so that no single identity service can be targeted in an attack; and lastly, ensuring sources are verified and trusted so any supplied data is also trusted. In the long run, a system that incorporates these practices is more secure and trustworthy, leading to broader adoption and usage.

There is a path to operating devices, processes and systems concurrently with digital twins in a fluid and trustworthy manner, but until approaches to digital identity become clearer, this path is likely to be fairly rough. Solution building blocks powered by verified digital twins and devices enable the creation of trusted business processes, functions and data — powering systems capable of safely and securely exchanging information, and extracting the maximum value of IoT and digital twins for the enterprise.


  • All content Copyright © 2022 Westwick-Farrow Pty Ltd