Navigating Data Ecosystems: Innovations and Challenges in Identity Management and Security

17 April, 2024
Anni Karinsalo, VTT Technical Research Centre of Finland

Data ecosystems provide opportunities for new ways to communicate, exchange and store data.

However, a particular challenge is how to use identity or device data as effectively as possible
while preventing potential misuse. End users, data providers and interest groups need to trust
these systems before they will use them or contribute data. That trust rests on how compromises
are prevented and whether assurance of security can be demonstrated. Furthermore, privacy
matters are more topical than ever, centring on how to control and conceal any use and spread of
inessential identity information.

In order to respond to these challenges, novel technological innovations are revolutionizing the
way end-users and organizations share, store, and manage data. These innovations provide fair,
accountable, trustworthy, and sustainable ways to ensure data security and privacy. One such
framework is the Distributed Trust Management Framework developed in TANGO, which includes
several innovative components such as Self-Sovereign Identity, Seamless Onboarding, User
Behavioural Authentication, Device Behavioural Authentication and Side-Channel Attack
Hardening.

The Self-Sovereign Identity (SSI) component offers user-controlled identity management and
identity-verification functions. Its three subcomponents give end users a secure and private way
to share identity information with organizations while keeping control over their data. The first
subcomponent, the Identity Wallet, acts as the person's credential manager and lets the end user
present proof of identity in the form of Verifiable Credentials. These Verifiable Credentials,
which carry claims or attributes about the user, are issued in TANGO by the second
subcomponent, the SSI Agent; in SSI terms the SSI Agent acts as both Issuer and Verifier of
identity. For enhanced user privacy, the third subcomponent uses distributed privacy-preserving
Attribute-Based Credentials (dp-ABC), which let the user minimize, and in some cases conceal,
identity data by means of Zero-Knowledge Proofs, for example proving that an attribute satisfies a
predicate without revealing the attribute itself.
 

Seamless Onboarding is another component in TANGO; it enables strong identity verification at a
High Level of Assurance. End users are given a way to onboard their identity remotely using an
existing identity document, with techniques such as Optical Character Recognition and
facial-feature validation. More precisely, this component, in co-operation with the SSI
component, lets end users turn their physical identity document into Verifiable Credentials.
During the process, security measures such as liveness detection and face matching are applied
to mitigate presentation attacks and other attempts to falsify the user's identity.
 

Once the end user has completed the onboarding process, the captured information is
cross-checked for inconsistencies; if the checks pass, the data is sent to the SSI component,
where the Issuer side generates the Verifiable Credential.

User Behavioural Authentication is a component that offers continuous authentication based on
behavioural traits of the user. The process is user friendly because no explicit user input is
required. The component learns and analyzes several of the user's behavioural patterns over
time, integrates these observations to establish the user's identity, and then continuously
re-assesses the user while a particular online service is being accessed. To build the
behavioural profile, it draws on biometric, human, device and transactional behavioural patterns,
which together give a more robust identification of individuals than any single signal.
 

The Device Behavioural Authentication component continuously assesses and confirms a device's
identity while the device is in operation. The mechanism works in real time and relies on a risk
assessment engine that performs continuous data processing and analysis, confirming the
device's authentication throughout its operating time. This gives organizations a secure way to
continuously assess the authenticity of the devices accessing their infrastructure and data, and it
complements User Behavioural Authentication.

The Side-Channel Attack Hardening component targets side-channel attacks, which are a threat
especially to embedded systems and IoT device environments. In essence, side-channel attacks
exploit the dependence of physical quantities, such as electromagnetic emissions or power
consumption, on the internal activity of a chip; from those measurements an attacker can recover
secret data such as cryptographic keys. The component's work focuses mainly on hiding
countermeasures, which make the leakage harder to exploit rather than removing its dependence
on the secret as masking does.

In particular, the component focuses on the code polymorphism countermeasure, which regenerates
functionally equivalent but differently shaped machine code at run time so that successive
executions do not leak in the same way, and aims to raise the security level by improving that
countermeasure and combining it with other countermeasures.

In conclusion, TANGO enriches the data ecosystem space with technological components,
Self-Sovereign Identity, Seamless Onboarding, User Behavioural Authentication, Device
Behavioural Authentication and Side-Channel Attack Hardening, that bring fairness,
accountability, trustworthiness and sustainability to the way end users and organizations share,
store and manage data. These components answer the growing demand for identity-data privacy
by ensuring that end users' security and privacy are not compromised when they share identity
information, and that they keep control over their data. They also build trust and protect data
security and privacy through continuous assessment and identification of user and device
identities.