Operational security

Operational security is critical to ongoing protection. Access controls and permissions are vital for restricting employee access to sensitive resources. Regular access reviews and audit trails ensure accountability and security maintenance.

No manual editing possible in Association Register

An Association Register is a core part of automated trust assessment. This requires both:

  • Rigorous design and testing for IT-security weaknesses (cryptographic libraries, protocols, pentesting, supply chain attacks etc.)

  • An operational security process that minimizes the risk of humans being used as an attack vector (social engineering, pressure) to compromise the integrity of the register

The human attack vector is considered to be the most risky: onboarding should therefore be a one-way automated process in three separate steps (see also onboarding T&Cs Association articles):

  • Collecting information (automated and/or manual)

  • Verifying the information and testing the trust chain (automated)

  • Committing to the register (manual action by functionary)

Modification of information should only be possible by deleting or deprecating information, followed by a new onboarding process.

Roles and access

Define roles for actors and restrict access to relevant actions or endpoints based on these roles. This ensures that users only have access to the functionalities necessary for their roles, reducing the risk of unauthorized access.
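The one-way onboarding flow and the role restrictions described above, as an added example (this is illustration code written for this page, not BDI's own register implementation). The three roles, the record fields, the issuer allow-list used as a stand-in for the trust-chain test, and the hash-chained log are all assumptions made for the demo. The point it shows: there is no edit endpoint at all, each step is bound to one role, every attempt lands in the audit trail, and the only way to change a party's data is to deprecate the record and run a fresh onboarding.

```python
"""Append-only Association Register with a one-way, three-step onboarding flow
(collect -> verify -> commit) and role-restricted actions.

Added illustration, not BDI's own code. Roles, record fields, the issuer
allow-list and the hash-chained log are assumptions made for this demo."""
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import json


class Role(Enum):
    INTAKE = "intake"              # collects information only
    VERIFIER = "verifier"          # automated verification service
    FUNCTIONARY = "functionary"    # the only role allowed to commit or deprecate


class Stage(Enum):
    COLLECTED = "collected"
    VERIFIED = "verified"
    COMMITTED = "committed"
    DEPRECATED = "deprecated"


TRUSTED_ISSUERS = {"example-root-ca"}   # constructed trust anchor for the demo


@dataclass
class Onboarding:
    party_id: str
    info: dict
    stage: Stage = Stage.COLLECTED


@dataclass
class Register:
    """Hash-chained, append-only log. Deliberately no update method: the only
    way to change a party's data is deprecate + new onboarding."""
    log: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def _require(self, actor: str, role: Role, allowed: Role, action: str) -> None:
        # Every attempt, permitted or not, is written to the audit trail first.
        self.audit.append((actor, role.value, action, role is allowed))
        if role is not allowed:
            raise PermissionError(f"{role.value} may not {action}")

    def _append(self, stage: Stage, party_id: str, info: dict) -> str:
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        body = json.dumps({"stage": stage.value, "party": party_id, "info": info,
                           "prev": prev}, sort_keys=True)
        entry_hash = hashlib.sha256(body.encode()).hexdigest()
        self.log.append({"stage": stage.value, "party": party_id, "info": info,
                         "prev": prev, "hash": entry_hash})
        return entry_hash

    def active(self, party_id: str):
        """Latest committed record for a party, or None if absent or deprecated."""
        for entry in reversed(self.log):
            if entry["party"] == party_id:
                return entry if entry["stage"] == Stage.COMMITTED.value else None
        return None

    # Step 1: collect information (manual and/or automated intake)
    def collect(self, actor, role, party_id, info) -> Onboarding:
        self._require(actor, role, Role.INTAKE, "collect")
        return Onboarding(party_id, dict(info))

    # Step 2: automated verification, including the trust-chain test
    def verify(self, actor, role, ob: Onboarding) -> Onboarding:
        self._require(actor, role, Role.VERIFIER, "verify")
        if ob.stage is not Stage.COLLECTED:
            raise ValueError("verify must directly follow collect")
        if ob.info.get("issuer") not in TRUSTED_ISSUERS:
            raise ValueError("trust chain check failed")
        ob.stage = Stage.VERIFIED
        return ob

    # Step 3: manual commit by a functionary; only verified data can be committed
    def commit(self, actor, role, ob: Onboarding) -> str:
        self._require(actor, role, Role.FUNCTIONARY, "commit")
        if ob.stage is not Stage.VERIFIED:
            raise ValueError("commit requires a verified onboarding")
        if self.active(ob.party_id) is not None:
            raise ValueError("party already registered: deprecate, then re-onboard")
        ob.stage = Stage.COMMITTED
        return self._append(Stage.COMMITTED, ob.party_id, ob.info)

    def deprecate(self, actor, role, party_id) -> str:
        self._require(actor, role, Role.FUNCTIONARY, "deprecate")
        if self.active(party_id) is None:
            raise ValueError("no active record to deprecate")
        return self._append(Stage.DEPRECATED, party_id, {})

    def chain_intact(self) -> bool:
        """Recompute every hash; any edit of a past entry breaks the chain."""
        prev = "0" * 64
        for e in self.log:
            body = json.dumps({"stage": e["stage"], "party": e["party"],
                               "info": e["info"], "prev": prev}, sort_keys=True)
            if e["prev"] != prev or hashlib.sha256(body.encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> Register:
    """Run one full onboarding with constructed party data."""
    reg = Register()
    ob = reg.collect("intake-bot", Role.INTAKE, "party-42",
                     {"name": "Acme Logistics", "issuer": "example-root-ca"})
    reg.verify("verifier-svc", Role.VERIFIER, ob)
    reg.commit("alice", Role.FUNCTIONARY, ob)
    return reg
```

Each step refuses to run out of order (commit checks that verification happened, verification checks that the record is fresh from intake), so a functionary cannot be pressured into committing data that skipped the automated check, and an intake operator cannot commit at all. The `chain_intact` check is what an audit would run to confirm that nothing in the log was edited after the fact.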

Security Testing

Security testing involves systematic (and automatic) assessments to uncover vulnerabilities. This includes penetration testing, vulnerability scanning, and code reviews. Integrating security testing into the development lifecycle is critical for identifying and rectifying security weaknesses.

Keep components up-to-date

For this process it is helpful to have an inventory of all software (and software dependencies), often referred to as a Software Bill of Materials (SBOM). This could be integrated in the CI/CD pipeline.

Development and operations should have processes in place to keep the system's dependencies up to date and to make sure dependencies are still supported by the vendor. CVEs should be monitored for issues and workarounds.

The development cycle should make it possible to release bugfixes and security-fixes on a fast schedule.

Backups

Backups to recover from crashes and/or data loss must be in place. Access to backups must be restricted to the CISO.

Last updated 7 months ago