The IDSA Working Group Certification has developed the IDS Certification Scheme, which defines three different security and assurance levels for IDS components and operational environments, as well as the requirements to be implemented for each security level. The IDS_ready evaluation prepares companies for the certification process and gives them an opportunity to have their products pre-evaluated as “IDS_ready” until the certification becomes available at the end of 2021.
We talked to Monika Huber, a research associate at Fraunhofer AISEC and head of the Working Group Certification, and Nadja Menz, group leader in the Digital Public Services business unit of Fraunhofer FOKUS, about the certification process and the IDS-ready assessment.
Why should a company apply for the “IDS_ready” label?
Nadja Menz: The main goal of the IDS Working Group Certification is to build up trust in IDS, in the underlying technologies, and in the companies involved in this endeavor. Together with these companies, the working group is continuously working on developing and detailing the certification scheme. Its official precursor, the IDS-ready label, however, is an excellent opportunity to actively prepare for IDS certification – not just in regard to the criteria to meet, but also regarding the entire certification process.
In connection with IDS-ready, we assess a developer’s connector implementation concept in order to verify that the concept meets all IDS certification requirements for this component type (e.g. Connector) and the selected security level (e.g. Trust). For the applicant, this means that they must develop an implementation concept in line with the IDS certification criteria, so that they can see what technical requirements their connector must live up to, and to what extent it does so already.
Does the IDS-ready label apply to connectors only or to other IDS components as well?
Monika Huber: IDS-ready is not limited to certification for components. The label can also be granted to companies with regard to their operational environment. In terms of components, we cover connectors as well as IDS Meta Data Brokers, for which we have already defined a criteria catalog that can be used as the baseline for IDS-ready assessments of Broker components. For other components, we have not specified any evaluation criteria yet, but are actively working on this.
The next big step will be the go-live of the IDS Certification, which you expect to be available at the end of this year. Will this certification process be applicable to all IDS components then?
Monika Huber: Certification of components will be made available on a step-by-step basis, simply because evaluation criteria have yet to be specified for some components. We do have the criteria catalogs ready for Connectors and Brokers but are still developing and discussing the test specifications defining exactly how components are to be evaluated against these criteria. Framing these specifications is very time-consuming but essential in order to make certification comparable across different evaluation facilities. However, the target view is to have a certification available for all components in the IDS with the different security and assurance levels defined.
Meanwhile, five connectors have been awarded the IDS-ready label – T-Systems’ DIH connector, the German Edge Cloud’s TSC, the DSC from Fraunhofer ISST, the Connector@SIM50FX from SICK and Fraunhofer AISEC’s Trusted Connector. Why has striving for the label become so popular lately?
Nadja Menz: The IDS working groups Certification and Architecture play an important role here. A lot of companies and organizations have joined these groups over the course of the last year. They all contributed to the IDS and many actively work on adopting the IDS. The working groups are the places to be. They have their fingers on the pulse of business and technological innovation. Here you can find the experts knowing how to translate the idea of IDS into daily practice.
Another important aspect is the fact that receiving the IDS-ready label is much easier and faster for companies to accomplish than what will be required to ultimately become IDS-certified. Nevertheless, they need to develop an implementation concept and take part in expert workshops. Companies are willing to do so only if they expect to gain a significant benefit from all these efforts. And they are encouraged by the numerous activities taking place around IDS in the past year, showing them that now is the time to become part of this exciting initiative. Many have recognized that it is important to get into a good position now in order to be successfully certified further down the road.
How much effort is it to develop a connector or other IDS component until it is ready for IDS?
Monika Huber: That depends on the resources a company makes available for developing the component and on the basis they can build on. In many cases an IDS connector is based on a complex software stack, and developers have to understand and integrate the functional requirements with regard to their infrastructure and the different kinds of services that allow data to be processed according to the expectations. While many requirements are based on best practices, their correct implementation needs to be ensured, and interoperability with other IDS components is essential.
The source codes of the two IDS-ready connectors developed by Fraunhofer ISST and Fraunhofer AISEC are Open Source. Is this helpful for companies thinking about developing an IDS compliant connector?
Monika Huber: That’s right. Fraunhofer ISST’s Data Space Connector and Fraunhofer AISEC’s Trusted Connector are two open-source implementations. It should be noted, however, that both implementations do not completely cover all criteria yet. IDS-ready is defined as an evaluation of documentation and concepts, assessing whether the intended implementation concept generally meets the evaluation criteria specified. That does not mean that the concept must be fully implemented at the time the label is awarded. Still, companies thinking about developing an IDS compliant component can definitely benefit from Fraunhofer’s implementations by viewing the latest version of the source code, using that source code under consideration of the applicable licensing terms, and building their own connector based on it.
IDS components can be certified according to different security levels. Can you explain the difference between the various levels?
Nadja Menz: We distinguish between three security levels: the Base Profile, the Trust Profile, and the Trust Plus Profile. The Base Profile defines core security requirements for a connector to meet, such as secure data sharing and exchange between connectors. It gives component developers a first impression of what IDS is all about.
Monika Huber: The Base Profile also requires data owners and data providers to support attaching data usage policy information to the data to be exchanged, to transmit this information to potential data users, and to communicate about it. To technically implement the application of a data usage policy, however, a higher Security Profile (Trust or Trust+ Profile) is required. Here the difference is that a Trust+ Profile must also ensure protection from a malicious administrator, while a Trust Profile only needs to prevent accidental misuse of the component. In general, to accomplish policy enforcement, appropriate security mechanisms must be in place with regard to the platform and the connector, respectively.
The Base Connector is ideal for easy and quick access to the IDS ecosystem, as the security criteria applicable to it are rather moderate compared to the other security levels. At the same time, the Base Connector is suitable for use cases involving non-sensitive data. The Open Data Connector, for example, allows making publicly accessible data available in IDS. In the case of sensitive business data, which may only be shared with certain partners and against a fee, a Trusted or even Trust+ Connector is recommended, as the data owner or data provider must be able to rely on a data consumer truly adhering to the agreed data usage policies specified beforehand.
Thank you very much for the interview.
The open-source connectors are available on GitHub: https://github.com/International-Data-Spaces-Association/IDS-G