Product Security

Security by Design

As a core technology enabling secure, selective data sharing across organisational boundaries, IOTICSpace's unique and patented architecture has been designed with security at its heart.

Every IOTICSpace is architected as a single-tenanted, decentralised application which can be hosted by IOTICS in our managed environment, or deployed anywhere within your own on-prem, public cloud, or sovereign cloud infrastructure.


Hosted IOTICSpace

If you choose to have IOTICS host your IOTICSpace(s) in our managed environment, it will be deployed as a single-tenanted application with physical separation from any other customers' IOTICSpaces. Unlike typical SaaS platforms, your IOTICSpace will not share compute or storage with other IOTICSpaces, which is essential to ensure you retain sovereignty of your data.

Our managed environment is built on AWS and has achieved AWS Well-Architected Framework status.

We provide a backup and restore capability for disaster recovery purposes.


On-prem

Hosting your IOTICSpace(s) within your own infrastructure provides you with the most secure solution possible compared with any modern data sharing architecture.

Aside from trusting that IOTICS' software works as described, you do not have to trust IOTICS at all.

Data you publish or subscribe to will never pass through our systems and we have no means to access your information.

This deployment provides sensitive industries such as utilities, health and defence with the most secure and self-sovereign interoperability capability in the world today.


Observability

Hosted in IOTICS' managed environment, your IOTICSpace(s) is continuously and securely monitored for system health. Our autonomous infrastructure can usually detect, alert and allow us to mitigate issues before they impact customer workloads.

If you choose to host your IOTICSpace(s) in your own infrastructure, the same monitoring hooks used by our own infrastructure are exposed so that you can connect your own monitoring and alerting solutions.


Data

Data Storage
Data (as opposed to metadata) is never stored in IOTICSpace.
Data is streamed only when an interested and permitted consumer registers an interest.

Sovereignty
Retain control of your own data, choosing who to share it with, and in what context.
You are empowered to validate provenance, quality and integrity according to your own policies.

Asset Access
No direct connectivity to real-world assets due to virtualisation of assets and symmetric interactions, vastly reducing cyber attack surface area and impact.

Access Controls
Highly granular, programmatic and selective approach to sharing asset data.
Share only what is necessary, when it is necessary, in line with information governance policies.

Identity
Sovereign identity is mapped to ownership of a private key, based on the W3C DID standard.
Secure elliptic curve cryptography (ECC) for generating unique and tamper-proof identities.


Network and Infrastructure

Security Boundaries
IOTICSpace natively provides the means for multiple, scalable security boundaries.

Interfaces
IOTICS’ symmetrical server-server model ensures that the application interface is isolated from the network interface, which is not accessible and is protected separately.
Data is encrypted using TLS 1.3.

Trust
No central entity is needed to mediate interactions between you and your cooperating organisations, enhancing security and eliminating single points of failure.
Secure delegation model for authentication and authorisation.

Interactions
Symmetric server-server architecture enforces that only virtual assets may interact with other virtual assets.
Elevation of privileges is not possible as any actor must first virtualise themselves with an identity.


Application

Enterprise Security Boundary
Connectors reside inside the enterprise firewall and leverage existing CI/CD and deployment processes. Intellectual property such as business logic and AI models stays inside the enterprise firewall, while the data sharing logic is managed securely by IOTICSpace.

Data Sharing
Share what’s needed, when it’s needed. Codify business/use case context for transient, context-based selective sharing across organisational boundaries.

Information Sharing
Share processed and/or synthesised data when raw data isn’t appropriate, using the same interface.

Compute to Data
When data can’t be shared, share the process instead, leveraging IOTICS’ sovereign data access and secure symmetric interactions.