Tools and Collaborations Developed During the Project

TL;DR:
This is the second of a two-part article detailing the achievement of the IOTA Foundation in the ENSURESEC project. We created a solution for securing data exchanged in the e-commerce ecosystem. This solution builds on two new DLT-based microservices: the Audit Trail Gateway and the Self-Sovereign Identity Bridge. These services, along with other learnings and software assets developed for the project, will be made available to the IOTA ecosystem and paves the way for future contributions we can make to the development of blockchain in both an EU and enterprise context.

In the first part of this article, we summed up the recently-completed ENSURESEC project to safeguard the EU’s digital single market’s e-commerce ecosystem and why IOTA’s distributed ledger technology (DLT) can play a role in e-commerce cybersecurity.

So, what did we build in the ENSURESEC project?

Based on the project’s requirements, the IOTA team designed and developed two DLT-based services, the Audit Trail Gateway (GW) and the Self-Sovereign Identity (SSI) Bridge.

The first service leverages the power of IOTA Streams to share immutable data, while the second offers integration with IOTA Identities to allow people, organizations, and devices to create unique decentralized digital identities and to be issued with verifiable credentials.

Decentralized identities are highly useful authentication and authorization tools for the e-commerce ecosystem. This is because the ecosystem itself is made up of several small and large organizations, and connecting them with a decentralized identity management tool allows trust to be established between parties without the need for identifying pre-defined information stores (such as databases) that can become an additional threat to infrastructure security.

In ENSURESEC, tools and their organization are assigned with several verifiable credentials (VCs) using the SSI Bridge, while tools share data using the Audit Trail GW. Each piece of data is annotated with its source decentralized identifier (DID). The SSI Bridge authenticates and authorizes data-reading tools by using their VCs.

The security of the two developed microservices was reviewed by SearchLab, a partner in the ENSURESEC consortium. Privacy and GDPR compliance (i.e., in handling the personal data of off-chain users) were assessed by KU Leuven ​​research university.

The IOTA Foundation supported the deployment of the microservices in the ENSURESEC infrastructure and oversaw integration with other partner tools for demonstration in three pilot cases. Similar to the scenario described above, most of the pilot cases focused on B2B scenarios in which IOTA services were utilized by other tools to securely share e-commerce information and trigger alarms from verifiable sources.

During the project, we also demonstrated the alignment between our services and the EU’s upcoming eIDAS SSI bridge and European Digital Identity wallet. Working directly with CaixaBank and ABI Lab (Association of Italian Banks) we explored the impact that decentralized digital identities can have on securing e-commerce transactions.

As part of this exploration, we developed an age verification solution based on DIDs and VCs. Bank customers import their verified data (from the bank KYC) to their credential wallets. These credentials can be presented to e-commerce shops. This enables shops to sell products to the right customers while avoiding having to collect personal data, which requires strict security and privacy standards to be managed. You can try our demo here and check out the explanation video embedded below.

The solution paves the way for a future where e-commerce transactions are more trustworthy and don’t require tedious login processes to prove a customer is who they claim to be.

The demo was presented during the final project review and was positively acknowledged in the official review report. In particular, the scenario (Pilot 3 – Scenario 2b – IOTA/eIDAS) in which IOTA's immutable decentralized audit trail was deployed and used for assessing and enforcing the authentication mechanism between the customer, the e-commerce retailer, and the bank caught the attention of the reviewers.

It is also worth mentioning that the development of the SSI Bridge was not initially part of the original project requirements, which focused on the use of IOTA Streams to guarantee data immutability. However, it became clear to us that immutability on its own isn’t enough to guarantee full and trustless data auditability –  trust in a central authority also has to be established. For this reason, the use of IOTA Identities was explored to create a full and auditable provenance of shared data. We believe that our approach to the delivery phase of ENSURESEC went above and beyond what was originally envisaged. This belief is backed up by the positive project review.

Spreading the word

During the development phase, we continually promoted IOTA’s work on ENSURESEC. These included conferences, podcasts, and an article in the UK’s Telegraph newspaper. A non-exhaustive list of dissemination activities is below:

Beyond ENSURESEC

Not only does the participation of the IOTA Foundation in ENSURESEC end with a positive evaluation from the EU Commission, which helps us build trust in similar initiatives in the future, but it also leaves the IOTA ecosystem with a set of useful tools and services that should reduce development time for anyone building IOTA-based solutions not only in e-commerce but other vertical domains.

An example of the reusability we strive for is the fact that we used the same frameworks and interfaces to build and integrate third-party Digital Product Passport solutions, like the one created with our partner eReuse for the European Blockchain Services Infrastructure.

In addition to the above use cases, some of the core developments of our Cloud Integration Services will be used in the IOTA Foundation’s various spin-off activities (developing them with public funding has reduced the Foundation’s risks). These spin-offs will also leverage some of the major learnings derived from working with enterprises, especially those focused on cybersecurity for critical infrastructures. These learnings include: 1) a distributed single point of access to a decentralized infrastructure is preferred from a security and integration point of view; 2) a hybrid ledger infrastructure made of permissionless and permissioned networks allows us to deal better with GDPR compliance.

Our work for ENSURESEC has paved the way for the future adoption of IOTA Identity, particularly concerning the EU DI Wallet initiative and its relevance for EBSI and eIDAS. We will continue to explore this space through our partnership with CaixaBank and ABI Lab. The software assets developed in ENSURESEC will continue to evolve in projects like SECANT, Dig_it, and ORCHESTRA. Stay tuned for more news on that front. If you would like to discuss any of these projects or use the tools, please contact us through our Discord channel.


Links in this article


Follow us on our official channels for the latest updates:
IOTA: Discord | Twitter | LinkedIn | Instagram | YouTube

Follow us on our official channels for the latest updates:
Discord | Twitter | LinkedIn | Instagram | YouTube | CoinMarketCap

Tags

Michele Nati

Head of Telco & Infrastructure Development @IOTA Foundation, PhD in Computer Science, Data and Digital trust expert, Internet of Things researcher. Leader for IF engagement with TMForum. Runner.