Secure communication even over insecure networks.

Spectra is an Identity and Access Management (IAM) solution specially designed for machine-to-machine communication (M2M). Spectra implements FIDO2 standards for establishing the role of a Trusted Administrator who creates and manages perimeter-less applications involving an arbitrarily large number of devices communicating with other devices. Spectra is built upon the powerful combination of Authentication, Authorization, and Auditing, working together to ensure proper access to the right resources by suitable devices.

The Problem

In recent years, cybersecurity reports have revealed that most recorded malware attacks occurred over encrypted connections. The same reports show that 9 out of 10 malware attacks would go undetected if traffic over HTTPS were not examined at the perimeter. This indicates that security at the channel level cannot be the sole mitigation effort against malware.

One of the most severe types of malware is ransomware, malicious software that blocks access to data, servers, an entire network, or any other valuable resource until the victim pays the ransom. Unfortunately, ransomware attacks are on the rise. This attack has generated losses that surpassed 500 million dollars in the last couple of years alone. The total costs of ransomware are expected to exceed 20 billion dollars, with other projections reaching up to 6 trillion dollars in the mid-term.

The top reasons for ransomware attacks include:

  • Poor user practices
  • Weak passwords
  • Access management
  • The use of Open Remote Desktop Protocol (RDP)
  • Lost/stolen user credentials

The above issues point to faulty human behavior and a lack of proper policies, automation, and safeguards against compromising incidents. It is easy to see that a secure network alone won’t address the significant causes of malware attacks.

The Solution: spectra by Algemetric

The framework of policies and technology for authentication (verification of the identity of someone or something) and authorization (verification of access rights/privileges to some resource) is known as Identity and Access Management (IAM). There are at least two prominent identity and access management types: IAM for human-to-machine communication (H2M) and machine-to-machine communication (M2M).


Spectra is an efficient, flexible, and scalable IAM data-centric solution for M2M. Spectra operates the same way in various environments, from a private data center to the cloud, from resource-constrained devices to supercomputers.

How spectra Works

Spectra protects access to any resource on any given machine, including data in any shape or form, applications, services, etc. Machines typically communicate with a domain name or IP address associated with some port. M2M via Spectra is conducted through exchanges of digital authenticators in which information about machine identity and access privileges is specified. The Spectra API is invoked to verify the legitimacy of, and the constraints specified in, any given token. Depending on what the Spectra API sees in each digital authenticator (which is encrypted at all times and can only be decrypted by the Spectra API), it returns an answer to the target machine that, if the access request is legitimate, includes the attributes the target machine will use for authorization purposes.


All requests and responses between Spectra Dashboard, Spectra API, and Spectra SDK are encrypted at all times with ephemeral secret keys that are used only once.

Identity and access management

  • Spectra Dashboard: The “control room” where trusted administrators can create applications, define how many machines are in the scope of those applications, and the rules for those machines to communicate with each other.
  • Spectra API: The “brain” where the configurations defined in the Spectra Dashboard are processed and consolidated in the form of digital authenticators, namely Spectra tokens, which are then used between machines for data exchange. Spectra API does not store any information about these machines. Tokens are a form of signature of one machine’s identity and access privileges concerning one or more other machines according to constraints defined by administrators via Spectra Dashboard.
  • Spectra SDK: Each machine is equipped with the “tool belt” for efficient machine onboarding and properly communicating with other machines and with the Spectra API.
  • Data-centric: Spectra is a type of data-centric technology (DCT), a technology that is enabled via specialized treatments of data as a construction. For example, Spectra provides the Spectra Token. This digital authenticator can be described as a signature of a prior agreement that established machines’ identity and access privileges within a Spectra application. The Spectra token is encrypted with AES-GCM-256 for securely transmitting information about identity and access privileges between applications, services, and other accessible resources. Spectra provides a customized way to generate Spectra Tokens for M2M authentication and authorization, which can be programmed using custom parameters defined by the Trusted Administrator, allowing organizations to use Spectra as an efficient and flexible framework for IAM.
  • Infrastructure-agnostic: Spectra works in the cloud, corporate intranets, private networks, and open insecure WIFIs while offering the same functionalities, flexibility, and security. Onboardable devices can be personal computers, servers, terminals, IoT, and edge computing devices.
  • Least privilege: permissions associated with any given machine are limited to the minimum required to perform a particular task. This helps to decrease cybersecurity risks related to relaxed permission grants.
  • Separation of duties: a given task can be broken down into multiple sub-tasks, each of which is operated by different machines with different access privileges. Attackers must subvert various machines simultaneously to compromise a system that employs separation of duties, which happens with a probability much lower than subverting a single machine. The same protection goes against malfunction and any other type of non-malicious operational failure. It also protects against insider threats in case one machine is compromised.
  • Per-request authentication, authorization, and auditing: communication is always encrypted with ephemeral keys; authentication and authorization are performed before any attempt at communication between machines is made. No machine is trusted by default, and network and/or perimeter security is not considered for authentication and authorization purposes. Spectra always verifies that any given machine’s identity and access privileges are legitimate, still valid, and match the request being made towards any other machine. Every single request and response is tracked and can be monitored by the Trusted Administrator.
  • FIDO2: Spectra implements the FIDO2 specifications for secure multifactor authentication for H2M from the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and the FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP). FIDO2 is used to authenticate Trusted Administrators on Spectra Dashboard.
  • Application management: Trusted Administrators can create and manage an arbitrary number of applications on Spectra Dashboard. On Spectra Dashboard, Trusted Administrators can manage as many platform and external hardware authenticators as they want. Trusted Administrators can also manage API Keys and their permissions, access model controls, and customize Spectra Tokens, all of which will take place under the scope of each application.
  • Access control models management: With Spectra, Trusted Administrators can decide which access control model makes sense for each application. Spectra supports the following access control models: mandatory access control (MAC), discretionary access control (DAC), role-based access control (RBAC), and attribute-based access control (ABAC). Each of these access control models has its advantages and disadvantages. Therefore it is imperative that the Trusted Administrator can choose the one that works best on a case-by-case basis.
  • Machine onboarding: Spectra provides an interface for proper machine onboarding within an application under Spectra’s control, with which a Trusted Administrator determines what devices can participate in communications within an application. The Trusted Administrator also defines each machine’s access privileges during onboarding. This process can be automated for batched onboarding, always under the control of the Trusted Administrator.
  • Auditing management: Trusted Administrators can choose the events they want to closely monitor and how they want to be alerted about specific incidents. Active monitoring is a crucial part of incident response, and Spectra provides quick visualization for meaningful transactions to support effective auditing monitoring.
  • FIDO2: Phishing-resistant authentication based on modern, possession-based credentialing. Unique credentials between Trusted Administrators and Spectra never leave the user’s device and are never stored in the server. Additionally, these credentials are easily integrated with fingerprint readers or cameras on users’ devices or by leveraging easy-to-use FIDO security keys. Support for multiple devices and authenticators. Cryptographic keys are unique for the link between a Trusted Administrator and Spectra. Biometric data, when used, never leaves the user’s device.
  • AES-GCM-256: Spectra uses the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) with 256-bit keys, a configuration many in the industry consider future-proof, given that even AES-128 is considered secure against all practical threats currently known. AES-GCM-256 is used to uniquely encrypt all Spectra tokens and all payloads involved in communications in every direction between all components of Spectra.
  • ECDH P-256: Spectra uses Elliptic Curve Diffie-Hellman over the P-256 curve (ECDH P-256) for securely agreeing on symmetric secret keys between any two parties engaged in communication. That means ECDH P-256 is run before any resource exchange between any pair of Spectra Dashboard, Spectra API, Spectra SDK, and the machines within any given Spectra application.
  • Provisioning: The process of onboarding machines into Spectra. It includes everything from validating a machine’s need to access any given resource to assigning it the appropriate permissions. On Spectra, provisioning is 100% controlled by a trusted administrator, who verifies a machine’s identity and its need to access resources on other machines and assigns the proper privileges according to that assessment.
  • Administration: Spectra allows each application to be created according to some pre-defined system designs. This includes policy design and creation, maintenance, and updates. The application registered on Spectra works as a concrete instance of the actual IAM policies of an organization.
  • Enforcement: Spectra provides enforcement of IAM policies via the combined power of the “triple A”:
    • Authentication: Validate the legitimacy of the identity of machines requesting access to any resources within a Spectra application.
    • Authorization: Check the machine’s assigned permissions against access control policies and permit or deny access as appropriate.
    • Auditing: Monitor and review access control decisions for any anomalies that could require immediate remediation. Auditing is a critical component of Spectra for activity monitoring, analysis, and incident response. Every access denied and/or any activity that conflicts with pre-defined rules in the provisioning and administration process will raise red flags. The administrators will be alerted via email, SMS, and/or Dashboard messages.
  • Lightweight: As with everything we do at Algemetric, Spectra is designed for performance. In the worst-case scenario, Spectra’s procedures are developed to complete execution in near-real time. Spectra’s lightweight nature allows it to operate in a wide variety of limited infrastructures, including those composed of resource-constrained devices such as IoT and edge computing.
  • Plug-and-play: Spectra is designed for interoperability. Spectra can be easily integrated with applications involving communication and resource exchange between devices. Spectra can also support third-party identity services by offering M2M capabilities in H2M settings.
  • Flexible: Spectra is designed to be more than just an IAM tool but also an IAM framework. Spectra allows Trusted Administrators to create applications, control which machines are allowed to be onboarded, define the rules of machine onboarding, and define which access control model will be in place and with which characteristics. The Trusted Administrator also has complete visibility of how the application behaves via Spectra’s auditing features.
  • Scalable: One of the significant advantages of being a data-centric technology is that Spectra does not store information about the machines in any given application nor create a database associated with the number of machines on Spectra applications. Credentials are stored in encrypted authenticators that remain under the control of each onboarded machine. At an atomic level, all transactions on Spectra are peer-to-peer procedures. Therefore there is no direct correlation between the number of onboarded devices in a Spectra application and the overall performance of that application. Proper device onboarding can easily be a bottleneck for this scenario when contemplating hundreds or thousands of devices. Not for Spectra. Spectra provides automated device onboarding following the rules defined by the Trusted Administrator of each application.
  • Great standalone solution: Spectra thrives on being a solo IAM solution when nothing else is in place for secure M2M. Although Spectra works well with other solutions for a much larger application, it doesn’t shy away from taking ownership of authentication, authorization, and auditing for your organization. We carefully crafted Spectra to find the sweet spot of a lightweight solution that is flexible and powerful enough to secure communication between devices over insecure networks properly.
  • Works as a module for Prisma and Obscura: When securing M2M for our applications, there is nothing else in the world we trust more than Spectra. This is us talking the talk and walking the walk. Like Spectra, Obscura and Prisma are multi-component solutions involving intense M2M. Spectra raises the bar of the benefits brought by Obscura and Prisma by adding a particularly robust layer of security in all communications across the board.
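The handshake described in the ECDH P-256 and AES-GCM-256 items above, as an added example and not Spectra’s own code (the page shows none): each side creates an ephemeral P-256 key pair, derives an AES-256-GCM key from the shared secret, and the sender seals the token so the receiver detects any tampering. The SHA-256 key derivation, the JSON-like token body and the use of the target address as associated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// NewEphemeral makes a fresh P-256 key pair: one per exchange, never reused.
func NewEphemeral() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// SessionAEAD runs ECDH with the peer's public point and turns the shared
// secret into an AES-256-GCM cipher. Hashing the secret with SHA-256 is
// this example's assumption; the page names no key-derivation step.
func SessionAEAD(priv *ecdh.PrivateKey, peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:]) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a token with a random 96-bit nonce (prepended) and binds
// unencrypted context passed in aad, e.g. the target machine's address.
func Seal(gcm cipher.AEAD, token, aad []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, token, aad), nil
}

// Open checks the GCM tag first: any change to ciphertext, nonce or aad
// fails, so a token sealed for one target cannot be opened under another's aad.
func Open(gcm cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed token too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}
```

Both peers reach the same AEAD because ECDH is symmetric; the private keys are dropped after the exchange, which is what makes the session key ephemeral.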

Spectra implements the highest standards for IAM in an innovative way. Based on our principles, features, security, processes, and benefits, in a nutshell, Spectra’s main differentiators are:

  • Authentication, Authorization, and Auditing in a single solution: Under closer examination, many solutions that promise authentication and authorization for the particular case of M2M turn out to involve humans in critical steps of these procedures. Except for the Trusted Administrator required for managing applications on Spectra Dashboard, the entire operation of Spectra is done in the legitimate context of M2M: from machines to machines with no humans involved. Several applications are typically required to adequately cover authentication, authorization, and auditing for M2M. Spectra brings the triple A in a single lightweight yet robust IAM solution.
  • PKC, not PKI: The power and utility of public key cryptography (PKC) in modern cryptography are indisputable. However, for quite some time, many believed that PKC could only deliver its full benefit through an entire system of trust based on certificates and a hierarchy-intensive model for generating and verifying those certificates. This system is known as public key infrastructure (PKI), and it carries functional and financial complexities that inevitably result in penalties in performance and cost. By targeting efficiency, flexibility, scalability, and yet security and privacy by design, Spectra employs the best of PKC (such as asymmetric encryption, which is useful for secure peer-to-peer communication) without the worst of PKI (high cost, bureaucracy, and penalties in performance).
  • Flexibility and power to administrators: Spectra Token is a customizable digital authenticator that allows Trusted Administrators to specify arbitrary field-value pairs, which are particularly useful under the ABAC model.
  • Automated machine onboarding: Spectra allows for a rigorous onboarding procedure of thousands of machines, uniquely identified and operating under specs defined by the trusted administrator.
  • No personal and/or machine credentials stored: Distinct digital authenticators generated for each machine within a Spectra application are controlled by their respective machines. Spectra keeps no database or similar record. Authentication and authorization between machines are supported by Spectra API using a digital authenticator on a case-by-case basis.
  • No dependency on network security: As the only communication security mechanism or as an additional communication security layer, Spectra is ready to provide end-to-end encryption for all exchanges between machines within the scope of Spectra applications with no impact from context-based security or lack thereof.

Contact

Want more details? Contact us.
