Want more details? Contact us.
Fill in the form on the side, we will get back to you shortly.
Spectra is a powerful Identity and Access Management solution for M2M networks. Spectra implements FIDO2 standards for establishing the role of a Trusted Administrator who creates and manages perimeter-less applications involving an arbitrarily large number of devices communicating with other devices. Spectra is built upon the powerful combination of Authentication, Authorization, and Auditing, working together to ensure proper access to the right resources by suitable devices.
These issues suggest faulty human behaviour and a lack of proper policies, automation, and safeguards for compromising incidents. Secure networks alone fail to address the significant causes of malware attacks.
Spectra is Algemetric’s solution for Identity and Access Management, focusing on machine-to-machine communication. Spectra combines the power of the triple-A: Authentication, Authorization, and Auditing, in a single, lightweight, and powerful IAM solution. It is plug-and-play, scalable and can work as a standalone solution.
Spectra is designed for performance. The module’s lightweight nature allows it to operate in a wide variety of limited infrastructures, including those composed of resource-constrained devices such as IoT and edge computing.
Spectra allows Trusted Administrators to create applications, control which machines are allowed to be onboarded, define the rules of machine onboarding, and define which access control policy should be in place. The Trusted Administrator also has complete visibility of how the application behaves via Spectra’s auditing features.
Plug and Play
Spectra is designed for interoperability. Spectra can be easily integrated with applications involving communication and resource exchange between devices. Spectra can also support third-party identity services by offering M2M capabilities in H2M settings.
Device onboarding can easily become a bottleneck for large networks that contain hundreds or thousands of devices. Not for Spectra. There is no direct correlation between the number of onboarded devices in a Spectra application and the overall performance of that application.
Spectra protects access to any resource in any given machine, including any shape or form of data, application and service.
Machines typically communicate with a domain name or IP address associated with some port. M2M IAM via Spectra is conducted via digital authenticator exchanges in which information about machine identity and access privileges are specified. Spectra API is invoked to verify the legitimacy and the constraints specified in any given token. Depending on what Spectra API sees in each digital authenticator (that is encrypted at all times and can only be decrypted by Spectra API), it returns an answer to the target machine that, in case the access request is legitimate, includes attributes that the target machine will use for authorization purposes.
All requests and responses between Spectra Dashboard, Spectra API, and Spectra SKD are encrypted at all times with single-use ephemeral secret keys.
Spectra Dashboard: The “control room” where trusted administrators can create applications, define how many machines are in the scope of those applications, and the rules for those machines to communicate with each other.
Spectra API: The “brain” where the configurations defined in the Spectra Dashboard are processed and consolidated in the form of digital authenticators, namely Spectra tokens, which are then used between machines for data exchange. Spectra API does not store any information about these machines. Tokens are a form of signature of one machine’s identity and access privileges concerning one or more other machines according to constraints defined by administrators via Spectra Dashboard.
Spectra SDK: Each machine is equipped with the “tool belt” for efficient machine onboarding and properly communicating with other machines and with the Spectra API.
FIDO2: Spectra implements the FIDO2 specifications for secure multifactor authentication for H2M from the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and the FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP). FIDO2 is used to authenticate Trusted Administrators on the Spectra Dashboard.
Application Management: Trusted Administrators can create and manage an arbitrary number of applications on Spectra Dashboard. On Spectra Dashboard, Trusted Administrators can manage as many platform and external hardware authenticators as they want. Trusted Administrators can also manage API Keys and their permissions, access model controls, and customize Spectra Tokens, all of which will take place under the scope of each application.
Access Control Models Management: With Spectra, Trusted Administrators can decide which access control model makes sense for each application. Spectra supports the following access control models: mandatory access control (MAC), discretionary access control (DAC), role-based access control (RBAC), and attribute-based access control (ABAC). Each of these access control models has its advantages and disadvantages. Therefore it is imperative that the Trusted Administrator can choose the one that works best on a case-by-case basis.
Machine Onboarding: Spectra provides an interface for proper machine onboarding within an application under Spectra’s control, with which a Trusted Administrator determines what devices can participate in communications within an application. The Trusted Administrator also defines each machine’s access privileges during onboarding. This process can be automated for batched onboarding, always under the control of the Trusted Administrator.
Auditing Management: Trusted Administrators can choose the events they want to closely monitor and how they want to be alerted about specific incidents. Active monitoring is a crucial part of incident response, and Spectra provides quick visualization for meaningful transactions to support effective auditing monitoring.
FIDO2: Phishing-resistant authentication based on modern, possession-based credentialing. Unique credentials between Trusted Administrators and Spectra never leave the user’s device and are never stored in the server. Additionally, these credentials are easily integrated with fingerprint readers or cameras on users’ devices or by leveraging easy-to-use FIDO security keys. Support for multiple devices and authenticators. Cryptographic keys are unique for the link between a Trusted Administrator and Spectra. Biometric data, when used, never leaves the user’s device.
AES-GCM-256: Spectra uses the Advanced Encryption Standard (AES) with the Galois counter mode of operation (GCM) with 256-bit encryption schemes, a configuration many in the industry consider future-proof security since AES-128 is known to be secure considering all the practical threats currently available. AES-GCM-256 is used to uniquely encrypt all Spectra tokens and all payloads involved in communications in every direction between all components of Spectra.
ECDH P-256: Spectra uses Elliptic Curve Diffie-Hellman P-256 for securely exchanging symmetric secret keys between any two parties engaged in communication. That means that ECDH P-256 is used before any resource exchange between any communication combination between Spectra Dashboard, Spectra API, Spectra SDK, and machines within any given machines in Spectra applications.
Separation of Duties: Given tasks can be broken down into multiple sub-tasks, each of which is operated by different machines with different access privileges. Attackers must subvert various machines simultaneously to compromise a system that employs separation of duties, which happens with a probability much lower than subverting a single machine. The same protection goes against malfunction and any other type of non-malicious operational failure. It also protects against insider threats in case one machine is compromised.
Provisioning: The process of onboarding machines into Spectra. It includes everything from validating a machine’s need to access any given resource to assigning them the appropriate permissions. On Spectra, provisioning is 100% controlled by a trusted administrator, which verifies a machine’s identity and needs for accessing resources in other machines and assigns the proper privileges according to their assessment.
Administration: Spectra allows each application to be created according to some pre-defined system designs. This includes policy design and creation, maintenance, and updates. The application registered on Spectra works as a concrete instance of the actual IAM policies of an organization.
Enforcement: Spectra provides enforcement of IAM policies via the combined power of the “triple A”:
Authentication, Authorization, and Auditing – All in One: Most solutions that promise authentication and authorization for M2M actually involve human intervention in critical steps of these procedures. Except for the Trusted Administrator required for managing applications on Spectra Dashboard, the entire operation of Spectra is done in the legitimate context of M2M: from machines to machines with no humans involved. Typically, multiple applications are required to cover authentication, authorization, and auditing for M2M. Spectra brings the triple A in a single lightweight yet robust IAM solution.
PKC, not PKI: The power and utility of public key cryptography (PKC) is indisputable. However, many people believed that PKC required an entire system of trust – based on a hierarchically-intensive model of certificate generation and verification for optimal results. This system is known as public key infrastructure (PKI), embodied with functional and financial complexities that inevitably result in penalties for performance and cost. Spectra’s efficient, flexible, scalable, secure and private design employs the best of PKC (such as asymmetric encryption, which is useful for secure peer-to-peer communication) without the worst of PKI (high cost, bureaucracy, and penalties in performance).
Flexibility and Power to Administrators: Spectra Token is a customizable digital authenticator that allows Trusted Administrators to specify arbitrary field-value pairs, which are particularly useful under the ABAC model.
Automated Machine Onboarding: Spectra allows for a rigorous onboarding procedure of thousands of machines, uniquely identified and operating under specs defined by the trusted administrator.
No Personal and/or Machine Credentials Stored: Distinct digital authenticators generated for each machine within a Spectra application are controlled by their respective machines. Spectra keep no database or similar record. Authentication and authorization between machines are supported by Spectra API using a digital authenticator on a case-by-case basis.
No Dependency on Network Security: As a sole communication security mechanism or as an additional communication security layer, Spectra is ready to provide end-to-end encryption for all exchanges between machines within the scope of Spectra applications with no impact from context-based security or lack thereof.
Data-Centric: Spectra is a type of data-centric technology (DCT), a technology that is enabled via specialized treatments of data as a construction. For example, Spectra provides the Spectra Token. This digital authenticator can be described as a signature of a prior agreement that establishes a machines’ identity and access privileges within a Spectra application. The Spectra token is encrypted with AES-GCM-256 for securely transmitting information about identity and access privileges between applications, services, and other accessible resources. Spectra provides a customized way to generate Spectra Tokens for M2M authentication and authorization, which can be programmed using custom parameters defined by the Trusted Administrator, allowing organizations to use Spectra as an efficient and flexible framework for IAM.
Infrastructure-Agnostic: Spectra works in the cloud, corporate intranet, private networks, and open insecure WIFIs while offering the same functionalities, flexibility, and security. Onboard-able devices can be personal computers, servers, terminals, IoT, and edge computing devices.
Least Privilege: Permissions associated with any given machine are limited to the minimum required to perform a particular task. This helps to decrease cybersecurity risks related to relaxed permission grants.
Fill in the form on the side, we will get back to you shortly.