Spectra Dashboard: The “control room” where trusted administrators can create applications, define how many machines are in the scope of those applications, and the rules for those machines to communicate with each other.

Spectra API: The “brain” where the configurations defined in the Spectra Dashboard are processed and consolidated in the form of digital authenticators, namely Spectra tokens, which are then used between machines for data exchange. Spectra API does not store any information about these machines. Tokens are a form of signature of one machine’s identity and access privileges concerning one or more other machines according to constraints defined by administrators via Spectra Dashboard.

Spectra SDK: Each machine is equipped with the “tool belt” for efficient machine onboarding and properly communicating with other machines and with the Spectra API.

FIDO2: Spectra implements the FIDO2 specifications for secure multifactor authentication for H2M from the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and the FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP). FIDO2 is used to authenticate Trusted Administrators on the Spectra Dashboard.

Application Management: Trusted Administrators can create and manage an arbitrary number of applications on Spectra Dashboard. On Spectra Dashboard, Trusted Administrators can manage as many platform and external hardware authenticators as they want. Trusted Administrators can also manage API Keys and their permissions, access model controls, and customize Spectra Tokens, all of which will take place under the scope of each application.

Access Control Models Management: With Spectra, Trusted Administrators can decide which access control model makes sense for each application. Spectra supports the following access control models: mandatory access control (MAC), discretionary access control (DAC), role-based access control (RBAC), and attribute-based access control (ABAC). Each of these access control models has its advantages and disadvantages. Therefore it is imperative that the Trusted Administrator can choose the one that works best on a case-by-case basis.

Machine Onboarding: Spectra provides an interface for proper machine onboarding within an application under Spectra’s control, with which a Trusted Administrator determines what devices can participate in communications within an application. The Trusted Administrator also defines each machine’s access privileges during onboarding. This process can be automated for batched onboarding, always under the control of the Trusted Administrator.

Auditing Management: Trusted Administrators can choose the events they want to closely monitor and how they want to be alerted about specific incidents. Active monitoring is a crucial part of incident response, and Spectra provides quick visualization for meaningful transactions to support effective auditing monitoring.

FIDO2: Phishing-resistant authentication based on modern, possession-based credentialing. Unique credentials between Trusted Administrators and Spectra never leave the user’s device and are never stored in the server. Additionally, these credentials are easily integrated with fingerprint readers or cameras on users’ devices or by leveraging easy-to-use FIDO security keys. Support for multiple devices and authenticators. Cryptographic keys are unique for the link between a Trusted Administrator and Spectra. Biometric data, when used, never leaves the user’s device.

AES-GCM-256: Spectra uses the Advanced Encryption Standard (AES) with the Galois counter mode of operation (GCM) with 256-bit encryption schemes, a configuration many in the industry consider future-proof security since AES-128 is known to be secure considering all the practical threats currently available. AES-GCM-256 is used to uniquely encrypt all Spectra tokens and all payloads involved in communications in every direction between all components of Spectra.

ECDH P-256: Spectra uses Elliptic Curve Diffie-Hellman P-256 for securely exchanging symmetric secret keys between any two parties engaged in communication. That means that ECDH P-256 is used before any resource exchange between any communication combination between Spectra Dashboard, Spectra API, Spectra SDK, and machines within any given machines in Spectra applications.

Separation of Duties: Given tasks can be broken down into multiple sub-tasks, each of which is operated by different machines with different access privileges. Attackers must subvert various machines simultaneously to compromise a system that employs separation of duties, which happens with a probability much lower than subverting a single machine. The same protection goes against malfunction and any other type of non-malicious operational failure. It also protects against insider threats in case one machine is compromised.

Provisioning: The process of onboarding machines into Spectra. It includes everything from validating a machine’s need to access any given resource to assigning them the appropriate permissions. On Spectra, provisioning is 100% controlled by a trusted administrator, which verifies a machine’s identity and needs for accessing resources in other machines and assigns the proper privileges according to their assessment.

Administration: Spectra allows each application to be created according to some pre-defined system designs. This includes policy design and creation, maintenance, and updates. The application registered on Spectra works as a concrete instance of the actual IAM policies of an organization.

Enforcement: Spectra provides enforcement of IAM policies via the combined power of the “triple A”:

• Authentication: Validate the legitimacy of the identity of machines requesting access to any resources within a Spectra application.
• Authorization: Check the machine’s assigned permissions against access control policies and permit or deny access as appropriate.
• Auditing: Monitor and review access control decisions for any anomalies that could require immediate remediation. Auditing is a critical component of Spectra for activity monitoring, analysis, and incident response. Every access denied and/or any activity that conflicts with pre-defined rules in the provisioning and administration process will raise red flags. The administrators will be alerted via email, SMS, and/or Dashboard messages.

Authentication, Authorization, and Auditing – All in One: Most solutions that promise authentication and authorization for M2M actually involve human intervention in critical steps of these procedures. Except for the Trusted Administrator required for managing applications on Spectra Dashboard, the entire operation of Spectra is done in the legitimate context of M2M: from machines to machines with no humans involved. Typically, multiple applications are required to cover authentication, authorization, and auditing for M2M. Spectra brings the triple A in a single lightweight yet robust IAM solution.

PKC, not PKI: The power and utility of public key cryptography (PKC) is indisputable. However, many people believed that PKC required an entire system of trust – based on a hierarchically-intensive model of certificate generation and verification for optimal results. This system is known as public key infrastructure (PKI), embodied with functional and financial complexities that inevitably result in penalties for performance and cost. Spectra’s efficient, flexible, scalable, secure and private design employs the best of PKC (such as asymmetric encryption, which is useful for secure peer-to-peer communication) without the worst of PKI (high cost, bureaucracy, and penalties in performance).

Flexibility and Power to Administrators: Spectra Token is a customizable digital authenticator that allows Trusted Administrators to specify arbitrary field-value pairs, which are particularly useful under the ABAC model.

Automated Machine Onboarding: Spectra allows for a rigorous onboarding procedure of thousands of machines, uniquely identified and operating under specs defined by the trusted administrator.

No Personal and/or Machine Credentials Stored: Distinct digital authenticators generated for each machine within a Spectra application are controlled by their respective machines. Spectra keep no database or similar record. Authentication and authorization between machines are supported by Spectra API using a digital authenticator on a case-by-case basis.

No Dependency on Network Security: As a sole communication security mechanism or as an additional communication security layer, Spectra is ready to provide end-to-end encryption for all exchanges between machines within the scope of Spectra applications with no impact from context-based security or lack thereof.

Data-Centric: Spectra is a type of data-centric technology (DCT), a technology that is enabled via specialized treatments of data as a construction. For example, Spectra provides the Spectra Token. This digital authenticator can be described as a signature of a prior agreement that establishes a machines’ identity and access privileges within a Spectra application. The Spectra token is encrypted with AES-GCM-256 for securely transmitting information about identity and access privileges between applications, services, and other accessible resources. Spectra provides a customized way to generate Spectra Tokens for M2M authentication and authorization, which can be programmed using custom parameters defined by the Trusted Administrator, allowing organizations to use Spectra as an efficient and flexible framework for IAM.

Infrastructure-Agnostic: Spectra works in the cloud, corporate intranet, private networks, and open insecure WIFIs while offering the same functionalities, flexibility, and security. Onboard-able devices can be personal computers, servers, terminals, IoT, and edge computing devices.

Least Privilege: Permissions associated with any given machine are limited to the minimum required to perform a particular task. This helps to decrease cybersecurity risks related to relaxed permission grants.