Decentralised Identity Management solution for zero-trust multi-domain Computing Continuum frameworks

IF 6.2 | Zone 2, Computer Science | Q1, COMPUTER SCIENCE, THEORY & METHODS | Future Generation Computer Systems-The International Journal of Escience | Pub Date: 2024-08-06 | DOI: 10.1016/j.future.2024.08.003
Citations: 0

Abstract

The adoption of the Computing Continuum is characterised by the seamless integration of diverse computing environments and devices. In this dynamic landscape, sharing resources across the continuum is becoming a reality and security must move a step forward, especially in terms of authentication and authorisation for such distributed and heterogeneous environments. The need for robust identity management is paramount and, in this regard, Decentralised Identity Management (DIM) emerges as a promising solution. It leverages decentralised technologies to secure and facilitate identity interactions across the Computing Continuum. In particular, to enhance security and privacy, it would be desirable to apply the principles of Self-Sovereign Identity (SSI). In this paradigm, users have full ownership and control of their digital identities, which empowers individuals to manage and share their identity data on a need-to-know basis. These mechanisms could contribute to improving security properties during continuum resource management operations. In this context, this paper presents the design, workflows and implementation of a solution that provides authentication/authorisation features to distributed zero-trust based infrastructures across the continuum, enhancing security in resource sharing and resource acquisition stages. To this aim, the solution relies on key aspects like decentralisation, interoperability, trust management and privacy-enhancing capabilities. The decentralisation leverages distributed ledger technologies, such as blockchain, to establish a decentralised identity ecosystem. The solution prioritises interoperability, enabling nodes to seamlessly access and share their identities across different domains and environments. Trustworthiness is at the core of DIM, and privacy is also considered, incorporating privacy-preserving techniques that allow individuals to selectively disclose identity attributes while safeguarding sensitive information. The implementation includes different operations for allowing continuum frameworks to be enhanced with decentralised authentication and authorisation features. The performance has been evaluated by measuring the impact of adopting the solution. The most expensive task, the self-identity generation, takes only a few seconds (in our deployment) and it is only executed once. Authorisation tasks operate in the millisecond range, which is a totally invaluable time if incorporated into resource acquisition processes in frameworks such as Liqo, used in the scope of the FLUIDOS project.

Source journal

CiteScore: 19.90
Self-citation rate: 2.70%
Articles published: 376
Review time: 10.6 months
Journal description: Computing infrastructures and systems are constantly evolving, resulting in increasingly complex and collaborative scientific applications. To cope with these advancements, there is a growing need for collaborative tools that can effectively map, control, and execute these applications. Furthermore, with the explosion of Big Data, there is a requirement for innovative methods and infrastructures to collect, analyze, and derive meaningful insights from the vast amount of data generated. This necessitates the integration of computational and storage capabilities, databases, sensors, and human collaboration. Future Generation Computer Systems aims to pioneer advancements in distributed systems, collaborative environments, high-performance computing, and Big Data analytics. It strives to stay at the forefront of developments in grids, clouds, and the Internet of Things (IoT) to effectively address the challenges posed by these wide-area, fully distributed sensing and computing systems.