This content was created by the Data Sharing Coalition, one of the founding partners of the CoE-DSC.
When sharing (sensitive) data, trusting that only the intended recipients receive your data is essential. To give their participants a high level of assurance in the counterparty’s digital identity, data spaces use a digital identity assurance framework. Smart Connected Supplier Network (SCSN), a data space that focuses on supply chains in the manufacturing industry, encountered challenges with regard to the scalability of its digital identity assurance framework. Together with participant Exact, the Data Sharing Coalition explores how SCSN can improve its framework to prepare for future scalability of the data space.
Scaling up a data space requires higher digital identity assurance
Usually, during the early stages of a data sharing initiative, the participating organisations are known to each other or in a contractual relation. This changes when organisations share data in a (mature) data space. A data space allows other (unknown) parties to join and share data if they commit to a specific set of agreements agreed upon by its current participants. When a data space further scales up, more and different types of organisations participate. In addition, more data transactions are facilitated, and a larger variety of data becomes available. Such factors increase the likelihood of data ending up in the wrong place, with financial, reputational or compliance risks as a consequence.
When providing a data sharing service in the data space, a Data Service Provider needs to have some assurance that the digital identity of the Data Service Consumer is actually the user’s “true” identity; otherwise the Data Service Provider will not provide access to their data*. However, when a data space scales up, a Data Service Provider would need to (manually) verify the digital identity of all other participants to obtain identity assurance. Since this is infeasible, at this point one or multiple organisations are usually appointed to perform the identity verification of new data space participants and issue the authentication means. This is called the federative identity model. The organisation doing this is usually the data space authority or a certified organisation within the data space. Other participants must trust that only reliable participants are onboarded, where ‘reliable’ must be outlined in the agreements of the data space. The higher the risk of data sharing, the higher the assurance level needed as to who the participant really is. Realising a high level of assurance requires a mature digital identity assurance framework.
In regulated data spaces – e.g. government to citizen and consumer to bank interactions – mature digital identity assurance frameworks serve as inspiration for new data spaces. On a national and European level, tools such as eHerkenning or eIDAS certificates provide identification and authentication. For example, when filing taxes as an entrepreneur in the Netherlands, eHerkenning is required to log in to the Dutch Tax Authority. However, in other domains such as B2B data sharing in manufacturing, this is not (yet) regulated.
SCSN: a data space to exchange data on order and delivery
Let’s therefore consider SCSN, a data space in a sector not (yet) regulated on digital identity. The SCSN data space provides a universal language for organisations that want to exchange data on order and delivery between a buyer and supplier who already have a contractual relation. This phase of procurement can be denoted as Procure-to-Pay (P2P). SCSN’s universal language enables organisations to create messages about, for example, orders, dispatch advice, forecasting or quotations. The SCSN data space is based on the International Data Spaces (IDS) standard. By 2022, adoption of the SCSN network has grown to over 300 Users and 7 Service Providers (SPs), which means it is one of the most mature IDS-based data spaces in Europe. SCSN has developed its own solution for digital identity assurance, where Users’ trust in the digital identity assurance is substantiated by liability agreements between SPs and the SCSN foundation.
A case study: developing a digital identity assurance framework to scale up data spaces
However, current liability agreements for assurance are not suitable for the next phase of the data space, in which more data space participants are connected. Furthermore, enlarging the scope of supported messages leads to data sharing before the Procure-to-Pay processes have started, which requires stronger assurance of the digital identity of respective parties.
Together with our participant Exact and SCSN, the Data Sharing Coalition explores how the SCSN data space can improve its digital identity assurance framework and prepare for future scalability of the data space. Together, we conduct market research on existing standards and frameworks for data sharing, such as iSHARE, SBR Nexus, IDSA and GAIA-X, and on digital identity regulation and frameworks (eIDAS, eHerkenning). In addition, interviews with Service Providers and Users of SCSN will take place.
Lessons learned about digital identity will be valuable for other data spaces
The results of this case study can be re-used by other data spaces, especially when digital identity is not regulated. Digital identity is the cornerstone of data sharing. Every data space will, at some point, run into similar challenges as SCSN. Furthermore, the question of whether the other party is really who they claim to be is a generic one: it is not specific to manufacturing or any other sector. This makes the results of the case study generally applicable. The generic lessons are very valuable for implementing digital identity assurance in data spaces and will be shared when the research is finished.
* Two main roles can be distinguished within a data space: a Data Service Provider and a Data Service Consumer. A data service is any service aimed at exchanging or processing data. To learn more, download our Data Sharing Canvas.