
Virtual entity

Mirror anything

The virtual digital twin is a virtual entity that represents the original entity and provides additional capabilities above the exact representation of the original entity.


Level up

In the cyber security and confidential computing context, the original entity can be a physical thing (appliance, OT controller, CPU) or a purely virtual digital thing (file, executable code, memory contents, DB). The digital twin can do much more than represent the original in production: it provides a multitude of confidentiality and security features and acts as the gatekeeper before and around the original entity.

The additional responsibilities and active decision-making capabilities raise the bar on digital twin cyber security requirements, such as accurate representation and behavior in the presence of attackers and vulnerabilities in the runtime environment of a digital twin. The digital twin itself should be the root of trust in regulated, critical applications, ideally hardware-based so that attackers cannot manipulate the original through the digital twin.

A confidential computing environment that focuses on security includes several types of digital twins, which provide different levels of protection for the original, alongside a richness of capabilities.


Always predicts.
Never limited.

Simulation predicts the behaviour of the original entity via a simplified model, whereas emulation recreates an exact virtual duplicate of the original.

Both are used extensively in hardware and software development, especially for developing large systems. Both bring substantial value to the cyber security domain, enabling the defender to check the end result of the incoming request before executing it in the real system (e.g. a sandbox).

Bringing a digital twin to the original entity, and then adding an emulator or simulator twin to the access twin, compounds the security benefits.

Next-generation ultra-low-latency communications (5G/6G, fiber) enable simulation/emulation to execute in real time anywhere. Together, the two trends open the possibility of BYODT (bring your own digital twin): securing real assets anywhere, at all times.


Hello hackers.
Meet my twin.


Access control and isolation of compute infrastructure and resources are critical for any type of confidential and secure operation in the data center and at the edge, while hackers easily overcome the perimeter protections of the organizational network and the insider threat is a very real thing.

Access control

As a result of a service-based economy of applications and data providers, multiple unknown and sometimes untrusted parties share the same computing resource. The service provider’s system administrators have full access to the compute infrastructure (e.g. OS installation, memory dumps, BIOS updates, CPU microcode updates) and can override security configuration by intent or by mistake.

The access twin provides a virtual barrier between any type of original sensitive entity (BIOS, OS, motherboard, BMC, VM, Hypervisor, application, etc.) and the outside world by presenting to the world the exact copy of the original entity communication interface.

Therefore, external actors see the normal API and interact with it just as they would with the original entity's API, while the digital twin of the entity checks everything coming in and everything coming out of the original and transparently executes identity verification, data filters, rules, and policies on the requests.


External production protection

The approved requests will be forwarded to the original entity and the rejected requests will be dropped with predefined responses (which can be nothing at all to prevent the attacker from discovering the twin’s existence). The original entity does not know or care about the existence of its digital twin, as the original experience does not change at all. The twin core can be as simple or complex as desired for the protection of the original entity.

Through the one-to-one relationship between the digital twin and the original, arbitrarily fine details of the original's interface, and by extension how it operates, can be controlled. For example, BIOS firmware updates can be locked for approval by 3 specific employees and allowed only after cryptographic validation of the image file against a manufacturer certificate, and only during working hours. Severe business consequences (like a Facebook DNS error) can be prevented by fully independent digital twins dedicated to the critical assets of the organization.

As a result of zero trust, constant change, and anonymity in today's world, the enhanced Access Twin enables true validation of an incoming request and its impact on the original in real time, just in time to prevent disaster for the original entity. The ever-increasing compute power in all devices, from the production line robot and the industrial controller to the miniature PC and rack server, combined with specialized compute ASICs, enables real-time execution of the simulator/emulator twin at the location of the original entity.
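The access-twin gatekeeping described above, worked through as an added example (not code from the page or from any product): a twin that presents the same firmware-update call as the original, checks identity, the three-approver quorum, image validation and the working-hours rule, forwards only approved requests, and answers rejected ones with nothing at all. The identities, approver names, hours and signing key are constructed sample values; an HMAC tag stands in for verification against a manufacturer certificate.

```python
"""Access-twin gateway: added example, not the page's or any vendor's code."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime

# Constructed sample identities and policy data (assumptions, not page values).
IDENTITIES = {"tok-ops-1": "ops-account"}         # bearer token -> actor
APPROVERS = frozenset({"alice", "bob", "carol"})  # the 3 specific employees
WORKING_HOURS = range(9, 18)                      # 09:00-17:59 local time
# An HMAC key stands in for the manufacturer certificate; a real twin would
# verify the image signature against the vendor's certificate chain instead.
MANUFACTURER_KEY = b"constructed-manufacturer-key"


@dataclass(frozen=True)
class UpdateRequest:
    token: str
    image: bytes
    signature: bytes
    approvals: frozenset
    submitted_at: datetime


def sign_image(image: bytes) -> bytes:
    """Tag the 'manufacturer' would ship with an image (demo helper)."""
    return hmac.new(MANUFACTURER_KEY, image, hashlib.sha256).digest()


def image_is_valid(image: bytes, signature: bytes) -> bool:
    # Constant-time compare so a rejected tag leaks no timing information.
    return hmac.compare_digest(sign_image(image), signature)


def evaluate(req: UpdateRequest) -> list[str]:
    """Return the policy failures; an empty list means 'forward to original'."""
    reasons = []
    if req.token not in IDENTITIES:
        reasons.append("unknown identity")
    if not APPROVERS <= req.approvals:
        missing = ",".join(sorted(APPROVERS - req.approvals))
        reasons.append("missing approvals: " + missing)
    if not image_is_valid(req.image, req.signature):
        reasons.append("image failed manufacturer validation")
    if req.submitted_at.hour not in WORKING_HOURS:
        reasons.append("outside working hours")
    return reasons


def original_bios(image: bytes) -> str:
    """Stand-in for the real BIOS update interface: it just 'applies' the image."""
    return "applied " + hashlib.sha256(image).hexdigest()[:12]


class AccessTwin:
    """Same call shape as the original, but policy is enforced first."""

    def __init__(self, original):
        self._original = original
        self.audit: list[tuple[str, list[str]]] = []   # (decision, reasons)

    def update(self, req: UpdateRequest):
        reasons = evaluate(req)
        if reasons:
            self.audit.append(("dropped", reasons))
            return None          # silent drop: nothing reveals the twin exists
        self.audit.append(("forwarded", []))
        return self._original(req.image)


def make_request(token, approvers, hour, tamper=False) -> UpdateRequest:
    """Build a constructed request; tamper=True corrupts the image after signing."""
    image = b"constructed firmware image v1.2"
    signature = sign_image(image)
    if tamper:
        image = image + b"\x00"
    return UpdateRequest(token, image, signature, frozenset(approvers),
                         datetime(2024, 3, 4, hour, 0))


def demo():
    """One approved and one under-approved request; returns results and audit."""
    twin = AccessTwin(original_bios)
    good = twin.update(make_request("tok-ops-1", {"alice", "bob", "carol"}, 10))
    bad = twin.update(make_request("tok-ops-1", {"alice", "bob"}, 10))
    return good, bad, twin.audit


if __name__ == "__main__":
    print(demo())
```

The audit list is the part the original never sees: the twin records why a request was dropped even though the caller receives no response, which is what makes the silent-drop behaviour safe to operate.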

Mirror your interface. 
Protect your data.

Manipulation is an abstract concept applicable to any type of data and interface. Specific implementations are based on the original entity's behavior and limits. Through its relationship with and direct connection to the original entity, the manipulator twin holds real power: there is no way around the twins.

The manipulator twin isolates the original entity from the external environment and proactively changes incoming and outgoing data. This keeps the source safe even in the absence of access control rules. The following examples illustrate the concept of manipulator twins:

Sensitive personal data obfuscation, such as credit card and banking information. There is extensive regulation today on private personal information and strong enforcement by governments. The problem is that enforcement and obfuscation of data usually occur after it has been exposed to the cloud. Furthermore, this functionality requires changes to the applications or the installation of software agents, which can be overcome by hackers. A digital twin with full knowledge of the original interface detects the sensitive payload on the fly and removes it automatically and transparently, for both the original entity and external malicious agents.

Automated transparent encryption, to prevent bugs, problems or omissions in the original entity from leaking information to the external world.

Adjusting the values of incoming data to prevent damage to the original entity, as in the Stuxnet example.

Protection of critical disaster recovery backups or the organization's data from ransomware attacks.
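Two of the manipulator-twin examples above (on-the-fly obfuscation of card data in outgoing traffic, and adjusting incoming values so they cannot damage the original) as one added example that is not code from the page or any product. The twin wraps a stand-in controller, clamps an inbound setpoint into a safe envelope, and masks Luhn-valid card numbers in the response; the original sees only safe values and the outside sees only masked data. The safe range, the sample response text and the card numbers are constructed values.

```python
"""Manipulator twin: added example, not code from the page or any product."""
import re

# Constructed safe envelope for an inbound setpoint (an assumption for the demo).
SAFE_RANGES = {"rpm": (0, 1400)}

# Runs of 13-19 digits are candidate card numbers; the Luhn check filters false hits.
_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid digit run, keeping only the last four digits."""
    def mask(m):
        s = m.group(0)
        return "*" * (len(s) - 4) + s[-4:] if luhn_ok(s) else s
    return _PAN_RE.sub(mask, text)


def clamp_inbound(params: dict) -> tuple[dict, list[str]]:
    """Pull out-of-envelope values back inside and report what was adjusted."""
    adjusted, notes = dict(params), []
    for key, (lo, hi) in SAFE_RANGES.items():
        if key in adjusted and not lo <= adjusted[key] <= hi:
            clipped = min(max(adjusted[key], lo), hi)
            notes.append(f"{key}: {adjusted[key]} -> {clipped}")
            adjusted[key] = clipped
    return adjusted, notes


def original_controller(params: dict) -> str:
    """Stand-in original: echoes the setpoint plus a constructed billing note.
    The second number deliberately fails Luhn so it must survive redaction."""
    return (f"rpm set to {params['rpm']}; billed to 4111111111111111, "
            f"ticket 1234567890123456")


class ManipulatorTwin:
    """Sits in front of the original and rewrites both directions of traffic."""

    def __init__(self, original):
        self._original = original
        self.audit: list[str] = []

    def call(self, params: dict) -> str:
        safe, notes = clamp_inbound(params)
        self.audit.extend(notes)
        raw = self._original(safe)        # the original only ever sees safe values
        return redact_pans(raw)           # the outside only ever sees masked data


if __name__ == "__main__":
    twin = ManipulatorTwin(original_controller)
    print(twin.call({"rpm": 90000}))
    print(twin.audit)
```

The Luhn filter is what keeps a generic "long digit run" rule from mangling ticket numbers and similar identifiers; the audit list records every inbound adjustment so that a clamped setpoint can be investigated rather than silently absorbed.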

Digital twins have been a very powerful concept for managing the physical world and connecting physical things to the virtual cloud environment. Now, the twins can help us guard and protect all things – virtual and physical – from cyber attacks of all kinds. The urgency is great in the view of rapidly expanding Metaverse environments, where real people are the original entities.

Record users.
Mirror them.
Identify potential risk.


Team twin uses artificial intelligence and machine learning models to create an exact digital replica of a person or object, then monitors its performance in real-time.


Continuous authorization measures meet endless authentication.

By having a constant stream of information about the behavior of people or objects, these digital copies can help organizations detect suspicious activities before they become a serious threat.


The advantage of using digital twins is that they allow businesses to gain insights into how people and machines interact with their systems and data. This helps organizations identify potential risks and anomalies more quickly, which reduces the time it takes them to respond to security threats. Additionally, it enables organizations to address issues immediately as they arise instead of waiting for them to escalate and cause further damage.


Digital twins also provide robust authentication and authorization measures that can be used for granting access rights, preventing unauthorized access and validating user credentials. With this extra layer of protection, businesses are able to protect their networks from attacks from both internal and external sources more effectively than by relying on traditional methods alone. Furthermore, digital twins can be used for monitoring the overall health of an organization's network infrastructure as well as individual users' activity within it. This will ensure that any suspicious activity can be identified sooner rather than later.
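The team-twin idea of a per-person behavioural copy that is scored continuously, as an added example (not code from the page or any product): each user gets a running profile of login hour, bytes moved and countries seen, and every new event is compared against that profile before it is folded in. The event stream, the history threshold and the z-score limit are constructed values chosen for the demo, not a model the page describes.

```python
"""Team-twin style behavioural baseline: added example, not the page's code."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed event stream: (user, hour_of_day, bytes_out, country)
EVENTS = [
    ("dana", 9, 12_000, "NL"), ("dana", 10, 15_000, "NL"), ("dana", 11, 9_000, "NL"),
    ("dana", 14, 13_000, "NL"), ("dana", 16, 11_000, "NL"), ("dana", 9, 14_000, "NL"),
    ("dana", 3, 950_000, "BR"),      # the event we expect to be flagged
]

MIN_HISTORY = 5        # do not score until the profile holds this many events
Z_LIMIT = 3.0          # flag when a numeric feature is this many std devs out


class UserTwin:
    """Running profile of one principal: the mirror that new events are scored against."""

    def __init__(self):
        self.hours: list[int] = []
        self.bytes: list[int] = []
        self.countries: set[str] = set()

    def score(self, hour: int, bytes_out: int, country: str) -> list[str]:
        findings = []
        if len(self.hours) < MIN_HISTORY:
            return findings                      # not enough history yet
        if country not in self.countries:
            findings.append(f"new country {country}")
        for name, hist, value in (("hour", self.hours, hour),
                                  ("bytes", self.bytes, bytes_out)):
            sd = pstdev(hist)
            if sd == 0:                          # constant history: any change is new
                if value != hist[0]:
                    findings.append(f"{name} {value} never seen before")
                continue
            z = abs(value - mean(hist)) / sd
            if z > Z_LIMIT:
                findings.append(f"{name} {value} is {z:.1f} sd from baseline")
        return findings

    def learn(self, hour: int, bytes_out: int, country: str) -> None:
        self.hours.append(hour)
        self.bytes.append(bytes_out)
        self.countries.add(country)


def run(events):
    """Score each event against its user's twin, then fold benign events into
    the profile. Returns (user, findings) for every flagged event."""
    twins = defaultdict(UserTwin)
    alerts = []
    for user, hour, b, country in events:
        twin = twins[user]
        findings = twin.score(hour, b, country)
        if findings:
            alerts.append((user, findings))      # flagged events do not extend the baseline
        else:
            twin.learn(hour, b, country)
    return alerts


if __name__ == "__main__":
    for user, findings in run(EVENTS):
        print(user, findings)
```

Only unflagged events extend the baseline, which keeps one anomalous session from teaching the twin that 3 a.m. logins from a new country are normal; a real deployment would let an analyst decision, not the score alone, decide what is learned.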
