I would like to give a very simple example. This example is both a real-world use case and real-world adoption in the US pharma supply chain. What's interesting is that finding these kinds of use cases, where people are actually putting this technology into production now, is really a big challenge, finding the needle in the haystack. So we reviewed hundreds and hundreds of use cases, but of all the use cases we've done, this is the only one that's going into production right now. And this is the endpoint security use case in the US pharma supply chain.
I think we discussed it a bit in the preamble: all the AI-powered cyber attacks, and then you have initial access brokers and ransomware as a service, big problems. And what Frost & Sullivan are saying is that the biggest struggle, API endpoint security, is the building blocks of authentication and authorization, especially in open systems. That's the example we are bringing today: how to solve this problem in an open system.
About Spherity: Spherity was founded in 2017. We are focusing on what we call cloud edge identity, wallets, and credentialing services.
I will show you an example of credentialing services in the US supply chain. As this is kind of a commodity technology, it's being needed for energy, mobility, public services and government, with a couple of clients from different industries. But what's interesting in the pharma industry is that it's an industry where the adoption is already here. I think that's one of the most advanced industries in our portfolio. I think we all know that there is payment fraud in payment processing and in companies, especially in Germany with the Corona subsidy fraud.
And then we have the counterfeiting mafia with fake products. The only way to solve this is to work with signed data, to prove authenticity and integrity. It's the same tool we also need for API endpoint security. And Martin, you mentioned you have been discussing decentralized identity and verifiable credentials. This is what we are also supplying in the US pharma supply chain.
So we have an issuer, an issuer that verifies the identity of a pharma company, an issuer that can verify the license status: is a pharma company allowed to manufacture pharmaceuticals, is the wholesaler allowed to sell pharmaceuticals and does it have a license. This is what the issuer does.
Then the wholesaler or manufacturer can present some credential to a machine. The machine makes an access decision and then provides access to data and services. I'll show you in a minute how this works. I think what is of utmost importance in terms of API security and open systems is that this must be built on open standards, because if there's a proprietary or insider solution, the chance to adopt it on a broader base across other systems is almost zero. For that reason, it must be built on standards.
These standards can be used for identity for humans, for organizations, but also for systems. I'll show you how it works. When a system Alice and a system Bob exchange credentials, they can prove they belong to a company, they can prove the company has a license credential from the FDA, for example, and then you provide access to some services. I think the key design input here is that the network is always hostile, whatever is in between one security infrastructure and some other infrastructure.
The key design principle is: the network is always hostile. Then I have some agents that have a control plane and a data plane, and on the control plane you can inject some API endpoint security instruments. So we are doing this with decentralized identity in the US pharma supply chain. I would like to briefly mention, because there are probably a lot of other talks on zero trust architecture, that these design principles have been requested by the Food and Drug Administration in the US.
Because with all the hacks of the pipelines and so on, zero trust architecture is of utmost importance. What's also interesting in zero trust architecture is that you have three pillars: identity governance, then a network segmentation pillar, and then zero trust architecture elements on a software-defined network layer. So we took two of these layers and combined them with what we are doing for the US Drug Supply Chain Security Act. So this is basically an enabling component and a subset.
Zero trust is a lot of components, because the industry would like to sell the SIEM system, CDM, threat analysis and activity log systems. That's what we basically call enabling systems. Then you have the policy enforcement point, policy administrator and policy engine, and in the US people have basically adopted DIDs and verifiable credentials, decentralized identity, to process them in the policy administrator and the policy engine to make a policy decision: whether this gateway should give access to data or a service.
You can also distinguish between an agent and a gateway; that's probably a little bit too much. But this is how it looks: I have a company service of a requester, I have a company service of a responder, I have the hostile network in between, and then I have a requester agent or gateway. What I'm basically doing is blending credentials into an existing requester service of company one.
So basically I include my license credentials, my identity credentials and some other credentials when I send a request to the responder, so that the gateway of the responder can process it and check with the policy administrator: does my counterpart, company one, requesting a service, have the proper credentials to access my service?
If yes, I fetch the response, I determine the response and send a response message back. And on the incoming side it's the same. The principle is fully built on symmetry, because it's not enough that I as company one provide my credentials so that the company two control plane can decide whether to provide me access to this data or not. The other way around, when I receive a data response, I also need to check the credentials of the counterparty: do I trust it, is it really the counterpart that's now sending the response? It's really going in both directions.
So when I get the response, I have to check the same: the authenticity, integrity and authorization of the counterparty. Only then, when I receive the data via my REST API, can I trust it and the whole system. This is a little bit abstract, but here in the US this is a concrete example: the US Drug Supply Chain Security Act. This was basically put in place by Barack Obama, I think in 2013.
What the Drug Supply Chain Security Act is saying is that when a wholesaler and a manufacturer in the pharma supply chain exchange data, then, for example, this is the use case: when I have a so-called saleable return, I get back a pharmaceutical package. I must scan it, because I don't know if someone tampered with the package, or if it's a duplicate of a counterfeited package with the same serial number. For that reason I must scan the machine-readable serial number, I need to resolve the service endpoint of the manufacturer,
and I must send a PI, product identity verification, message to the manufacturer. When I get the response back, I can process the pharmaceutical package further. And it's not only a mandatory requirement for wholesalers, but also for dispensers and pharmacies, because they must do a malicious product check. And they must prove that they're authorized: when they send a malicious product check to the manufacturer, they must provide proof that they're authorized, that they have a license.
For example, the wholesaler has a license from the state board of pharmacy to wholesale drugs. And that's a very interesting topic: for example, Obama's legislation already put a requirement in place so that in, for example, the saleable return use case, the counterpart must check the ATP status, the trading partner status, of their counterparty. In the past there has been so much fraud in the pharma supply chain, and deaths, people dying, all these problems, and for that reason there are huge requirements now to be fulfilled by the industry.
In addition, the US Drug Supply Chain Security Act is also saying that the product must be serialized, and serialization identifiers must be machine-readable so that I can scan them and automate the full process. That's also very important, because we foresee that the same instruments of the Drug Supply Chain Security Act will be adopted by other industries as well. But bottom line, Barack Obama's legislation basically said: when you would like to do a PI verify, product verification message, then you must prove you're an authorized trading partner.
For that reason you need verification instruments. The industry in the US has experience with decentralized solutions, because part of the existing infrastructure is decentralized, there is even a blockchain being adopted here, because the industry did not want a centralized player that gets full supply chain transparency and visibility. When all these requests are sent to a centralized player, then it's the Google of the supply chain, because they get all the scanning requests and lookup requests, full transparency. And this is how the industry has solved it today.
So here's a wholesaler, and there's an infrastructure in place, verification routing service providers, and they have a decentralized lookup directory. That's important: it's decentralized, which means there's no centralized party who gets all the lookup requests. So the industry already has decentralized technology in place. This is how it works today.
I get a pharmaceutical package back at the wholesaler. The wholesaler scans the GS1 2D DataMatrix, and now the wholesaler has to send the PI verify request. It's being forwarded to the VRS infrastructure.
The VRS is doing the lookup, forwarding it to the endpoint, and then the VRS endpoint of the manufacturer is looking up in a database whether there are problems with the cm of the product and sending a response. The big problem here is that there are huge cyber-physical or other IT risks and vulnerabilities, because nothing is protected in terms of authenticity and integrity of the messages: something is manipulated here, or manipulated between the two VRSs, or a fake wholesaler is just sending a PI verify request, or is doing this in the name of a counterpart or a competitor.
Then as a manufacturer you cannot check it; you can't check the authenticity. And what US pharma people are now doing is introducing decentralized identity to bring the endpoint security to the next level. Here I'm talking about these endpoints.
So when a wholesaler is doing the lookup and sending the PI verify request to the endpoint of the manufacturer, then the endpoint of the manufacturer must be able to check the identity of the wholesaler and must be able to check whether the wholesaler is authorized, which means the wholesaler has a license credential from the state board of pharmacy that it's allowed to resell or to wholesale drugs, and the same for dispensers and pharmacies.
So with using DIDs and verifiable credentials, the manufacturer now has the instruments to check the authenticity of the wholesaler and to check whether they're authorized, because our system basically blends an ATP, authorized trading partner, credential with the PI verify message as the presentation, and the manufacturer can check it. When this is checked, the identity is checked and the authorization, the ATP status, is checked, then they provide access to the database. They send a PI response, and the same thing is then happening on the wholesaler side.
The wholesaler is also checking: is this authentically coming from, for example, Novartis, Johnson & Johnson, Pfizer, BMS or some other manufacturer, and does the manufacturer have an ATP license? When I give you the example of Novartis or Johnson & Johnson, it sounds a little bit weird, because you think, okay, they're big players, but they also have subsidiaries, they have contract manufacturing, divestitures and acquisitions and mergers. For that reason the lookup of all the entities is super complex with all the CMOs.
That's the reason why the industry decided to use decentralized technology to blend identity credentials and also authorized trading partner credentials with the existing systems to protect the endpoint here for the PI response. I would like to close with some final remarks. This does not work, of course, if there's a proprietary solution or a silo approach; this is an open-standards-based solution. I mentioned some W3C standards, and now there's something called the Open Credentialing Initiative.
The Open Credentialing Initiative is maintaining all the conformance criteria for credential issuers, for wallet providers, for VRS providers, for how to integrate and adopt the system. There's a huge chunk of players that are now adopting the technology and supporting the Open Credentialing Initiative to get the standards in place. What's also interesting: it doesn't even help to have, let's say, the API endpoint protection standards defined based on W3C DIDs; the success factor here was that this was entirely blended with GS1 standards.
So you take some identity credential and authorization standards from the broader internet and blend them with industry standards for secure supply chains. I think this blending of the two standards together was really the critical success factor in rallying the industry behind the solution, and why this worked.
I mentioned that's now in production for so-called saleable returns, and it's now being adopted, or at least being prepared, for other use cases: order to cash, product recall, product recall still being a big problem not only for pharma but for other industries as well, and malicious product checks. I think this use case will eventually also be used for product pricing, but that's further down the road. So bottom line, we didn't protect highly sophisticated endpoints.
We protected very basic endpoints for so-called PI messages with decentralized technology and an open system. That's among the first use cases being adopted. But as you see here in Europe, there are a lot of other consortia, IDunion, Sland, Gaia-X, and some other research projects, that are trying to push the same technology across the chasm, to adopt it for authentication and authorization on the control plane and to improve endpoint security.
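As an added illustration (not code from the talk, from Spherity or from the OCI specifications), here is a minimal model of the symmetric gateway check the speaker describes: an ATP credential from a trusted issuer is blended with a PI verify message, bound to its presenter, and the receiving side checks issuer trust, credential integrity, expiry, holder binding and role before touching the payload. HMAC-SHA256 with shared keys stands in for the asymmetric proofs of real DIDs and verifiable credentials; all DIDs, keys and the PI message fields are constructed for this example.

```python
import hmac, hashlib, json

# Constructed trust registry: issuer DID -> issuer signing key. HMAC is a stand-in for the
# public-key proof of a real verifiable credential (assumption of this example).
TRUSTED_ISSUERS = {"did:example:state-board-of-pharmacy": b"board-key",
                   "did:example:fda": b"fda-key"}
# Stand-in for DID resolution: holder DID -> key that binds a presentation to its presenter.
HOLDER_KEYS = {"did:example:wholesaler-1": b"wholesaler-1-key",
               "did:example:manufacturer-1": b"manufacturer-1-key",
               "did:example:mallory": b"mallory-key"}

def _proof(key, obj):
    # Canonical JSON so both sides compute the proof over identical bytes.
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def issue_atp_credential(issuer_did, subject_did, role, valid_until):
    """Issuer (e.g. a state board of pharmacy) attests the subject's ATP status."""
    claims = {"issuer": issuer_did, "subject": subject_did, "role": role, "validUntil": valid_until}
    return {"claims": claims, "proof": _proof(TRUSTED_ISSUERS[issuer_did], claims)}

def build_envelope(holder_did, credential, payload):
    """Gateway blends the ATP credential with the PI message and binds the whole
    presentation to the presenter, so tampering in the hostile network is detectable."""
    pres = {"holder": holder_did, "credential": credential, "payload": payload}
    return {"presentation": pres, "holderProof": _proof(HOLDER_KEYS[holder_did], pres)}

def verify_envelope(envelope, required_role, now):
    """Policy check run by whichever side receives a message (same code in both directions).
    Returns (allowed, reason); the caller only processes the payload if allowed."""
    pres = envelope["presentation"]
    claims = pres["credential"]["claims"]
    issuer_key = TRUSTED_ISSUERS.get(claims["issuer"])
    if issuer_key is None:
        return False, "untrusted issuer"
    if not hmac.compare_digest(pres["credential"]["proof"], _proof(issuer_key, claims)):
        return False, "credential integrity check failed"
    if claims["validUntil"] < now:
        return False, "credential expired"
    if claims["subject"] != pres["holder"]:
        return False, "credential not bound to presenter"
    holder_key = HOLDER_KEYS.get(pres["holder"])
    if holder_key is None or not hmac.compare_digest(envelope["holderProof"], _proof(holder_key, pres)):
        return False, "presenter authenticity check failed"
    if claims["role"] != required_role:
        return False, "not authorized for this operation"
    return True, "ok"

def handle_pi_verify(envelope, now):
    """Manufacturer gateway: only an authorized wholesaler may query the serial database."""
    allowed, reason = verify_envelope(envelope, "wholesaler", now)
    if not allowed:
        return {"status": "denied", "reason": reason}
    return {"status": "ok", "serial": envelope["presentation"]["payload"]["serial"]}
```

The wholesaler runs the same `verify_envelope` with `required_role="manufacturer"` on the PI response, which is the symmetry the talk insists on.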