Zero Trust

Security as a fundamental architectural principle

Modern digital identity infrastructures require security architectures that are not based on implicit trust. The so-called zero-trust principle assumes that no component within a system should automatically be regarded as trustworthy. Every interaction, every data transfer and every access must be continuously checked and verified.

This security model has been described, amongst other things, in the National Institute of Standards and Technology’s Cybersecurity Framework, specifically in the NIST SP 800-207 guideline, which defines the basic architectural model for Zero Trust systems.

Our technologies consistently follow this approach.

Zero Trust as the foundation of our entire system architecture

We take a holistic zero-trust approach to all components of our technological infrastructure. This approach applies to every level of our systems.

These include, in particular

  • our self-service identification devices
  • the communication links to these devices
  • our management systems
  • Partner and customer portals for remote system management
  • internal system architectures and interfaces
  • Integrations with external specialist systems and platforms.

No part of our infrastructure relies on implicit trust. Every communication, every system interaction and every administrative action is independently verified, authenticated and logged.

Our architecture is therefore based on the principle that trust is not taken for granted, but is continuously verified.

Audit compliance and full traceability

A key component of our security strategy is the full traceability of all system activities.

Our systems record all relevant processes in an audit-proof manner. All system-related events, transactions and administrative actions are permanently documented and stored in a way that allows for auditing.

One example of this is the specialised logging mechanisms within our device architecture, which record all movements and system interactions in a tamper-proof manner. These logs ensure that all relevant events during an identification process are fully and transparently documented.

Our central archive and administration systems also follow this principle. Our core system, MIDAS Core, forms the audit-proof foundation of our entire system architecture and ensures the permanent, traceable and verifiable storage of all relevant processes within the platform.

The audit-proof documentation of identification processes is also an integral part of our patented system architecture. Our patents cover not only automated identification methods, but also mechanisms for tamper-proof logging and archiving of the resulting transactions.

This architecture ensures that all activities remain auditable at all times and comply with both technical and regulatory requirements.

Relation to regulatory requirements

The consistent implementation of a zero-trust model also supports compliance with key regulatory frameworks for digital identity and trust systems.

These include, in particular

  • the requirements of the eIDAS Regulation on electronic identification and trust services
  • the requirements of the General Data Protection Regulation (GDPR)
  • technical guidelines issued by the Federal Office for Information Security, in particular BSI TR-03107 and BSI TR-03110
  • secure communication standards used by public authorities, such as OSCI
  • as well as procedures for qualified electronic signatures.

By combining zero-trust architecture, audit-proof system documentation and standardised security mechanisms, our technologies can be deployed even in highly regulated environments.

Comprehensive security architecture

For us, Zero Trust is not a single technical feature, but a fundamental principle of system development.

All components of our platform are developed on the assumption that every interaction could potentially be insecure and must therefore be verified. This principle enables robust, verifiable and long-term trustworthy identity infrastructures for public administration, the financial sector and businesses.

Our security architecture is therefore consistently based on the principle that trust is not taken for granted, but must be technically verifiable at all times.