DOAJ Open Access 2025

Designing a security incident response process for self-sovereign identities

Leonhard Ziegler, Michael Grabatin, Daniela Pöhn, Wolfgang Hommel

Abstract

While self-sovereign identities (SSI) have been gaining more traction, the topic of SSI security has yet to be addressed. Especially regarding response procedures to security incidents, no prior work is available. However, incident response processes are essential to systematically respond to a security incident in a timely manner. We first evaluate the current state-of-the-art by conducting a literature survey and contacting organizations that offer SSI. The insights underpin the subject’s relevance, highlighting that incident response capabilities are just starting to be developed. Contributing to this development, we identify the challenges of building a security incident response process for SSI. Mainly, the decentralized nature inhibits the utilization of known best practices, which all focus on building a centralized incident response capability. However, even in the case of SSI, some centralized entities may exist. Therefore, we design two variants of SIR processes: one more centralized and one more decentralized. For the latter, the problem size is reduced in the first step by identifying all the stakeholders within an SSI ecosystem and then analyzing possible proactive and reactive measures each participant can access. This procedure leads to the grouping of SSI system participants into three distinct domains of incident response. For each domain, different capabilities for handling incidents are introduced depending on the involved stakeholders, their infrastructure, and their goals. To demonstrate the procedures, incident scenarios for each domain highlight the workflows during incident handling.

Authors (4)

Leonhard Ziegler

Michael Grabatin

Daniela Pöhn

Wolfgang Hommel

Citation Format

Ziegler, L., Grabatin, M., Pöhn, D., Hommel, W. (2025). Designing a security incident response process for self-sovereign identities. https://doi.org/10.1186/s13635-025-00195-6

Journal Information
Publication Year: 2025
Source Database: DOAJ
DOI: 10.1186/s13635-025-00195-6
Access: Open Access ✓