In our previous article, we imagined a digital world where trust is no longer a luxury, but a default property of the internet itself — a pervasive Trust Fabric woven into every interaction. But visions alone don’t secure a society or a platform. Translating aspiration into reality requires a rigorous examination of the technical and organizational machinery needed to evolve today’s largely stateless internet into one that is resilient, verifiable, and secure-by-design.

What follows is an architectural tomography of a secure-by-design network, one that classifies every digital actor, from humans to devices to services, and assigns each a clear role in an ecosystem built on verifiable identity. Securing the internet is analogous to securing a house in layers: one can protect individual valuables, specific rooms, or the entire structure. The architecture outlined here focuses on securing the “whole house”, the underlying network itself, so that every room inside becomes safer by default.

An emerging picture

Before exploring the architecture, it’s worth acknowledging an industry-wide reality: fully integrated, end-to-end implementations of this model are still emerging. This reflects less a question of intent than one of scale, interoperability, legacy constraints, and the inherent complexity of global communications infrastructure.

Significant components already exist. Apple and Google have demonstrated what is possible in user authentication through passkeys and platform-bound credentials (Apple, 2023; Google, 2022). Telecommunications providers, including Bell, Rogers, AT&T, and Telstra, have continued to strengthen device authentication, SIM-based identity, and network access controls through mechanisms such as EAP-TLS and 5G authentication frameworks (3GPP TS 33.501; GSMA, 2023).

What remains challenging is integrating these advances into a single, continuous trust chain, one in which every link is cryptographically verifiable across organizational and network boundaries. Rather than a simple chain, trust behaves more like a load-bearing structure: if even one critical component cannot be verified, end-to-end assurance becomes difficult to sustain.

This challenge is amplified by the foundations of the internet itself. Many core protocols, including IP, SIP, and SMTP, were designed in an era that prioritized reachability and resilience over explicit identity and state (RFC 791; RFC 3261). Modern systems must therefore thoughtfully layer identity, attestation, and policy enforcement onto protocols never designed for today’s threat landscape.

A taxonomy of trust

The architecture we propose organizes the internet into a hierarchy of trust, with each layer building on the verifiable guarantees provided by the one beneath it. At the heart of this model is a simple vertical stack that begins with the human user and extends to the services they consume.

1. The user: Human identity as the anchor

Every secure interaction begins with a person. Instead of relying on passwords, widely recognized as fragile, reusable, and phishing-prone (NIST SP 800-63B), users increasingly authenticate using Verifiable Credential (VC) wallets and FIDO2 passkeys.

Looking ahead, Decentralized Identifiers (DIDs) cryptographically bound to individuals offer a path toward user-centric identity without reliance on a single central authority (W3C DID Core, 2022).

2. The device: The trusted hardware agent

A verified user is only as trustworthy as the device they use. Modern hardware increasingly includes Trusted Platform Modules (TPMs) and Trusted Execution Environments (TEEs) capable of producing hardware-backed attestations — effectively a digital “health certificate” for the device (TCG, 2021).

Software-only authentication remains widespread, leaving exposure to malware, rootkits, and supply-chain compromise (ENISA, 2023).

3. Network access: The front door

The first operational control point is network admission. Only authenticated devices should connect, using mechanisms such as SIM-based authentication (EAP-AKA) or certificate-based approaches like EAP-TLS (3GPP TS 33.501; GSMA, 2023).

Establishing identity at network entry creates stronger assurance throughout the session.

4. Policy and gateways: The control tower

Once inside the trusted zone, traffic flows through an Identity & Attestation Gateway that enforces policy by consulting:

  • a policy engine defining authorization and context-aware rules;
  • a DID resolver verifying identities against tamper-resistant registries;
  • attestation services validating device and workload integrity.

Mutual authentication, conceptually similar to mTLS, becomes the backbone of this trust model (RFC 8705).
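As an added example (not code from the article or its authors), the following Python sketches how such a gateway evaluates the four layers above as a load-bearing chain, denying the request at the first link that cannot be verified. It models passkey and TPM attestation-key signatures with HMAC over constructed keys, and the DID registry, attestation keys, admission set, nonce and policy values are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed trust anchors the gateway is configured with (not real keys).
DID_REGISTRY = {"did:example:alice": b"alice-passkey-secret"}      # DID resolver
ATTESTATION_KEYS = {"tpm-ak-0001": b"device-ak-secret"}            # attestation service
NETWORK_ADMITTED = {"tpm-ak-0001"}                                 # EAP-TLS/AKA outcome
POLICY = {"payments": {"min_firmware": 2, "require_secure_boot": True}}  # policy engine

def sign(key: bytes, claims: dict) -> str:
    """Stand-in for a passkey/TPM signature: HMAC over canonical JSON (assumption)."""
    return hmac.new(key, json.dumps(claims, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def verified(key: bytes, claims: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(key, claims), sig)

def make_request(service, did, user_key, ak_id, ak_key, nonce, firmware, secure_boot):
    """Client side: user credential and device attestation, both bound to the gateway's nonce."""
    user = {"did": did, "nonce": nonce}
    device = {"ak_id": ak_id, "nonce": nonce, "firmware": firmware, "secure_boot": secure_boot}
    return {"service": service,
            "user": {"claims": user, "sig": sign(user_key, user)},
            "device": {"claims": device, "sig": sign(ak_key, device)}}

def gateway_decision(request: dict, nonce: str):
    """Evaluate the chain in order; the first unverifiable link denies the request."""
    u, d = request["user"], request["device"]
    # 1. User: resolve the DID to its registered key; the credential must carry our nonce.
    key = DID_REGISTRY.get(u["claims"].get("did"))
    if key is None or u["claims"].get("nonce") != nonce or not verified(key, u["claims"], u["sig"]):
        return False, "user credential not verifiable"
    # 2. Device: attestation signed by a registered attestation key and bound to the same nonce.
    ak = ATTESTATION_KEYS.get(d["claims"].get("ak_id"))
    if ak is None or d["claims"].get("nonce") != nonce or not verified(ak, d["claims"], d["sig"]):
        return False, "device attestation not verifiable"
    # 3. Network access: the device must have passed admission at the front door.
    if d["claims"]["ak_id"] not in NETWORK_ADMITTED:
        return False, "device not admitted at network entry"
    # 4. Policy engine: context-aware rules over the now-trusted claims.
    rule = POLICY.get(request["service"])
    if rule is None:
        return False, "no policy for service"
    if rule["require_secure_boot"] and not d["claims"]["secure_boot"]:
        return False, "policy: secure boot required"
    if d["claims"]["firmware"] < rule["min_firmware"]:
        return False, "policy: firmware below minimum"
    return True, "all links verified"
```

Binding both the credential and the attestation to a gateway-issued nonce is what stops a captured request from being replayed later; altering any signed claim after the fact breaks that link and the whole chain fails.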

Illustrative applications

In financial services, impersonation fraud costs billions annually (FBI IC3, 2023). In a high-assurance network, spoofed calls lacking cryptographic identity are blocked before reaching the customer.

In healthcare, data integrity directly impacts patient safety. Medical devices become trusted agents, and compromised devices can be isolated automatically through Remote Attestation Services (FDA, 2023).

Open components in the trust chain

Despite progress, several elements remain inconsistently integrated:

  • deeper integration of SIM and eSIM identities;
  • unified trust across enterprise identity environments;
  • secure identity-bound OAuth flows;
  • network-enforced cryptographic certificates for IoT;
  • stronger identity enforcement at network boundaries.

Our perspective

The shift from hoping to proving identity will define the next decade. Telecommunications providers are uniquely positioned to anchor this evolution at the access layer where identity, hardware, and connectivity converge.

By embedding identity and integrity into the network’s DNA, we move toward an internet where trust is not assumed, but proven — a foundational property of the infrastructure itself.

In our next article — Part III: Living in a trusted fabric — we will explore the human dimension of this transformation.


About the authors

Dave Richards: Dave is a visionary in the field of communications and technology, currently serving as CGI Vice-President and global industry leader in the communications and media industry. In recognition of his vast contributions, CGI honored Dave with a CGI Builder Award in 2019, a testament to his dedication and commitment to excellence. His passion for driving innovation and transformation in the industry continues to inspire those around him to this day.

Yajnavalkya Bhattacharya (external author): Yaj Bhattacharya is an Enterprise Solutions Architect and Cybersecurity Strategist with 30+ years of experience. He helps organizations modernize enterprise architecture by aligning integration, managing risk, and ensuring compliance to build secure, resilient digital ecosystems.


For more information on CGI’s security services, contact us.