While such collaboration promises efficiency and better decision-making, it also introduces a fundamental cybersecurity challenge: how to share and grant access to digital resources and physical entities without losing control over them.

This challenge is not primarily about defending systems against external attackers. It is about ensuring that digital technologies support cooperation without eroding trust, responsibilities and legal boundaries. As digitalisation deepens, security becomes a prerequisite for collaboration rather than an afterthought.

Aarhus Festuge as an illustrative example

To explore these challenges in a realistic context, the project uses Aarhus Festuge, a large annual cultural festival, as a conceptual test case. Large public events involve many actors – including organisers, municipalities, police and emergency services – all operating under different legal and organisational frameworks.

Under normal conditions, access to digital resources is tightly controlled. In emergency situations, these constraints may need to change rapidly. Actors who would not normally have access to certain data may require temporary privileges to gain situational awareness and coordinate an effective response.

The case is not intended as a deployment scenario, but rather as a way to reason about how access rights, authority and responsibility should adapt dynamically in specific situations. It highlights the limitations of static security models and the need for more flexible approaches.

Security as a matter of constraint

The Secure4DTaaS project takes this challenge as its starting point. It explores how security mechanisms can support collaboration between independent organisations that rely on shared digital representations of complex systems. At its core lies a simple, yet demanding question: how can digital systems enable the right actors to collaborate at the right time without allowing everyone to do everything all the time?

As Professor Christian Damsgaard Jensen puts it:

“Security is not about what systems allow you to do. It is about defining what they must not allow. If we keep deploying technology without being explicit about who should have access to what, things can quickly get out of control.”

When digital platforms are deployed without clear boundaries, access rights tend to grow rather than shrink. This becomes particularly problematic when multiple organisations are involved, as traditional access-control mechanisms are designed for single-organisation settings.

Digital twins and shared responsibility

The project focuses on digital twins as a central example. Digital twins are software-based representations of physical assets, processes or systems that combine models with live data to mirror real-world behaviour and enable simulation, monitoring and prediction.

Within a single organisation, digital twins can be managed using established security practices. However, when they are shared across organisational boundaries, questions arise about ownership, access and responsibility.

Because digital twins inform decisions that affect physical systems and may impact human safety, access control is not only about protecting data but also about aligning access with responsibility. Existing platforms often support data sharing, but struggle to express why access should be granted in one situation and denied in another.

From platforms to policy-based security

Secure4DTaaS builds on the Digital Twin as a Service (DTaaS) platform developed at Aarhus University. The platform enables users to create and operate digital twins within isolated workspaces and connect them to external data sources and sinks.

Challenges arise when digital twins from different organisations must interact within a so-called system-of-systems context while maintaining distinct security policies.

As Christian Damsgaard Jensen explains:

“Most platforms assume that a single organisation is in control. The moment that assumption breaks, the existing security mechanisms become too blunt.”

Instead of assuming trust within a shared platform, the project explores how each workspace can enforce its own security policies. This reflects a “Zero Trust” approach, where no entity is trusted by default.

Rather than granting access solely based on identity, policies can define the conditions, purpose and duration of access. Security thus becomes a dynamic set of constraints that adapts to changing roles and situations.

Advancing concepts through explorative research

Secure4DTaaS is exploratory and does not aim to deliver a ready-to-deploy system. Instead, it investigates architectural principles for secure collaboration across organisational boundaries.

Postdoc Asim Ul Haq explains:

“We are not just adding another security layer. We are asking how security has to be designed when several organisations share the same digital environment, but not the same rules.”

Collaboration without losing control

Secure4DTaaS addresses a broader challenge: enabling collaboration without sacrificing control. This is increasingly important in complex systems where no single actor owns the full value chain.

Rather than offering immediate solutions, the project clarifies the conditions for secure collaboration. It shows that cybersecurity is not only about resisting attacks, but about shaping how digital systems enable cooperation.

As systems become more interconnected, the ability to define and enforce meaningful constraints may be just as important as the ability to connect them in the first place.

The project is supported by Thomas B. Thriges Fond