Generic Architecture Architecture Generic for Securely Securely - - PowerPoint PPT Presentation

Trusted Architecture for Trusted Architecture for Securely Shared Services Securely Shared Services

Generic Generic Architecture Architecture for for Securely Securely Managing Managing Employability & Healthcare Employability & Healthcare Personal Personal Information Information Services Services

Web: http://tas3.eu Email: tas3@ls.kuleuven.be TAS³ is an IST FP7 funded Integrated Project TAS³ contract number 216287 Duration: 1 Jan 2008 - 31 Dec 2011 Research budget: 13.200.000 € EC Funding: 9.400.000 €

Trusted Architecture for Securely Shared Services 2

What is TAS3 About?

• TAS3 focuses federated identity management
• TAS3 consolidates scattered research in

– Security, Trust, Privacy, Digital identities, Authorization, Authentication…

• TAS3 integrates adaptive business-driven end2 end

Trust Services based on personal information:

– Semantic integration of Security, Trust, Privacy components

• TAS3 provides dynamic view on application-level

end2 end exchange of personal data:

– Distributed data repositories

Trusted Architecture for Securely Shared Services 3

18 TAS3 Partners

• Coordinators:

– K.U.Leuven & Synergetics

• 9 Research Institutes:

– Universities of Eindhoven, Karlsruhe, Kent, Koblenz-Landau, Leuven, Nottingham, Brussel, Zaragoza – Consiglio Nazionale delle Ricerche

• 9 Companies & Organizations:

– Custodix, Eifel ASBL, Intalio Ltd, Kenteq, Medisoft, Oracle, Risaris Ltd, SAP Research, Synergetics

Trusted Architecture for Securely Shared Services 4

TAS3 Phased Approach

12 M 24 M 36 M 48 M 18 M 30 M 42 M

Final Versions AdvancedVersions First Versions

• f all TAS³

6 M

Phase I Phase II Phase III

Test bed phaseI Development II Test bed phaseII Test bed phaseIII Development I Requirements Analysis System Design / Architect . Def. Update of Requirements Update of System Design / Architecture Definition Baseline Setup Test Bed Setup Final Docum .

increasing functionality as well as deepness

• f integration

Development III

• f all TAS³ services
• f all TAS³ services

services services services services services services

Trusted Architecture for Securely Shared Services 5

Co Cont ntext M t M Co Cont ntext K t K Co Cont ntext L t L

M8 L3 L4 K5 M7

M6

M5

K3

K1

M2

M10

10

M12

12

M9 L1

M4

Support for Cross-Context Adaptable Business Processes!

K4 M11

11

M1

M3

L2

L5 K2

Trusted Architecture for Securely Shared Services 6

TAS3’s 4 Core Layers

• Layer 1 – Authentication

– Federated identities

• Layer 2 – Authorization

– Federated attributes

• Layer 3 – Trustworthiness & Reputation scores

– End-user controlled – Fine-grained role-based

• Layer 4 – Data-protection policy enforcement

– Sticky policies associated with information elements

Trusted Architecture for Securely Shared Services 7

Business Process

Service Requester Directories Service Provider

Trusted Architecture for Securely Shared Services 8

Business Process

Service Requester Directories Service Provider

Trusted Architecture for Securely Shared Services 9

Business Process

Service Requester Directories

TAS3 Registry

• Service Providers
• Service Types
• IdPs

TAS3 Exit Point

Service Provider

Credential Clearing PDP Response Preparer Credentials Clearing PEP TAS3 Entry Point Actual Application Engine Authentication Authorities (IdPs) Service Provider Process Engine Trust & Privacy Negotiator External Log Analysis Service Dash Board

• Audit Aspects
• Policy Aspects

Policies Verifier Authorization, Trust & Reputation Authorities Response Verifier Audit Guard Obligations Watchdog Request Verifier Dash Board

• Audit Aspects
• Policy Aspects

Request Preparer Policies Verifier Service Requester Process Engine Audit Guard Obligations Watchdog

Trusted Architecture for Securely Shared Services 10

Business Process

Service Requester Directories

TAS3 Registry

• Service Providers
• Service Types
• IdPs

TAS3 Exit Point

Service Provider

Credential Clearing PDP Response Preparer Credentials Clearing PEP TAS3 Entry Point Actual Application Engine Authentication Authorities (IdPs) Service Provider Process Engine Trust & Privacy Negotiator External Log Analysis Service Dash Board

• Audit Aspects
• Policy Aspects

Policies Verifier Authorization, Trust & Reputation Authorities Response Verifier Audit Guard Obligations Watchdog Request Verifier Dash Board

• Audit Aspects
• Policy Aspects

Request Preparer Policies Verifier Service Requester Process Engine Audit Guard Obligations Watchdog

Trusted Architecture for Securely Shared Services 11

Trusted Employability Platform

Trusted Em ployability Platform Trusted Em ployability Platform

Employability Portfolio

Certification Services

Schools Training Institutes Private Employment Services Public Employment Services Employability Service Providers Companies Universities Social Security Services Social Network Employability Repository

Trusted Architecture for Securely Shared Services 12

Services

• Repositories with

(Personal) Health Records

• Registries
• …

Security Services

• Authentication
• Credentials
• Auditing
• …

Parties

• Primary care
• Secondary care
• Home care

Associations

• Patient
• Professional
• Scientific

Healthcare Demonstrator Platform

Patient

Trusted Healthcare Platform Trusted Healthcare Platform

Legal & Ethical

Trusted Architecture for Securely Shared Services 13

eHealth – Break the Glass Service

• Break-the-Glass service

– Only activated after strong authentication – Triggers advanced & fine grained monitoring – Audit trail provides hard evidence Policy Decision Point Patient Record

• 1. (6). Access patient record
• 2. Denied 8. Granted
• 3. Break the Glass
• 4. Enforce Data

Protection Policy

• 5. Granted

Audit Trail

• 7. Retrieve Record

Policy Enforcement Point Obligations Service Data Protection Policy Guard

Trusted Architecture for Securely Shared Services 14

Contact Information

• Web: http://tas3.eu
• Email: tas3@ls.kuleuven.be