Generic Architecture to Securely - PowerPoint PPT Presentation


SLIDE 1

Trusted Architecture for Securely Shared Services

Generic Architecture to Securely Manage Employability, Healthcare & Personal Information Services

  • Web: http://tas3.eu
  • Email: tas3@ls.kuleuven.be
  • TAS³ is an IST FP7 funded Integrated Project
  • TAS³ contract number 216287
  • Duration: 1 Jan 2008 - 31 Dec 2011
  • Research budget: 13.200.000 €
  • EC Funding: 9.400.000 €

SLIDE 2

What is TAS3 About?

  • TAS3 focuses on federated identity management
  • TAS3 consolidates scattered research in
    – Security, Trust, Privacy, Digital identities, Authorization, Authentication…
  • TAS3 integrates adaptive business-driven end-to-end Trust Services based on personal information:
    – Semantic integration of Security, Trust, Privacy components
  • TAS3 provides a dynamic view on application-level end-to-end exchange of personal data:
    – Distributed data repositories

SLIDE 3

18 TAS3 Partners

  • Coordinators:
    – K.U.Leuven & Synergetics
  • 9 Research Institutes:
    – Universities of Eindhoven, Karlsruhe, Kent, Koblenz-Landau, Leuven, Nottingham, Brussel, Zaragoza
    – Consiglio Nazionale delle Ricerche
  • 9 Companies & Organizations:
    – Custodix, Eifel ASBL, Intalio Ltd, Kenteq, Medisoft, Oracle, Risaris Ltd, SAP Research, Synergetics

SLIDE 4

TAS3 Phased Approach

[Figure: project timeline marked at 6 M, 12 M, 18 M, 24 M, 30 M, 36 M, 42 M and 48 M, divided into Phase I, Phase II and Phase III, with First Versions, Advanced Versions and Final Versions of all TAS³ services, and increasing functionality as well as deepness of integration. Activities shown: Requirements Analysis; System Design / Architect. Def.; Baseline Setup; Test Bed Setup; Development I; Test bed phase I; Update of Requirements; Update of System Design / Architecture Definition; Development II; Test bed phase II; Development III; Test bed phase III; Final Docum.]

SLIDE 5

Support for Cross-Context Adaptable Business Processes!

[Figure: three contexts, Context M, Context K and Context L, containing process nodes M1–M12, K1–K5 and L1–L5.]

SLIDE 6

TAS3’s 4 Core Layers

  • Layer 1 – Authentication
    – Federated identities
  • Layer 2 – Authorization
    – Federated attributes
  • Layer 3 – Trustworthiness & Reputation scores
    – End-user controlled
    – Fine-grained role-based
  • Layer 4 – Data-protection policy enforcement
    – Sticky policies associated with information elements

SLIDE 7

[Diagram labels: Business Process; Service Requester; Directories; Service Provider]

SLIDE 8

[Diagram labels: Business Process; Service Requester; Directories; Service Provider]

SLIDE 9

[Architecture diagram; component labels:]

  • Business Process; Service Requester; Directories; Service Provider
  • TAS3 Registry: Service Providers, Service Types, IdPs
  • TAS3 Exit Point; TAS3 Entry Point
  • Authentication Authorities (IdPs); Authorization, Trust & Reputation Authorities; External Log Analysis Service
  • Trust & Privacy Negotiator
  • Service Requester Process Engine; Request Preparer; Response Verifier
  • Service Provider Process Engine; Actual Application Engine; Request Verifier; Response Preparer
  • Credentials Clearing; PEP; PDP
  • Policies Enforcement Point (twice); Audit Guard (twice); Obligations Watchdog (twice)
  • Log Analysis Engine (twice): Audit Aspects, Policy Aspects

SLIDE 10

[Architecture diagram; component labels:]

  • Business Process; Service Requester; Directories; Service Provider
  • TAS3 Registry: Service Providers, Service Types, IdPs
  • TAS3 Exit Point; TAS3 Entry Point
  • Authentication Authorities (IdPs); Authorization, Trust & Reputation Authorities; External Log Analysis Service
  • Service Requester Process Engine; Request Preparer; Response Verifier; Trust & Privacy Negotiator; PDP (twice); Policies Enforcement Point; Obligations Watchdog; Audit Guard; Log Analysis Engine (Audit Aspects, Policy Aspects)
  • Service Provider Process Engine; Actual Application Engine; Request Verifier; Response Preparer; Credentials Clearing; PEP; PDP (twice); Policies Enforcement Point; Obligations Watchdog; Audit Guard; Log Analysis Engine (Audit Aspects, Policy Aspects)

SLIDE 11

End-to-End Communications Options

  • Labels: Communications Tube; Application Data; Secure; Confidential; Data-origin; Insecure
  • (1) Reference (1): One to One
  • (1) Reference (n): One to Many
  • (m) Reference (n): Many to Many
  • Some degree of anonymity (optional)
  • Parties: Service Provider; Mediator Service; Service Requester
  • Link labels: 1.a, 1.b, 1.c, 2.a, 2.b, 2.c, 2.d

[Diagram: the Service Requester and Service Provider component stacks from the previous slide, repeated for each party.]

SLIDE 12

Trusted Employability Platform

  • Employability Portfolio
  • Certification Services
  • Employability Repository
  • Connected parties: Schools; Training Institutes; Private Employment Services; Public Employment Services; Employability Service Providers; Companies; Universities; Social Security Services; Social Network

SLIDE 13

Healthcare Demonstrator Platform

Trusted Healthcare Platform

  • Services
    – Repositories with (Personal) Health Records
    – Registries
  • Security Services
    – Authentication
    – Credentials
    – Auditing
  • Parties
    – Primary care
    – Secondary care
    – Home care
  • Associations
    – Patient
    – Professional
    – Scientific
  • Patient
  • Legal & Ethical

SLIDE 14

eHealth – Break the Glass Service

  • Break-the-Glass service
    – Only activated after strong authentication
    – Triggers advanced & fine grained monitoring
    – Audit trail provides hard evidence

[Diagram: numbered message flow between Policy Enforcement Point, Policy Decision Point, Obligations Service, Data Protection Policy Guard, Audit Trail and Patient Record]

  • 1. (6). Access patient record
  • 2. Denied
  • 3. Break the Glass
  • 4. Enforce Data Protection Policy
  • 5. Granted
  • 7. Retrieve Record
  • 8. Granted
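
The break-the-glass flow on this slide, sketched as an added example (not TAS3 project code). The class names, the in-memory override set and the hash-chained audit log are assumptions chosen to illustrate "audit trail provides hard evidence"; the slide names the components but not their implementation.

```python
import hashlib
import json

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:  # assumption: append-only log, each entry commits to the previous one
    def __init__(self):
        self.entries = []
    def append(self, event, **fields):
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = {"event": event, "prev": prev, **fields}
        self.entries.append({**body, "digest": _digest(body)})
    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["prev"] != prev or e["digest"] != _digest(body):
                return False          # entry edited, removed or reordered
            prev = e["digest"]
        return True

class PolicyDecisionPoint:
    def __init__(self, treating):     # constructed policy: (user, patient) pairs
        self.treating, self.glass_broken = set(treating), set()
    def decide(self, user, patient):
        allowed = (user, patient) in self.treating | self.glass_broken
        return "Granted" if allowed else "Denied"

class PolicyEnforcementPoint:
    def __init__(self, pdp, audit, records):
        self.pdp, self.audit, self.records = pdp, audit, records
    def access(self, user, patient):  # steps 1/6 (request), 2/8 (decision), 7 (retrieve)
        decision = self.pdp.decide(user, patient)
        monitored = (user, patient) in self.pdp.glass_broken
        self.audit.append("access", user=user, patient=patient,
                          decision=decision, monitored=monitored)
        return self.records[patient] if decision == "Granted" else None
    def break_glass(self, user, patient, strong_auth, reason):   # steps 3-5
        if not strong_auth:           # only activated after strong authentication
            self.audit.append("break_glass_refused", user=user, patient=patient)
            return "Denied"
        self.pdp.glass_broken.add((user, patient))  # override, flagged for monitoring
        self.audit.append("break_glass", user=user, patient=patient, reason=reason)
        return "Granted"

if __name__ == "__main__":            # constructed sample data
    pep = PolicyEnforcementPoint(PolicyDecisionPoint([]), AuditTrail(), {"p2": "record-2"})
    print(pep.access("dr_a", "p2"), pep.break_glass("dr_a", "p2", True, "emergency"),
          pep.access("dr_a", "p2"), pep.audit.verify())
```

Every decision, including refused break-the-glass attempts, lands in the audit trail, and `verify()` fails if any past entry is altered.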

SLIDE 15

Extreme Instantiation ☺

  • Why limit ourselves to healthcare and employability use cases?
    – Generic architecture
    – Service providers can be physical gate keepers or other guards
  • When trustworthiness becomes user-unfriendliness
    – Granularity of policy specifications & validations
    – Automating Big Brother through obligations

SLIDE 16

Contact Information

  • Web: http://tas3.eu
  • Email: tas3@ls.kuleuven.be