trusted architecture for secure shared services with
play

Trusted Architecture for Secure Shared Services (with Privacy) - PowerPoint PPT Presentation

Jul 26, 2023 •105 likes •660 views

TAS 3 Trusted Architecture for Secure Shared Services (with Privacy) Sampo Kellomki (sampo@zxidp.org) 29. September, 2010, ICT, Brussels 05 TAS 3 Intro Visit TAS 3 booth in hall H (near Prime Life booth) Project runs until end of 2011

  1. TAS 3 Trusted Architecture for Secure Shared Services (with Privacy) Sampo Kellomäki (sampo@zxidp.org) 29. September, 2010, ICT, Brussels 05

  2. TAS 3 Intro • Visit TAS 3 booth in hall H (near Prime Life booth) • Project runs until end of 2011 • Architecture - Identity Management, Authorization, and Audit plumbing - Holistic combination of existing technologies • Protocol Profiles (SAML2, ID-WSF, XACML, ...) • Reference Implementation in open source - zxid.org (Apache2 non-viral license) • Vision of empowering users and building trust networks - Internet of Subjects Foundation - Competitieve Services Market Place - Delegation - Trust scoring and trust building September 29, 2010 Sampo Kellomäki: TAS3 Architecture 05 2

  3. Empowering user to take control of his data • Fully Pair-wise pseudonymous design - Prevent correlation and collusion • Model where user gives his data from his Personal Data Store - User well positioned to impose policies when releasing data - Only store data once, and in place that user chooses • Personas, partial identities • User self audit dashboard gives user visibility to use of his data - Independent means, to keep the service providers in check • Digitally signed audit trail to ensure legal enforeability September 29, 2010 Sampo Kellomäki: TAS3 Architecture 05 3

  4. TAS³ Architecture Mini 2010 User is King Identity Provider (Authentication) = Access Controll and Authorization "Front Channel" SSO Self-audit Web Site 2 Web Site 1 Dashboard "Backchannel" Personal Service O Discovery C Web Service 4 Web Service 3 T Trust, Scoring, and Reputation Web Service 5 Audit (comprehensive and ecosystemwide) Governance & Interoperable Technology September 29, 2010 Sampo Kellomäki: TAS3 Architecture 05 4

  5. TAS3 Architecture 2010 Web Browser or Fat Client Client side app (e.g. AJAX) Component Overview v2.3 Organization Domain Runtime & Enforcement Modelling Payload Applications Core TAS3 Infrastructure TAS3 User Tools & Config. Mgmt User Audit Front End Identity Provider Trust Dashboard (e.g. Web GUI) Network Mgmt Business Process Policy Editor & Identity Processes Engine Consent Management Aggregator Config. Web Services Delegation Settings Trust & Reputation Data Biz. Proc. Models Core TAS3 Infrastructure Backchannel Policies Authorization Delegation Service ID Mapper Modelling Credentials & Policies Discovery Registry Ontology Handler Tools Negotiator Org. Level Event Bus Audit Events Management Events Ontology Audit & (Operation Monitoring) (Audit Analysis) Online Compliance Testing Monitor September 29, 2010 Sampo Kellomäki: TAS3 Architecture 05 5

  6. Built-in rules of the application Built-in rules of the service Service Client App Rules of the operator Rules of the operator Org D PDP Org C PDP Alice Bob TN PDP PEP Rs Out Rules of the TN PEP 1 2 Master Master Rq Out 4 3 PDP PDP Trust PDP PEP PEP Rq In Rs In Alice PDP Bob PDP Personal rules Personal rules Corp D Firewall Corp C Firewall 20100531 Sampo or Packet Filter or Packet Filter September 29, 2010 Sampo Kellomäki: TAS3 Architecture 05 6

  7. XACML SAML profile TAS3 Integration w/ZXID zxididp zxididp with TAS3 Trust extensions 20091016 SK SAML 2.0 TUE Discovery Trust PDP IdP 3 ID-WSF 2.0 Discovery with TAS3 Trust SP1: Frontend SP2: Web Service extensions Inter- Payload 1 ceptor Servlet CTX DB Inter- ID-WSF 2.0 7 JSESSION ceptor w/TAS3 ext ZXSES H A H WSPout PEP-rs-out P P W e S s e D P P T T t E E S t I S E e t E 2 T T t P P c C O P s c P C WSPin PEP-rs-in P r P User XACML SAML profile zxid_az() zxid_az() mod_auth_saml ZXID zxid_call() or ssoservlet ZXID zxid_wsp_decorate() Servlet AXIS2 Master Master KENT zxid_simple() KENT Filter PDP2 Module PDP1 zxid_wsp_validate() September 29, 2010 Sampo Kellomäki: TAS3 Architecture 05 7

  8. Promotors TAS 3 - Trusted Architecture for Securely Shareable Services Core Security Architecture IoS - Internet of Subjects Trust Convener and Ecosystem Builder ZXID Reference implementation of the TAS 3 Core Security Arch. Core Standards • OASIS SAML 2.0 • Liberty Alliance ID-WSF 2.0 & Data Services Template (DST) 2.1 • OASIS XACML 2.0 Access Control • IoS and TAS 3 : Personal Data Store (PDS) Specification • Sector specific data schemas • Metadata standardization still TBD September 29, 2010 Sampo Kellomäki: TAS3 Architecture 05 8

  9. IoS 7 Rules 1. Personal Control 2. Searchability 3. Instant Social Networking 4. Ubiquity 5. Symmetry 6. Minimization 7. Accountability September 29, 2010 Sampo Kellomäki: TAS3 Architecture 05 9

  10. Big 4 of Privacy Protection (Seda et al. ) 1. Awareness: Self audit (dashboard), Identity mirrors 2. Confidentiality - Consent to release - Reputation based screening, Trust and Privacy Negotiation - Cryptographic protection - Avoidance of correlation handles (prevent illicit collusion) 3. Control - Intended purpose & Audience restrictions - Sticky policies - Policy enforcement & Audit 4. Practise - Right to correct and delete, Right of response - Trust and reputation feedback - Send strong positive signal of your own

  11. IoS Concepts • IoS - IoS compliant Business Services - IoS Infrastructure - Dashboards - Shared WS: AIM, calendar, directories, harvesting, publication, ... - Personal data service(s) + dashboard (one or per service?) - Symmetry in providing services - Every user can become a Service Provider • Personal - Communal - Public • Separation of data from services • Mostly pull and as-needed communication (minimization) September 29, 2010 Sampo Kellomäki: TAS3 Architecture 05 11

  12. TAS3 Recursive Call Demo 3 (yk) 20100219 sampo@symlab.com IdP Discovery 7 2,4 5 1 WSP WSP User FE (wspdemo) (wspleaf) (browser) (appdemo) 8 6 PDP September 29, 2010 Sampo Kellomäki: TAS3 Architecture 05 12

  13. TAS3 Delegated Web Service Access v02 20100922 sk IdP Deleg IDMap DiscoA 1 PDP Frontend SP1 Normal use of service by Alice WSP2 Alice Alice delegates (Job seeker) and invites 7 8 2 5 4 6 1. ps:AddEntityReq 1. Generate invitation 2. 2. Send invitation 3. 3. Bob accesses SP1 Bob uses invite 3 4. ps:ResolveIdentifierReq 4. Resolve invitation to get delegated to DITokA + perms access to Alice’s 5. im:IdentityMappingReq 5. Map Bob1 to BobDIA service 6. di:Query 6. Discover WSP2A Bob 7. im:IdentityMappingReq 7. Map Bob1 to Bob2 (Coach) 8. 8. Call WSP2 September 29, 2010 Sampo Kellomäki: TAS3 Architecture 05 13

  14. Delegation 1. Generate invitation - Assign invitation ID for management of invitation - Set up permissions for what resources invitee can access - The permissions can be keyed on invitee’s identity, or - they can be keyed on the invitation ID 2. Send by out-of-band means, such as email or IM. The invitation will be formatted as a URL. 3. When Bob (being the invitee) clicks on the URL, he lands on Fron- tend site (alternatively Bob could land on WebGUI aspect of the Delegation server site) - The site forces Bob to SSO (if this did not happen, invitation would be a bearer token) 4. The invitation is resolved to Discovery Token of Alice (the inviter) September 29, 2010 Sampo Kellomäki: TAS3 Architecture 05 14

  15. - The token contains as an attribute the invitation ID (the token is encrypted so that only the discovery service of Alice can open it, therefore the invitationID itself does not become a correlation handle). - Basically the discovery token of Alice would allow Bob to dis- cover any service of Alice. As this is not desired, it is constrained by the permissions set at step 1. - Problem: how does SP1 accessed by Bob know where Alice’s Delegation Service is located? This would be obvious if the URL points to the Delegation service of Alice. 5. For Bob to be able to call Alice’s discovery service (next step), Bob needs to present his own identity token to DiscoA. This is obtained by calling Bob’s ID Mapping service. 6. Bob discovers Alice’s WSP2. This is permitted by permissions. 7. For Bob to be able to call Alice’s WSP2 (next step), Bob needs September 29, 2010 Sampo Kellomäki: TAS3 Architecture 05 15

  16. to present his own identity token at WSP2A. This is obtained by calling Bob’s ID Mapping service. 8. Call to WSP2A is made with Alice’s token from step 6 as TargetIdentity SOAP header and Bob’s token from step 7 as wsse:Security/Token. Ideally WSP2 would also have permissions indicating that the dele- gation from Alice to Bob is valid. This could be arranged by WSP2 making a call to Delegation service to confirm the delegation. Un- fortunately such confirmation API is not specified by Liberty. We could invent an API. Another approach would be to at step 1 to provision the policies to PDP of WSP2. September 29, 2010 Sampo Kellomäki: TAS3 Architecture 05 16

  17. TAS³ Architecture Mini 2010 User is King Identity Provider (Authentication) = Access Controll and Authorization "Front Channel" SSO Self-audit Web Site 2 Web Site 1 Dashboard "Backchannel" Personal Service O Discovery C Web Service 4 Web Service 3 T Trust, Scoring, and Reputation Web Service 5 Audit (comprehensive and ecosystemwide) Governance & Interoperable Technology September 29, 2010 Sampo Kellomäki: TAS3 Architecture 05 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Trusted Architecture for Secure Shared Services (with Privacy), Future of Internet PPP, and

Trusted Architecture for Secure Shared Services (with Privacy), Future of Internet PPP, and

TAS 3 Trusted Architecture for Secure Shared Services (with Privacy), Future of Internet PPP, and Internet of Subject Personal Data Store Sampo Kellomki (sampo@zxidp.org) 11. October 2010, IIW London 09 TAS 3 Intro and Vision EU FP7

968 views • 75 slides
Four Layers to Build a Four Layers to Build a Trusted Architecture Trusted Architecture Danny

Four Layers to Build a Four Layers to Build a Trusted Architecture Trusted Architecture Danny

Trusted Architecture for Trusted Architecture for Securely Shared Services Securely Shared Services Four Layers to Build a Four Layers to Build a Trusted Architecture Trusted Architecture Danny De Cock K.U.Leuven ESAT/COSIC

369 views • 17 slides
Trusted Architecture for Secure Shared Services (with Privacy) and Personal Data Store Sampo

Trusted Architecture for Secure Shared Services (with Privacy) and Personal Data Store Sampo

TAS 3 Trusted Architecture for Secure Shared Services (with Privacy) and Personal Data Store Sampo Kellomki (sampo@zxidp.org) 13. May 2011, EIC 2011, Munich 11 EIC 2011 Munich, May 13, 2011 Sampo Kellomki: TAS3 Arch 11 2 TAS3 Trust

1.02k views • 90 slides
Generic Architecture Architecture Generic for Securely Securely Managing Managing for

Generic Architecture Architecture Generic for Securely Securely Managing Managing for

Trusted Architecture for Trusted Architecture for Securely Shared Services Securely Shared Services Generic Architecture Architecture Generic for Securely Securely Managing Managing for Employability & Healthcare Employability &

161 views • 14 slides
Generic Architecture Architecture Generic to Securely Securely Manage Manage to

Generic Architecture Architecture Generic to Securely Securely Manage Manage to

Trusted Architecture for Trusted Architecture for Securely Shared Services Securely Shared Services Generic Architecture Architecture Generic to Securely Securely Manage Manage to Employability, Healthcare & Employability, Healthcare

813 views • 16 slides
A Secure Softw are A Secure Softw are Architecture Architecture Description Language

A Secure Softw are A Secure Softw are Architecture Architecture Description Language

A Secure Softw are A Secure Softw are Architecture Architecture Description Language Description Language Jie Ren, Richard N. Taylor Department of Informatics University of California, Irvine Software Security Assurance Tools, Techniques,

354 views • 22 slides
Trusted Network Communications Architecture 2.0 Overview 20 July 2017 1 Why are we talking

Trusted Network Communications Architecture 2.0 Overview 20 July 2017 1 Why are we talking

Trusted Network Communications Architecture 2.0 Overview 20 July 2017 1 Why are we talking about this? The TCGs Trusted Network Communications Workgroup is finalizing publication of the Trusted Network Communications Architecture for

402 views • 8 slides
Laying a Secure Foundation for Mobile Devices Stephen Smalley Trusted Systems Research National

Laying a Secure Foundation for Mobile Devices Stephen Smalley Trusted Systems Research National

Laying a Secure Foundation for Mobile Devices Stephen Smalley Trusted Systems Research National Security Agency Trusted Systems Research Trusted Systems Research Conduct and sponsor research to provide information assurance for national

775 views • 38 slides
Achieving the NZ DFFs vision: New Zealand is a world leader in the trusted use of shared

Achieving the NZ DFFs vision: New Zealand is a world leader in the trusted use of shared

Achieving the NZ DFFs vision: New Zealand is a world leader in the trusted use of shared data to deliver a prosperous, inclusive society - Implications for the public sector James Mansell & Miriam Lips 5 November 2014 John

579 views • 29 slides
A Shared Service Perspective From Morris County Shared Services April 7, 2009 A Shared Service

A Shared Service Perspective From Morris County Shared Services April 7, 2009 A Shared Service

A Shared Service Perspective From Morris County Shared Services April 7, 2009 A Shared Service Perspective Why Consider Shared Services? In February 2010, the Department of Community Affairs (DCA) announced the average property tax bill

663 views • 25 slides
COMP 590-154: Computer Architecture Shared-Memory Multi-Processors Shared-Memory Multiprocessors

COMP 590-154: Computer Architecture Shared-Memory Multi-Processors Shared-Memory Multiprocessors

COMP 590-154: Computer Architecture Shared-Memory Multi-Processors Shared-Memory Multiprocessors Multiple threads use shared memory (address space) SysV Shared Memory or Threads in software Communication implicit via loads

548 views • 40 slides
1 Singapores Efforts in developing Creating a Secure and Trusted infrastructure and

1 Singapores Efforts in developing Creating a Secure and Trusted infrastructure and

Presentation Outline E- -Business Implementation Business Implementation E Part 1 The Singapore Experience The Singapore Experience How Singapore Government Agency created a secure and trusted infrastructure for e-business By Tan Jin

790 views • 25 slides
Main principles of secure OS

Main principles of secure OS

Main principles of secure OS Trusted Flexible Secure Versatile modular Internet security

490 views • 26 slides
Administrative Services Transformation Overview Presentation for Shared Services April 2013

Administrative Services Transformation Overview Presentation for Shared Services April 2013

Administrative Services Transformation Overview Presentation for Shared Services April 2013 Table of Contents Introduction to Shared Services Project Overview In-Scope Processes AST Shared Services Project Team University Readiness AST

430 views • 27 slides
System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario

System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario

System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario Werner May 7, 2020 Graz University of Technology Why do we care about code? www.tugraz.at 10:20 July 18 W i r e l e s s - G A D S L G

599 views • 49 slides
Evolution of the ESC Providing Models of Shared Services since 1970 October 2019 The

Evolution of the ESC Providing Models of Shared Services since 1970 October 2019 The

10/21/2019 The ESC of Morris County Evolution of the ESC Providing Models of Shared Services since 1970 October 2019 The Shared Services Initiative Over the years, NJSBA has supported the idea of shared services as well as

383 views • 9 slides
Interaction Testing Chapter 15 Interaction faults and failures Subtle Difficult to detect

Interaction Testing Chapter 15 Interaction faults and failures Subtle Difficult to detect

Interaction Testing Chapter 15 Interaction faults and failures Subtle Difficult to detect with testing Usually seen after systems have been delivered In low probability threads Occur after a long time large numbers of

768 views • 40 slides
The Markup Way to multimodal toolkits Stphane Sire Stphane Chatty IntuiLab

The Markup Way to multimodal toolkits Stphane Sire Stphane Chatty IntuiLab

The Markup Way to multimodal toolkits Stphane Sire Stphane Chatty IntuiLab http://www.intuilab.com W3C Workshop on Multimodal Interaction INRIA Sofia Antipolis, July 19-20, 2004 IntuiLab ? Foundation: Damien Figarol / Laurent

501 views • 13 slides
CodeCompass an Open Software Comprehension Framework Zoltn Porkolb 1,2 , Dniel Krupp 1 ,

CodeCompass an Open Software Comprehension Framework Zoltn Porkolb 1,2 , Dniel Krupp 1 ,

CodeCompass an Open Software Comprehension Framework Zoltn Porkolb 1,2 , Dniel Krupp 1 , Tibor Brunner 2 , Mrton Csords 2 https://github.com/Ericsson/CodeCompass Motto: If it was hard to write it should be hard to understand -- unknown

378 views • 25 slides
Startup Engineering Guest Lecture Alex Blackstock & Spike Brehm Overview The Story The

Startup Engineering Guest Lecture Alex Blackstock & Spike Brehm Overview The Story The

coursera.org/course/startup Startup Engineering Guest Lecture Alex Blackstock & Spike Brehm Overview The Story The Stack The Future Its Hack Time! 1 THE STORY Joe Nate Text Brian 2007 Brian moves in with Joe Rent increases

1.56k views • 127 slides
welcome to production Graeme Foster Spanish Software Developer 5 years ago, I co-designed,

welcome to production Graeme Foster Spanish Software Developer 5 years ago, I co-designed,

welcome to production Graeme Foster Spanish Software Developer 5 years ago, I co-designed, and built a MONOLITH We based in on the buzzwords and ideas of the time like ORMs, DDD, and web services. Like proud parents, we released it into

731 views • 34 slides
Implementation of the file system layer in HelenOS XXXII. Conference EurOpen.CZ Jakub Jermar

Implementation of the file system layer in HelenOS XXXII. Conference EurOpen.CZ Jakub Jermar

Implementation of the file system layer in HelenOS XXXII. Conference EurOpen.CZ Jakub Jermar May 21, 2008 HelenOS basic facts http://www.helenos.eu Experimental general purpose operating system Microkernel and userspace libraries

816 views • 22 slides
pSTAIX A Process-Aware Architecture to Support Research Processes Marius Politze, Bernd

pSTAIX A Process-Aware Architecture to Support Research Processes Marius Politze, Bernd

pSTAIX A Process-Aware Architecture to Support Research Processes Marius Politze, Bernd Decker, Thomas Eifert INFORMATIK 2017 - WS18 FDM2017, 28.09.2017 Outline Motivation Problem Statement Modelling Case Study 3 pSTAIX- A

522 views • 23 slides
An improved method for privacy-preserving web-based data collection Riivo Talviste Supervisor:

An improved method for privacy-preserving web-based data collection Riivo Talviste Supervisor:

An improved method for privacy-preserving web-based data collection Riivo Talviste Supervisor: Dan Bogdanov, MSc April 24, 2009 Outline of the Talk State of the Art Problem statement Improved architecture Implementation

419 views • 14 slides

More recommend