Context-based Security & Compliance GE Features available as per 2 nd Major Release PRRS: Context-based Security & Compliance GE

Upload: shirley-downs

Post on 01-Apr-2015


Context-based Security & Compliance GE Features available as per 2nd Major Release

PRRS: Context-based Security & Compliance GE


Scope of the Context-Based Security & Compliance GE

To provide the security layer of FI-WARE with context-aware capabilities to support additional security requirements through the optional security enablers developed in FI-WARE (not provided by the generic FI-WARE security services: Security Monitoring, Identity Management, Privacy, Data Handling):

• DBAnonymizer
• Secure Storage Service
• Malware Detection Service
• Content-based Security

To provide, together with the search and deployment of optional security services, run-time reconfiguration that allows use cases both to deal with unpredictable context changes and to ensure compliance with the security requirements


Main Features of the Context-Based Security & Compliance GE

Selection of security requirements that can be provided through the PRRS framework by:

• SecurityName
• SecuritySpec
• SecurityRules

Selection of optional security enablers to be deployed from FI-WARE Marketplace GE

Detection of anomalous behavior or non-conformances in end-user context environments:

• to monitor the status of the deployed security services to detect unavailability
• to monitor changes in the end-user context environment
• to detect validation rule violations

Deployment of the optional security enablers


Context-Based Security & Compliance Architecture (1)


Context-Based Security & Compliance Architecture (2)

PRRS Framework:

• core of the Generic Enabler
• controls the rest of the components of the GE by processing requests from end-user applications and orchestrating the deployment of the optional security enablers selected
• provides run-time support to end-users and client applications for performing dynamic selection & deployment of optional security enablers to support additional security requirements


Context-Based Security & Compliance Architecture (3)

Rule Repository:

• to allow the generic enabler to store and manage compliance requirements
• to trigger the PRRS framework when a rule is modified, so that the framework can take the necessary actions in case the modification must be taken into account in compliance measurements

Context Monitoring:

• to detect anomalous behavior or non-conformances in end-user context environments


Security Specifications and Security Rules

Security Specification:

Any single security requirement that can be supported by a security service (encryption, authentication, accountability…). They are expressed with USDL-SEC vocabulary.

For example: usdl-sec:hasSecurityGoal=anonymity

Security Rule:

A set of security specifications that describes a complex security agreement that must be fulfilled jointly by two (or more) entities. They are expressed with USDL-SEC vocabulary and integrated in a SecurityProfile.

For example: a Data Protection security rule to apply the data protection laws of a country or FI Domain (such as Healthcare or Telecommunication).


How to use CBS&C?

Define your additional security requirements

Define your context/constraints:

• Preferences (e.g. usdl:hasSecurityProvider=ATOS)

• Configuration (e.g. OperativeSytem=Linux)

CBS&C will deploy the security service that best matches your requirements and will provide you with the endpoint to access it and its USDL.

[Figure: CBS&C request, Context Monitoring, Security Solutions]


What are the advantages?

CBS&C will automatically search the FI-WARE Marketplace for available services and select one based on your security requirements, preferences and context.

CBS&C will automatically download and deploy the selected service if it is not running in the Service Provider facilities.

CBS&C will monitor the selected services to check that they are available and compliant with your requirements and context (which could change unpredictably).

If non-compliance or unavailability is detected, CBS&C will automatically reconfigure the service or substitute it with another that has the same specifications, in a way that is transparent to the user.


Demo of Context-based Security & Compliance GE


Request for Security Solution:

It is possible to indicate or select security requirements with one of the following options:

By service name:

<securityRequest>
       <serviceName>DBAnonymizer</serviceName>
       <clientEndpoint>http://86.24.57.14:7777/bobApp</clientEndpoint>
</securityRequest>

By security rule:

<securityRequest>
       <securityRule><name>ReIdentificationRisk</name></securityRule>
       <clientEndpoint>http://86.24.57.14:7777/bobApp</clientEndpoint>
</securityRequest>


Request for Security Solution (2):

It is possible to indicate or select security requirements with one of the following options (continued):

By security specifications:

<securityRequest>
       <securitySpec>
              <param>securityGoal</param>
              <value>anonymity</value>
       </securitySpec>
       <clientEndpoint>http://86.24.57.14:7777/bobApp</clientEndpoint>
</securityRequest>
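
The three request forms shown above (by service name, by security rule, by security specifications) can be checked on the client side before they are posted to the PRRS Framework. This is an added example, not code from the slides or from the FI-WARE project; the function name parse_security_request and the rule that exactly one of the three options is present are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SELECTORS = ("serviceName", "securityRule", "securitySpec")

def _text(node, path=None):
    """Stripped text of node (or of its child at path); '' if absent."""
    return ((node.findtext(path) if path else node.text) or "").strip()

def parse_security_request(xml_text):
    """Return (selector_kind, selector_value, client_endpoint); raise ValueError if invalid."""
    # The request format needs no DTD, so refuse one before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD declarations are not accepted")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    if root.tag != "securityRequest":
        raise ValueError("root element must be <securityRequest>")
    chosen = [child for child in root if child.tag in SELECTORS]
    if len(chosen) != 1:  # assumption: the three options are mutually exclusive
        raise ValueError("exactly one of serviceName/securityRule/securitySpec expected")
    sel = chosen[0]
    if sel.tag == "serviceName":
        value = _text(sel)
    elif sel.tag == "securityRule":
        value = _text(sel, "name")
    else:  # securitySpec carries a (param, value) pair
        value = (_text(sel, "param"), _text(sel, "value"))
    if not all(value if isinstance(value, tuple) else (value,)):
        raise ValueError(f"<{sel.tag}> is empty or incomplete")
    endpoint = _text(root, "clientEndpoint")
    parts = urlsplit(endpoint)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("clientEndpoint must be an http(s) URL")
    return sel.tag, value, endpoint

# Requests as shown on the slides, plus one constructed invalid request.
END = "<clientEndpoint>http://86.24.57.14:7777/bobApp</clientEndpoint></securityRequest>"
BY_NAME = "<securityRequest><serviceName>DBAnonymizer</serviceName>" + END
BY_SPEC = ("<securityRequest><securitySpec><param>securityGoal</param>"
           "<value>anonymity</value></securitySpec>" + END)
TWO_SELECTORS = BY_NAME.replace(  # constructed: two options in one request
    "<clientEndpoint>", "<securityRule><name>ReIdentificationRisk</name></securityRule><clientEndpoint>")

if __name__ == "__main__":
    for req in (BY_NAME, BY_SPEC, TWO_SELECTORS):
        try:
            print(parse_security_request(req))
        except ValueError as err:
            print("rejected:", err)
```
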


Request for Security Solution (3):

It is possible to include a list of user-context constraints (which are optional) that must be considered by the PRRS in the selection of the security services:

• context information related to usdl attributes (not usdl-sec) provided as preferences by the user to be considered in the selection of services
• configuration parameters to be considered in the selection or deployment of the services
• context data published by the user in the FI-WARE Context Broker GE


Context-based Security&Compliance Web Client

Security request written in XML (must be included in the XML Request box):

<securityRequest>
       <serviceName>CBS</serviceName>
       <clientEndpoint>http://86.24.57.14:7777/bobApp</clientEndpoint>
</securityRequest>

Do Post must be selected to send it to the PRRS Framework

Go! is pressed

Response frame with the URL where the implementation of the optional security enabler selected by the PRRS Framework is deployed and accessible.


Context-based Security&Compliance Web Client (2)


References

Context-based Security & Compliance Open Specifications: https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/FIWARE.OpenSpecification.Security.Context-based_security_&_compliance

Context-based Security & Compliance-User’s and Programmer’s Guide: https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Context-based_security_%26_compliance_-_User_and_Programmers_Guide

Context-based Security & Compliance-Installation and Administration Guide: https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Context-based_security_%26_compliance_-_Installation_and_Administration_Guide