Security Research
1. AGILE M18 Review, 20 October 2017, Brussels (Belgium)
JUAN DAVID PARRA / UNI PASSAU / WP 5 LEADER
2. Outline
1. Demo
2. Mapping within overall WP structure
3. Mapping within the overall Architecture
4. Goals of the Security Work Package
5. Research on Security Aspects for AGILE
6. Practical Security Aspects Relevant for AGILE
7. Security Implementation Status
8. Future Steps
4. What the Demo is About
•Role Based Access Control (by default)
• Used to decide who can create entities
• Who can set some attributes
•Users can still define who can access their attributes
• Credentials are only readable to the user itself
• Administrators can set some attributes (such as role)
5. Steps
•We log in with two different users (an AGILE-LOCAL user and a Dropbox user), both registered with AGILE-IDM
•We show that both can add attributes to other users (buttons shown in the UI)
•We show that even though the Dropbox user is an admin, he cannot read the credentials of the AGILE-LOCAL user (default policies for credentials are meant for users only)
•We show that after removing the admin role from the Dropbox user, he cannot set attributes and he cannot upgrade his privileges by setting himself as admin
•After placing the role back on the Dropbox user, everything goes back to normal.
12. Goals of the Security Work Package
1. Provide authentication (internal and external applications) and Identity Management (IDM, Task 5.1)
2. Let users control by whom and under which circumstances their data is used (inside the gateway) (UC, Task 5.2)
3. Let users store data (outside of the gateway) while protecting confidentiality of their data as much as possible (DS, Task 5.3)
4. Provide security features in a flexible and understandable manner, such that pilots and gateway adopters can use them. (PS, Task 5.4)
13. Research on Security Aspects for AGILE
•Analyze where data is located in IoT scenarios based on a Perimeter
•Perimeter contains trusted elements to process the data
•Smaller Perimeter => More “paranoid” user
Parra Juan, Schreckling Daniel and Posegga Joachim. Addressing Data-Centric Security Requirements for IoT-Based Systems. In 2016 International Workshop on Secure Internet of Things (SIoT), pages 1-10, September, 2016
14. Practical Aspects Relevant for AGILE (P1, P2)
Identity Management (IDM: Goal 1) – Delivered in M12 (D5.1)*
•IDM needs to include the path from Devices to Visualization Device (including external systems)
•To ease integration, we should include external Identity Providers
*Delivered as AGILE Deliverable 5.1: First Prototype of the AGILE Identity Management System
15. Practical Aspects Relevant for AGILE (P1, P2)
Data Usage Control (UC: Goal 2) – To be Delivered in M20 (D5.2)
•Data must be declassified before being delivered to (internal or external) applications or systems.
•Policies should be flexible enough to specify aspects related to previous access to the data, to provide higher privacy guarantees (relates to differential privacy)
16. Practical Aspects Relevant for AGILE (P1, P2)
Secure Data Sharing (DS: Goal 3) – To be Delivered in M24 (D5.3)
Attempt to keep confidentiality guarantees:
•Even when attackers have physical access to the gateway
•Even when data is stored externally
17. Practical Applications for AGILE (P1, P2)
Pilot and Adopters Support (PS: Goal 4) – Task 5.4
•Strive to provide a security framework that is as generic as possible.
•A generic attribute-based security framework is the way to go here.
18. Security Implementation Status
[Timeline figure: deliverables and due months; marker at M18]
•D5.1 [M12]: First Prototype of the AGILE Identity Management System
•D5.2 [M20]: Usage Control and Provenance Management
•D5.3 [M24]: Secure Data Sharing System
•D5.4: Pilot Integration
19. Security Implementation Status
Generic attribute-based IDM
•Defines a generic security model based on a generic entity schema (Goals: All)
•Defines a security model based on read and write policies (and meta-policies) on entities’ attributes. (Goals: All)
•Currently it is configured by default to do Role-based access control (admin and non-admin users) (Goals: UC, PS)
•Authentication supports external providers: Local Authentication, Dropbox, Github, Google, PAM, WebID. (Goals: DS, PS)
(IDM: Identity Management, UC: Usage Control, DS: Secure Data Sharing, PS: Pilot Support)
Delivered as AGILE Deliverable 5.1: First Prototype of the AGILE Identity Management System
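Added example (not part of the original slides and not AGILE-IDM code): a minimal model of read and write policies on entity attributes, replaying the demo steps from slide 5 with the default role-based configuration described above. All function names, the policy layout and the two users are hypothetical and constructed for illustration.

```javascript
// Added illustration: per-attribute read/write policies. All names here
// (policies, canRead, canWrite, setAttribute, runDemo) are hypothetical
// and are not the agile-idm API; users and values are constructed.
const isOwner = (actor, entity) => actor.id === entity.id;
const isAdmin = (actor) => actor.role === 'admin';
const anyone = () => true;
const never = () => false;

// A Map (not a plain object) so names like "constructor" cannot resolve
// to inherited properties and bypass the default-deny fallback.
const policies = new Map([
  // Credentials: only the owning user, administrators included.
  ['credentials', { read: isOwner, write: isOwner }],
  // Role: readable by everyone, settable by administrators only.
  ['role', { read: anyone, write: isAdmin }],
]);
const DEFAULT_DENY = { read: never, write: never };

function canRead(actor, entity, attr) {
  return (policies.get(attr) || DEFAULT_DENY).read(actor, entity);
}

function canWrite(actor, entity, attr) {
  return (policies.get(attr) || DEFAULT_DENY).write(actor, entity);
}

// The decision uses the actor's role as stored before the write, so a
// non-admin cannot pass the check by writing role=admin on itself.
function setAttribute(actor, entity, attr, value) {
  if (!canWrite(actor, entity, attr)) return false;
  entity[attr] = value;
  return true;
}

// Replays the demo steps with two constructed users, both initially admin.
function runDemo() {
  const local = { id: 'alice@agile-local', role: 'admin', credentials: { dropbox: 'constructed-token' } };
  const dbx = { id: 'bob@dropbox', role: 'admin', credentials: {} };
  const out = {};
  out.bothCanSetRole = canWrite(local, dbx, 'role') && canWrite(dbx, local, 'role');
  out.adminReadsOthersCredentials = canRead(dbx, local, 'credentials');
  out.ownerReadsOwnCredentials = canRead(local, local, 'credentials');
  setAttribute(local, dbx, 'role', 'user'); // admin role removed
  out.demotedSetsRole = setAttribute(dbx, local, 'role', 'user');
  out.selfPromotion = setAttribute(dbx, dbx, 'role', 'admin');
  setAttribute(local, dbx, 'role', 'admin'); // role placed back
  out.restoredSetsRole = canWrite(dbx, local, 'role');
  return out;
}
```

Attributes without an explicit policy fall through to default deny, so an unlisted attribute name is neither readable nor writable by anyone.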
20. Security Implementation Status
Integration with User Interface
•Login functionality of Desktop-like framework integrated with IDM (Goals: IDM, PS)
•Setting attributes in the Agile Control Panel (Goals: All, WP 4 Cloud Integration)
•Visualization of Entities in the Agile Control Panel (Goals: All)
•Registration of Devices as entities when they are paired with the gateway (Goals: All)
21. Security Implementation Status
Integration with Developers UI (Node-RED)
•Login information propagated to the Developer’s UI (Goals: All)
•Accessing authentication information for currently authenticated user from Node-RED Workflows (Goals: IDM, WP 4 Cloud Integration)
•Reading entity’s attributes such as Cloud Credentials from Node-RED Workflows (Goals: PS, WP 4 Cloud Integration)
22. Security Implementation Status
Integration with the AGILE SDK
•All security-relevant API calls are available through HTTP and the agile-sdk (Goals: PS)
23. Progress after M18 (June 2017)
Ongoing implementation of Usage Control (M20) Delivered in August*
•Usage control is now integrated in a Policy Decision API as well as in IDM to decide policies on reading attributes based on the current user (Goals: All)
•Provide generic ways to define policies on actions (performed on entities) (Goals: UC, PS)
•Developed monitoring mechanisms to let users know when and by whom their data is being accessed (Goals: UC, PS)
•Extend Data and Local Store component to track provenance of data subscriptions and information (Goals: UC, PS)
*Delivered as AGILE Deliverable 5.2: Usage Control and Provenance Management
24. Future Steps
Task | Time Span | Status
5.1 Identity Management | M4 - M12 | Delivered in time
5.2 Usage Control and Provenance | M11 - M20 | Delivered in time (next review)
5.3 Secure Data Sharing | M10 - M24 | Ongoing
5.4 Platform Integration | M24 - M36 | Ongoing
26. Future Steps Beyond M18 (Backup slide)
Secure Data Sharing (due in M24)
•Integrate services to enable gateway applications to rely on encrypted external storage (Goals: DS, PS)
•Develop further a lightweight one-time token generation schema (Goals: DS, PS)
•Make the security aspects of the User Interface more generic and improve them (Goals: PS)
•Provide support to pilots and analyze additional features needed by them or the open call projects (Goals: PS)
27. Future Steps
[Timeline figure: deliverables and milestones]
Deliverables:
•D5.1 [M12]: First Prototype of the AGILE Identity Management System
•D5.2 [M20]: Usage Control and Provenance Management
•D5.3 [M24]: Secure Data Sharing System
•D5.4: Pilot Integration
Milestones:
•MS1: Initial Design & Draft Framework
•MS2: Agile Framework Release and Initial Integration
•MS3: Agile Component Final Integration
•MS4: Agile Integration with External Clouds
Timeline labels: MS1 [M9], MS2 [M18], MS3 [M24], MS5 MS4 [M30]