
Security Research


Juan David parra / uni passau

Published in: Software

  1. AGILE M18 Review, 20 October 2017, Brussels (Belgium): Security Research. JUAN DAVID PARRA / UNI PASSAU / WP 5 LEADER
  2. Outline
      1. Demo
      2. Mapping within overall WP structure
      3. Mapping within the overall Architecture
      4. Goals of the Security Work Package
      5. Research on Security Aspects for AGILE
      6. Practical Security Aspects Relevant for AGILE
      7. Security Implementation Status
      8. Future Steps
  3. DEMO
  4. What the Demo is About
      • Role Based Access Control (by default)
          • Used to decide who can create entities
          • Used to decide who can set some attributes
      • Users can still define who can access their attributes
          • Credentials are only readable by the user themselves
          • Administrators can set some attributes (such as role)
  5. Steps
      • We log in with two different users (an AGILE-LOCAL user and a Dropbox user), both registered with AGILE-IDM.
      • We show that both can add attributes to other users (buttons shown in the UI).
      • We show that even though the Dropbox user is admin, he cannot read the credentials of the AGILE-LOCAL user (default policies for credentials are meant for users only).
      • We show that after removing the admin role from the Dropbox user, he cannot set attributes and cannot upgrade his privileges by setting himself as admin.
      • After giving the role back to the Dropbox user, everything goes back to normal.
  6. Demo Setup (figure label: Admins) https://youtu.be/z1V3E9Mo1Cw
  7. WORK-PACKAGE MAPPING
  8. Mapping to AGILE overall Work-Package structure
  9. ARCHITECTURE MAPPING
  10. Mapping to AGILE Architecture – Development View
  11. MAIN CONTENTS
  12. Goals of the Security Work Package
      1. Provide authentication (internal and external applications) and Identity Management (IDM, Task 5.1)
      2. Let users control by whom and under which circumstances their data is used (inside the gateway) (UC, Task 5.2)
      3. Let users store data (outside of the gateway) while protecting confidentiality of their data as much as possible (DS, Task 5.3)
      4. Provide security features in a flexible and understandable manner, such that pilots and gateway adopters can use them (PS, Task 5.4)
  13. Research on Security Aspects for AGILE
      • Analyze where data is located in IoT scenarios based on a Perimeter
      • Perimeter contains trusted elements to process the data
      • Smaller Perimeter => More “paranoid” user
      Reference: Parra Juan, Schreckling Daniel and Posegga Joachim. Addressing Data-Centric Security Requirements for IoT-Based Systems. In 2016 International Workshop on Secure Internet of Things (SIoT), pages 1-10, September, 2016
  14. Practical Aspects Relevant for AGILE (P1, P2): Identity Management (IDM: Goal 1) – Delivered in M12 (D5.1)*
      • IDM needs to include the path from Devices to Visualization Device (including external systems)
      • To ease integration we should include external Identity Providers
      * Delivered as AGILE Deliverable 5.1: First Prototype of the AGILE Identity Management System
  15. Practical Aspects Relevant for AGILE (P1, P2): Data Usage Control (UC: Goal 2) – To be Delivered in M20 (D5.2)
      • Data must be declassified before being delivered to (internal or external) applications or systems.
      • Policies should be flexible enough to specify aspects related to previous access to the data to provide higher privacy guarantees (relates to diff. privacy)
  16. Practical Aspects Relevant for AGILE (P1, P2): Secure Data Sharing (DS: Goal 3) – To be Delivered in M24 (D5.3)
      Attempt to keep confidentiality guarantees:
      • Even when attackers have physical access to the gateway
      • Even when data is stored externally
  17. Practical Applications for AGILE (P1, P2): Pilot and Adopters Support (PS: Goal 4) – Task 5.4
      • Strive to provide a security framework that is as generic as possible.
      • A generic attribute-based security framework is the way to go here.
  18. Security Implementation Status (timeline figure)
      • D5.1 [M12]: First Prototype of the AGILE Identity Management System
      • D5.2 [M20]: Usage Control and Provenance Management
      • D5.3 [M24]: Secure Data Sharing System
      • D5.4: Pilot Integration
      • Timeline marker: M18
  19. Security Implementation Status: Generic attribute-based IDM
      • Defines a generic security model based on a generic entity schema (Goals: All)
      • Defines a security model based on read and write policies (and meta-policies) on entities’ attributes. (Goals: All)
      • Currently it is configured by default to do Role-based access control (admin and non-admin users) (Goals: UC, PS)
      • Authentication supports external providers: Local Authentication, Dropbox, Github, Google, PAM, WebID. (Goals: DS, PS)
      (IDM: Identity Management, UC: Usage Control, DS: Secure Data Sharing, PS: Pilot Support)
      Delivered as AGILE Deliverable 5.1: First Prototype of the AGILE Identity Management System
  20. Security Implementation Status: Integration with User Interface
      • Login functionality of Desktop-like framework integrated with IDM (Goals: IDM, PS)
      • Setting attributes in the Agile Control Panel (Goals: All, WP 4 Cloud Integration)
      • Visualization of Entities in the Agile Control Panel (Goals: All)
      • Registration of Devices as entities when they are paired with the gateway (Goals: All)
      (IDM: Identity Management, UC: Usage Control, DS: Secure Data Sharing, PS: Pilot Support)
  21. Security Implementation Status: Integration with Developers UI (Node-RED)
      • Login information propagated to the Developer’s UI (Goals: All)
      • Accessing authentication information for currently authenticated user from Node-RED Workflows (Goals: IDM, WP 4 Cloud Integration)
      • Reading entity’s attributes such as Cloud Credentials from Node-RED Workflows (Goals: PS, WP 4 Cloud Integration)
      (IDM: Identity Management, UC: Usage Control, DS: Secure Data Sharing, PS: Pilot Support)
  22. Security Implementation Status: Integration with the AGILE SDK
      • All security-relevant API calls are available through HTTP and the agile-sdk (Goals: PS)
      (IDM: Identity Management, UC: Usage Control, DS: Secure Data Sharing, PS: Pilot Support)
  23. Progress after M18 (June 2017): Ongoing implementation of Usage Control (M20), Delivered in August*
      • Usage control is now integrated in a Policy Decision API as well as in IDM to decide policies on reading attributes based on the current user (Goals: All)
      • Provide generic ways to define policies on actions (performed on entities) (Goals: UC, PS)
      • Developed monitoring mechanisms to let users know when and by whom their data is being accessed (Goals: UC, PS)
      • Extend Data and Local Store component to track provenance of data subscriptions and information (Goals: UC, PS)
      * Delivered as AGILE Deliverable 5.12 Usage Control and Provenance Management
      (IDM: Identity Management, UC: Usage Control, DS: Secure Data Sharing, PS: Pilot Support)
  24. Future Steps (Task; Time Span; Status)
      • 5.1 Identity Management; M4 - M12; Delivered in time
      • 5.2 Usage Control and Provenance; M11 - M20; Delivered in time (next review)
      • 5.3 Secure Data Sharing; M10 - M24; Ongoing
      • 5.4 Platform Integration; M24 - M36; Ongoing
  25. THANK YOU
  26. Future Steps Beyond M18 (Backup slide): Secure Data Sharing (due in M24)
      • Integrate services to enable gateway applications to rely on encrypted external storage (Goals: DS, PS)
      • Develop further a Lightweight one-time token generation schema (Goals: DS, PS)
      • Make the security aspects of the User Interface more generic and improve them (Goals: PS)
      • Provide support to pilots and analyze additional features needed by them or the open call projects (Goals: PS)
      (IDM: Identity Management, UC: Usage Control, DS: Secure Data Sharing, PS: Pilot Support)
  27. Future Steps (timeline figure)
      • D5.1 [M12]: First Prototype of the AGILE Identity Management System
      • D5.2 [M20]: Usage Control and Provenance Management
      • D5.3 [M24]: Secure Data Sharing System
      • D5.4: Pilot Integration
      • MS1 [M9]: Initial Design & Draft Framework
      • MS2 [M18]: Agile Framework Release and Initial Integration
      • MS3 [M24]: Agile Component Final Integration
      • MS4 [M30]: Agile Integration with External Clouds
      • MS5
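
The default policies from the demo (slides 4 and 5) and the per-attribute read and write policies of slide 19, as an added example that is not part of the original slides and is not AGILE-IDM code. The store, the user names, the function names and the rule that anyone may read a role are assumptions made for illustration.

```javascript
// Hypothetical in-memory model (not AGILE-IDM code); the users are constructed.
function createStore() {
  return new Map([
    ['local-user', { role: 'admin', credentials: { cloud: 'constructed-secret' } }],
    ['dropbox-user', { role: 'admin', credentials: {} }],
  ]);
}

const isOwner = (store, actor, target) => actor === target;
const isAdmin = (store, actor) => store.get(actor).role === 'admin';

// One read rule and one write rule per attribute; unlisted attributes are denied.
const POLICIES = new Map([
  ['role', { read: () => true, write: isAdmin }],
  ['credentials', { read: isOwner, write: isOwner }],
]);

function allowed(store, actor, action, target, attr) {
  const rule = POLICIES.has(attr) ? POLICIES.get(attr)[action] : undefined;
  if (typeof rule !== 'function') return false;                // default deny
  if (!store.has(actor) || !store.has(target)) return false;  // unknown entity
  return rule(store, actor, target) === true;
}

function readAttr(store, actor, target, attr) {
  if (!allowed(store, actor, 'read', target, attr)) return { ok: false };
  return { ok: true, value: store.get(target)[attr] };
}

// Decided on the role stored before the write, so self-promotion is refused.
function writeAttr(store, actor, target, attr, value) {
  if (!allowed(store, actor, 'write', target, attr)) return { ok: false };
  store.get(target)[attr] = value;
  return { ok: true };
}

// Replays the demo steps in order and records whether each call succeeded.
function replayDemo() {
  const s = createStore();
  return {
    adminReadsOthersCredentials: readAttr(s, 'dropbox-user', 'local-user', 'credentials').ok,
    ownerReadsOwnCredentials: readAttr(s, 'local-user', 'local-user', 'credentials').ok,
    adminRemovesRole: writeAttr(s, 'local-user', 'dropbox-user', 'role', 'user').ok,
    demotedSelfPromotes: writeAttr(s, 'dropbox-user', 'dropbox-user', 'role', 'admin').ok,
    demotedSetsAttribute: writeAttr(s, 'dropbox-user', 'local-user', 'role', 'user').ok,
    adminRestoresRole: writeAttr(s, 'local-user', 'dropbox-user', 'role', 'admin').ok,
    restoredSetsAttribute: writeAttr(s, 'dropbox-user', 'local-user', 'role', 'admin').ok,
  };
}
```

The two denials after the role is removed are the checks worth keeping as regression tests: a write to `role` must be evaluated against the caller's stored role, never against the value being written.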
