This document summarizes a presentation about Anubis and Amon, which are open source tools for defining and enforcing data access and protection policies. Anubis allows defining access control policies using the WAC standard and decouples policies from APIs. Amon defines policies for data anonymization and encryption that are decoupled from applications. Both aim to give data owners control over policies for data residing across multiple systems and APIs. The presentation provides an overview of the tools' goals, policy formats, implementations, and adoption strategies to facilitate interoperability and data sovereignty in data sharing environments.
1. Vienna, Austria
12-13 June, 2023
#FIWARESummit
From Data to Value
OPEN SOURCE
OPEN STANDARDS
OPEN COMMUNITY
Building Robust European Data Spaces:
Safeguard your Data with Anubis and Amon
Dr. Giovanni Rimassa
Chief Innovation Officer, Martel Innovate
2. Vienna, 12-13 June, 2023 | #FIWARESummit www.fiware.org
DATA SPACES CONTEXT
▪ Data spaces are more about collaboration than technology
• They configure a typical “united we stand, divided we fall” scenario
• Interoperability, federation, distribution, heterogeneity are all key
▪ Trust is central, from a societal but also from a technical point of view
• We need workable and agreed solutions to make Data Spaces happen!
▪ The Data Space Business Alliance acknowledges Technical Convergence
• Discussion Document – Version 2.0 (21st April 2023)
• Chapter 4 on Trust and Data Sovereignty
□ Section 4.3 and Section 4.4 on authorisation and access control
□ Emphasis on policies, distributed access management
3.
MARTEL CONTEXT – ORCHESTRA CITIES PLATFORM
[Architecture diagram of the Orchestra Cities platform; components shown: IoT Agents (MQTT, LoRaWAN, LwM2M, AMQP) and IoT Agent Manager, Context Broker, Timeseries API (QL), Data Flow API, Data Flow UI, Analytics, API Gateway (Gravitee) with API Manager, AAA Manager (Keycloak), Dashboard (Grafana/Urbo), Admin UI, Monitoring, Third Party Apps, Third Party APIs.]
7.
ANUBIS GOALS
▪ Decoupling API from resource protection
▪ Leverage standardised open access control policy vocabulary (WAC)
▪ Support decentralised control and audit of security & privacy data policies by data owners
▪ Translation of the policy vocabulary to different languages to facilitate interoperability
▪ Leverage state of the art in cloud-native policy management
8.
POLICY FORMAT (TODAY)
▪ actor: The user, group or role that is linked to the policy
▪ action: The action allowed on this resource (e.g. acl:Read for GET requests)
▪ resource: The urn of the resource being targeted (e.g. urn:entity:x)
▪ resource_type: The type of the resource.
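The four fields above are enough to build a default-deny decision function and to map a policy onto a WAC authorization. The following is an added example written for this summary, not code from the Anubis project: the HTTP-method-to-WAC-mode table (only GET → acl:Read is given on the slide), the "*" wildcard for the resource, the actor identifier scheme (user:, group:, role:) and the Turtle rendering are all assumptions made for the illustration.

```python
"""Toy evaluator for the Anubis policy format described on the slide
(actor, action, resource, resource_type). Added example, not code from the
Anubis project: the HTTP-method-to-WAC-mode table, the "*" wildcard, the
actor identifier prefixes and the Turtle rendering are assumptions."""
from dataclasses import dataclass
from typing import Iterable

# Assumption: only GET -> acl:Read is given on the slide; the remaining
# mappings follow the usual WAC reading of the HTTP verbs.
METHOD_TO_MODE = {
    "GET": "acl:Read",
    "POST": "acl:Write",
    "PATCH": "acl:Write",
    "PUT": "acl:Write",
    "DELETE": "acl:Write",
}


@dataclass(frozen=True)
class Policy:
    actor: str          # user, group or role the policy is linked to
    action: str         # WAC access mode, e.g. "acl:Read"
    resource: str       # URN of the target, e.g. "urn:entity:x"; "*" = any (assumption)
    resource_type: str  # type of the resource, e.g. "entity"


def is_permitted(policies: Iterable[Policy], actor_ids: set, method: str,
                 resource: str, resource_type: str) -> bool:
    """Default-deny: the request is allowed only if some policy matches one of
    the caller's identities (user id, group and role memberships), the WAC mode
    derived from the HTTP method, and the targeted resource and type."""
    mode = METHOD_TO_MODE.get(method.upper())
    if mode is None:               # unknown verb: never grant by accident
        return False
    return any(
        p.actor in actor_ids
        and p.action == mode
        and p.resource_type == resource_type
        and p.resource in ("*", resource)
        for p in policies
    )


def to_wac_turtle(policy: Policy, auth_id: str) -> str:
    """Render one policy as a WAC acl:Authorization in Turtle.
    Assumption: actors prefixed "group:" map to acl:agentGroup, all others to
    acl:agent; a "*" resource is left out because WAC scopes it differently."""
    agent_pred = "acl:agentGroup" if policy.actor.startswith("group:") else "acl:agent"
    lines = [
        f"<#{auth_id}> a acl:Authorization ;",
        f"    {agent_pred} <{policy.actor}> ;",
    ]
    if policy.resource != "*":
        lines.append(f"    acl:accessTo <{policy.resource}> ;")
    lines.append(f"    acl:mode {policy.action} .")
    return "\n".join(lines)


# Constructed sample policy set (not from the project).
SAMPLE_POLICIES = [
    Policy("role:operator", "acl:Read", "urn:entity:x", "entity"),
    Policy("group:maintenance", "acl:Write", "urn:entity:x", "entity"),
    Policy("user:alice", "acl:Read", "*", "entity"),
]

if __name__ == "__main__":
    ids = {"user:bob", "role:operator"}
    print(is_permitted(SAMPLE_POLICIES, ids, "GET", "urn:entity:x", "entity"))     # True
    print(is_permitted(SAMPLE_POLICIES, ids, "DELETE", "urn:entity:x", "entity"))  # False
    print(to_wac_turtle(SAMPLE_POLICIES[1], "auth1"))
```

The decision function is deliberately closed by default: an unknown HTTP verb, a resource type mismatch, or an actor the caller does not carry all yield a denial, so a gap in the policy set can only withhold access, never grant it. Separating the evaluator from the API in this way is what lets the same policy set be re-expressed for another engine such as OPA, as the adoption slide describes.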
10.
ANUBIS - OPEN-SOURCE STRATEGY AND ADOPTION
▪ V0.7.1 on GitHub:
https://github.com/orchestracities/anubis
▪ Key features completed:
• Extension of WAC to ABAC
• Policy translation to and from WAC to Anubis and to OPA
• Full implementation of Solid WAC
• Decoupling of data access policies from the API format
• Example configuration for Orion Context Broker and Anubis itself
• Keycloak integration for tenancies
• Policy distribution middleware
▪ W3C WAC
▪ W3C ODRL
▪ OAUTH2 and OIDC
▪ OPA
▪ LIBP2P.io
License: APACHE 2.0.
11.
Amon GOALS
▪ Define policies for data anonymisation and encryption
▪ Decouple the policies from the application of the encryption
and anonymisation techniques
▪ Attribute based
13.
POLICY FORMAT
▪ resource: The urn of the resource being targeted (e.g. urn:entity:x)
▪ resource_type: The type of the resource.
▪ attributes: The set of attributes the protection applies to
▪ mode: The protection mode applied (in transit, at rest)
▪ technique: The protection technique applied (e.g. anonymise, encrypt, …)
14.
AMON - OPEN-SOURCE STRATEGY AND ADOPTION
▪ V0.1 on GitHub:
https://github.com/orchestracities/amon
▪ Key features completed:
• Policy definition
• OIDC with Keycloak
▪ W3C WAC
▪ W3C ODRL
▪ OAUTH2 and OIDC
License: APACHE 2.0.
15.