trusted architecture for secure shared services with
play

Trusted Architecture for Secure Shared Services (with Privacy) and - PowerPoint PPT Presentation

Oct 27, 2023 •116 likes •1.02k views

TAS 3 Trusted Architecture for Secure Shared Services (with Privacy) and Personal Data Store Sampo Kellomki (sampo@zxidp.org) 13. May 2011, EIC 2011, Munich 11 EIC 2011 Munich, May 13, 2011 Sampo Kellomki: TAS3 Arch 11 2 TAS3 Trust

  1. TAS 3 Trusted Architecture for Secure Shared Services (with Privacy) and Personal Data Store Sampo Kellomäki (sampo@zxidp.org) 13. May 2011, EIC 2011, Munich 11

  2. EIC 2011 Munich, May 13, 2011 Sampo Kellomäki: TAS3 Arch 11 2

  3. TAS3 Trust Network Domains Audit Organization A Domains ... Organization B Domains Audit & Monitor Modelling & configuration Management Modelling & Runtime & Model configuration Enforcement Management EIC 2011 Munich, May 13, 2011 Sampo Kellomäki: TAS3 Arch 11 3

  4. 1 2 Identity Provider 1 Alumni Portal TN TN TAS3 TAS3 Please Login You have requested protected content, please login. Username: Using: IdP 1 Login Password: Login 3 Alumni Portal TN TAS3 Welcome, Alice! Here is your study plan. User ... (protected content) EIC 2011 Munich, May 13, 2011 Sampo Kellomäki: TAS3 Arch 11 4

  5. TAS 3 and Open Identity Trust Framework (1/2) • TAS 3 specifies architecture both at Trust Framework and Technical Protocol Level - Ticks all columns of Rainer Hörbe’s Trust Framework Capabili- ties: Identity, AuthN, Session, AuthZ, Accountablity, Privacy, User Control • TAS 3 promotes the concept of "Trust Framework", but does not get to the level of definition that Open Identity Trust Framework does • TAS 3 "Trust Network" covers many aspects of - Policy Setters - Trust Framework Provider - Trust Federation EIC 2011 Munich, May 13, 2011 Sampo Kellomäki: TAS3 Arch 11 5

  6. TAS 3 and Open Identity Trust Framework (2/2) • We foresee "Trust Convener" or Trust Network organizer that - Sets concrete policies, in broader context of policy setters (e.g. national law) - Has governance structure, usually with participation of mem- bers - Runs or outsources the "Trust Framework Provider" function - Runs or outsources the assessment and auditor functions - Is or specifies Trust Anchor - May run in some cases some core services such as IdP, Discovery, Audit, some aspects of Authorization, etc. EIC 2011 Munich, May 13, 2011 Sampo Kellomäki: TAS3 Arch 11 6

  7. TAS 3 Intro and Vision • EU FP7 research project runs until end of 2011 • Architecture - Identity Management, Authorization, and Audit plumbing - Holistic combination of existing technologies • Std based profiles (SAML2, Liberty ID-WSF2, UMA, XACML2, ...) • Reference implementation in open source (C/C++, PHP, Java, .Net) - zxid.org (Apache2 non-viral open source license) • Vision of empowering users and building trust networks - Pair-wise pseudonymous: uncorrelatable w/o user consent - Internet of Subjects Foundation: not-for-profit governance - Competitive Svcs Market Place: discover services you trust - Delegation: jobseeker to coach, represent organization - Trust scoring and trust building: make informed choices - Privacy Preserving: user in control, no unexpected correlation EIC 2011 Munich, May 13, 2011 Sampo Kellomäki: TAS3 Arch 11 7

  8. TAS³ Architecture Mini 2010 User is King Identity Provider (Authentication) = Access Controll and Authorization "Front Channel" SSO Self-audit Web Site 2 Web Site 1 Dashboard "Backchannel" Personal Service O Discovery C Web Service 4 Web Service 3 T Trust, Scoring, and Reputation Web Service 5 Audit (comprehensive and ecosystemwide) Governance & Interoperable Technology EIC 2011 Munich, May 13, 2011 Sampo Kellomäki: TAS3 Arch 11 8

  9. TAS3 Architecture 2010 Web Browser or Fat Client Client side app (e.g. AJAX) Component Overview v2.3 Organization Domain Runtime & Enforcement Modelling Payload Applications Core TAS3 Infrastructure TAS3 User Tools & Config. Mgmt User Audit Front End Identity Provider Trust Dashboard (e.g. Web GUI) Network Mgmt Business Process Policy Editor & Identity Processes Engine Consent Management Aggregator Config. Web Services Delegation Settings Trust & Reputation Data Biz. Proc. Models Core TAS3 Infrastructure Backchannel Policies Authorization Delegation Service ID Mapper Modelling Credentials & Policies Discovery Registry Ontology Handler Tools Negotiator Org. Level Event Bus Audit Events Management Events Ontology Audit & (Operation Monitoring) (Audit Analysis) Online Compliance Testing Monitor EIC 2011 Munich, May 13, 2011 Sampo Kellomäki: TAS3 Arch 11 9

  10. Built-in rules of the application Built-in rules of the service Service Client App Rules of the operator Rules of the operator Org D PDP Org C PDP Alice Bob TN PDP PEP Rs Out Rules of the TN PEP 1 2 Master Master Rq Out 4 3 PDP PDP Trust PDP PEP PEP Rq In Rs In Alice PDP Bob PDP Personal rules Personal rules Corp D Firewall Corp C Firewall 20100531 Sampo or Packet Filter or Packet Filter EIC 2011 Munich, May 13, 2011 Sampo Kellomäki: TAS3 Arch 11 10

  11. TAS 3 Intro and Vision • EU FP7 research project runs until end of 2011 • Architecture - Identity Management, Authorization, and Audit plumbing - Holistic combination of existing technologies • Std based profiles (SAML2, Liberty ID-WSF2, UMA, XACML2, ...) • Reference implementation in open source (C/C++, PHP, Java, .Net) - zxid.org (Apache2 non-viral open source license) • Vision of empowering users and building trust networks - Pair-wise pseudonymous: uncorrelatable w/o user consent - Internet of Subjects Foundation: not-for-profit governance - Competitive Svcs Market Place: discover services you trust - Delegation: jobseeker to coach, represent organization - Trust scoring and trust building: make informed choices - Privacy Preserving: user in control, no unexpected correlation EIC 2011 Munich, May 13, 2011 Sampo Kellomäki: TAS3 Arch 11 11

  12. Empowering user to take control of his data • Fully pair-wise pseudonymous design - Prevent correlation and collusion at all layers of deep SOA • Model where user gives his data from his Personal Data Store - User well positioned to impose policies when releasing data - Only store data once, and in place that user chooses • Personas, partial identities • Privacy protection through noncorrelatability, access control, and sticky policies • User self audit dashboard gives user visibility to use of his data - Independent means, to keep the service providers in check • Digitally signed audit trail to ensure legal enforeability EIC 2011 Munich, May 13, 2011 Sampo Kellomäki: TAS3 Arch 11 12

  13. TAS³ Architecture Mini 2010 User is King Identity Provider (Authentication) = Access Controll and Authorization "Front Channel" SSO Self-audit Web Site 2 Web Site 1 Dashboard "Backchannel" Personal Service O Discovery C Web Service 4 Web Service 3 T Trust, Scoring, and Reputation Web Service 5 Audit (comprehensive and ecosystemwide) Governance & Interoperable Technology EIC 2011 Munich, May 13, 2011 Sampo Kellomäki: TAS3 Arch 11 13

  14. TAS3 Layering Human Layer N.B. Not all architectural components are depicted. In particular none of the infrastructure related to authorization is shown. Web Browser User Agent Layer Client Side Application Front Channel Communication TAS3 Security Layer SSO Connector Frontend 1 User Policy Consent Aggregation Delegation Identity Dashboard Editor Manager & Discovery Settings Provider GUI Layer Web GUI Settings Application Layer Frontend Application TAS3 Security Layer TAS3 API Web Services Stack Layer Web Services Client Stack Back Channel Communication Layers (SOAP, HTTPS) Discovery Web Service Provider 2 Web Service Provider 3 Registry Web Services Stack Layer Web Services Provider Stack Web Services Client Stack Web Services Provider Stack & ID Mapper TAS3 Security Layer TAS3 API TAS3 API TAS3 API Application Layer Backend Application Backend Application Legacy / Data Layer Legacy Application 20100503 SK EIC 2011 Munich, May 13, 2011 Sampo Kellomäki: TAS3 Arch 11 14

  15. TAS3 Architecture 2010 Web Browser or Fat Client Client side app (e.g. AJAX) Component Overview v2.3 Organization Domain Runtime & Enforcement Modelling Payload Applications Core TAS3 Infrastructure TAS3 User Tools & Config. Mgmt User Audit Front End Identity Provider Trust Dashboard (e.g. Web GUI) Network Mgmt Business Process Policy Editor & Identity Processes Engine Consent Management Aggregator Config. Web Services Delegation Settings Trust & Reputation Data Biz. Proc. Models Core TAS3 Infrastructure Backchannel Policies Authorization Delegation Service ID Mapper Modelling Credentials & Policies Discovery Registry Ontology Handler Tools Negotiator Org. Level Event Bus Audit Events Management Events Ontology Audit & (Operation Monitoring) (Audit Analysis) Online Compliance Testing Monitor EIC 2011 Munich, May 13, 2011 Sampo Kellomäki: TAS3 Arch 11 15

  16. Built-in rules of the application Built-in rules of the service Service Client App Rules of the operator Rules of the operator Org D PDP Org C PDP Alice Bob TN PDP PEP Rs Out Rules of the TN PEP 1 2 Master Master Rq Out 4 3 PDP PDP Trust PDP PEP PEP Rq In Rs In Alice PDP Bob PDP Personal rules Personal rules Corp D Firewall Corp C Firewall 20100531 Sampo or Packet Filter or Packet Filter EIC 2011 Munich, May 13, 2011 Sampo Kellomäki: TAS3 Arch 11 16

Recommend

Trusted Architecture for Secure Shared Services (with Privacy), Future of Internet PPP, and

Trusted Architecture for Secure Shared Services (with Privacy), Future of Internet PPP, and

TAS 3 Trusted Architecture for Secure Shared Services (with Privacy), Future of Internet PPP, and Internet of Subject Personal Data Store Sampo Kellomki (sampo@zxidp.org) 11. October 2010, IIW London 09 TAS 3 Intro and Vision EU FP7

968 views • 75 slides
Trusted Architecture for Secure Shared Services (with Privacy) Sampo Kellomki (sampo@zxidp.org)

Trusted Architecture for Secure Shared Services (with Privacy) Sampo Kellomki (sampo@zxidp.org)

TAS 3 Trusted Architecture for Secure Shared Services (with Privacy) Sampo Kellomki (sampo@zxidp.org) 29. September, 2010, ICT, Brussels 05 TAS 3 Intro Visit TAS 3 booth in hall H (near Prime Life booth) Project runs until end of 2011

660 views • 54 slides
Four Layers to Build a Four Layers to Build a Trusted Architecture Trusted Architecture Danny

Four Layers to Build a Four Layers to Build a Trusted Architecture Trusted Architecture Danny

Trusted Architecture for Trusted Architecture for Securely Shared Services Securely Shared Services Four Layers to Build a Four Layers to Build a Trusted Architecture Trusted Architecture Danny De Cock K.U.Leuven ESAT/COSIC

369 views • 17 slides
Generic Architecture Architecture Generic for Securely Securely Managing Managing for

Generic Architecture Architecture Generic for Securely Securely Managing Managing for

Trusted Architecture for Trusted Architecture for Securely Shared Services Securely Shared Services Generic Architecture Architecture Generic for Securely Securely Managing Managing for Employability & Healthcare Employability &

161 views • 14 slides
Generic Architecture Architecture Generic to Securely Securely Manage Manage to

Generic Architecture Architecture Generic to Securely Securely Manage Manage to

Trusted Architecture for Trusted Architecture for Securely Shared Services Securely Shared Services Generic Architecture Architecture Generic to Securely Securely Manage Manage to Employability, Healthcare & Employability, Healthcare

813 views • 16 slides
A Secure Softw are A Secure Softw are Architecture Architecture Description Language

A Secure Softw are A Secure Softw are Architecture Architecture Description Language

A Secure Softw are A Secure Softw are Architecture Architecture Description Language Description Language Jie Ren, Richard N. Taylor Department of Informatics University of California, Irvine Software Security Assurance Tools, Techniques,

354 views • 22 slides
Trusted Network Communications Architecture 2.0 Overview 20 July 2017 1 Why are we talking

Trusted Network Communications Architecture 2.0 Overview 20 July 2017 1 Why are we talking

Trusted Network Communications Architecture 2.0 Overview 20 July 2017 1 Why are we talking about this? The TCGs Trusted Network Communications Workgroup is finalizing publication of the Trusted Network Communications Architecture for

402 views • 8 slides
Laying a Secure Foundation for Mobile Devices Stephen Smalley Trusted Systems Research National

Laying a Secure Foundation for Mobile Devices Stephen Smalley Trusted Systems Research National

Laying a Secure Foundation for Mobile Devices Stephen Smalley Trusted Systems Research National Security Agency Trusted Systems Research Trusted Systems Research Conduct and sponsor research to provide information assurance for national

775 views • 38 slides
Achieving the NZ DFFs vision: New Zealand is a world leader in the trusted use of shared

Achieving the NZ DFFs vision: New Zealand is a world leader in the trusted use of shared

Achieving the NZ DFFs vision: New Zealand is a world leader in the trusted use of shared data to deliver a prosperous, inclusive society - Implications for the public sector James Mansell & Miriam Lips 5 November 2014 John

579 views • 29 slides
A Shared Service Perspective From Morris County Shared Services April 7, 2009 A Shared Service

A Shared Service Perspective From Morris County Shared Services April 7, 2009 A Shared Service

A Shared Service Perspective From Morris County Shared Services April 7, 2009 A Shared Service Perspective Why Consider Shared Services? In February 2010, the Department of Community Affairs (DCA) announced the average property tax bill

663 views • 25 slides
COMP 590-154: Computer Architecture Shared-Memory Multi-Processors Shared-Memory Multiprocessors

COMP 590-154: Computer Architecture Shared-Memory Multi-Processors Shared-Memory Multiprocessors

COMP 590-154: Computer Architecture Shared-Memory Multi-Processors Shared-Memory Multiprocessors Multiple threads use shared memory (address space) SysV Shared Memory or Threads in software Communication implicit via loads

548 views • 40 slides
1 Singapores Efforts in developing Creating a Secure and Trusted infrastructure and

1 Singapores Efforts in developing Creating a Secure and Trusted infrastructure and

Presentation Outline E- -Business Implementation Business Implementation E Part 1 The Singapore Experience The Singapore Experience How Singapore Government Agency created a secure and trusted infrastructure for e-business By Tan Jin

790 views • 25 slides
Main principles of secure OS

Main principles of secure OS

Main principles of secure OS Trusted Flexible Secure Versatile modular Internet security

490 views • 26 slides
Administrative Services Transformation Overview Presentation for Shared Services April 2013

Administrative Services Transformation Overview Presentation for Shared Services April 2013

Administrative Services Transformation Overview Presentation for Shared Services April 2013 Table of Contents Introduction to Shared Services Project Overview In-Scope Processes AST Shared Services Project Team University Readiness AST

430 views • 27 slides
System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario

System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario

System Architectures and Techniques for Efficient, Secure, and Trusted Code Execution Mario Werner May 7, 2020 Graz University of Technology Why do we care about code? www.tugraz.at 10:20 July 18 W i r e l e s s - G A D S L G

599 views • 49 slides
Evolution of the ESC Providing Models of Shared Services since 1970 October 2019 The

Evolution of the ESC Providing Models of Shared Services since 1970 October 2019 The

10/21/2019 The ESC of Morris County Evolution of the ESC Providing Models of Shared Services since 1970 October 2019 The Shared Services Initiative Over the years, NJSBA has supported the idea of shared services as well as

383 views • 9 slides
GENERIC TRUSTED COMPONENT BRUNO VAVALA CMU / UL Nuno Neves Peter Steenkiste UL CMU

GENERIC TRUSTED COMPONENT BRUNO VAVALA CMU / UL Nuno Neves Peter Steenkiste UL CMU

SECURE IDENTIFICATION of ACTIVELY EXECUTED CODE on a GENERIC TRUSTED COMPONENT BRUNO VAVALA CMU / UL Nuno Neves Peter Steenkiste UL CMU IEEE/IFIP Conference on Dependable Systems & Networks (DSN16) outline Trusted Practical

663 views • 47 slides
Secure Architecture and Secure Architecture and Implementation of Xen Xen on ARM on ARM

Secure Architecture and Secure Architecture and Implementation of Xen Xen on ARM on ARM

Secure Architecture and Secure Architecture and Implementation of Xen Xen on ARM on ARM Implementation of for Mobile Devices for Mobile Devices Sang- -bum bum Suh Suh Sang sbuk.suh@samsung.com sbuk.suh@samsung.com SW Laboratories SW

598 views • 48 slides
Bringing scale to Shared Services Gert Engman Group Executive Vice President, CIO and Head of

Bringing scale to Shared Services Gert Engman Group Executive Vice President, CIO and Head of

Corporate Bank of the year 2003 Bringing scale to Shared Services Gert Engman Group Executive Vice President, CIO and Head of Shared Services, 1 Agenda Creation of a Shared Services Unit Current drivers and trends in IT IT and

362 views • 21 slides
Secure Messaging Lecture 23 Messaging Alice Bob Secure Messaging Corruption model

Secure Messaging Lecture 23 Messaging Alice Bob Secure Messaging Corruption model

Secure Messaging Lecture 23 Messaging Alice Bob Secure Messaging Corruption model Server/network is adversarial (but trusted identity registration needed) Windows of compromise when a party is under adversarial control (or readable

933 views • 14 slides
TOTALPRO SERVICES TOTALPRO SERVICES LTD LTD Secure your future I nternational Tax Planning

TOTALPRO SERVICES TOTALPRO SERVICES LTD LTD Secure your future I nternational Tax Planning

TOTALPRO SERVICES TOTALPRO SERVICES LTD LTD Secure your future I nternational Tax Planning Com pany Form ation and Adm inistration Legal Services Banking Services Accounting and Audit Services Virtual Office Services About us

159 views • 15 slides
Why dont we have a Secure and Trusted Inter-Domain Routing System? Geoff Huston, APNIC Why

Why dont we have a Secure and Trusted Inter-Domain Routing System? Geoff Huston, APNIC Why

Why dont we have a Secure and Trusted Inter-Domain Routing System? Geoff Huston, APNIC Why do we keep seeing these headlines? 1. The Meta Goal Can we devise changes to operational practices, or operational tools or routing technologies

572 views • 15 slides
Infrastructure & Shared Services Director Infrastructure & Shared Services Organisational

Infrastructure & Shared Services Director Infrastructure & Shared Services Organisational

Louise Marshall Brother UK Ltd Infrastructure & Shared Services Director Infrastructure & Shared Services Organisational Structure Infrastructure & Shared Services Louise Marshall Infrastructure & Shared Services

251 views • 24 slides
Is Your Brand Trusted? The science of building a trusted brand Dr Brent Coker DO YOU TRUST THE

Is Your Brand Trusted? The science of building a trusted brand Dr Brent Coker DO YOU TRUST THE

Is Your Brand Trusted? The science of building a trusted brand Dr Brent Coker DO YOU TRUST THE FINANCIAL SERVICES INDUSTRY? Yes 46% No Source: Mintel/Ipsos 2018; N = 1600 DO YOU TRUST THE FINANCIAL SERVICES INDUSTRY? 19% Yes No N = 838;

608 views • 49 slides

More recommend