TAS3: Trusted Architecture for Secure Shared Services (with Privacy), Future of Internet PPP, and Internet of Subjects Personal Data Store
Sampo Kellomäki (sampo@zxidp.org)
11 October 2010, IIW London
TAS3 Intro and Vision
• EU FP7 project, runs until end of 2011
• Architecture
  - Identity management, authorization, and audit plumbing
  - Holistic combination of existing technologies
• Standards-based profiles (SAML2, Liberty ID-WSF2, UMA, XACML2, ...)
• Reference implementation in open source (C/C++, PHP, Java, .Net)
  - zxid.org (Apache2 non-viral open source license)
• Vision of empowering users and building trust networks
  - Pair-wise pseudonymous: uncorrelatable without user consent
  - Internet of Subjects Foundation: not-for-profit governance
  - Competitive services marketplace: discover services you trust
  - Delegation: help your loved ones, accept help, represent an organization
  - Trust scoring and trust building: make informed choices
  - Privacy preserving: user in control, no unexpected correlation
IIW London, October 10, 2010 Sampo Kellomäki: TAS3 Arch., FI-PPP, and IoS PDS 09
Empowering the user to take control of his data
• Fully pair-wise pseudonymous design
  - Prevents correlation and collusion at all layers of a deep SOA
• Model where the user gives out his data from his Personal Data Store
  - User is well positioned to impose policies when releasing data
  - Data is stored only once, and in a place the user chooses
• Personas, partial identities
• Privacy protection through non-correlatability, access control, and sticky policies
• User self-audit dashboard gives the user visibility into the use of his data
  - An independent means to keep the service providers in check
• Digitally signed audit trail to ensure legal enforceability
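The pair-wise pseudonym and "uncorrelatable without user consent" properties above can be shown in a few lines. The following is an added illustration, not code from the TAS3 project or from ZXID: a constructed IdP key, a keyed derivation of one persistent pseudonym per (user, service provider) pair (the same idea as a SAML2 persistent NameID), and a minimal ID Mapper whose API shape is an assumption. Two SPs comparing the identifiers they hold learn nothing, and the mapper only links them once the user has recorded consent.

```python
import base64
import hashlib
import hmac
from typing import Dict, Set, Tuple

# Constructed IdP key for this example only; an assumption, never a real secret.
IDP_KEY = b"constructed-idp-key-for-illustration"


def pairwise_pseudonym(user_id: str, sp_entity_id: str, key: bytes = IDP_KEY) -> str:
    """Persistent pseudonym for one (user, SP) pair.

    The MAC is keyed with the IdP's secret, so an SP holding its own pseudonym
    for a user can neither recover user_id nor compute that user's pseudonym
    at any other SP, which is what prevents cross-SP correlation."""
    msg = user_id.encode() + b"\x00" + sp_entity_id.encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).rstrip(b"=").decode()


class IdMapper:
    """Minimal ID Mapper (API shape is an assumption): translates a pseudonym
    known to one SP into the same user's pseudonym at another SP, but only
    when the user has consented to linking those two services."""

    def __init__(self, key: bytes = IDP_KEY):
        self.key = key
        self.issued: Dict[Tuple[str, str], str] = {}     # (pseudonym, sp) -> user_id
        self.consent: Set[Tuple[str, str, str]] = set()   # (user_id, from_sp, to_sp)

    def issue(self, user_id: str, sp: str) -> str:
        """Called at SSO time: hand the SP its own pseudonym for the user."""
        p = pairwise_pseudonym(user_id, sp, self.key)
        self.issued[(p, sp)] = user_id
        return p

    def grant_consent(self, user_id: str, from_sp: str, to_sp: str) -> None:
        self.consent.add((user_id, from_sp, to_sp))

    def revoke_consent(self, user_id: str, from_sp: str, to_sp: str) -> None:
        self.consent.discard((user_id, from_sp, to_sp))

    def map_identity(self, pseudonym: str, from_sp: str, to_sp: str) -> str:
        """Map from_sp's pseudonym to to_sp's pseudonym; refuse without consent.

        The requester must present a pseudonym that was actually issued to it,
        so one SP cannot use a pseudonym it observed elsewhere."""
        user_id = self.issued.get((pseudonym, from_sp))
        if user_id is None:
            raise PermissionError("pseudonym was not issued to this requester")
        if (user_id, from_sp, to_sp) not in self.consent:
            raise PermissionError("user has not consented to linking these services")
        return self.issue(user_id, to_sp)


if __name__ == "__main__":
    mapper = IdMapper()
    at_a = mapper.issue("alice", "sp-a")
    at_b = mapper.issue("alice", "sp-b")
    print("sp-a sees", at_a, "sp-b sees", at_b, "same?", at_a == at_b)
    mapper.grant_consent("alice", "sp-a", "sp-b")
    print("mapped with consent:", mapper.map_identity(at_a, "sp-a", "sp-b") == at_b)
```

In a real deployment the mapping step is what the ID-WSF Discovery Service or ID Mapper performs when it hands a web service client a token for a backend service; the consent set here stands in for whatever consent store the dashboard writes to.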
TAS3 Architecture Mini 2010: "User is King"
[Figure: components shown are the Identity Provider (authentication, access control and authorization); the "front channel" (SSO to Web Site 1 and Web Site 2, and the self-audit Dashboard); the "backchannel" (Personal Service, Discovery, Web Services 3, 4 and 5); Trust, Scoring and Reputation; Audit (comprehensive and ecosystem-wide); and, underlying all of them, Governance and Interoperable Technology.]
TAS3 Layering (20100503 SK)
[Figure: layers from top to bottom are the Human Layer; User Agent Layer (web browser, client-side application); GUI Layer (web GUI, settings); Application Layer (frontend application, backend applications, legacy application in the Legacy / Data Layer); the TAS3 Security Layer exposed through the TAS3 API (SSO Connector, User Policy Editor, Consent Manager, Delegation, Identity Aggregation and Settings, Dashboard, Discovery and ID Mapper, Identity Provider); and the Web Services Stack Layer (web services client stack and provider stack) over the Back Channel Communication Layers (SOAP, HTTPS). Frontend 1 and Web Service Providers 2 and 3 are connected through the Discovery Registry.]
N.B. Not all architectural components are depicted. In particular, none of the infrastructure related to authorization is shown.
TAS3 Architecture 2010: Component Overview v2.3
[Figure: within an Organization Domain the components are grouped into Runtime and Enforcement, Modelling, and Payload Applications. Core TAS3 Infrastructure on the front end: Identity Provider, Trust Network Management, Identity Aggregator, Consent Management, Delegation, Config. Web Services, Trust and Reputation Data, Business Process Engine and Models. Core TAS3 Infrastructure on the backchannel: Authorization (Policies, Credentials and Policies Negotiator), Delegation Service, ID Mapper, Discovery Registry, Ontology Handler, Org. Level Event Bus, Audit Events and Management Events, Online Compliance Testing, Audit and Monitoring (Operation Monitoring, Audit Analysis). TAS3 User Tools and Config. Mgmt: User Audit Dashboard (e.g. Web GUI), Policy Editor, Settings. Clients are a web browser or fat client with a client-side app (e.g. AJAX).]
Policy enforcement chain (20100531 Sampo)
[Figure: a call from the Client App in Corp D to the Service in Corp C passes four PEPs, numbered 1 to 4 in the figure: Rq Out on the client side, Rq In on the service side, Rs Out on the service side and Rs In on the client side. Each PEP consults the Master PDP of its own side, which combines the built-in rules of the application or service, the rules of the operator (Org D PDP, Org C PDP), the rules of the trust network (TN PDP, Trust PDP) and the personal rules of the users involved (Alice PDP, Bob PDP). Corporate firewalls or packet filters sit at the two domain boundaries.]
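The enforcement chain in the figure, as an added worked example that is not TAS3 or ZXID code: four PEPs (rq-out, rq-in, rs-out, rs-in) each ask their side's Master PDP, which combines one rule set per stakeholder. The rule contents, the deny-overrides combination with default deny, and which side hosts which rules (Org D on the client side cannot see Alice's personal rules; Org C, which hosts her data, can) are assumptions made for the illustration. Every decision is appended to a shared audit trail so the user-side dashboard has something to show.

```python
import dataclasses
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Request:
    subject: str     # pseudonymous caller, e.g. an SP entity ID
    action: str      # "read" or "write"
    resource: str    # e.g. "alice/cv"
    purpose: str     # purpose of use carried with the request ("" if none)
    stage: str = ""  # filled in by the PEP: rq-out, rq-in, rs-out or rs-in


Rule = Callable[[Request], str]

# Constructed policies, one per stakeholder in the figure (contents are assumptions).
TRUST_NETWORK_MEMBERS = {"sp-jobboard", "sp-bank"}


def tn_rules(req: Request) -> str:
    """Rules of the trust network: only members may take part in a call."""
    return PERMIT if req.subject in TRUST_NETWORK_MEMBERS else DENY


def org_d_rules(req: Request) -> str:
    """Rules of the client-side operator (Org D): only reads may leave the org."""
    return DENY if req.action != "read" else NA


def org_c_rules(req: Request) -> str:
    """Rules of the service-side operator (Org C): no data goes out without a stated purpose."""
    return DENY if req.stage == "rs-out" and not req.purpose else NA


def alice_rules(req: Request) -> str:
    """Alice's personal (sticky) rules over her own resources."""
    if not req.resource.startswith("alice/"):
        return NA
    ok = req.action == "read" and req.subject == "sp-jobboard" and req.purpose == "recruitment"
    return PERMIT if ok else DENY


class MasterPdp:
    """Combines stakeholder PDPs deny-overrides; with no Permit the answer is Deny."""

    def __init__(self, pdps: Sequence[Rule]):
        self.pdps = list(pdps)

    def decide(self, req: Request) -> str:
        results = [pdp(req) for pdp in self.pdps]
        if DENY in results:
            return DENY
        return PERMIT if PERMIT in results else DENY


AuditEntry = Tuple[str, str, str, str]  # (stage, subject, resource, decision)


class Pep:
    """One enforcement point; every decision it takes lands in the audit trail."""

    def __init__(self, stage: str, pdp: MasterPdp, audit: List[AuditEntry]):
        self.stage, self.pdp, self.audit = stage, pdp, audit

    def enforce(self, req: Request) -> bool:
        req = dataclasses.replace(req, stage=self.stage)
        decision = self.pdp.decide(req)
        self.audit.append((self.stage, req.subject, req.resource, decision))
        return decision == PERMIT


def invoke(req: Request) -> Tuple[bool, List[AuditEntry]]:
    """Run one call through all four PEPs; returns (permitted, audit trail).

    The client side (Org D) knows the trust network and its own operator rules;
    the service side (Org C) additionally hosts Alice's data and her policy."""
    audit: List[AuditEntry] = []
    client_pdp = MasterPdp([tn_rules, org_d_rules])
    service_pdp = MasterPdp([tn_rules, org_c_rules, alice_rules])
    chain = [Pep("rq-out", client_pdp, audit), Pep("rq-in", service_pdp, audit),
             Pep("rs-out", service_pdp, audit), Pep("rs-in", client_pdp, audit)]
    for pep in chain:
        if not pep.enforce(req):
            return False, audit
    return True, audit


if __name__ == "__main__":
    for r in (Request("sp-jobboard", "read", "alice/cv", "recruitment"),
              Request("sp-bank", "read", "alice/cv", "statements"),
              Request("sp-bank", "read", "public/catalog", "")):
        ok, trail = invoke(r)
        print(ok, trail[-1])
```

The third sample request shows why the response-side PEPs exist: it is permitted on the way in, because nothing about the request itself is wrong, and only stopped at rs-out by the operator rule that refuses to release data without a stated purpose.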
TAS3 Integration with ZXID (20091016 SK)
[Figure: zxididp acts as SAML 2.0 IdP and ID-WSF 2.0 Discovery with TAS3 Trust extensions, alongside a Trust PDP. SP1 (frontend: mod_auth_saml or ssoservlet, zxid_simple(), session context in JSESSION/ZXSES and a CTX DB) calls SP2 (web service: payload servlet with interceptor, or an AXIS2 module, using zxid_call(), zxid_wsp_validate() and zxid_wsp_decorate()). Enforcement points WSPin/PEP-rs-in and WSPout/PEP-rs-out call Master PDP1 and Master PDP2 (KENT) through zxid_az() using the XACML SAML profile.]
Figure 1: Liberty Alliance Architecture (for comparison of similarity).
• Liberty Federation Framework (ID-FF, SAML 2.0): enables identity federation and management through features such as identity/account linkage, Simplified Sign-On, and simple session management.
• Liberty Web Services Framework (ID-WSF): provides the framework for building interoperable identity services, permission-based attribute sharing, identity service description and discovery, and the associated security profiles.
• Liberty Identity Service Interface Specifications (ID-SIS): enable interoperable identity services such as personal identity profile, contact book, presence, and so on.
• Liberty specifications build on existing standards (SAML, SOAP, WS-Addressing, WS-Security, XML, etc.).
TAS3 Data Sheet Ideas
• What: use the "TAS3 Intro and Vision" slide
• Diagram: pick the mini architecture; use the component overview if there is space
TAS3 Benefits (short)
• User as an equal stakeholder enables more equal opportunity to participate in the Internet-based services economy
  - Easier to innovate economic activity (individuals, SMEs)
  - New kinds of markets, expansion, get out of the zero-sum game
  - Ubiquitous use: becomes part of the way of life and the way to do things, eliminating haphazard and confusing point-solution systems
• Solid layer
  - Avoid fraud, avoid data handling accidents, increase trust
  - Increase usage and business
  - EU regulatory compliance on by default
  - Non-repudiable, accountable: tie-in to the legal system, strong authentication
• Realistic and available now
  - Standards-based, reviewed, IPR-safe, multivendor, plug and play
  - Open source reference implementation available (zxid.org)
  - Certification programs available
  - Has been deployed in the real world
TAS3 Benefits (long): User
• User as an equal stakeholder enables more equal opportunity to participate in the Internet-based services economy
  - Control personal data
  - Even delete your data
  - Easier to innovate economic activity (self-employment, SMEs)
  - New kinds of markets, expansion, get out of the zero-sum game
• Life in high-trust societies tends to be easier and more pleasant
• Easier to use technology that is adequately safe
• Ubiquitous use: becomes part of the way of life and the way to do things, eliminating haphazard, confusing, point-solution systems
• Uniform user experience and data sharing practices lead to awareness and a feeling of control (a feeling based on real ability to control, not just an impression)
• Awareness leads to responsible action, which minimizes unintended consequences
TAS3 Benefits (long): Service Provider (B2C)
• Higher trust has a network effect, enabling expansion
• Operate on Internet scale
  - Reach new audiences and markets
  - Reach bigger audiences
  - Find and address smaller, niche audiences and markets profitably (long tail)
  - New kinds of markets, expansion, get out of the zero-sum game
• Businesses can focus on business, as regulatory compliance is taken care of
• Practical technology that works: it interoperates and you can buy it from multiple vendors
• Lower costs from efficiencies
• Control your risks