11 Disaster Risk Reduction Clouds: Challenges in Making Them Open Jan-Ming Ho and Jane W. S. Liu Institute of Information.

Presentation transcript:

1 Disaster Risk Reduction Clouds: Challenges in Making Them Open
Jan-Ming Ho and Jane W. S. Liu, Institute of Information Science, Academia Sinica, Taiwan
John K. K. Zao, Department of Computer Science, National Chiao-Tung University, Taiwan
IRDR Advanced Institute, October 25, 2012

2 Disaster Risk Reduction Clouds
13:00 – 15:00 Welcome, introductions, and lecture
- Motivation and challenges
- State-of-the-art authorization and access control and privacy protection models, policies and software
- State of the art on access control and privacy protection during emergencies and major disasters
- Topics of discussion
  - Experiences & opinions on fostering open data culture & practices
  - Technical and non-technical assistance to enable open data
  - International collaboration opportunities
15:00 – 15:30 Coffee break
15:30 – 16:30 Discussions and conclusion

3 Disaster management cycle
[Figure: cycle of phases: Preparedness, Prediction and warning, Response, Recovery, Reconstruction, Mitigation and prevention]
- Preparedness: scenario development; emergency SOP development; education & training
- Prediction and warning: real-time monitoring, modeling, forecasting; scenario identification/situation awareness; dependable alert/alarm/warning delivery; effective use of alarm information
- Response: connectivity diagnosis and repair; information dissemination; command and control decision support; resource dispatching
- Recovery: impact assessment; restoration of telecommunication, transportation & other infrastructures

4 On Power of Information
[Figure: availability and impact, 0% to 100%, over 0 h, 24 h, 48 h and 72 h]
- “Information can save lives, livelihoods and resources.” – World Disasters Report, 2005
- “Today, even mobile phones could be used as an effective medium to provide early warnings and thus save lives and property” – R. K. Pachauri, 2009
- “Small advances in emergency informatics could significantly reduce deaths, accelerate damage assessment, and minimize economic downtime” – R. R. Murphy, 2010

5 Happenings Everywhere

6 OSIRIS and SANY in EU
[Figure: layered architecture. Layers: User information systems; Operational services; System services; Sensor services; Sensor Systems. Service labels: Generic; Display; Sensor tasking; Sensor monitoring; Sensor man.; Proc./storage; Web mapping; Dataflow man.; Alarm service; Discovery; Access; Alert; Tasking; Interface adaptor]

7 Open SensorNet & DMIS Infrastructures in US: DM-OPEN, IPAWS, CAP, E911 & E911-IP

8 USA-Japan New (July 2012) Initiative To pursue fundamental advances in information technology in support of effective disaster management.


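12 Disaster Prevention and Response Application Service Platform: Information Integration and Sharing Mechanism
[Figure, labels translated from Chinese]
- Agencies shown: Central Weather Bureau (Ministry of Transportation and Communications); Water Resources Agency (Ministry of Economic Affairs); Soil and Water Conservation Bureau (Council of Agriculture, Executive Yuan); Construction and Planning Agency (Ministry of the Interior); National Fire Agency (Ministry of the Interior); Directorate General of Highways (Ministry of Transportation and Communications); National Science and Technology Center for Disaster Reduction
- Data shown (exchanged as XML, KML): base map data; monitoring map data; disaster situation information; facility operations; …
- Other parties shown: Analysis and Assessment Group of the Central Emergency Operation Center; Commander of the Central Emergency Operation Center; local governments; the public and journalists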

13 Situation Assessment Cloud; Emergency Response Support Information System
A common limitation: inability to access information in all sources

14 Common Limitations
- The systems do not make good use of information sources owned by businesses, organizations, communities, and so on
- The systems do not synergistically exploit information from networks of things and crowds of people
- The systems are not sufficiently agile in response to changes in the disaster situation
- The systems do not make effective use of early warnings to enhance preparedness

15 Roadblocks to Sharing
- Interoperability: being addressed by
  - Large projects, e.g. US IPAWS-OPEN, EU SANY and LOD2, Japan-US SAVI and so on
  - Standards & tools, e.g. OGC SWE, ARCGIS, etc.
- Privacy and confidentiality concerns: today’s topic of discussion
  - State-of-the-art technologies for information access control and privacy protection
  - Non-technical factors affecting information sharing cultures, policies and practices

16 Authentication and Access Control
- For web services
- For databases

17 Use Scenario 1
- Have you ever clicked on the “Like It” button on a web site?
- Instantly, the information you selected will be shared with others!
- What happened? You’ve authorized that website, using OAuth, to post information on your FACEBOOK Timeline.

18 Use Scenario 2
- Have you ever signed onto a new website using your FACEBOOK account?
- When you’re done, you’ll find that the website is already customized to your preferences! Where does the website get the information?
- What happened? You’ve used the FACEBOOK Single-Sign-On Service to provide your personal information to that website.

19 Federated Identity Management
- Service providers & users may belong to different organizations (administrative domains)
- Users need access across organization boundaries
- No overarching infrastructure may exist to manage and authenticate identities & credentials
[Figure: Isolated ID Management; SSO ID Management; Federated ID Management. From A. Jøsang & S. Pope, “User Centric Identity Management”, AusCERT]

20 OAuth Authorization Protocol
- A web service authorization protocol for granting third-party access to users’ private resources without requiring users to disclose private information, e.g. passwords
- Runs over HTTPS and Web Service compatible protocol suites
- Widely used by Google, Facebook, Yahoo, etc.
- Components
  - Client
  - Server
  - Resource Owner
  - Protected Resources
  - Credentials: unique ID and secrets

21 Client Registration
- Clients authenticate to the server
- Clients obtain client credentials from the server

22 User Service Request
- Client uses its client credentials to obtain a temporary credential from the server, which identifies the delegation request

23 User Authorization
- Client redirects the user to the server to authorize the request
- User authorizes the temporary credential

24 Exchange Access Token
- Client exchanges the authorized temporary credential for an access token with the server

25 Obtain Resources Client accesses protected resource with access token
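
The five steps on slides 21 to 25, traced in an in-memory sketch. This is an added example, not code from the presentation or from any OAuth library; the class, method and sample names are hypothetical, and an HMAC-SHA256 over the request fields stands in for real OAuth request signing. It shows that the owner's password goes only to the server and that an unauthorized temporary credential cannot be exchanged.

```python
import hashlib
import hmac
import secrets


def sign(secret, *fields):
    """HMAC-SHA256 over the request fields (simplified stand-in for OAuth signing)."""
    msg = "&".join(fields).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self, resources, passwords):
        self.resources = resources   # owner -> protected resource
        self.passwords = passwords   # owner -> password, never given to clients
        self.clients = {}            # client id -> client secret
        self.temp = {}               # temporary credential -> client and owner
        self.access = {}             # access token -> (client id, owner)

    def register_client(self):                          # slide 21
        cid, csecret = secrets.token_hex(8), secrets.token_hex(16)
        self.clients[cid] = csecret
        return cid, csecret

    def _check(self, cid, sig, *fields):
        secret = self.clients.get(cid)
        if secret is None or not hmac.compare_digest(sig, sign(secret, *fields)):
            raise PermissionError("bad client credentials")

    def request_temp_credential(self, cid, sig):        # slide 22
        self._check(cid, sig, "temp", cid)
        token = secrets.token_hex(8)
        self.temp[token] = {"client": cid, "owner": None}
        return token

    def authorize(self, token, owner, password):        # slide 23
        # The resource owner authenticates to the server directly.
        if not hmac.compare_digest(self.passwords.get(owner, ""), password):
            raise PermissionError("owner authentication failed")
        self.temp[token]["owner"] = owner

    def exchange(self, cid, token, sig):                # slide 24
        self._check(cid, sig, "exchange", cid, token)
        entry = self.temp.pop(token, None)              # single use
        if entry is None or entry["client"] != cid or entry["owner"] is None:
            raise PermissionError("temporary credential not authorized")
        access = secrets.token_hex(16)
        self.access[access] = (cid, entry["owner"])
        return access

    def get_resource(self, cid, access, sig):           # slide 25
        self._check(cid, sig, "resource", cid, access)
        holder, owner = self.access.get(access, (None, None))
        if holder != cid:
            raise PermissionError("invalid access token")
        return self.resources[owner]


def run_flow(authorize_step=True):
    # Constructed sample data: one owner, one protected resource.
    server = AuthServer({"alice": "alice-contact-list"}, {"alice": "pw-constructed"})
    cid, csecret = server.register_client()
    temp = server.request_temp_credential(cid, sign(csecret, "temp", cid))
    if authorize_step:
        server.authorize(temp, "alice", "pw-constructed")
    access = server.exchange(cid, temp, sign(csecret, "exchange", cid, temp))
    return server.get_resource(cid, access, sign(csecret, "resource", cid, access))
```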

26 OpenID
- OpenID allows users to be authenticated in a decentralized way in order to sign into multiple websites without creating new passwords
- Components
  - End-user: entity that wants to assert a particular identity
  - Identifier or OpenID: end-user's URL/XRI identity
  - OpenID provider (OP): service that registers OpenID URLs/XRIs and provides user authentication
  - Relying party (RP): site that needs to verify the end-user's identity
  - User-agent: program used by the end-user to access the OpenID Provider or Relying Party

27 User Service Request
- User requests RP service with identity URL

28 User Authentication
- Redirect the user to authenticate with OP

29 Verify Authentication
- Redirect back to RP and verify the authentication assertion with OP
- Then, service the user

30 OAuth versus OpenID
[Figure source: OpenID, Wikipedia, 12 September]

31 A/RBAC
- Mechanisms
  - Role Based Access Control (RBAC)
  - Attribute Based Access Control (ABAC)
- Components
  - Policy Enforcement Point (PEP)
  - Policy Information Point (PIP)
  - Policy Decision Point (PDP)
  - Policy Administration Point (PAP)
- Policies
  - Use Role Policy Sets (RPS) to implement role hierarchies
  - Use Permission Policy Set (PPS) to implement multiple rules with enforcement constraints
  - Use Obligations to enforce action requirements

32 AzMan (Windows Authorization Manager)
- AzMan, an RBAC framework for Windows servers, provides:
  - Administrative Tools (as a Microsoft Management Console snap-in) for users to manage authorization policies
  - Runtime Executives for applications to perform access checks against those policies
- Components
  - Authorization Store: Policy Repository
  - Application: Namespace
  - Scope: Resources with same policy
  - Role: RBAC Role
  - Operation: RBAC Action
  - Task: RBAC Action Set

33 PERMIS
PrivilEge and Role Management Infrastructure Standards is a policy-based authorization system for implementing Attribute/Role Based Access Control (A/RBAC).
- Access Control & Authorization
  - Subject-Action-Target policy specification
  - Role hierarchies
  - Trusted credentials (X.509 certificates) as attribute and policy carriers
- Trust & Delegation
  - Multiple authentication authorities issuing different user attributes
- Coordinated Decision Making
  - Multi-domain policy specification & storage
  - Centralized Policy Decision Point
  - Distributed Policy Enforcement Points

34 Federated Web Service Security
A distributed authentication and authorization framework for providing web services in cloud computing with multi-domain A/RBAC support
Components
- Federated Identity Management
- Multi-Domain Authorization
- Secure Web Communication

35 Selected References on Access Control
1. V. C. Hu, et al., “Assessment of access control systems,” NIST 7316, 2006 – presents commonly used and standard MAC models and mechanisms.
2. PERMIS (Privilege and Role Management Infrastructure Systems) – implements US NIST standard RBAC model.
3. AzMan – presents Microsoft RBAC tools for Windows 7, Server 2003 and later versions.
4. [reference missing] – introduces free Linux RBAC tools, including SELinux, RSBAC, & grsecurity.
5. A. D. Brucker and H. Petritsch, “Extending access control models with break-glass,” SACMAT’09, June
6. J. Alqatawna, et al., “Overriding of access control in XACML,” POLICY’07, 2007 – describes a discretionary overriding mechanism.
7. M. Davis, “Health care requirement for emergency access”, Department of Veteran Affairs, January 2009.

36 Information Accountability
- Protection of shared data. NICIAR projects include:
  - Improving Program Security thru Traceable Dynamic Info Flow, MIT
  - Accountability for Information Flow via Explicit Formal Proof, CMU
  - Data Flow Analysis for Information Accountability, UT Austin
- Protection of privacy according to laws & regulations
From “Transparency & Accountability: Policy Aware Web Design Strategies,” by Daniel J. Weitzner, October 2006

37 Accountability for Privacy Protection
- Essential elements:
  - Organization commitment and adoption of consistent internal and external criteria
  - Mechanisms and tools to put privacy policies into effect
  - Tools for internal oversight and external verification
  - Transparency in information usage
  - Means for remediation and external enforcement
- Technical supports:
  - Policy language framework to ensure interoperability of policies and coping with overlapping rules
  - Policy reasoning tools for context sensitive judgments
  - Policy-aware transaction logs
  - Accountability appliances

38 HTTPA (Accountable HTTP)
[Figure labels: WebID; Smart Client; Web Server; Verification Agent; Data transfer; Provenance tracker Network (DHT); HTTPA Log; Logs trails; Logs]
- Data provider specifies usage restrictions based on the consumer’s credential
- Data consumer selects the restrictions to abide by
- Provenance tracker logs the agreement and logs provenance trails
- Verification agent is responsible for authenticating the parties

39 Sequence for a Data Creation Method
[Figure: sequence diagram between Data consumer, Data producer, Verification agent and Provenance tracker. Messages: HTTPA Authentication request; WebID Protocol; Usage restrictions; Usage intentions; Usage aware/Data provenance log; Credential check; Accountability log; Acknowledgment]
Accountability log record fields: Resource URI; Usage Restrictions; Timestamp; WebID of accessor; Source URI; Derivative URI

40 Effectiveness?
- Information accountability: usage transparency, policy-aware logs, data provenance, and so on
- Question: How well can an information accountability system work to prevent the following?
  - Jason Cipriani, a CNET Blog Network author: “my personal geo-tagged photos end up in Google search”, worse yet, in some online advertisements
  - Information on Alice’s online purchases of books on her child’s chronic illness causes concern for risk of expensive family health care and hence rejection of her job application – from D. J. Weitzner, et al.
  - Surveillance camera locations released during an emergency enable well-planned burglaries afterwards

41 Selected References on Accountability
1. D. J. Weitzner, et al., “Information accountability,” ACM Comm. June 2008 – gives a brief overview of accountability systems.
2. O. Seneviratne, “Augmenting the web with accountability,” 2012,
3. O. Seneviratne and L. Kagal, “Framework for usage tracking and provenance of web resources,” Semantic Web Conference,
4. S. Pearson and A. Charlesworth, “Accountability as a way forward for privacy in the cloud,” CloudCom 2009 – advocates hybrid (legal, regulatory and technical) accountability mechanisms.
5. R. H. Sloan and R. Warner, “Developing foundations of accountability systems: informational norms and context-sensitive judgments,” GTIP, December 2010 – suggests using accountability systems for rule enforcement and conflict resolution.
6. “Data protection accountability,”
7. M. S. Alvim, et al., “Quantitative information flow and applications to differential privacy,” in Foundations of security analysis and design VI, 2011 – introduces quantification of information flow.

42 Information Access During Emergencies
- Break-the-glass (BTG) extensions of existing authorization and access control models and systems
- TIBS (Trustworthy information brokerage service)
  - Proactive upload of information on points of service (POS)
  - Information release based on traceability and accountability
[Figure labels: Scenario analysis; SOPs & DSA workflows; Information requirements; Sources; Filters; Filtered information; Release and accountability causes; Handle requests & enforce release policies; POS]

43 Break-Glass (BTG) Approach
Security/privacy requirements versus availability
- Definition: a means to allow users to override access control decisions, usually for use
  - On demand and in exceptional cases
  - To extend access rights with additional audit & logging
- A solution:
  - Pre-staged accounts created in advance, to be managed according to emergency mode policies and auditing
  - Timely distribution of pre-staged accounts in preparation for or during emergencies
  - Security audit trails monitored closely and notifications sent as specified when such an account is activated
  - Pre-staged accounts cleaned up after the emergency

44 SecureUML BTG Extension
From Brucker and Petritsch, SACMAT’09 paper “Extending Access control model with BG”
- Objective: to enable override of access decisions on a per-permission basis, not on a per-role or per-subject basis
- Elements
  - A hierarchy of emergency policies {P, P’, … } derived from requirements for multiple levels of emergency
  - Obligations attached to individual emergency policies
[Figure: break-glass policy hierarchy, architecture and message flow]

45 An Example: RBAC with BTG
From Brucker and Petritsch, SACMAT’09 paper “Extending Access control model with BG”
[Figure: SecureUML policy allowing every user to read patient data during an emergency]
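
A small decision and enforcement pair illustrating the break-glass ideas on slides 43 to 45: per-permission override, a hierarchy of emergency levels, and obligations that produce audit records. This is an added example, not the SecureUML model or code from Brucker and Petritsch; the roles, emergency levels and obligation names are hypothetical and the policy data is constructed.

```python
from dataclasses import dataclass, field

# Constructed sample policy (hypothetical roles, actions and obligation names).
REGULAR = {("physician", "read", "patient_record"),
           ("physician", "write", "patient_record")}
# Emergency policies keyed by level. Each grant is per permission (action,
# resource), applies to every user, and carries its own obligations.
EMERGENCY = {
    1: {("read", "patient_record"): ["audit_log", "notify_privacy_officer"]},
    2: {("write", "patient_record"): ["audit_log", "notify_privacy_officer",
                                      "post_incident_review"]},
}


@dataclass
class Decision:
    permit: bool
    break_glass: bool = False
    level: int = 0
    obligations: list = field(default_factory=list)


def decide(role, action, resource, emergency_level=0, break_glass=False):
    """Policy decision point: regular RBAC first, then the emergency hierarchy."""
    if (role, action, resource) in REGULAR:
        return Decision(True)
    if not break_glass:
        return Decision(False)
    # Walk from the least to the most severe level; only levels at or below
    # the currently declared emergency level may grant the permission.
    for level in sorted(EMERGENCY):
        if level > emergency_level:
            break
        obligations = EMERGENCY[level].get((action, resource))
        if obligations is not None:
            return Decision(True, True, level, list(obligations))
    return Decision(False)


class PEP:
    """Policy enforcement point: records obligations before releasing access."""

    def __init__(self, emergency_level=0):
        self.emergency_level = emergency_level
        self.audit = []

    def access(self, user, role, action, resource, break_glass=False):
        d = decide(role, action, resource, self.emergency_level, break_glass)
        if break_glass:
            # Every override attempt is logged, whether permitted or not.
            self.audit.append((user, role, action, resource, d.permit, d.level))
        if d.permit and d.break_glass:
            for ob in d.obligations:
                self.audit.append((ob, user, action, resource))
        return d
```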

46 Trustworthy Information Brokerage
[Figure labels: Scenarios (Typhoon, Earthquake, …); Request-For-Information (what, when, purposes, criticalities, etc.); Gov. sources; Non-government sources; Filtered data; R (Release) & A (Accountability) policies; Point of R & A Services; DSA & SOP Workflows]

47 Components of Information Broker
[Figure labels: User Registration; Policy Management; Event trackers; Policy DB; Audit Record; Identity Record; Admin; Provider; Helper; PEP; PDP; PIP; ICC; RC 3]

48 Topics of Discussion
- Experiences and opinions on fostering open data/information culture & practices
- Laws, regulations, education and tools to enable open data and information
- International collaboration opportunities

49 Thank You!