Context-based Security & Compliance GE Features available as per 2 nd Major Release PRRS: Context-based Security & Compliance GE

Scope of the Context-Based Security & Compliance GE  To provide the security layer of FI-WARE with context-aware capabilities to support additional security requirements through the optional security enablers developed in FI-WARE (not provided by the generic FI-WARE security services (Security Monitoring, Identity Management, Privacy, Data Handling)): DBAnonymizer Secure Storage Service Malware Detection Service Content-based Security  To provide, together with optional security services search and deployment, run-time reconfiguration that will allow use cases both deal with unpredictable context changes and ensure the compliance with the security requirements

Main Features of the Context-Based Security & Compliance GE  Selection of security requirements that can be provided through PRRS framework by SecurityName SecuritySpec SecurityRules  Selection of optional security enablers to be deployed from FI-WARE Marketplace GE  Detection of anomalous behavior or non-conformances in end-user context environments: to monitor the status of the deployed security services to detect unavailability to monitor changes in the end-user context environment to detect validation rule violations  Deployment of the optional security enablers

Context-Based Security & Compliance Architecture (1)

Context-Based Security & Compliance Architecture (2)  PRRS Framework: core of the Generic Enabler controls the rest of the components of the GE by processing requests from end-user applications and orchestrating the deployment of the optional security enablers selected provides run-time support to end-users and client applications for performing dynamic selection & deployment of optional security enablers to support additional security requirements

Context-Based Security & Compliance Architecture (3)  Rule Repository: to allow the generic enabler to store and manage compliance requirements to trigger PRRS framework when some rule will be modified so that the framework could take the necessary actions in case of the modification must be taken into account on compliance measurements  Context Monitoring: to detect anomalous behavior or non-conformances in end-user context environments

Security Specifications and Security Rules  Security Specification: Any single security requirement that can be supported by a security service (encryption, authentication, accountability…). They are expressed with USDL-SEC vocabulary. For example: usdl-sec:hasSecurityGoal=anonymity  Security Rule: A set or security specifications that describes a complex security agreement that must be fulfilled commonly by two (or more) entities. They are expressed with USDL-SEC vocabulary and integrated in a SecurityProfile. For examples: Data Protection security rule to apply data protection laws from a country or FI Domain (such as Healthcare or Telecommunication).

How to use CBS&C?  Define your additional security requirements  Define your context/constraints: Preferences (e.g. usdl:hasSecurityProvider=ATOS) Configuration (e.g. OperativeSytem=Linux)  CBS&C will deploy the security service that better matches your requirements and will provide you the endpoint to access and its usdl. CBS&C request Context Monitoring Security Solutions

What are the advantages?  CBS&C automatically will search in the FI-WARE Marketplace available services and select one based on your security requirements, preferences and context.  CBS&C automatically will download and deploy the selected service if it is not running in the Service Provider facilities  CBS&C will monitor the selected services to check they are available and compliant with your requirements and context (which could have unpredictable changes)  In case of detecting not compliance or not availability, CBS&C automatically will reconfigure the service or substitute it by another with the same specifications in a transparent way for the user.

10 Demo of Context –based Security & Compliance GE

Request for Security Solution:  It is possible to indicate or select security requirements with one of the following options: By service name: DBAnonymizer By security rule: ReIdentificationRisk

Request for Security Solution (2):  It is possible to indicate or select security requirements with one of the following options (continue): By security specifications: securityGoal anonymity

Request for Security Solution (3):  It is possible to include a list of user-context constraints (which are optional) that must be considered by the PRRS in the selection of the security services: context information related to usdl attributes (not usdl-sec) provided as preferences by the user to be considered in the selection of services configuration parameters to be considered in the selection or deployment of the services context data published the user in the FI-WARE Context Broker GE

Context-based Security&Compliance Web Client  security request written in xml (must be included in the XML Request box): CBS </clientEndpoint  Do Post must be selected to send it to the PRRS Framework  Go! is pressed  Response frame with the URL where the implementation of the optional security enabler selected by the PRRS Framework is deployed and accessible.

Context-based Security&Compliance Web Client (2)

References  Context-based Security & Compliance Open Specifications: ware.eu/plugins/mediawiki/wiki/fiware/index.php/FIWARE.OpenSpecification.Security.Context- based_security_&_compliance  Context-based Security & Compliance-User’s and Programmer’s Guide: based_security_%26_compliance_-_User_and_Programmers_Guide  Context-based Security & Compliance-Installation and Administration Guide: based_security_%26_compliance_-_Installation_and_Administration_Guide