FYI: The Security Monitoring sequence diagram:
http://dl.dropbox.com/u/165239/Screen%20Shot%202012-02-07%20at%2011.09.02.png

From: Alex Glikson [mailto:GLIKSON at il.ibm.com]
Sent: Tuesday, February 07, 2012 11:39 AM
To: Edmonds, AndrewX; fiware-cloud at lists.fi-ware.eu
Subject: RE: Security

Thanks a lot, Andy! Looks good, no comments from my side.

Team -- any comments regarding our response to Security team?

Thanks,
Alex

From: "Edmonds, AndrewX" <andrewx.edmonds at intel.com>
To: Alex Glikson/Haifa/IBM at IBMIL
Date: 07/02/2012 01:29 PM
Subject: RE: Security
________________________________

I've reviewed the WP4 related sequence diagram from the security guys. I've no issues with it right now. One thing however to bear in mind is that the interactions that they detail are effectively ones that occur with the Identity Management GE (auth, access, id mgt events), hence the lack of immediate issues for us ;-)

There are quite a number of questions from the Security WP. It would be helpful if you can review these (or perhaps it makes sense to do so in the confcall).

Security Monitoring:

* For every GE, is it possible to make an inventory of security events with their source, frequency, dependency, volume (required resources)?
  o Yes, however not within the timeframe of the first release.
* What indicators and dashboards expected by the GE (Cloud Hosting, IOT, I2N, Applications/Services Ecosystem & Delivery Framework..)?
  o Subject to security review of base line assets and GEs from WP4. Unlikely within 1st release.
* Are we able to quantify a vulnerability, taking into account its impact on addressed services, in the context of Cloud Hosting, IOT, I2N, Applications/Services Ecosystem & Delivery Framework..?
  o See previous
* Can we prioritize countermeasures, taking into account the nature of service under attack?
  o See previous
* Applicability of the attack paths approach to the context of the services recomposition?
  o ?
* Applicability of the Residential customer monitoring to the GE?
  o Not sure of "residential". However, a user of a GE should have access to monitoring information related to their service instances.

Privacy and Data Handling

* Privacy threats already detected/considered in FI-WARE/FI-PPP by other WPs?
  o None yet.
* Approaches to store personal data securely?
  o There was a discussion of how to securely store user credentials (e.g. ssh private keys) using mechanisms other than a file system (currently the de facto method in IaaS)
* Approaches to control the disclosure of personal data?
  o It was established that the DH GE would be used in the Object Storage GE to control the use of user-supplied data.
* Which services require untraceability, unlinkability and anonymous access?
  o Currently this is not seen as a requirement in WP4.
* What do the services need-to-know about their users before granting them access?
  o Currently it's assumed that only basic information is required: username and password.
* Is revocation a requirement?
  o Revocation in the context of Identity Management is needed.

Identity Management

* On what levels will authentication be needed?
  o Mainly at the application/service level. There will also be the need to authenticate users on accessing a virtual machine (mechanisms include ssh, vnc, rdp)
* Who will authenticate whom?
  o IDM will authenticate users and system services acting on the behalf of users (by proxy).
* How will users be authenticated?
  o Username/password & API Keys, ssh public key pair or password for individual VM access.
* How will services be authenticated?
  o API keys
* How will things be authenticated?
  o Not currently considered/in scope
* What protocols should the IDM support?
  o OAuth and OpenID are currently "nice to haves"
* Who will implement the example services?
  o The services used will be those that implement the WP4 GEs.
* Who will provide network security?
  o There will be some network security measures supplied by WP4 GEs - mainly firewall configuration.

Andy

-------------------------------------------------------------
Intel Ireland Limited (Branch)
Collinstown Industrial Park, Leixlip, County Kildare, Ireland
Registered Number: E902934

This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies.