Dear Andreas,
We have just finished our weekly audio conference on WP8, where we discussed, among other things, the comments you provided us with as per the WP3 review (SAP, UDE & DT).
In the meantime I also asked my colleague Daniel, as T8.1 Leader and Security Monitoring GE owner, to answer the concerns you had raised from your side with respect to this enabler. I'm pleased to see things have now been clarified from your side to some extent.
As for the rest, we also agreed, as an outcome of today's audio conference, to add a question mark to the M2 deliverable to clearly state that we would be working further on the topic in the coming months to definitively clarify things concerning USDL-Sec and event managers in the context of security monitoring.
So can we say we have agreement on this, and would you be willing to have a joint WP3-WP8 meeting, starting first at the next plenary meeting in September? I hope you support this and that it would be feasible from an organizational perspective. If not, we would have to go for a separate meeting after this plenary. To be further discussed with you according to what best suits you.
Best Regards,
Pascal
From: Friesen, Andreas [mailto:andreas.friesen at sap.com]
Sent: Tuesday 12 July 2011 10:50
To: GIDOIN Daniel; BISSON Pascal
Cc: Juanjo Hierro; TRABELSI, Slim; Leidig, Torsten; Fiware-security at lists.fi-ware.eu; LELEU Philippe; SIEUX Corinne; Calin Curescu
Subject: RE: Review of the security chapter by Apps/Services Ecosystem and delivery
Dear Daniel,
many thanks for the clarification. Indeed, the security monitoring system you are striving to develop will be more powerful than conventional monitoring systems if it is able to consume security-relevant information from FI-WARE specific event managers. For the M5 deliverable, we will have to develop a deeper understanding of the kinds of FI-WARE specific event managers you have in mind and the role of USDL-SEC (mentioned in Fig 3) in the context of security monitoring. Perhaps it would be a good idea to add this as a question mark to the M2 deliverable.
With respect to Apps/Services Ecosystem and delivery, I would like to propose to address this issue in one of our regular meetings with the security WP.
Best regards,
Andreas
From: GIDOIN Daniel [mailto:daniel.gidoin at thalesgroup.com]
Sent: Tuesday, 12 July 2011 09:47
To: Friesen, Andreas; BISSON Pascal
Cc: Juanjo Hierro; TRABELSI, Slim; Leidig, Torsten; Fiware-security at lists.fi-ware.eu; LELEU Philippe; SIEUX Corinne
Subject: RE: Review of the security chapter by Apps/Services Ecosystem and delivery
Dear Andreas,
We should have no fear regarding integration/interaction with other FI-WARE components. Indeed, the interactions are very strong. On the one hand, the security monitoring GE exploits the events generated by these components.
It's a big difference from conventional monitoring, which is only focused on events from the network and security components.
On the other hand, the generated countermeasures apply to these FI-WARE components, according to their criticality. It also raises alerts dedicated to these FI-WARE components.
Best regards
Daniel.
From: Friesen, Andreas [mailto:andreas.friesen at sap.com]
Sent: Monday 11 July 2011 15:47
To: BISSON Pascal
Cc: GIDOIN Daniel; Juanjo Hierro; TRABELSI, Slim; Leidig, Torsten; Fiware-security at lists.fi-ware.eu; LELEU Philippe; SIEUX Corinne
Subject: RE: Review of the security chapter by Apps/Services Ecosystem and delivery
Dear Pascal,
please don't get me wrong concerning security monitoring. I don't say it is unnecessary, dispensable or useless. I only said that it is not FI-WARE related (in the sense that there are no explicitly mentioned specific integration/interaction points with other FI-WARE components), because from what I could read in the chapter it seems to rely on inputs from Intrusion Detection Systems, Firewalls, etc. At least in my understanding, security monitoring, as it is described in the security chapter, can be used to monitor any kind of system/network node protected by Intrusion Detection Systems, Firewalls or other security-relevant systems belonging to the deployment context of a software system to be protected.
Hence, my assumption is that it can be developed by the security WP without further interaction with other FI-WARE WPs, because it monitors the deployment context of a system and not the system itself.
Is this assumption correct?
Best regards,
Andreas
From: BISSON Pascal [mailto:pascal.bisson at thalesgroup.com]
Sent: Monday, 11 July 2011 14:29
To: Friesen, Andreas
Cc: GIDOIN Daniel; Juanjo Hierro; TRABELSI, Slim; Leidig, Torsten; Fiware-security at lists.fi-ware.eu; LELEU Philippe; SIEUX Corinne
Subject: RE: Review of the security chapter by Apps/Services Ecosystem and delivery
Dear Andreas,
Thanks for having organized, at WP3 level, the review of our Security Chapter for D2.2b.
I have already received the WP3 comments from DT.
As for the ones coming from SAP and UDE, I will have a look at them with the rest of the Security team and answer them to you.
As for what you say regarding the Security monitoring components that in your view don't directly relate to FI-WARE, let me fully object here, simply because it would benefit each of the other ATs (including yours, although not limited to it) and is also highly desired for the usage areas we know and are targeting (Smart City, Smart Grid, Smart Transport, ...). This without saying that it is part of the approved DoW, so it is directly related to FI-WARE and the major innovations which may result from the FI-WARE Project.
Best regards,
Pascal
From: Friesen, Andreas [mailto:andreas.friesen at sap.com]
Sent: Monday 11 July 2011 13:04
To: BISSON Pascal
Cc: GIDOIN Daniel; Juanjo Hierro; TRABELSI, Slim; Leidig, Torsten
Subject: Review of the security chapter by Apps/Services Ecosystem and delivery
Dear Pascal,
I asked all WP3 partners feeling qualified to form an opinion about security to review the security chapter, and received some feedback in the meantime. I will forward to you any additional reviews until today EOB, should I receive them during the day.
Please find attached the reviewed security chapter from SAP and UDE. We did not change the text; we just added comments.
In general, the comments are mainly focused on getting a common understanding of what the security chapter will offer to other FI-WARE chapters in the end.
As you will see from the comments (except for the enablers corresponding to "2 Generic Security Enablers" in Fig. 2 dealing with authentication, authorization, identity management, privacy, etc.), it is very difficult to assess at the moment (at least from the perspective of apps/services ecosystems, so maybe an additional review from a different WP could be useful for you) how the rest of the security WP contributes to/can be used by other chapters in FI-WARE. Many of the described components are either too low level (e.g., database risk evaluation and anonymization service) or not directly related to FI-WARE (e.g., the security monitoring components).
Here are also some comments on the Security chapter with respect to WP3 issues provided by DT:
Security Monitoring Enabler
It is not clear which interfaces to services and composition environments are needed for the monitoring process. The information provided on pg 7 is very general: Firewalls, Intrusion Detection Systems, Security and Event Managers, ... wireless event agents ...
Especially business risk impact evaluation sounds interesting, but it is not part of figure 3, and it is not clear how a relationship with a real business application produced e.g. by our composition tools could be realised.
At this level of description it's unclear how e.g. an SQL injection attack at application level is monitored or how the business risk is evaluated.
Identity Management
Are there also some group functionalities, or are there only single identities for users and things?
PPL Engine
Is there a dedicated graphical user interface for the end user to control his attributes? What are the interfaces to applications or services?
Context-based security and compliance
Not clear if this is related to WP3: Is it a filter of security enablers (which ones?) to fit with "very specific regulatory constraints" and monitoring of system performance? If this is a USDL extension, what is the influence on applications which are described in USDL and consumed via the marketplace?
Optional security service enabler
Not understood: is it an extension of USDL with security features (see above)? "The goal is to make easily extendible the security service description for customized services. This functionality will encourage all developers to define and describe their own services through the USDL standard by adding new functionalities .." pg 18
Are there any relations to applications and composition tools? What are the effects on applications or user security?
Best regards,
Andreas
From: fiware-wpl-bounces at lists.fi-ware.eu [mailto:fiware-wpl-bounces at lists.fi-ware.eu] On Behalf Of Juanjo Hierro
Sent: Wednesday, 6 July 2011 12:27
To: fiware-wpl at lists.fi-ware.eu; fiware-wpa at lists.fi-ware.eu
Subject: [Fiware-wpl] Contents of chapters available and planning until official deliverable
Dear colleagues,
  You will find the .doc files of each of your chapters in the usual placeholders.  Now, the name associated to each of them adopts the following convention:
    "FI-WARE High-level Description - <name-of-chapter> Chapter v<x>.<y>"
  The integrated draft is available at:
https://forge.fi-ware.eu/docman/view.php/7/235/FI-WARE+High-Level+Description+integrated+draft+0.1+11-07-06.doc
  But we should keep working with separated files per chapter.
  The first action I would kindly ask all of you to perform is to check that all your stuff is there and I didn't miss anything during the integration :-)   If you find something missing, please let me know.
  Now, we should NOT relax, and should keep going to get the official release of the deliverable out on time.  This was announced for mid July ... what mid July means is up to us, but I would suggest making it available on July 19th.
  What I would suggest now is that we carry out a peer review of each chapter, involving members of a given WP in reviewing the contents of those chapters with which more interdependencies may exist.
  In parallel, each group should try to finish what couldn't be done for this first draft.   I know that the analysis of Security aspects, just to mention an example, is not closed for all the chapters.  I will try to send a summary of what I see pending per chapter later today.
  In respect to peer reviews, here you have my suggestions for a first round.  We would try to make another round before the deadline:
Chapter                              | Chief editors | Contacts                                                             | Suggested peer reviewer (team)
Cloud Hosting                        | IBM           | GLIKSON at il.ibm.com                                                | Interfaces to Networks & Devices
Data/Context Management              | TID           | jhierro at tid.es                                                     | IoT Services Enablement
Apps/Services Ecosystem & Delivery   | SAP           | andreas.friesen at sap.com, torsten.leidig at sap.com                 | Security
IoT Services Enablement              | Orange & NSN  | Thierry.nagellen at orange-ftgroup.com, lorant.farkas at nsn.com      | Data/Context Management
Interfaces to Networks & Devices     | TI & DT       | pierangelo.garino at telecomitalia.it, Hans.Einsiedler at telekom.de  | Cloud Hosting
Security                             | Thales        | pascal.bisson at thalesgroup.com, daniel.gidoin at thalesgroup.com    | Apps/Services Ecosystem & Delivery
  I would suggest that we define the following milestones linked to this first round unless I hear any objection:
 *   July 11 EOB, reviewers to send their comments (I suggest word files with changes under control)
 *   July 13 EOB, revision of comments by editors of each chapter and upload of new version by chief editors on FusionForge
  If you believe that there would be a better assignment for you, please also let me know and we'll try together to see if there is an alternative arrangement.
  Chief editors in the table above match the WPLs and WPAs, as you may already know.   WPLs are entitled to contact the chief editor of the chapter their team has been assigned to review so that you can agree on how to proceed.
  We can keep the procedure of managing the editor token by playing with the states linked to documents in the docman system, so that whenever one file is in "pending" state it means somebody is editing it.  Whoever changes the state of a given document to "pending" should announce it to the people involved.   Anyway, you should always download the last version from FusionForge (or check that the version you have is downloadable) whenever you decide to start editing a document and change it to "pending".
  A good strategy in some cases is to split the chapter into several files, so that you keep control of those pieces that you believe are unstable and leave the rest for review.
  If you still have pending points, this procedure won't be perfect, so each editor should probably edit his version in parallel while someone is reviewing it, then manage how to integrate the comments.   But there aren't many better ways to proceed, unless you have a better idea.
  There are other things that we should start working hard on, because we are behind schedule.   An important part has to do with starting to bring content to the website and blogs.   It won't be that difficult now that we have quite a bit of content and nice stories to talk about :-)    I'll send an email with a plan proposal on the matter either today or tomorrow.
  ONE FINAL WORD AND RATHER IMPORTANT: PLEASE respect the styles and procedures for editing described in the front matter of the documents.   Some of you have tried to respect them, and integration was rather easy.   BUT I HAVE TO SAY THAT OTHERS HAVE NOT.   And this creates a lot of burden.   I can tell you that I have lost almost one hour with one of the chapters just fixing the formats, while I have spent just 15 mins with the chapters from those who followed the rules.   FOR THE NEXT ROUND, take it seriously: I will reject any file that contains prohibited styles or broken styles.   I know that it's pretty easy just to copy & paste from another document you may have written before or apart from this project, or from a web page, but that action breaks everything and has unpredictable consequences in MS Word.   It is also easier to create bullet lists or numbered lists using the buttons for doing so that MS Word offers you in the upper tool bar, but that also has unpredictable consequences and means breaking the homogeneous style across the whole document (I will indeed try to find out how to prevent these buttons from appearing :-)
  And that's all for this very long mail, I want to again thank you for all your efforts, good attitude and, overall, patience with my requests.
  Best regards,
-- Juanjo