Dear Pierangelo,

Please find below our answer to your comments on the Security chapter:

Architecture:

* Introduction:
  1. Comments 1 & 2: wording and example modified (TS)
* Architecture Overview:
  1. Comment 3: sentence clarified;
  2. Comment 4: increasing readability (TS)
* Security monitoring:
  1. Comment 5: very global rewriting of the page by TS;
  2. Comment 6: justification of the Security Monitoring approach with regard to ISO 27000 standard;
  3. Comment 7: architecture clarified (i.e. origin of inputs)
* Fuzzer:
  1. Comments 8 & 11: taken into account in the wiki page (INRIA)
* Countermeasures:
  1. Comment 9: taken into account by TCS
* Visualization:
  1. Comment 10: review comment fixed by TRT
* Context-based security & compliance (ATOS):
  1. Comment 12: Chapter wording has been revised
  2. Comment 13: Disclaimer wording revised
  3. Comment 14: wording revised
  4. Comment 15: As rule manager was part of our proposed (and not selected) EPICS for the second Open Call, their features are still pending
  5. Comment 16: Wording revised
  6. Comment 17: Wording revised
  7. Comment 18: "Chapter" has been used instead of WP3.
  8. Comment 19: No changes at this moment, see answer to comment 15.
However, we still have pending actions on this one:

FIWARE.ArchitectureDescription.Security.Context-based security & compliance
<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/FIWARE.ArchitectureDescription.Security.Context-based_security_%26_compliance>

Pier Garino
General comment to this page: The context-aware capabilities mentioned in the name of this GE call for some explanation about possible interactions (or about impossibility to have interactions) with context/data Management chapter (e.g.: aren't there GEs which might be exploited in the architecture of the Context-based security & compliance GE?). This should help dissipate some doubts which might arise in readers and adopters of FI-WARE architecture.

We do not understand this comment. Would it be possible for Pierangelo Garino to provide more details about it?

* USDL-SEC (SAP)
  1. Comments 32, 33, 34 SAP: all comments have been addressed. However, some comments on USDL-SEC specification are probably incorrect, as Juanjo in one of his past emails wrote that no Open Specification template was provided for non-software products, which is the case.
* Data Handling (SAP)
  1. Comments 21 to 30: all comments have been addressed
* Identity Management (DT)
  1. All comments addressed
* Optional security enablers
  1. Comment 31 addressed

Open Specifications:

* Security Monitoring / Mulval Attack Path Engine
  1. Comment 35 addressed: rewriting of the page
* Security monitoring / OSSIM-SIEM (ATOS)
  1. Page wording has been revised in order to make clear that Atos tasks will be:
  2. Configure OSSIM according to FI-WARE monitoring GE needs
  3. Develop an advanced service level SIEM component on top of OSSIM. This advanced SIEM is going to be delivered in future releases of the security monitoring GE
* SSS (TCS)
  1. Comments addressed
* Identity Management (DT)
  1. Comments addressed
* DB Anonymizer (SAP)
  1. Comments addressed
* Data handling (SAP)
  1. Comments addressed

Best regards
Daniel