goberlin a Trusted Cloud Marketplace for Governmental and Commercial Services

Transcription

1 goberlin a Trusted Cloud Marketplace for Governmental and Commercial Services Data Protection and Security Considerations in an egovernment Cloud in Germany Dr. Klaus-Peter Eckert Public Sector Cloud Forum London December 3 rd, 2014

2 Facts of the German Trusted Cloud Program Technology Program of the German Federal Ministry of Economics and Energy Goals: Develop innovative, secure and legal compliant Cloud Computing solutions Involve SMEs Demonstrate potential of Cloud Computing Develop innovation and market potential 14 projects (out of 116 proposals) have been selected and grouped in four clusters Development of basic technologies Applications for industry and craft Applications for health Applications for the public sector, e.g. goberlin Projects have started in 2011/12 and will run until end of 2014 Approx. 50 M from BMWi + 30 M from project partners Comprehensive research is done in four areas: Standardization, legal aspects, security, business models 3

3 Cluster - Public Sector The cluster "applications for the public sector" consists of two research projects with cloud-based services for citizens and public administrations for different application scenarios. Public administrations are entrusted with regulatory tasks and therefore have particularly high demands on the confidentiality, security and legal compliance of cloud applications. The two services are supporting the collaboration between government, businesses and citizens. Cloud Cycle provides a common standard for the entire lifecycle of cloud applications: from the cloud platform, which is used as a technical basis, via the creation of interoperable and portable applications to usage by the end user. (OASIS Topology and Orchestration Specification for Cloud Applications - TOSCA). Cloud Cycle develops an Education Cloud providing specific services for schools. goberlin builds a trustful app-marketplace that combines the services of the public administration with commercial offers of private enterprises. Apps are offered to citizens as SaaS and build by developers utilizing the PaaS support of goberlin. 7

4 Challenges Security, Trust Cloud service security, three perspectives Service provider perspective, e.g. iidentfy, authenticate, authorize service users Service user perspective, e.g. data privacy, SLA nonrepudiation Legal perspective, e.g. protection of data privacy Service specific security requirements Security as part of the marketplace infrastructure Security features to be integrated on demand Declarative security no hard-coded implementation Trust Credibility, Reliability Expectations Reputation 8

5 Matthias Heyde / / Fraunhofer FOKUS goberlin A trusted Service Marketplace in the Berlin City-Cloud goberlin orchestrates public and commercial eservices to Apps that are supporting citizens in their specific circumstances. Functional and non-functional components, especially authentication and authorization, are coupled utilizing SOA concepts incl. ESBpatterns. The project develops a prototypical implementation of the marketplace incl. orchestrated apps. goberlin runs in the cloud infrastructures of the project partners, especially in the Berlin City Cloud, operated by the Berlin data center ITDZ. The Castle in Berlin-Steglitz, a marketplace for public and commercial services 14

6 Cloud-based Service Marketplace Main Actors in goberlin eservice Providers from Public and Private Sector App Users (mainly Citizens) Service Marketplace Apps for Life Circumstances Transport Citizen Registration Mail Redirection Cloud Infrastructure App Developers and Providers Public Sector Marketplace and Cloud Operator 15

7 goberlin Marketplace High-level Architecture and Actors App Developer Portal Find and compose eservices; Publish apps Marriage App Transport eservice Proxy Relocation App Birth App Registration eservice Proxy Redirection eservice Proxy SaaS PaaS Adapters to Government and Business eservices Life Circumstances Portal for Citizens Find and use certified apps eservice Provider Portal Describe, register, and operate eservices Profile Mgmt Storage Identity Mgmt Accounting Computation IaaS Network Basic Services Marketplace Management Portal Operate Marketplace and Cloud Infrastructure 16

8 What will goberlin offer? Life Cirumstances from a Citizen s Perspective Support life circumstances such as birth, marriage, children or relocation Craftsmen Renovation Works egovernment ebusiness Change of Address Vehicle Registration Citizen Registration Office of deeds Moving Company Mail Redirection Estate Agent 17

9 What will goberlin offer? Apps support a workflow through government and business services Orchestrate government and business eservices Craftsmen Renovation Works Vehicle Registration Citizen Registration Office of deeds Moving Company Change of Address Mail Redirection Estate Agent 18

10 Approach Security and Trust Security-as-a-Service Identity management and security services are part of the PaaS base services User-centric identity management User manages personal data in a trusted and secure area User manages access to this area for apps and services Marketplace operated by a public authority Private cloud Certification of apps and services Have the security services been properly integrated? Is data passed to authorized service? Order Swaddling Clothes App Childbirth Encryption Authorization Signature Register Childbirth Identification 19

11 Approach Oligations of the goberlin Stakeholders App-Users control access to their personal profile data for apps and services App developers provide trustful apps Reloction App eservice providers operate their services in their local environment Marketplace is operated by a public authority Certification of apps and services Security-as-a-Service Identity management and security services are part of the PaaS infrastructure services Support for eid and eat cards Transport eservice Proxy Encryption Authorization Signature Registration eservice Proxy Identification Cloud infrastructure is operated by a public data center ITDZ Berlin 20

12 goberlin Marketplace Architecture Overview goberlin Marketplace App Marketplace Service Marketplace Life Circ. Portal App/Service Marketplace Portals Repositories Repositories Marketplace Services App Development Platform App Runtime Platform Marketplace Portal Marketplace Middleware Security Components Government and Business eservices Cloud Infrastructure Cloud Portal 22

13 Instance PP: Operational Instance Citizen-, App Developer-, esp-portals Citizen-App Register Login Browsing Entitlement profil, SA App-Frontend App-Logic Security Identity Management - Authentication Access Management Authorization ESB Interceptor, Logging, Monitoring Supporting Services BPM-Process Services Platform Services Admin-Portal es-wrapper Data Bases 25 Git & Build eservices

14 Linking of Security Components with Functional Components XACML concepts Access Control Services Portal / App WS-Trust X.509 Token + Username/Password WS-Trust SAML 2.0 Assertion 2. Identity Management Create Policy Enforcement Point - PEP Policy Administration Point - PAP Decide Publish Policy Decision Point - PDP Policy Information Point - PIP Retrieve extensible Access Control Markup Language SOAP X.509 Token 8. SOAP X.509 Token 7. SOAP X.509 Token + SAML 2.0 Assertion ESB SOAP X.509 Token + SAML 2.0 Assertion Application Server + WS-Stack SOAP X.509Token + XACML 2.0/3.0 Request SOAP X.509 Token + XACML 2.0/3.0 Response 5. Access Management Utilization of XACML concepts in goberlin 30

15 Security Zones in an egovernment-cloud Internet Public Sector Citizens Firewall Secured Zone Intranet Access Logic Data Employees egovernment Cloud DMZ Access Logic Data egovernment Cloud 33

16 Components of an egovernment-cloud Internet Firewall Shared Sevices Governmental Services Federated egovernment Bus Access AAA Services Data Bases 34

17 Components of the goberlin egovernment-cloud Internet Firewall eservices Supporting Services Apps Federated egovernment Bus Portals Identity & Access Management Data Bases 35

18 Trust in the goberlin egovernment-cloud Internet Firewall eservices Trusted Services Certified Apps Federated egovernment Bus Secure Access Universal Security Infrastructure Secured Storage 36

19 Outlook Transfer of Project Results Architectural Framework Business models Technical and organisational operations model golondon gokiel goschwerin gohamburg gobremen goberlin gohannover gopotsdam gomagdeburg Certification models godüsseldorf goerfurt godresden and much more gowiesbaden goluxemburg gomainz gosaarbrücken gostuttgart gomünchen 40

20 Thank you! Any questions? Dr. Klaus-Peter Eckert Fraunhofer Institute for Open Communication Systems Kaiserin-Augusta-Allee Berlin, Germany 41