goberlin: a Trusted Cloud Marketplace for Governmental and Commercial Services

goberlin: a Trusted Cloud Marketplace for Governmental and Commercial Services. Data Protection and Security Considerations in an egovernment Cloud in Germany.
Dr. Klaus-Peter Eckert, Public Sector Cloud Forum, London, December 3rd, 2014

Facts of the German Trusted Cloud Program (http://trusted-cloud.de)
Technology program of the German Federal Ministry of Economics and Energy (BMWi). Goals: develop innovative, secure and legally compliant cloud computing solutions; involve SMEs; demonstrate the potential of cloud computing; develop innovation and market potential.
14 projects (out of 116 proposals) have been selected and grouped in four clusters: development of basic technologies; applications for industry and craft; applications for health; applications for the public sector, e.g. goberlin.
Projects started in 2011/12 and will run until the end of 2014. Approx. 50 M from BMWi plus 30 M from project partners. Comprehensive research is done in four areas: standardization, legal aspects, security, business models.

Cluster: Public Sector
The cluster "applications for the public sector" consists of two research projects with cloud-based services for citizens and public administrations in different application scenarios. Public administrations are entrusted with regulatory tasks and therefore place particularly high demands on the confidentiality, security and legal compliance of cloud applications. The two services support the collaboration between government, businesses and citizens.
Cloud Cycle provides a common standard for the entire lifecycle of cloud applications: from the cloud platform used as the technical basis, via the creation of interoperable and portable applications (OASIS Topology and Orchestration Specification for Cloud Applications, TOSCA), to usage by the end user. Cloud Cycle develops an Education Cloud providing specific services for schools.
goberlin builds a trusted app marketplace that combines the services of the public administration with commercial offers of private enterprises. Apps are offered to citizens as SaaS and are built by developers utilizing the PaaS support of goberlin.

Challenges: Security, Trust
Cloud service security has three perspectives: the service provider perspective (e.g. identify, authenticate and authorize service users), the service user perspective (e.g. data privacy, SLA non-repudiation) and the legal perspective (e.g. protection of data privacy). Service-specific security requirements call for security as part of the marketplace infrastructure, with security features integrated on demand and declared rather than hard-coded (declarative security, no hard-coded implementation).
Trust rests on credibility, reliability, expectations and reputation.

goberlin: A trusted Service Marketplace in the Berlin City-Cloud
goberlin orchestrates public and commercial eservices into apps that support citizens in their specific life circumstances. Functional and non-functional components, especially authentication and authorization, are coupled utilizing SOA concepts including ESB patterns. The project develops a prototypical implementation of the marketplace, including orchestrated apps. goberlin runs in the cloud infrastructures of the project partners, especially in the Berlin City Cloud operated by the Berlin data center ITDZ.
(Photo, Matthias Heyde / Fraunhofer FOKUS: the Castle in Berlin-Steglitz, a marketplace for public and commercial services, http://www.das-schloss-steglitz.de)

Cloud-based Service Marketplace: Main Actors in goberlin
The main actors are eservice providers from the public and private sector, app users (mainly citizens), app developers and providers, and the public sector marketplace and cloud operator. The service marketplace offers apps for life circumstances (e.g. transport, citizen registration, mail redirection) on top of the cloud infrastructure.

goberlin Marketplace: High-level Architecture and Actors
Portals: the App Developer Portal (find and compose eservices, publish apps), the Life Circumstances Portal for Citizens (find and use certified apps), the eservice Provider Portal (describe, register and operate eservices) and the Marketplace Management Portal (operate marketplace and cloud infrastructure).
SaaS layer: apps such as the Marriage App, Relocation App and Birth App.
PaaS layer: adapters to government and business eservices (Transport eservice Proxy, Registration eservice Proxy, Redirection eservice Proxy) and basic services (Profile Mgmt, Identity Mgmt, Accounting).
IaaS layer: storage, computation, network.

What will goberlin offer? Life Circumstances from a Citizen's Perspective
Support for life circumstances such as birth, marriage, children or relocation. The egovernment and ebusiness services involved in the slide's relocation example: Craftsmen, Renovation Works, Change of Address, Vehicle Registration, Citizen Registration, Office of Deeds, Moving Company, Mail Redirection, Estate Agent.

What will goberlin offer? Apps support a workflow through government and business services
Apps orchestrate government and business eservices (in the relocation example: Craftsmen, Renovation Works, Vehicle Registration, Citizen Registration, Office of Deeds, Moving Company, Change of Address, Mail Redirection, Estate Agent).

Approach: Security and Trust
Security-as-a-Service: identity management and security services are part of the PaaS base services.
User-centric identity management: the user manages personal data in a trusted and secure area and manages the access of apps and services to this area.
The marketplace is operated by a public authority in a private cloud. Apps and services are certified: Have the security services been properly integrated? Is data passed only to authorized services?
(Diagram: a Childbirth app orchestrating an Order Swaddling Clothes service and a Register Childbirth service, with the security services Identification, Authorization, Encryption and Signature integrated.)

Approach: Obligations of the goberlin Stakeholders
App users control access to their personal profile data for apps and services. App developers provide trusted apps (e.g. the Relocation App). eservice providers operate their services in their local environment (e.g. the Transport eservice Proxy and the Registration eservice Proxy). The marketplace is operated by a public authority, which certifies apps and services. Security-as-a-Service: identity management and security services (Identification, Authorization, Encryption, Signature) are part of the PaaS infrastructure services, with support for eID and eAT cards. The cloud infrastructure is operated by a public data center, ITDZ Berlin.

goberlin Marketplace: Architecture Overview
The goberlin marketplace consists of an App Marketplace and a Service Marketplace, each with repositories, accessed through the Life Circumstances Portal and the App/Service Marketplace Portals. Below them sit the marketplace services (App Development Platform, App Runtime Platform, Marketplace Portal), the marketplace middleware with its security components, the government and business eservices, and the cloud infrastructure with its cloud portal.

Instance PP: Operational Instance
Citizen, App Developer and eservice provider portals. Citizen app: register, login, browsing, entitlement profile, SA; app frontend and app logic. Security: identity management (authentication), access management (authorization). ESB: interceptor, logging, monitoring. Supporting services: BPM process services, platform services, admin portal, eservice wrapper, databases, Git and build, eservices.

Linking of Security Components with Functional Components: Utilization of XACML concepts in goberlin
XACML (eXtensible Access Control Markup Language, http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.doc) defines four roles, which the access control services of goberlin map onto Identity Management and Access Management: the Policy Enforcement Point (PEP), the Policy Administration Point (PAP), the Policy Decision Point (PDP) and the Policy Information Point (PIP). The arrows between them on the slide are labelled Create, Publish, Decide and Retrieve.
Message flow on the slide (steps 1 to 8):
1. Portal / App to Identity Management: WS-Trust 1.3 + X.509 Token + Username/Password.
2. Identity Management to Portal / App: WS-Trust 1.3 + SAML 2.0 Assertion.
3. Portal / App through the ESB to the Application Server + WS-Stack: SOAP 1.2 + X.509 Token + SAML 2.0 Assertion (the assertion is forwarded unchanged by the ESB).
4. Application Server + WS-Stack to Access Management: SOAP 1.2 + X.509 Token + XACML 2.0/3.0 Request.
5. Access Management to Application Server + WS-Stack: SOAP 1.2 + X.509 Token + XACML 2.0/3.0 Response.
6. to 8. The remaining messages carry SOAP 1.2 + X.509 Token, with the SAML 2.0 Assertion on the way to the application server and plain X.509-secured SOAP on the way back through the ESB to the Portal / App.
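As an added example that is not code from the goberlin project, the following Python sketches the PEP/PDP/PIP/PAP split of the slide above together with the citizen-consent check from the approach slides: the PEP builds the request from the attributes a WS-Trust/SAML exchange would supply, the PDP evaluates rules published by the PAP with deny-overrides combining, and the PIP supplies the consent table the request does not carry. The assertion attributes, consent table and rules are constructed sample data.

```python
# Added example, not goberlin project code: a minimal model of the XACML
# PEP/PDP/PIP/PAP split and the citizen-consent check described on the slides.
# Attributes a WS-Trust STS would put in the SAML 2.0 assertion (constructed).
ASSERTION = {"subject": "citizen-4711", "role": "citizen", "app": "relocation-app"}

class PIP:
    """Policy Information Point: which apps a citizen let read which profile data."""
    def __init__(self, consents):
        self.consents = consents
    def granted_apps(self, subject, resource):
        return self.consents.get(subject, {}).get(resource, set())

class PAP:
    """Policy Administration Point: holds the policies published to the PDP."""
    def __init__(self, *rules):
        self.rules = list(rules)

class PDP:
    """Policy Decision Point: deny-overrides combining over the published rules."""
    def __init__(self, pap, pip):
        self.pap, self.pip = pap, pip
    def decide(self, request):
        results = {rule(request, self.pip) for rule in self.pap.rules}
        if "Deny" in results:
            return "Deny"
        return "Permit" if "Permit" in results else "NotApplicable"

class PEP:
    """Policy Enforcement Point: builds the XACML request, enforces the decision."""
    def __init__(self, pdp):
        self.pdp = pdp
    def decide_call(self, assertion, resource, action):
        return self.pdp.decide({"subject": assertion, "resource": resource, "action": action})

def consent_rule(req, pip):
    """Profile data flows only to an app the citizen explicitly granted it to."""
    if not req["resource"].startswith("profile/"):
        return "NotApplicable"
    allowed = pip.granted_apps(req["subject"]["subject"], req["resource"])
    return "Permit" if req["subject"]["app"] in allowed else "Deny"

def citizen_read_rule(req, pip):
    """Any authenticated citizen may read the public eservice catalogue."""
    is_catalogue = req["resource"].startswith("eservice/") and req["action"] == "read"
    return "Permit" if is_catalogue and req["subject"].get("role") == "citizen" else "NotApplicable"

def build_pep():
    # Constructed consent: only the relocation app may read this citizen's address.
    pip = PIP({"citizen-4711": {"profile/address": {"relocation-app"}}})
    return PEP(PDP(PAP(consent_rule, citizen_read_rule), pip))
```

A certification check in the sense of the slides ("Is data passed only to authorized services?") becomes a set of requests against this PEP: an app without consent must get Deny even if it presents a valid assertion.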

Security Zones in an egovernment-cloud
Internet: public sector and citizens. Behind the firewall, the egovernment cloud in the DMZ with its access, logic and data tiers; in the secured zone (intranet), employees and a second egovernment cloud with access, logic and data tiers.

Components of an egovernment-cloud
Internet, firewall, shared services, governmental services, a federated egovernment bus, access and AAA services, databases.

Components of the goberlin egovernment-cloud
Internet, firewall, eservices, supporting services, apps, a federated egovernment bus, portals, identity and access management, databases.

Trust in the goberlin egovernment-cloud
Internet, firewall, eservices as trusted services, certified apps, a federated egovernment bus, secure access, a universal security infrastructure, secured storage.

Outlook: Transfer of Project Results
Architectural framework, business models, technical and organisational operations model, certification models. Possible follow-ups named on the slide: golondon, gokiel, goschwerin, gohamburg, gobremen, goberlin, gohannover, gopotsdam, gomagdeburg, godüsseldorf, goerfurt, godresden, gowiesbaden, goluxemburg, gomainz, gosaarbrücken, gostuttgart, gomünchen, and much more.

Thank you! Any questions?
Dr. Klaus-Peter Eckert, klaus-peter.eckert@fokus.fraunhofer.de
Fraunhofer Institute for Open Communication Systems, Kaiserin-Augusta-Allee 31, 10589 Berlin, Germany, www.fokus.fraunhofer.de