Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st , 2012

Apr 01, 2015

Desmond Cheyne
Transcript
Page 1: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Aniketos project demonstration

Secure and Trustworthy Composite Services

H3G – Dec 21st, 2012

Page 2: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

H3G demo event – Dec 21st, 2012

Contents and Objectives

Presentation
• General concepts
• Platform description
• Case studies

Demo
• Demo scenario
• Overview of Aniketos front-end
• Tools usage (live session)

Discussion and feedback
• Overall impression (benefits/drawbacks)
• Appeal of telco case study and business model
• Suggestions for partnerships and relationships

Page 3: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Aniketos Project

• EU (FP7/2007-2013) funded project (grant no. 257930)
• The project includes 17 partners from 10 different European countries.
• Period: Aug 2010 – Jan 2014 (42 months duration)
• Aiming to achieve:
  • Provide service developers and providers with a secure service development framework that includes methods, tools and security services that support the design-time creation and run-time composition of secure dynamic services, where both the services and the threats are evolving

See http://aniketos.eu for more info

Page 4: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Aniketos Concepts

• Focusing on web services
  • Services offered ‘in the cloud’ from multiple service providers
• Aniketos plus and key challenges
  • Constantly maintaining the security and trustworthiness in a service-oriented environment evolving in the cycle of designing, provisioning, delivering and using services
• Security and trustworthiness
  • Design Time (DT) service composition
  • Run-Time (RT) service (re)composition
  • Services will be designed according to organizational and business views

[Diagram labels: Service Provider(s); Service end user; Trust? Security?]

Page 5: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Aniketos Positioning

Page 6: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Platform Overview

The Aniketos platform

Design-time support
• Trustworthiness definition and evaluation
• Security property definition and evaluation
• Composite service analysis and preparation

Runtime support
• Trustworthiness monitoring and evaluation
• Runtime validation of secure service behaviour
• Composite service adaptation and recomposition

Community support
• Reference architecture and patterns
• End user trust and assurance
• Threat analysis and notification
• Aniketos market place

Service Developers

• Use community support (design, threat analysis)

• Service discovery & composition

• Ensure trust & security

Service Providers

• Use community support (submit, threat notification)

• Monitor trust & security

• Perform adaptation

Service end users

• Certification programme

• Single point of trust

Page 7: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Future Telecom Services

Page 8: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

User Story A1 (part 1)

• The end user (Bob) owns a mobile device which is equipped with a GPS receiver and a presence enabled VoIP client when accessing the web portal of his TLC Operator.
• The services involved are:
  a. WebShop for general electronic commerce access;
  b. StoreLocator for letting users choose the store where to get the items selected.
• Bob accesses the WebShop application in order to purchase an electronic item he wishes.
• Bob asks for help of an assistant by starting a click-to-call VoIP communication.
• Then, he decides to purchase the item of interest.
• The StoreLocator service gives users two options:
  1) a manual selection of the stores that can be selected from an offered list;
  2) letting StoreLocator service propose a list of closest stores.
• Bob selects option (2) for automatic store localization. By doing so a service re-composition is started to collect Bob’s current position information and to generate maps and addresses of the stores which are closer to Bob.
• Bob is finally asked to confirm his mail address retrieved through the IdP to inform him when he can get the purchased item.

[Diagram labels: Converged SIP/HTTP application; SIP servlets; Application Server Platform; numbered callouts 1 to 8]

Page 9: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

User Story A1 (part 2)

• Bob connects to the WebTravel application in order to book a hotel and the tickets for his next business trip.
• WebTravel is an application built using a composite service made up of two service components:
  1. a web service to book the hotel;
  2. a web service to buy the tickets for the trip.
• Bob accesses the WebTravel by pressing the “Plan your trip” button.
• The system detects, through the presence information, that Bob is currently using a smartphone.
• In order to complete the hotel reservation, an electronic form must be filled with personal data.
• Bob is asked (optional) to give authorization for the automatic compilation of the reservation form.
• Bob accepts and allows the retrieval of this information from the IdP in a secure manner.
• The form is filled in automatically with Bob’s personal data.
• In this case, IdP is used for secure exchange of user’s data inside the federation.

[Diagram labels: Converged SIP/HTTP application; SIP servlets; Application Server Platform; numbered callouts 1 to 6]

Page 10: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

User Story A2

[Architecture diagram labels: IMS - Telco; Internet; Resource layer; Aniketos layer; openAM; HSS; Presence enabler; OMA Enabler(s); User Profile; Attribute Provider; Enabler Provider; IdM Provider; atomic service (three occurrences); REST / SAML; Diameter; SIP/XCAP; Marketplace]

Identity Provider composite web service(s)

- Bridging IMS and Internet identities

- Single Sign On

- Multi-factor authentication

- IMS Service Exposure (e.g. user’s attributes and presence)

Page 11: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Aniketos Benefits

Aniketos provides a powerful platform for secure service developments that will bring benefits to:

• Service Designers / Developers: to support the creation and the delivery of new innovative services. In general, these developments are commissioned by Service Providers
• Service Providers: to enhance their portfolio of services and consequently increase the chance for incrementing revenues by attracting new customers or increasing customer retention
• End Users: to increase the appeal for services that are intrinsically secure and reliable, having a single point-of-trust with a clear customer’s relationship

Page 12: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Aniketos Business Prospective

• Delivering of Aniketos in the cloud as PaaS "Security as a Service"
• Business models and actors
  • Brokerage model (Providers)
    • Service Providers need to pay some fee in order to make their services (security descriptors) available in Aniketos Marketplace
  • Pay-per-use (Consumers)
    • Service Developers will pay in order to create and deploy composite services by using the platform from the Aniketos Provider
    • End Users will pay for invocation of Aniketos composite services
• Aniketos Provider that manages the Marketplace holds a remunerative and important asset

Page 13: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Aniketos Demo:

Design of a trustworthy composite service

Page 14: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Demonstration goals

• The demo aims to show the exploitation of the Aniketos front-end for the secure service composition in order to:
  • express the security requirements over the services involved in the composition
  • build the service specification of business process to realize the composite service with BPMN
  • perform service discovery, validation and deployment
• Application of the design-time process to a real example taken from an industrial case study
  • Realization of composite service (InfoService)

Page 15: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

InfoService overview

Service Designer aims to create a service that takes a street address as input and shows on a web page some information related to the provided location.

[Diagram labels: Geocoding; Point of Interests; Weather forecast; Map; Web Page Info collector]

Page 16: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Reference scenario

The Service Provider wants the service to be trustworthy, so the Service Designer will use:

• STS-tool for the specification of security and trustworthiness requirements
• SCF tool for the design of the composite service
• SRE for the execution of the composite service

Page 17: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Design Time Process analysis

Design-time processes: Generic design-time composition

[Process diagram. Actor: Service developer. Activities shown: Specify service; Discover service component candidates; Select service components; Establish contracts; Assemble service; Validate service; Deploy service]

Page 18: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Run-time Process

Page 19: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Aniketos modules

Socio-technical security modelling tool

Model transformation module

Trustworthiness Component

Verification Component

Security property determination module

Secure composition planner module

Security policy monitoring module

Threat response recommendation module

Service threat monitoring module

Notification module

Community support module

Threat repository module

Marketplace

Service composition framework

Training material module

Service runtime environment

Identity management service

Interaction Layer

Data Access Layer

Business Logic Layer

Security-by-Contract Component

Security Requirements Compliance Module

Page 20: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Aniketos front-end tools

Socio Technical Security (STS) language & tool
• Express security needs at organizational level
• Role- and goal-oriented requirements modeling language (STS-ml)
• Graphical notation tool

Page 21: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

STS-tool features (ver 1.3)

• Extended set of supported security needs
  • no-Repudiation (noRep - 3 types), no-Delegation (noDel), Redundancy (Red - 4 types), integrity of transmission
  • separation of duties (SoD), binding of duties (BoD)
  • authorization: usage (U), modification (M), production (P), disclosure (D), scope of usage (NtK), transferability
• Automatic derivation of Security Requirements Document
• Analysis (on-going)
  • consistency analysis: check model against semantics of STS-ml
  • security analysis: identify violations of security needs
• Open-source available (http://www.sts-tool.eu) for Windows/Linux/Mac

Page 22: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

STS-tool utilization

Modeling Activities

Phase 1. Model the Social View
• Step 1.1 Identify stakeholders
• Step 1.2 Identify assets and interactions
• Step 1.3 Express security needs

Phase 2. Model the Information View
• Step 2.1 Identify information and its owner
• Step 2.2 Represent information structure

Phase 3. Model the Authorization View
• Step 3.1 Model authorizations to info

Phase 4. Automated analysis
• Step 4.1 Consistency analysis
• Step 4.2 Security analysis

Phase 5. Derive Security Requirements
• Step 5.1 Derive security requirements document

[Flow annotations in the diagram: "refinement needed"; "error/warning analysis"]

Page 23: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

STS-tool utilization

STS-tool live session ...

Page 24: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Aniketos front-end tools

Secure Composition Framework (SCF)
• Design time module available in the Aniketos environment
• Used by service designers to build executable composition plans
• Authentication is needed - once authenticated, service designers can start the BPMN modelling

Page 25: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

BPMN model of InfoService

From the description of the service in terms of functionality, the service designer will use different atomic services and compose them according to the BPMN drafted in the SCF editor

Page 26: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

BPMN model annotated with trustworthiness requirement

The service designer is in charge of designing a composite service with a specific requirement on trustworthiness value

The trustworthiness requirement is expressed as a consumer policy (XML file) written in ConSpec grammar

The file location is included in an extensionElements tag in the XML representing the BPMN

Page 27: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Annotated BPMN (1 of 2)

An excerpt of the resulting XML for the annotated BPMN is shown below:

Page 28: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Annotated BPMN (2 of 2)

• SRS document is generated by the STS-tool
• BPMN model is generated by using the SCF tool
• MTM will process both pieces of information to generate an annotated BPMN model (EABPMN)
  • MTM not available at this stage of the project (mapping under development)
  • Currently, a manual intervention from the Service Designer is necessary

Page 29: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Service discovery and selection of the service operation

In order to make the composition plans the SCF has to bind real web services to the service tasks in the BPMN

Binding process entails the following steps:

1. Discovery of services using the ServiceType as search filter
   • SCF shows the operations offered by the web services matching the request based on the ServiceType
2. Selection of the specific operation that the service designer wants to use in order to build the composite service InfoService
   • If the same operation is offered by different atomic services the service designer will see just one operation

Page 30: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Discovery and selection: GeoCoding example (1/2)

Page 31: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Discovery and selection: GeoCoding example (2/2)

The service designer discovers operations offered by GeoCoding type services (1) and selects getCoordinates (2)

The service designer is not aware of how many web services offer that operation - SCF tool will bind the different services to the service task when making composition plans

Page 32: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Creation of composition plans

Once the service designer has selected an operation for each service task the SCF is ready to create the composition plans

When the service designer clicks on “Create composition plans” button, the SCF shows a set of functionally valid composition plans

Page 33: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Composition plans created by the SCF

SCF created 12 composition plans: this is explained by the number of web services offering the same operation:

• Geocoding type: bound to 2 web services
• PointOfInterest type: bound to 3 web services
• WeatherForecast type: bound to 1 web service
• Map type: bound to 2 web services
• WebPageInfoCollector type: bound to 1 web service

... thus the number of composition plans is 2 X 3 X 1 X 2 X 1 = 12

Page 34: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Selection of trustworthy composition plans

Composition plans ensure functionality but do not consider the trustworthiness requirement

Composition plans have to be checked against the requirements specified for the trustworthiness value

This check is performed by the Secure Composition Planner Module (SCPM) which receives the composition plans from the SCF and returns those ones that fulfill the trustworthiness requirement

SCPM invokes the Trustworthiness prediction module (TM) to evaluate the trustworthiness value for the set of composition plans received from the SCF

Page 35: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Trustworthiness prediction for composite services

• Trustworthiness value of the composite service is evaluated by using the weakest link principle:
  • Trustworthiness module evaluates the trustworthiness value for each service taking part in the composition
  • Lowest value is returned as the trustworthiness value of the composite service
• Trustworthiness value is evaluated by TM as a combination of:
  • Cognitive trust of the user, based on the service and service provider reputation
  • Non-cognitive trust, based on objective and measurable properties of the service like QoS attributes (e.g. reliability, performance, availability)

Page 36: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Trustworthy composite services

Service designer clicks on “Verify All” button of the SCPM in order to select all the composition plans that fulfil the requirement on trustworthiness

Service designer selects “Order By” Trustworthiness and clicks on “Order/Rank” button in order to visualize the Trustworthiness value of the composition plans
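
The plan enumeration, weakest-link evaluation, filtering and ranking described on pages 33 to 36, as an added example that is not part of the original slides or the Aniketos code. Service names, per-service scores and the 0.75 threshold are constructed; the threshold stands in for the value a ConSpec consumer policy would require.

```python
from itertools import product

# Constructed sample data: candidate web services per service task, each with
# a hypothetical trustworthiness score in [0, 1]. The number of candidates per
# type (2, 3, 1, 2, 1) matches the slides; names and scores are made up.
CANDIDATES = {
    "Geocoding": {"geo-a": 0.91, "geo-b": 0.62},
    "PointOfInterest": {"poi-a": 0.85, "poi-b": 0.78, "poi-c": 0.40},
    "WeatherForecast": {"weather-a": 0.88},
    "Map": {"map-a": 0.95, "map-b": 0.70},
    "WebPageInfoCollector": {"collector-a": 0.90},
}


def composition_plans(candidates):
    """Every functionally valid plan: one concrete service per service task."""
    tasks = list(candidates)
    return [dict(zip(tasks, combo))
            for combo in product(*(candidates[t] for t in tasks))]


def plan_trustworthiness(plan, candidates):
    """Weakest link: the composite scores as low as its lowest-scoring service."""
    return min(candidates[task][svc] for task, svc in plan.items())


def weakest_service(plan, candidates):
    """The (task, service) pair that determines the plan's score."""
    task = min(plan, key=lambda t: candidates[t][plan[t]])
    return task, plan[task]


def trustworthy_plans(candidates, threshold):
    """Keep plans that meet the required value, most trustworthy first."""
    scored = [(plan_trustworthiness(p, candidates), p)
              for p in composition_plans(candidates)]
    kept = [(score, plan) for score, plan in scored if score >= threshold]
    return sorted(kept, key=lambda sp: sp[0], reverse=True)


if __name__ == "__main__":
    print(len(composition_plans(CANDIDATES)), "functionally valid plans")
    for score, plan in trustworthy_plans(CANDIDATES, threshold=0.75):
        limit = weakest_service(plan, CANDIDATES)
        print(f"{score:.2f}", sorted(plan.values()), "limited by", limit)
```

Under the weakest-link rule a single low-scoring binding caps the whole plan, so swapping in a better Map or Geocoding service cannot raise a plan above its PointOfInterest score.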

Page 37: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Last steps: upload and deploy

Finally, service designer selects one of the trustworthy composition plans in order to:

• Upload the BPMN to an Activiti Engine
• Deploy to a web application server

Page 38: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

SCF tool utilization

SCF tool live session ...

Page 39: Aniketos project demonstration Secure and Trustworthy Composite Services H3G – Dec 21 st, 2012.

Thanks for your attention
