May 30th 2013
  1. FI-WARE Demo, May 30th 2013
  Content Based Security Optional Generic Enabler
  • Richard Egan, Thales UK, R&T, richard.egan@uk.thalesgroup.com
  • Adrian Waller, Thales UK, R&T, adrian.waller@uk.thalesgroup.com

  2. My Infosphere

  3. What do users really need?
  Protection Characteristics:
  • Medium independent: disk, laptop, phone, web site...
  • Content independent: text file, still image, mp3, web page...
  • Channel independent: courier, Internet, mpeg stream...
  • At rest or in flight: on a server, on the wire, over the air...
  • Control from cradle to grave
  • Sticky policies for sharing: role/ID, clearance, organisation...
  • Fine grain control: whole item, frames of video, paragraph...
  • Scalability
  • Standards based

  4. Content Based Security OGE
  • Applies protection by encrypting the application layer data items
    • Medium, content and channel independent
    • At rest or in flight
    • Fine grain
  • Cryptographically attaches metadata to data items
    • Cradle to grave
    • Sticky policies
  • Controls access using policy based authorisation
    • I let you have the key for information I want to share with you
    • I just let you see the metadata for information I don't want to share with you
    • I put the information that I don't want you to know that I don't want to share with you inside another layer of protection
  CBS controls access to content in an information container, rather than controlling possession of the information container.

  5. CBS OGE Architecture (1)
  [Diagram: Content Producer, Broker, Content Consumer]
  • 3 Key Architectural Components:
    • Content Producer
    • Content Consumer
    • Broker

  6. CBS OGE Architecture (2)
  Content Producers and Content Consumers may not be in the same administrative domain, hence federated brokers.

  7-9. What does the system look like?
  [Diagram: Content Producing Application, Policy GUI and CBS Content Provider on the producer side; CBS Broker with Rules Engine; CBS Consumer, Policy GUI and Content Consuming Application on the consumer side. Legend: main exposed OGE i/fs; not currently exposed i/fs.]
  • Content Provider:
    • Creates a key
    • Encrypts data object
    • Adds header to form container
  • Broker:
    • Checks received information against policies (global & specific)
    • Creates key (or retrieves key from provider's broker)
    • Returns key to consumer
  • Consumer:
    • Receives container and sends header information plus credentials to broker (SSL secured)
    • Decrypts data object and passes it to application

  10. Main Interfaces
  • Protect interface
    • App provides raw data
    • App provides metadata
    • CBS OGE provides protected data
  • Unprotect interface
    • App provides protected data
    • App/User provides credentials
    • CBS OGE provides raw data
    • CBS OGE provides metadata (optional)
  • Other interfaces need not be exposed by CBS OGE, e.g. Credential Management, Policy Decisions, Policy Editing.
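The protect/unprotect flow of slides 4 and 7-10 (key created by the provider, metadata and sticky policy cryptographically bound to the encrypted item, broker releasing the key only when credentials satisfy the policy, otherwise metadata only), as an added Python illustration that is not part of the presentation or of the CBS OGE code. The HMAC-based stream cipher, the single in-process Broker class and the organisation/clearance policy shape are assumptions made for the example.

```python
import hashlib, hmac, json, secrets
# Toy CBS-style container (constructed illustration, not the OGE's own code).
# Assumptions: HMAC-SHA256 in counter mode stands in for a real AEAD such as
# AES-GCM, and one in-process Broker holds content keys and evaluates policy.

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _subkeys(key):  # separate encryption and MAC keys derived from the content key
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def policy_permits(policy, credentials):
    """Sticky policy carried in the header: allowed organisations plus minimum clearance."""
    return (credentials.get("organisation") in policy["organisations"]
            and credentials.get("clearance", 0) >= policy["min_clearance"])

class Broker:
    def __init__(self):
        self._keys = {}
    def register(self, item_id, key):
        self._keys[item_id] = key
    def request_key(self, header, credentials):  # key only if the header's policy admits the caller
        h = json.loads(header)
        return self._keys[h["id"]] if policy_permits(h["policy"], credentials) else None

def protect(broker, data, metadata, policy):
    """Content Provider: create key, encrypt data object, add header to form the container."""
    key, nonce, item_id = secrets.token_bytes(32), secrets.token_bytes(16), secrets.token_hex(8)
    enc, mac = _subkeys(key)
    header = json.dumps({"id": item_id, "metadata": metadata, "policy": policy}).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc, nonce, len(data))))
    tag = hmac.new(mac, header + nonce + ct, hashlib.sha256).digest()  # binds header to data
    broker.register(item_id, key)
    return {"header": header, "nonce": nonce, "ct": ct, "tag": tag}

def unprotect(broker, container, credentials):
    """Content Consumer: ask broker for the key; plaintext if allowed, metadata only if not."""
    metadata = json.loads(container["header"])["metadata"]
    key = broker.request_key(container["header"], credentials)
    if key is None:
        return None, metadata
    enc, mac = _subkeys(key)
    signed = container["header"] + container["nonce"] + container["ct"]
    if not hmac.compare_digest(hmac.new(mac, signed, hashlib.sha256).digest(), container["tag"]):
        raise ValueError("container or its header has been tampered with")
    stream = _keystream(enc, container["nonce"], len(container["ct"]))
    return bytes(a ^ b for a, b in zip(container["ct"], stream)), metadata
```

A consumer whose credentials fail the policy still learns the metadata, while any change to the header or ciphertext is caught by the tag check before decryption.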

  11. Demonstration: protecting and removing protection from a file

  12. Protecting data

  13. Protecting data

  14. Policies

  15. Removing Protection - success

  16. Removing Protection - success

  17. Removing Protection - success

  18. Removing Protection - failure

  19. Removing Protection - failure

  20. Removing Protection - failure

  21. Removing Protection - failure
