Monday, December 15, 2014

The Italian Digital Identity Initiative: SPID

Last week the Decree of the President of the Council of Ministers (DPCM 24 ottobre 2014), containing the regulations to implement the Italian Digital Identity Initiative, called "Sistema Pubblico di Identità Digitale" (SPID), was published in the Gazzetta Ufficiale.

SPID is a set of credentials for accessing the online services of the public administration, and also those of the private sector (e.g. e-commerce companies) if they adhere to the initiative.

SPID defines a Federated Identity Management system, based on the SAMLv2 standard, which involves Citizens, Service Providers (SP), Identity Providers (IdP), Attribute Providers (AA) and the Digital Agency for Italy, in the role of accreditation and registry authority.
The following picture describes the high level architecture and the flow of a SPID-ready access to an online service.

  1. Access request.
  2. Redirect to Identity Provider.
  3. Credential request.
  4. Authentication.
  5. Redirect to the Service Provider with the Authentication Assertion (SAMLv2).
  6. Attributes request.
  7. Response with verified attributes.
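As an added example (not code from the post or from the SPID specification), this is the Service Provider side of step 5: vetting the SAMLv2 Response returned by the IdP before trusting its attributes. The XML, the SP entity ID and the attribute are constructed, and the XML signature (mandatory in SPID) is assumed to have been verified already by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed values for the example: a SAML namespace map, the SP's own
# entity ID (assumed) and a fixed clock inside the assertion's validity window.
NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sp.example.it/metadata"  # assumed SP identifier
NOW = datetime(2014, 12, 15, 10, 2, tzinfo=timezone.utc)  # constructed clock

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req-1">
 <saml:Assertion ID="_assertion-1"><saml:Conditions
   NotBefore="2014-12-15T10:00:00Z" NotOnOrAfter="2014-12-15T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.it/metadata</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="name">
   <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, outstanding, seen, now):
    # Returns the attribute dict, or raises ValueError naming the failed check.
    root = ET.fromstring(xml_text)
    req_id = root.get("InResponseTo")
    if req_id not in outstanding:
        raise ValueError("InResponseTo does not match an AuthnRequest we issued")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    if assertion.get("ID") in seen:
        raise ValueError("Assertion ID already consumed (replay)")
    cond = assertion.find("a:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("a:AudienceRestriction/a:Audience", NS)]:
        raise ValueError("Assertion not addressed to this SP")
    outstanding.discard(req_id)    # request ID is single use
    seen.add(assertion.get("ID"))  # remember assertion ID to reject replays
    return {a.get("Name"): a.findtext("a:AttributeValue", namespaces=NS)
            for a in assertion.findall("a:AttributeStatement/a:Attribute", NS)}

def demo():
    # Accept the response once, then show the same assertion is rejected as a replay.
    outstanding, seen = {"_req-1"}, set()
    attrs = validate_response(SAMPLE_RESPONSE, outstanding, seen, NOW)
    try:
        validate_response(SAMPLE_RESPONSE, {"_req-1"}, seen, NOW)
        replay = "accepted"
    except ValueError as exc:
        replay = str(exc)
    return attrs, replay
```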

Technical specifications and interfaces (draft) are available here (Italian).

Wednesday, November 26, 2014

Protecting Personal Data in an IoT Network with UMA

Digital technologies are changing the game of customer interactions, with new rules and possibilities that were unimaginable only a few years back.
Networked devices and sensors make up the fabric of the Internet of Things (IoT). Leveraging mobile devices, sensors, and wearables is the future of identity and personal data.
The risk in the use of personal data is the loss of trust between individuals and organizations.
"Fully 78% of consumers think it is hard to trust companies when it comes to use of their personal data."
Orange, The Future of Digital Trust, 2014

To balance individuals' privacy against unlocking innovation through new digital technologies, a new approach to protecting personal data is needed.
The World Economic Forum has provided an interesting report, "Rethinking Personal Data: A New Lens for Strengthening Trust", that addresses this requirement.

IoT complexity

The nature and complexity of the IoT environment are opening an interesting discussion about how authorization and access control mechanisms can be applied in this context.
Compared with the classic definition of the authorization process, that is, a process for granting approval to a system entity to access a system resource, in an IoT environment we have to consider different aspects and complexities (not exhaustive): limited resources, decentralized and distributed networks, and the relationship between objects and ownership.
In order to show how UMA (User-Managed Access) is suitable for addressing specific IoT requirements, we propose a healthcare scenario, which by its nature is well known for the strong presence of Internet of Things (medical devices), and which combines interesting security and privacy aspects related to patient data.

Patient-Centric Use Case

The following diagram represents a healthcare scenario related to a patient-centric use case.
The doctor (Bob) is a user of the Patient Monitor (Resource Server). The patient (Alice) uses her bedside remote as a Client to access the Patient Monitor. Bob's electronic stethoscope is an intelligent thing owned by Bob that can be temporarily paired with the patient monitor with Alice's authorization. For safety, Bob's stethoscope also has an RFID chip as a proximity sensor (Dumb Thing).

Security and Privacy Goals

The following diagrams describe the security domains across the whole authorization process and the actors involved in each domain, including IoT.

In this scenario, UMA provides the fundamental capabilities to prevent unauthorized things from connecting to the Resource Server (Patient Monitor), and allows the patient to control, and get visibility into, the authorisation and sharing of healthcare data.

For more details about the use case and the UMA approach, please see the slideshare presentation (below), shown at the Kantara Initiative Workshop in Dublin on 3 November 2014.

Thursday, July 10, 2014

Enterprise Mobility: Secure Containerization

Last week, I presented at the event "Small Device - Big Data: sicurezza in un mondo senza fili" organized by the Department of Computer Science of the Sapienza University of Rome, related to the Master in Information Security.

My speech was about enterprise mobility and the Bring Your Own Device (BYOD) paradigm. I introduced the new challenges related to enterprise mobility, the risks associated with mobile devices and the new security requirements that the enterprise needs to address, including the main aspects of secure containerization: application wrapping, secure communication, encryption at rest and Data Leakage prevention (see slideshare presentation below).

Monday, June 23, 2014

User-Managed Access awarded 2014 Best Innovation in Information Security

I'm happy to announce that User-Managed Access (UMA) has won the 2014 Best Innovation/New Standard in Information Security award from the European Identity & Cloud Conference (EIC). More details about the award are available on the Kantara press release page.
Almost a year after I published a blog post about how UMA can be applied to the Life Management Platforms (LMPs) concept, last May I presented this approach, along with Maciej Machulak, Vice-chair of the UMA WG (on the right in the picture below), at the European Identity and Cloud Conference (EIC) 2014, in the track session "Standards for an Open Life Management Infrastructure", with the title "User-Managed Access: key to Life Management Platforms".
During the session, we gave a complete vision and an architectural approach of how UMA fits very well with the new emerging trends related to Personal Clouds and in particular to LMPs, as the authorisation system for an online personal data sharing model (see slideshare below).

I'm very happy to have helped the UMA WG receive the award!