Integrated trust, governance and access
Introduction
A major problem with many information infrastructures is the management and control of information sharing within and beyond organisational boundaries. Traditionally this is controlled through a security policy and implemented using network controls and/or in-built software controls, defined and managed by each data access portal; but the scope of these policies is often defined only within that organisation. As more and more information crosses organisation and domain boundaries, it becomes increasingly difficult to manage the number of possible ways that information can be shared and aggregated. A key element of this is the increasing requirement for trust between organisations and units, especially with the move towards cloud-based services.
The Symphonic product overcomes these problems by creating a formal structure for the abstraction, governance and implementation of trust relationships and security policies. It enables disparate systems and domains to open up access to their services in a highly governed and secure manner, confident in the knowledge that the services/data specified in their own managed Trust Framework can be accessed only by those with the necessary claims to gain permission.
Symphonic can be used as a full end-to-end solution for policy abstraction, implementation and controlled access to services, or can integrate each of the elements “as a Service” to existing applications.
Symphonic Suite
The Symphonic Suite consists of three core components, each of which can operate as a stand-alone product or can work with each other or with existing systems to provide end-to-end integration. The core components are:
• Symphonic Trust - This is a trust framework tool which enables the abstraction of roles, services and trust levels, and defines their trust relationships. The export from this component provides the requirements for the information sharing/service aggregation policy.
• Symphonic Governance - This takes, as an input, the abstraction of the trust framework, and provides a highly efficient rules engine to quickly and securely determine if an entity has the rights to access a given service based on their claims. This crosses domain boundaries and enables authentication and attribute provision from multiple identity and attribute providers.
• Symphonic Gateway - This takes the rules from the governance engine, and implements them within
Features
Figure 1 outlines some of the key features of Symphonic. These include:
• Extendable Governance Policy. This allows for governance policies to be created which can define micro and macro relationships of individuals, roles and relationships to services. The data owner can have full rights over how data is then used within aggregated services. Overall, Symphonic abstracts trust relationships into domain boundaries, where the relationship between each boundary is abstracted and governance rules are implemented for the trust relationship.
• Integrated Trust Framework. This abstracts each of the accesses to data into well-managed services, which define exactly how the service can be used by other domains.
• Novel Modelling of Governance Policy. Symphonic has patent-pending technology which models the governance rules for their operation, including rule shadowing, anomalies, and so on.
• Real-time Implementation and Control of Rules. The rules either run in a filtering engine or as-a-Service for other applications. This allows the governance of trust relationships to be changed in real time, especially to add new services or to cope with security issues.
• Role, Consent, Relationship and Delegation. This involves the integration of a full use case of rights of trust, governance and access, including role, consent, relationship and delegation.
• Integrated Federated Identity Provision. This allows for a range of identity/attribute providers to be built into the trust, governance and access relationships, and allocates levels of trust to each of the services.
• Static and dynamic rules. Symphonic implements static rules which are defined for role-based trust and access, and can also implement dynamic rules which allow users to create their own trust relationships.
• Integration of full-rights infrastructure. Symphonic uses a data bucket concept where each element of data has an owner, and the rights of access to the data as it is aggregated into other services are controlled by the data owner. This gives users complete control of their own data.
• Plug-in integration. Symphonic can be used as-a-Service or can implement a full integration of trust, governance and access.
• Pseudonyms used for rule definitions. The governance rules use pseudonyms in order to obfuscate the roles and identities of the targets.
• Inter- and intra-domain rights. Symphonic can be used to define the rights of access within a domain and between domains, each defined in separate contracts.
Figure 1: Key features of Symphonic (panel labels: Extendable Governance Policy - micro to macro, cross domain; Novel Modelling of Governance Policy - rule shadowing, anomalies, etc.; Integration of Full-rights Infrastructure - data bucket integration supports end-to-end rights for service aggregation; Full use case rights - integration of role, consent, relationship and delegation; Integrated Trust Framework - full service definition; Integrated Federated Identity Provision; rules defined in structured English format; foundation built on an ontology of the domain interfaces; pseudonyms used for all rule definitions; Health Care Data, Social Care Data, Education Data, Police Data; Strong Governance Infrastructure; Real-time Implementation and Control of Rules; Plug-in Integration - "aaS - As a Service" or part/full framework; Static and Dynamic Rules - system creates rights as required; Inter- and Intra-domain rights - full definition of rights).
Trust, Governance and Access
In modern service-oriented infrastructures a user must gather claims to consume a service. Too often the service is bound to a specific authentication infrastructure which limits the scalability of the provision of the service. For more dynamic infrastructures there is no direct communication between the service and the gathering of the claims around identity and the attributes required to consume a service. Figure 2 outlines this process, where there are Terms of Service (ToS) between a user and their identity and attribute provider, another ToS between them and the service, and so on. It is the focus of the Trust and Governance infrastructure to define a contract which binds these terms of service together. This contract pre-defines the requirements for the claims to the service, and then is trusted to actually issue the contract for the user to consume the service.
Symphonic thus abstracts the trust relations from well-defined policies. A trusted broker will then pass the requirements for a user to consume a service, and the Trust Framework will provide back the claims that are required to be able to consume the service. The user will then gather the claims, and the broker then passes these to the Governance Engine for it to check its running rules for rights to the service. If these are acceptable it will issue a service token to consume the service, which can be given back to the user, via the broker (or the service can be invoked on their behalf, and the link to the service can be returned to the user).
A key element of the Trust Framework is the concept of role, relationship, consent and delegation, where an accessing identity can claim rights of access to a referrer. In this way the owner of the data can have rights of access based on their role (such as whether they are a GP), their relationship (such as whether they are the GP of a specific patient), their consent (whether someone has given them rights), or their delegation (where they have given delegation of authority to another person).
Figure 2: Trust, governance and access (elements: Service (RP), Referrer ID, Access ID, Relationship/Consent/Delegation, IDP, AtrP, Terms of Service, Trusted Broker, Contract Portal, Governance Engine, Trust Framework, Policy).
Trust and Governance as a Service
With the complex relationships that organisations have in rights of access to services, it is becoming increasingly important to abstract and fully define the trust and the levels of access to services. Symphonic provides the ability to extract the trust relationship between two domains, and then implement this as a set of rules. These are then defined in the Trust Framework and the Governance Engine, which can be easily integrated into existing applications. Figure 3 outlines a basic use case, where a broker deals with the requests from a user. It will then use the Trust Framework to define the requirements of the claim to a service, and the Governance Engine to check these rights against the actual rules of access to a service. Dynamic trust relationships can be built up for identity and attribute providers, and for how these map to the role, relationship, consent or delegation that an individual has to consume a service. The service itself can be invoked by the broker, or a service token can be sent back to the user for them to give to the service. In this way both legacy services and new trusted services can be integrated into the infrastructure.
Figure 3: Basic use case (elements: Service (RP), Referrer ID, Access ID, Trusted Broker, Governance Engine, Trust Framework, Relationship/Consent/Delegation, IDP, AtrP, Trusted IDP/AtrP, Database; steps: 1. Service Access, 2. Access ID, 3. Service Requirements, 4. Claims Requirement, 5. Claim Requirements, 6. Claims collection, 7. Claims, 8. Claims, 9. Rights, 10. Service Invoke [ID,Items]).
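An added illustrative model of the broker flow described in the Trust, Governance and Access section and in Figure 3 (example code written for this page, not Symphonic's own; the trust-framework export format, the provider names, the claim structure and the service-token format are all assumptions):

```python
import hashlib
import hmac
import secrets

# Constructed trust-framework export (an assumption, not Symphonic's format):
# for each service, the alternative claim sets that grant rights. Each set is
# a list of (claim type, required value); the four types follow the page.
TRUST_FRAMEWORK = {
    "patient-record": [
        [("role", "GP"), ("relationship", "gp-of")],  # the patient's own GP
        [("consent", "granted")],                     # patient gave consent
        [("delegation", "granted")],                  # authority was delegated
    ],
}
# Identity/attribute providers the framework trusts (constructed names).
TRUSTED_PROVIDERS = {"idp-example", "attr-example", "consent-example"}
# Key the governance engine signs service tokens with (generated per run).
TOKEN_KEY = secrets.token_bytes(32)

def claim_requirements(service):
    """Trust Framework: the claim alternatives a service demands (steps 3-5)."""
    return TRUST_FRAMEWORK.get(service, [])

def _claim_matches(claim, ctype, value, referrer):
    """A claim counts only if a trusted provider issued it and, for the
    relationship/consent/delegation types, it is about this referrer."""
    if claim["issuer"] not in TRUSTED_PROVIDERS:
        return False
    if claim["type"] != ctype or claim["value"] != value:
        return False
    return ctype == "role" or claim.get("about") == referrer

def governance_check(service, access_id, referrer, claims):
    """Governance Engine (steps 8-9): return a signed service token when one
    alternative claim set is fully satisfied, otherwise None."""
    for alternative in claim_requirements(service):
        if all(any(_claim_matches(c, t, v, referrer) for c in claims)
               for t, v in alternative):
            msg = f"{access_id}|{service}|{referrer}".encode()
            mac = hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()
            return msg.hex() + "." + mac
    return None

def verify_token(token):
    """Service (RP) side: check the token's MAC before invoking (step 10)."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(TOKEN_KEY, bytes.fromhex(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)
```

A relationship claim about a different patient, or a consent claim from a provider the framework does not trust, satisfies no alternative and no token is issued.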
Symphonic Gateway Engine
Symphonic can also implement a filtering gateway which takes the rules from the Governance Engine and runs them in a Gateway Engine, which directly enforces the rules, in a similar way to a network firewall filtering network packets. Figure 4 outlines the full integration, where the abstraction of the trust relationships is used to create the rules, which are then implemented within a gateway, which in turn provides securely controlled access to the services based on the trust relationships defined back in the trust framework. This type of architecture fully implements an end-to-end solution for trust relationships, where the requirements can be audited and reviewed, with control of each stage. It can also integrate with a wide range of stakeholders, using trusted identity infrastructures.
Figure 4: Full integration (Domain A: Referrer ID, Governance Rules, Trust Framework, Policy Definition, IDP, AtrP, Trusted IDP/AtrP; Domain B: SPoC (Gateway), Access ID, Service (RP), Trusted Broker, Governance Engine, Trust Framework, Relationship/Consent/Delegation, Services, Domain Ontology, Service Definition, Database; the same numbered steps 1 to 10 as in Figure 3).
Symphonic technology is the culmination of over 5 years research and development within Edinburgh Napier University, through collaborations with both commercial and other academic partners, aimed at