FI-WARE Demo
May 30th 2013
Content Based Security Optional Generic Enabler
• Richard Egan, Thales UK, R&T
• richard.egan@uk.thalesgroup.com
• Adrian Waller, Thales UK, R&T
• adrian.waller@uk.thalesgroup.com
What do users really need?
Protection Characteristics:
• Medium independent: disk, laptop, phone, web site...
• Content independent: text file, still image, mp3, web page...
• Channel independent: courier, Internet, mpeg stream...
• At rest or in flight: on a server, on the wire, over the air...
• Control from cradle to grave
• Sticky policies for sharing: role/ID, clearance, organisation...
• Fine grain control: whole item, frames of video, paragraph...
• Scalability
• Standards based
Content Based Security OGE
• Applies protection by encrypting the application layer data items
  • Medium, content and channel independent
  • At rest or in flight
  • Fine grain
• Cryptographically attaches metadata to data items
  • Cradle to grave
  • Sticky policies
• Controls access using policy based authorisation
  • I let you have the key for information I want to share with you
  • I just let you see the metadata for information I don't want to share with you
  • I put the information that I don't want you to know that I don't want to share with you inside another layer of protection
CBS controls access to content in an information container, rather than controlling possession of the information container.
CBS OGE Architecture (1)
• 3 Key Architectural Components:
  • Content Producer
  • Content Consumer
  • Broker
CBS OGE Architecture (2)
Content Producers and Content Consumers may not be in the same administrative domain → federated brokers
What does the system look like?
• Content Provider:
  • Creates a key
  • Encrypts data object
  • Adds header to form container
• Broker:
  • Checks received information against policies (global & specific)
  • Creates key (or retrieves key from provider's broker)
  • Returns key to consumer
• Consumer:
  • Receives container and sends header information plus credentials to broker (SSL secured)
  • Decrypts data object and passes it to application
Diagram components: Content Producing Application, Policy GUI, CBS Content Provider, CBS Broker, Rules Engine, CBS Consumer, Policy GUI, Content Consuming Application. Legend: main exposed OGE i/fs; i/fs not currently exposed.
Main Interfaces
• Protect interface
  • App provides raw data
  • App provides metadata
  • CBS OGE provides protected data
• Unprotect interface
  • App provides protected data
  • App/User provides credentials
  • CBS OGE provides raw data
  • CBS OGE provides metadata (optional)
• Other interfaces need not be exposed by CBS OGE, e.g. Credential Management, Policy Decisions, Policy Editing.
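The provider/broker/consumer flow of the preceding slides and the Protect/Unprotect interfaces above, as an added Python example that is not the Thales or FI-WARE code: one process plays all three roles, the header (metadata) is MAC-bound to the ciphertext so an altered sticky policy never yields a key, and a refused consumer gets the metadata-only view. The policy fields (item_id, clearance, org), the in-memory KEYSTORE standing in for the broker, and the HMAC-based cipher in place of a real AEAD are all assumptions; the slides do not show the OGE's actual formats.

```python
import hashlib, hmac, json, os
KEYSTORE = {}  # broker-side store, item_id -> item key (assumption: provider registers it)

def _derive(key, label):
    return hashlib.sha256(label + key).digest()  # labelled key split (stand-in for HKDF)

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for an AEAD such as AES-GCM)
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _header_bytes(metadata, nonce):
    return json.dumps(metadata, sort_keys=True).encode() + nonce

def protect(data, metadata):
    """Protect i/f (Content Provider): create key, encrypt the data object, attach header."""
    key, nonce = os.urandom(32), os.urandom(12)
    KEYSTORE[metadata["item_id"]] = key
    hdr = _header_bytes(metadata, nonce)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(_derive(key, b"enc"), nonce, len(data))))
    return {"header": metadata, "nonce": nonce, "ciphertext": ct,
            "header_tag": hmac.new(_derive(key, b"hdr"), hdr, hashlib.sha256).digest(),
            "tag": hmac.new(_derive(key, b"mac"), hdr + ct, hashlib.sha256).digest()}

def broker_release_key(header, nonce, header_tag, credentials):
    """Broker: verify the sticky header, evaluate policy, release the item key or refuse."""
    key = KEYSTORE.get(header.get("item_id"))
    if key is None:
        return None
    want = hmac.new(_derive(key, b"hdr"), _header_bytes(header, nonce), hashlib.sha256).digest()
    if not hmac.compare_digest(want, header_tag):
        return None  # header altered since protection: its policy labels cannot be trusted
    if (credentials.get("clearance", 0) < header["clearance"]
            or header["org"] not in credentials.get("orgs", ())):
        return None
    return key

def unprotect(container, credentials):
    """Unprotect i/f (Consumer): header + credentials to broker; returns (data or None, metadata)."""
    meta, nonce, ct = container["header"], container["nonce"], container["ciphertext"]
    key = broker_release_key(meta, nonce, container["header_tag"], credentials)
    if key is None:
        return None, meta  # refused: the consumer sees the metadata only
    tag = hmac.new(_derive(key, b"mac"), _header_bytes(meta, nonce) + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, container["tag"]):
        raise ValueError("container integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_derive(key, b"enc"), nonce, len(ct)))), meta
```

In a deployment the broker call would cross the SSL-secured link named on the slides and the provider's key would reach a federated broker rather than a shared dictionary.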
Demonstration
Protecting and removing protection from a file