Aniketos project presentation Secure and Trustworthy Composite Services Wind – July 13th, 2012.

Page 1

Aniketos project presentation

Secure and Trustworthy Composite Services

Wind – July 13th, 2012

Page 2

Wind demo event – July 13th, 2012

Contents

• Project overview
• Aniketos concepts
  - Security and trust in service composition
  - Application realms (industrial case studies)
• Aniketos platform
  - Service lifecycle
  - Capabilities: DT and RT
  - Stakeholders
• Aniketos Demo
  - Design of a trustworthy composite service

Page 3

Aniketos Project

• EU (FP7/2007-2013) funded project (grant no. 257930).
• The project includes 17 partners from 10 different European countries.
• Period: Aug 2010 – Jan 2014 (42 months duration).
• Aim: provide service developers and providers with a secure service development framework that includes methods, tools and security services that support the design-time creation and run-time composition of secure dynamic services, where both the services and the threats are evolving.

See http://aniketos.eu for more info.

Page 4

Aniketos Concepts

• Focusing on web services
  - Services offered ‘in the cloud’ from multiple service providers.
• Aniketos plus and key challenges
  - Constantly maintaining the security and trustworthiness in a service-oriented environment evolving in the cycle of designing, provisioning, delivering and using services.
• Security and trustworthiness
  - Design Time (DT) service composition
  - Run-Time (RT) service (re)composition
  - Services will be designed according to organizational and business views.

[Figure: Service Provider(s) and Service end user. Trust? Security?]

Page 5

Aniketos Service lifecycle

[Figure: service lifecycle spanning Design Time and Run-Time. Actors: Service Developers, Service Providers, Service end users. Activities: Compose, Provide, Invoke, Adapt/Recompose. Changes: component change, change of threats, change of environment.]

• Discovery and composition support based on trustworthiness, security properties and metrics
• Trust and security monitoring
• Threat notification
• End user trust assurance and acceptance
• Identification of responsible party
• Self-protection
• Trust evaluation
• Security validation

Page 6

Platform Overview

The Aniketos platform

Design-time support
• Trustworthiness definition and evaluation
• Security property definition and evaluation
• Composite service analysis and preparation

Runtime support
• Trustworthiness monitoring and evaluation
• Runtime validation of secure service behaviour
• Composite service adaptation and recomposition

Community support
• Reference architecture and patterns
• End user trust and assurance
• Threat analysis and notification
• Aniketos market place

Service Developers
• Use community support (design, threat analysis)
• Service discovery & composition
• Ensure trust & security

Service Providers
• Use community support (submit, threat notification)
• Monitor trust & security
• Perform adaptation

Service end users
• Certification programme
• Single point of trust

Page 7

Design Time Service Composition analysis

Design-time processes

[Figure: Generic design-time composition. Actor: Service developer. Activities: Specify service, Discover service component candidates, Select service components, Establish contracts, Assemble service, Validate service, Deploy service.]

Page 8

Involved modules (1 of 2)

Socio-technical security modelling tool

Model transformation module

Trustworthiness Component

Verification Component

Security property determination module

Secure composition planner module

Security policy monitoring module

Threat response recommendation module

Service threat monitoring module

Notification module

Community support module

Threat repository module

Marketplace

Service composition framework

Training material module

Service runtime environment

Identity management service

Interaction Layer

Data Access Layer

Business Logic Layer

Security-by-Contract Component

Security Requirements Compliance Module

Page 9

Involved Modules (2 of 2)

• STS-tool: to express security needs and requirements on trustworthiness
• MTM will provide the mapping between security requirements specification (SRS) in the STS-model and existing BPMN. The output will be a security EABPM
• IdM: to use the framework the service designer must be authenticated
• SCF: to design service compositions using Marketplace for store/retrieval of atomic services
• Marketplace to support services discovery/announcement
• SCPM: to receive the composition plans from the SCF and return those ones that fulfill the trustworthiness requirement
• TM: to check for the level of trustworthiness

Page 10

Aniketos Case Studies

SESAR

Future telecom services

eGovernance: land buying

Air traffic service pool

Page 11

Future telecom services

Page 12

User story A1

The end user (Bob) owns a mobile device which is equipped with a GPS receiver and a presence enabled VoIP client when accessing the web portal of his TLC Operator.

The services involved are:
a. WebShop for general electronic commerce access;
b. StoreLocator for making users choose the store where to pick up items selected;

• Bob accesses the WebShop application in order to purchase an electronic item he wishes.
• Bob requests the help of an assistant by starting a click-to-call VoIP communication.
• He decides to purchase the item he was interested in.
• The StoreLocator service gives users two options: 1) a manual selection of the pick-up stores that can be selected from an offered list; 2) letting StoreLocator service propose a list of closest stores.
• Bob selects option 2) for automatic store localization. By doing so a service recomposition is started to collect Bob’s current position information and to generate maps and addresses of the stores which are closer to Bob.
• Bob is finally asked to confirm his mail address (that was retrieved through the IdP) to inform him when he can pick up the purchased item.

[Figure labels: Converged SIP/HTTP application; SIP servlets; Application Server Platform]

Page 13

User story A2

[Figure: Resource layer and Aniketos layer. Labels: IMS - Telco, Internet, openAM, HSS, Presence enabler, User Profile, OMA Enabler(s), atomic service, Attribute Provider, Enabler Provider, IdM Provider, REST, Diameter, SIP/XCAP, Marketplace.]

Identity Provider composite web service
- Bridging IMS and Internet identity
- Single Sign On
- Multi-factor authentication
- IMS Service Exposure (e.g. user’s attributes and presence)

Page 14

Aniketos Benefits

Aniketos provides a powerful platform that will bring benefits to the main actors involved (and related stakeholders):
• Service Designers / Developers: to support the creation and the delivery of new innovative services. In general, these developments are commissioned and sponsored by projects funded by Service Providers.
• Service Providers: to enhance their portfolio of services and consequently increase the chance for incrementing revenues by attracting new customers or increasing customer retention.
• End Users: to increase the appeal for services that are intrinsically secure and reliable, having a single point-of-trust with a clear customer’s relationship.

The exploitation of the project’s results is an important part of the project, since Aniketos set up 4 work packages dedicated to outreach: training, demonstration, communities and dissemination.

Page 15

Aniketos Market Segments

Public market: on-line and social shopping but in general all e-Business environments that will offer and deliver services fulfilling security and trustworthiness constraints (i.e. Tourism, Banking, …)

Industry: convergence of ICT and Telco domains, supporting the growing demand for new advanced services to be sold by Service Providers to their customers.

Central and local government: public administrations will face the growing need for offering services to citizens in perfect synergy with the European directives.

Given the nature and potential of the platform we could envisage a gradual introduction in the market either by adopting a pay-per-use mechanism or a periodic fee for Aniketos services offered by the Service Provider to its customers (PaaS could be a possible form of future commercialization).

Page 16

Aniketos Demo:

Design of a trustworthy composite service

Page 17

Demonstration goals

• Secure web service composition tools
  - The demo aims to show the exploitation of the secure composition design time modules:
  - STS-ml & tool: to express the trustworthiness as constraint over the atomic services involved in the composition
  - Service Composition Framework: to build the business process to realize the composite service
• Application of the design time process to real example
• Screencast

Page 18

Composite service workflow

Point of Interests

Geocoding

Weather forecast

Map

Web Page Info collector

Aim: the Service Designer wants to create a service that takes a street address as input and shows on a web page some information related to the provided location.

Page 19

Secure web service composition tools

STS language & tool
• Brief introduction
• Tool application example

Page 20

STS modelling language (STS-ml)

• Socio Technical Security modelling language (STS-ml)
  - Consists of a set of concepts that can be used to analyze security requirements for a wide range of applications (including Service Oriented Applications)
• Rationale
  - Security should be investigated early in the development process
  - Security requirements before security solutions/mechanisms
• Express security needs and requirements at organizational (business/operational) level, by modelling:
  - Social/Technical actors and their goals
  - Interactions among those actors in achieving goals
  - Security requirements and trust properties that stakeholders express.

Page 21

STS-ml perspectives

• Interaction among stakeholders in achieving their goals
• Information (documents) and relationships
• Authorization granted to exchange and manipulate information
• List of security requirements derived from security needs expressed in the business view

Page 22

STS-tool utilization

Scenario modelling steps

i. Identify principal stakeholders (actors)

ii. Identify and analyze the goals of each actor

iii. Define interactions among the actors

iv. Express the requirements on security and trustworthiness

Page 23

Reference scenario: STS-tool utilization

• Design of a composite service that takes the geographical position (street address) of a user as input and shows a set of information in a webpage:
  - A map showing the position
  - Weather information
  - Points of interest in the surroundings
• The Service Provider wants the service to be trustworthy, so he asks the Service Designer to exploit the tools from the Aniketos platform
  - STS-tool for the specification of security requirements and trustworthiness

Page 24

Design of InfoService (1 of 7)

i. Identify principal stakeholders (actors)

ii. Identify and analyze the goals of each actor

iii. Define interactions among the actors

[Figure labels: scope, goal, resource, provision, delegation]

Page 25

Design of InfoService (2 of 7)

i. Identify principal stakeholders (actors)

ii. Identify and analyze the goals of each actor

iii. Define interactions among the actors

[Figure labels: scope, goal decomposition, resource]

Page 26

Design of InfoService (3 of 7)

[Figure: Social View]

Page 27

Design of InfoService (4 of 7)

iv. Express the requirements on security and trustworthiness

[Figure labels: Non-repudiation, Redundancy, Trustworthiness constraint (tc), Re-delegation]

Page 28

Design of InfoService (5 of 7)

[Figure: Information View]

Page 29

Design of InfoService (6 of 7)

[Figure: Authorization View]

U: use

M: modify

P: produce

D: distribute

Page 30

Design of InfoService (7 of 7)

iv. Express the requirements on security and trustworthiness

[Figure labels: Re-delegation, Non-disclosure, Integrity, NeedToKnow]

Page 31

Security Req Specs (SRS)

• The STS-tool will generate SRS from the information contained in 3 views (business view)
• Automatic generation is supported by the tool

Page 32

Secure web service composition tools

Service Composition Framework (SCF)
• Tool application example

Page 33

Reference scenario: SCF utilization

• A service provider wants to offer a service that takes the geographical position of a user as input and shows a set of information in a webpage:
  - A map showing the position
  - Weather information
  - Points of interest in the surroundings
• The service provider wants the service to be trustworthy, so he asks the service designer to exploit the tools made available through the Aniketos platform
  - SCF tool is used in order to design the composite service

Page 34

About trustworthiness in Aniketos…

The trustworthiness value is evaluated by the Trustworthiness Prediction module (TM) and is a combination of:
• Cognitive trust of the user, based on the service and service provider reputation
• Non-cognitive trust, based on objective and measurable properties of the service such as QoS attributes (reliability, performance, availability).

Page 35

Service Composition Framework (SCF)

The SCF is a design time module available in the Aniketos environment allowing a service designer to build executable composition plans

To use the framework the service designer must be authenticated

Page 36

SCF: get started with BPMN modelling

Once authenticated, the service designer can start the BPMN modelling

Page 37

BPMN model of InfoService

From the description of the service in terms of functionality, the service designer decides to use different atomic services and compose them according to the BPMN drafted in the SCF editor

Page 38

BPMN annotated with trustworthiness requirement

The service designer is in charge of designing a composite service with a specific requirement on trustworthiness value

The trustworthiness requirement is expressed as a consumer policy (XML file) written in ConSpec grammar

The file location is included in an extensionElements tag in the XML representing the BPMN

Page 39

An excerpt of the resulting XML for the annotated BPMN is shown below:

Annotated BPMN (1 of 2)

Page 40

Annotated BPMN (2 of 2)

• SRS document is generated by the STS-tool
• BPMN model is generated by using the SCF tool
• MTM will process both pieces of information to generate an annotated BPMN model (EABPMN)
  - MTM not available at this stage of the project (mapping under development)
  - Currently a manual intervention from the Service Designer is necessary

Page 41

Service discovery and selection of the service operation

To make the composition plans the SCF has to bind real web services to the service tasks in the BPMN

The binding process entails:
• Service discovery using the ServiceType as search filter
  - The SCF shows the operations offered by the web services matching the request based on the ServiceType
• Selection of the specific operation the service designer wants to use in order to compose the InfoService
  - If the same operation is offered by different atomic services the service designer will see just one operation

Page 42

Discovery and selection: GeoCoding example (1/2)

Page 43

Discovery and selection: GeoCoding example (2/2)

The service designer discovers operations offered by GeoCoding type services (1) and selects getCoordinates (2)

The service designer isn’t aware of how many web services offer that operation; it’s the SCF which will bind the different services to the service task when making composition plans

Page 44

Creation of composition plans

Once the service designer has selected an operation for each service task the SCF is ready to create the composition plans

When the service designer clicks on “Create composition plans” button, the SCF shows a set of functionally valid composition plans

Page 45

Composition plans created by the SCF

The SCF has created 12 composition plans: this is explained by the number of web services offering the same operation:
• Geocoding type: bound to 2 web services
• PointOfInterest type: bound to 3 web services
• WeatherForecast type: bound to 1 web service
• Map type: bound to 2 web services
• WebPageInfoCollector type: bound to 1 web service

Thus the number of composition plans is 2 × 3 × 1 × 2 × 1 = 12

Page 46

The composition plans ensure functionality but do not consider the trustworthiness requirement

The composition plans have to be checked against the requirements specified for the trustworthiness value

This check is performed by the Secure Composition Planner Module which receives the composition plans from the SCF and returns those ones that fulfill the trustworthiness requirement

Selection of trustworthy composition plans

Page 47

Trustworthiness prediction for composite services

The SCPM invokes the Trustworthiness prediction module to evaluate the trustworthiness value for the set of composition plans received from the SCF

The trustworthiness value of the composite service is evaluated by using the weakest link principle:
• The Trustworthiness module evaluates the trustworthiness value for each service taking part in the composition
• The lowest value is returned as the trustworthiness value of the composite service

Page 48

When the service designer clicks on the “Verify All” button, the SCPM selects the composition plans that fulfil the trustworthiness requirement

Trustworthy composite services

In order to visualize the Trustworthiness value of the composition plans the service designer selects “Order By” Trustworthiness and clicks on “Order/Rank” button
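
Added example (not part of the original slides or the Aniketos code base): the plan enumeration, weakest-link evaluation, threshold check and ranking described on the preceding slides, sketched in Python. Service names, trustworthiness values and the 0.70 threshold are constructed; only the per-type binding counts (2, 3, 1, 2, 1) come from the slides.

```python
from itertools import product

# Constructed sample data: service names and trustworthiness values are
# illustrative. Only the number of services bound to each service type
# (2, 3, 1, 2, 1) is taken from the slides.
BINDINGS = {
    "Geocoding": {"GeoA": 0.82, "GeoB": 0.64},
    "PointOfInterest": {"PoiA": 0.91, "PoiB": 0.58, "PoiC": 0.77},
    "WeatherForecast": {"WeatherA": 0.88},
    "Map": {"MapA": 0.79, "MapB": 0.70},
    "WebPageInfoCollector": {"CollectorA": 0.95},
}


def composition_plans(bindings):
    """Enumerate every functionally valid plan: one service per service type.

    A service type with no bound service yields no plan at all.
    """
    types = list(bindings)
    choices = product(*(bindings[t] for t in types))
    return [dict(zip(types, choice)) for choice in choices]


def weakest_link(plan, bindings):
    """Return (service type, service, value) of the least trustworthy component."""
    return min(
        ((t, svc, bindings[t][svc]) for t, svc in plan.items()),
        key=lambda item: item[2],
    )


def plan_trustworthiness(plan, bindings):
    """Weakest-link principle: the composite value is the lowest component value."""
    return weakest_link(plan, bindings)[2]


def trustworthy_plans(bindings, threshold):
    """Keep plans that meet the threshold, ranked from most to least trustworthy.

    The numeric threshold is an assumption standing in for the requirement
    that the slides say is expressed in a ConSpec consumer policy.
    """
    scored = [(plan_trustworthiness(p, bindings), p) for p in composition_plans(bindings)]
    kept = [(score, p) for score, p in scored if score >= threshold]
    return sorted(kept, key=lambda sp: sp[0], reverse=True)


if __name__ == "__main__":
    print(len(composition_plans(BINDINGS)), "functionally valid plans")
    for score, plan in trustworthy_plans(BINDINGS, 0.70):
        t, svc, _ = weakest_link(plan, BINDINGS)
        print(f"{score:.2f}  weakest link: {t}/{svc}  {plan}")
```

The weakest-link output also names the component that caps each plan's value, which is the service to replace if the plan falls below the requirement.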

Page 49

Last steps: upload and deploy

The service designer selects one of the trustworthy composition plans and can:
• Upload the BPMN to an Activiti Engine
• Deploy it to a web application server

Page 50

Demo

• Screencast (Demo summerSOC2012.avi)
• Presented at Summer School on Service Oriented Computing (SOC) – July 2-5, 2012 – Crete (Greece).

Page 51