
The aim of the Security, Privacy & Trust framework of the FIspace platform is to provide secure and reliable access and, where needed, exchange of confidential business information and transactions using secure authentication and authorization methods that meet required levels of security assurance. Authentication, authorization and accounting technologies will provide user management & access control features.

The main features of the SPT framework have been driven by an initial analysis of the SPT functionalities that will be required by industrial actors that will be users of the FIspace platform, and by industrial technology suppliers who will exploit the FIspace platform to provide Apps and associated services to the industrial actors. The main feature categories that have been considered in the design of the SPT framework for FIspace are:

  • Identity and Trust: Currently, two business actors often establish identity and trust to exchange information based on some previous knowledge of one another, having been in physical communication. In more advanced and eventually more common scenarios, actors will not be able to rely on having physical contact with other FIspace actors, and strategies such as exploiting online profiles, reputation (ranking), certification or registration databases, etc. will be supported.
  • Access Control: This will include features to validate a user's identity, so that only authorized individuals and organizations can connect and so that they can access only the information and data they are allowed to access.
  • Authentication: This will include facilities for authenticating individual users, third-party systems and networked resources, and it will need to go down to fine-grained events and data objects to ensure that only authentic entities are allowed to connect and communicate with the FIspace platform.
  • Data Security: These mechanisms will ensure that data is encrypted and does not leave the FIspace premises unencrypted, and that data can only be accessed by users with the respective credentials.
  • Security Assurance: FIspace will provide strong security assurance that commercial information and transactions are secure, can be trusted and are not vulnerable to malicious actions. FIspace will use a compositional security assurance and accounting process, separating concerns where possible. In a component-based design process, independently developed components are assessed and matched to specific system security requirements to determine if they meet the system security objectives. For independently developed components such as Apps, it is possible to provide assurance provided we can verify that an App adheres to a set of system-wide and App-specific security policies. As full verification of independent Apps is costly and time-consuming, FIspace complements the verification of security policy adherence by Apps with monitoring mechanisms to detect and prevent unacceptable or unexpected App behaviour.
  • Developer support to ensure correct usage of necessary security mechanisms in FIspace: SPT patterns and guidelines underlie the Software Development Toolkit to ensure that SPT issues are considered by App developers.

Concerning privacy and data ownership, one important design consideration is that operational and business data per se is typically not stored persistently in the FIspace platform (i.e., in the Cloud). Rather, data resides with the data owner (and on its premises), but FIspace will provide access to this data (programmatic and access rights) to the entities that require access to it. Typically, only "meta-data", such as events about actual data objects that have changed (change events), will be stored and managed by the platform, as well as user registration information.

DOCUMENTATION

You can find the FIspace SPT technical manual here.

How to Implement OAuth to your Application Backend using Keycloak

How to Secure Widget and provide SSO

Using Administrative Interface Layer (AIL) to manage oauth clients, companies, users and roles
