Synopsis: Security:


social network enhanced digital city management and innovation success- a prototype design.pdf

2004), mechanisms for ensuring trust and security (Kippert & Swiercz, 2007; Garrison & Posey, 2006), easy-to-use environments, social computing,

Computer security Checklist for Non-Security Technology Professionals, Journal of International Technology and Information management, 15 (3), 87-91.


social-innovation-mega-trends-to-answer-society-challenges-whitepaper.pdf

In ICT, how will we manage the security and privacy of personal data with global digital content doubling every eighteen months,

and zero breaches of security. This will also lead to many Zero initiatives like zero emails, zero time business incubation,

Combined with an increasing desire for energy security at a country level this has triggered a global dash to find the energy sources

Includes the entire smart solutions ecosystem in energy, infrastructure, transportation, buildings, security, governance, education and healthcare.

nuclear power will continue to present significant opportunities for players that can successfully address the dominant issues of safety and security.

Energy Control Community ICT Cyber security Renewables Energy efficiency Storage Electric Vehicles Stabilisation & Balancing NEDOMIZUHO Cyber Defence Hitachi Hawaii Electric Maui Electric


Special Report-Eskills for growth-entrepreneurial culture.pdf

The ICT sector currently lacks people with the right skills to accomplish a number of functions, from developing software applications and security systems,

Varying national rules on taxation and data protection ran the risk of stifling the growth these tech businesses can create,

This leads to the risk of digital issues falling through the cracks, while politicians such as Kroes argue it should be hardwired into all policymaking.

Of course there are risks, and there will be challenging questions for us to answer as we enter this new reality,


SPRINGER_Digital Business Models Review_2013.pdf

or when new opportunities and threats indicate a need for reinvention (Johnson et al. HBR 2008.


Standford_ Understanding Digital Technology’s Evolution_2000.pdf

and, ultimately, prospects for economic growth, national security and the quality of life. Not since the opening of the atomic age, with its promises of power too cheap to meter and threats of nuclear incineration, has a technology so deeply captured the imagination of the public.

Indeed, not since that era have hopes and doubts about the social usefulness of a new technological departure been coupled so closely as has been the case


Survey on ICT and Electronic Commerce Use in Companies (SPAIN-Year 2013-First quarter 2014).pdf

or more employees via their website were company introduction (90.5%), privacy policy statement or certification related to website security (65.2%) and access to catalogues and price lists (52.8%).

related to website security 65.2 Access to product catalogues or price lists 52.8 Links or references to the social media profiles of the company 34.7 Possibility of electronic submission of complaint forms 26.4 Posting vacancies

%the risk of corporate security holes (31%) and the high price of Cloud Computing services (27.8%).


Survey regarding reistance to change in Romanian Innovative SMEs From IT Sector.pdf

and possessing the ability to exchange helps eliminate the inhibitor of change. the risks involved in change.

When a person certain risks associated with the expected change in personal group or organization,

The ability to take risks, tolerance for ambiguity inherent in innovation, resistance to stress are reduced.

5, 6, 7-positive reactions to change Very few people are prepared to give up ideas for your loved obvious risks.

and threats in a convincing manner and particularly the EU would achieve it aware of the need for change

the remaining 39,82%saw the change as a threat Manifestations of resistance to change Unfortunately 74,72%of employees show an active resistance to change Frequency of using tactics to reduce resistance to change-actions of senior managers on change Reducing resistance


Tepsie_A-guide_for_researchers_06.01.15_WEB.pdf

as the acquisition of investment usually brings high capital costs and risks. Enhanced cooperation between different actors will help to improve income sources and also the opportunities for more investment in the field

yet, there are risks and limitations associated with citizen engagement, and further research is needed to understand the impact of participation on society and individuals.

First, the term risks becoming a buzzword, leading to a loss of credibility and support,

rather there are associated risks and challenges. For instance, the value of engagement tends to be contingent on the form and practice of that activity

and the risks associated with a low quality version of it spreading. Receptive contexts Lastly, we emphasise the significance of receptive contexts.

or the financial risks that acquiring external growth capital brings, social innovators tend to favour it.

Further research is needed to analyse ways to exploit investment models through more effective mechanisms of reducing investment capital costs which are the main barrier for this form of financing.

'and others involved in resourcing social innovation may share risks, allocate costs, and distribute benefits more effectively.

a significant level of economic risk; a minimum amount of paid work. The social dimension consists of three as well:

and business skills to exploit market opportunities to set up and grow a social enterprise (although we also know that the people in charge lack these very skills very often).

First, the term risks becoming a buzzword or a passing fad, as many organisations adopt the concept without really embracing the practice.

marked by a high degree of risk and uncertainty due inter alia to the specific context wherein they appear social innovations are, in a significant way,

Whether or not they can be seen as better (more effective/social/democratic) is a question of its own that can only be answered in retrospective. 85 High degree of risk


The 2013 EU Industrial R&D Investment Scoreboard.pdf

and other procedures in 2007 following cases such as the withdrawal of Merck's painkiller Vioxx in 2004 after it was shown that the drug increased the risk of a heart attack.

Investors and financial analysts can use the Scoreboard to assess investment opportunities and risks. 18 Investing in research:


The 2013 EU SURVEY on R&D Investment Business Trends.pdf

Gradual recovery, external risks, IP/13/1025 of 05/11/2013, http://europa. eu/rapid/press-release ip-13-1025 en. htm. 16 The samples

Der Spiegel, 19 April 2013, http://www.spiegel.de/international/business/lack-of-skilled labor-could-pose-future-threat-to-german-economy-a-894116.html country (number of statements

and security as defined in the regulation on data protection and processes it only for the explicit and legitimate purposes declared

of which underlie the Commission's security decisions and provisions established by the Directorate of Security for these kind of servers and services.

The information you provide will be treated as confidential and aggregated for analysis. Data verification and modification In case you want to verify the personal data


The antecedents of SME innovativeness in an emerging transition economy.pdf

1996) and Carrier (1994) mention explicit strategies to increase and stimulate internal creativity and risk taking behavior. Yet another internal variable is investments in R&D (Birchall et al. 1996; Oerlemans et al. 1998). Among other internal factors that were found to be important determinants of success of innovative efforts are the nature of the commercialization and marketing effort, the degree of marketing involvement in product planning and firm competence in the area of technology strategy and technology management (Hoffman et al.


THE CULTURE OF INNOVATION AND THE BUILDING OF KNOWLEDGE SOCIETIES.pdf

and A Culture of Innovation mean that the global population is increasingly in need of the necessary education to harness and maximise the potential benefits while minimising risks of globalisation and innovation.

the organisation has been one of the first and most active promoters of the development of sustainable knowledge societies, identifying potential threats to,


The future internet.pdf

such as interactions with the real world through sensor/actuator networks, network virtualization and cloud computing, enhanced privacy and security features and advanced multimedia capabilities.

Foundations-Architectural Issues-Socioeconomic Issues-Security and Trust-Experiments and Experimental Design Future Internet Areas-Networks-Services-Content Applications FIA Budapest will be the seventh FIA

Security and Trust: Introduction to Part III; Security Design for an Inter-Domain Publish/Subscribe Architecture (Kari Visala, Dmitrij Lagutin, and Sasu Tarkoma); Engineering Secure Future Internet Services (Wouter Joosen, Javier Lopez, Fabio Martinelli, and Fabio Massacci); Towards Formal Validation of Trust and Security in the Internet of Services...

security including trust and privacy. The content of this area includes eight chapters covering some of the above architectural research in Future Internet.

privacy, licensing, security, provenance, consistency, versioning and availability; it glues together reusable information fragments into meaningful structured and integrated documents without the need of a predefined schema.

In case data protection/encryption methods are employed (even using asymmetric encryption and public key methods), data cannot be stored efficiently/handled.

On the other hand, lack of encryption, violates the user and data privacy. More investigations into the larger privacy and data protection ecosystem are required to overcome current limits of how current information systems deal with privacy and protection of information of users,

Lack of data integrity, reliability and trust, targeting the security and protection of data; this issue covers both unintended disclosure and damage to integrity from defects or failures,

and vulnerabilities to malicious attacks. iv. Lack of efficient caching & mirroring: There is no inherited method for on-path caching along the communication path

Security requirements of the transmission links: Communications privacy does not only mean protecting/encrypting the exchanged data

It is not sufficient to just protect/encrypt the data (including encryption of protocols/information/content,

v. Security of the whole Internet Architecture. The Internet architecture is not intrinsically secure and is based on add-ons to, e.g. protocols,

On the other hand, mobility is realized still in most cases by means of dedicated/separated architectural components instead of Mobile IP. see Subsection 3. 5. Point 6 Accountability of resource usage and security without impeding

see Subsection. 3. 5. Point. 2 Security: see Subsection. 3. 5 point 5, Subsection 3. 1. Point. 2 and 3. Generality e g. support of plurality of applications

Trust and Security. The authors would like to acknowledge and thank all members of the group for their significant input and the EC Scientific Officers Isidro Laso Ballesteros, Jacques Babot, Paulo De Sousa, Peter Friess, Mario Scillia

and promises security and increased manageability. We define In-Network clouds as an integral part of the differentiated Future Internet architecture,

Applications compliant with these framework services share common security metadata, administration, and management services. The DOC enables the following functions across the orchestration plane:

Since each domain may have different SLAs, security and administrative policies,

therefore essential in guaranteeing both a degree of self management and adaptation as well as supporting context-aware communications that efficiently exploit the available network resources.

the CE meets the requirements of context collection, context dissemination, interfaces with the Context Information Base and supports for access control.

In practice, the CP creates meta-context from context using mechanisms that exploit the business requirements

monitoring and measuring, road safety, security/identity checking, video surveillance, etc. Predictions state that there will be 225 million cellular M2M devices by 2014 with little traffic per node but resulting significant growth in total,

because current QoS assurance mechanisms in the IP world require improvements to replace the Layer 2 QoS schemes of the tradi

However, from a management system perspective, the scope of this scenario rely in the fact on how the use of semantic models capturing knowledge relating to security functionality

delegation of management authority to network management systems and decentralised assurance of service delivery in a home area are important too. 7 Summary

Proc. of the 13th International security Protocols Workshop, Cambridge, UK (April 2005) 27. Jennings, B.,et al.:

Access control functionality is essential to ensure that only authorized resource users are able to access the resources.

and addressing functionality and associated security mechanisms that are required to enable dynamic loosely coupled systems. The number of participants can be m:

A comprehensive security framework provides functions for the realization of a variety of different trust relationships.

This is centered on a security token service for resource users and AAA (Authentication, Authorization and Accounting) service to enforce access at the access controlled entities covering resources and framework functions.

Role-based access control for individual middleware components N/A EPC and value-added sensing EPCIS standard SENSEI Execution manager responsible for maintenance of long lasting requests

Security token service for resource users and AAA service to enforce access at the access controlled entity resource access proxy service for crossdomain access auditing for AAA service to perform accounting and authorized use SENSEI

ontology based context model) Session management Access control Auditing and billing Underlying Resource model Underlying context model 80 A. Gluhak et al. 5 Concluding Remarks The chapter presents a blueprint for design of systems capable of capturing information from and about the physical world and making it available


privacy, licensing, security, provenance, consistency, versioning and availability 5. IDN glues together reusable information fragments into meaningful structured and integrated documents without the need of a predefined schema.

when the exponential growth of small and/or mobile devices and sensors, of services and of security requirements began to show that current Internet is becoming itself a bottleneck.

The follow-up of Nets, Netse 5 proposes a clean-state approach to properly meet new requirements in security, privacy and economic sustainability.

This claims for an evolution towards closed-loop algorithms and procedures which are able to properly exploit appropriate real-time network measurements.

A so-called Supervisor and Security Module (not shown for clarity reason in Fig. 2) is embedded in each Cognitive Manager supervising the whole Cognitive Manager and,

at the same time, assuring the overall security of the Cognitive Manager itself (e.g., including end-to-end encryption, Authentication, Authorization and Accounting (AAA) at user and device level, Service Security, Intrusion Detection, etc.).

Another key role of this module is to dynamically decide, consistently with the application protocols,

but they cannot tell the transport layer its needs of encryption or mobility. It is possible to change the paradigm of client-server communication and the structure of the intermediate layers of the TCP/IP,

Low latency, low jitter, bandwidth, addressing, delivery guarantee, management, mobility, QoS and security. The changing needs of the entities may vary depending on the context of the entities in communication,

OVM (Ontology for Vulnerability Management) to support security needs 35; NetQoSOnt (Network QoS Ontology) to meet the needs of service quality 27;

Payload Size Control equal to 84 Bytes; and; Delivery Guarantee request. In this context, this need is informed, to the Service Layer,

and studies concerning the unique identification of the entities and the formalization of security mechanisms for the Entity Title Model.

IEEE/IFIP New Technologies, Mobility and Security Conference (2009) 24 Pereira, J. H. S.,Kofuji, S. T.,Rosa, P. F.:

IEEE/IFIP New Technologies, Mobility and Security Conference (2009) 25 Pereira, J.,Sato, L.,Rosa, P.,Kofuji, S.:

An Ontological Approach to Computer system Security. Information security Journal: A Global Perspective (2010) 36 Wong, W.:

et al.:An Architecture for Mobility Support in a Next Generation Internet. In: The 22nd IEEE International Conference on Advanced Information, Networking and Applications-AINA (2008) Part II:

estimating, and understanding the risks, challenges, and usability aspects of this network of networks. As collected by the FISE (Future Internet Socioeconomics) working group within the FIA on its wiki, the following general aspects of socioeconomics,

6) The investigation of (European) regulation for e-services markets and security regulations;(7) The investigation of the physical environment of e-services in terms of availability, worldwide vs. highly focused (cities),

since detailed and specific security demands, electronic identities, or Quality-of-Experience (QoE) will outline societal requirements to be met by technological support means,

Both approaches, due to the offering of extra capacity resources, exploit the native self-organizing incentive-based mechanisms of overlays to increase the level of traffic locality within ISPs.

and has some security benefit. As a counterexample, IPv6 deployment has a cost to the end host to support the dual stack,

But for some protocols the wider scenario requires extra critical functionality for example, security features, if the initial scenario is trusted within a domain.

The framework also ignores factors such as risks (deployment is harder if the associated risk is higher),

regulatory requirements and the role of hype and group think. When there are competing proposals (which should be selected for deployment?)

because signalling in the payload is more likely to get traumatised by some middleboxes. -There is a separate connection-level sequence number,

One reason that MPTCP uses TCP-Options for signalling (rather than the payload) is that it should simplify offloading by network cards that support MPTCP,

These factors reduce the deployment risk, especially as it should also be easier to roll back

and CRAMM (CCTA Risk Analysis and Management Method) 7 have similar objectives to our methodology.

and quantifying security risks in organizations. The situations analyzed by the aforementioned methodologies are associated often with certain kinds of tussles.

technology literacy and expectations, openness to risk and innovation. Furthermore, it should be studied whether and how these attributes,

For instance, impact assessment (3a) could be performed by mathematical models for assessing risk or utility, as well as providing benchmarks like the price of anarchy ratio.

On the other hand, risk assessment techniques seem more relevant for the second tussle since high congestion can have an impact on ISP's plans to offer other real-time services.

Risk assessment techniques could be used in this case, as well as models for estimating social welfare loss. A side-effect of this tussle is innovation discouragement

then setting-for example-a low price would increase his risk of being selected by the least profitable customers.

and care are suggested as a countermeasure for moral hazard issues. Similarly the proposed way for mitigating the effects of adverse selection is for the less informed party to gather more information (called signaling)

that persons should be secure from unwarranted surveillance. However, the issue turns into a tussle over the very definition of

what constitutes unwarranted surveillance, and when surveillance may be warranted in ways that individual users are willing to forego their privacy concerns in the interest of broader societal concerns.

Governments frequently argue that in order to protect national security, they must be given access to network communication data.

Furthermore, ISPs and other companies such as Google and Amazon have increasingly been able to monetize their user transaction data and personal data.

few people were interested in debating the societal risks and values surrounding a platform that could potentially distribute previously secret documents.

and politicians as well as security and trust experts. 4 Survey of Work on Social and Economic Tussles as Highlighted in FP7 Projects In this section, SESERV looks at specific projects in the FP7 Future Networks project portfolio,

The Trilogy project also studied the social tussles surrounding phishing the attempt to acquire sensitive personal data of end-users by masquerading as a trustworthy entity,

but no mechanism has been suggested to deal with this security problem and the fears that it raises among end-users.

who are considered often to be easy targets for such phishing attempts. The ETICS project (Economics and Technologies for Inter-Carrier Services) 8 studies a repurposing tussle arising

when an ISP (the provider) requests a share of an ASP's revenues (the consumer) due to its higher investment risks and operational costs.

and economic mechanisms that will allow network providers to offer inter-domain QoS assurance and obtain higher bargaining power during negotiations for service terms (e.g. pricing).

Security and Trust Part III: Future Internet Foundations: Security and Trust 163 Introduction If you are asking for the major guiding principles of Future Internet technology and applications,

the answer is likely to include sharing and collaboration. Cloud computing, for instance, is built on shared resources and computing environments,

it also raises security and privacy concerns and introduces additional protection needs. The Future Internet is characterized by deliberate exposure of precious information

in addition, change the threat model and increase the attack surface. An attack can potentially be launched by a malicious or fake service provider, service consumer,

The challenge is to design security and trust solutions that scale to Future Internet complexity and keep the information and resource owner in control, balancing potentially conflicting requirements while still supporting flexibility and adaptation.

as well as providing assurance about security properties of exposed services and information.

The chapters presented in the Security and Trust section of this volume look at the challenges mentioned above from three different angles.

which address potential security issues from the beginning, but also imply the need for novel solutions like integrity and availability.

The chapter, Security Design for an Inter-domain Publish/Subscribe Architecture by K. Visala et al. looks into security implications of a data-centric approach for the Future Internet,

The authors introduce a security architecture based on self-certifying name schemes and scoping that ensure the availability of data

It is a good example of how clean-slate approaches to the Future Internet can support security needs by design,

The second group of chapters investigates the provision of assurance of the security properties of services and infrastructures in the future Internet.

The provision of evidence and a systematic approach to ensure that best security practices are applied in the design

Such a discipline is required to particularly emphasize multilateral security requirements, the composability of secure services,

the provision of assurance through formal evidence and the consideration of risk and cost arguments in the Secure Development Life cycle (SDLC).

The authors propose security support in programming and execution environments for services, and suggest using rigorous models through all phases of the SDLC, from requirements engineering to model-based penetration testing.

Their considerations lead to the identification of Future Internet specific security engineering research strands. One of the major ingredients of this program, the provision of security assurance through formal validation of security properties of services, is investigated in detail in the chapter 'Towards Formal Validation of Trust and Security in the Internet of Services' by R. Carbone et al. They introduce a language to specify the security aspects of services and a validation platform based on model-checking.

A number of distinguished features ensure the feasibility of the approach to Future Internet scenarios and the scalability to its complexity:

The two chapters demonstrate the way towards rigorous security and trust assurance in the future Internet addressing one of the major obstacles preventing businesses

and users to fully exploit the Future Internet opportunities today. While engineering and validation approaches provide a framework for the secure design of Future Internet artifacts adapted to its characteristics, the third group of chapters looks into specific instances of the information sharing and collaboration principle and introduces novel means to establish their security.

The chapter Trustworthy Clouds underpinning the Future Internet of R. Glott et al. discusses latest trends in cloud computing and related security issues.

but also faces new security risks, from the breach of separation between tenants to the compliance challenge in case of distribution over different regulatory domains.

The authors discuss these risks and provide an outlook to their mitigation, embedded in a systematic security risk management process.

In cloud computing, but also in most other Future Internet scenarios like the Internet of Services, the need for data exchange leads to sensitive data, e.g.,

With the three groups of chapters, this section of the book provides directions on how security

and trust risks emerging from the increased level of sharing and collaboration in the future Internet can be mitigated,

The Author (s). This article is published with open access at Springerlink. com. Security Design for an Inter-Domain Publish/Subscribe Architecture Kari Visala1, Dmitrij Lagutin1,

In this paper we present a security design through the network stack for a data-centric pub/sub architecture that achieves availability, information integrity,

and allows application-specific security policies while remaining scalable. We analyse the solution and examine the minimal trust assumptions between the stakeholders in the system to guarantee the security properties advertised.

Keywords: Future Internet, publish/subscribe networking, network security 1 Introduction Data-centric pub/sub as a communication abstraction 2, 3,

4 reverses the control between the sender and the receiver. Publication in the middle decouples the publisher from the subscriber and there is no direct way of sending a message to a given network,

and the security design presented here covers all these as a whole. In this paper we refine and extend our work in 5

support many types of application-specific security policies. Some of the techniques used in our architecture

Our security goals concur with 1 except that confidentiality and privacy are expected to be handled on top of the network layer

The security goals are: Availability, which means that the attackers cannot prevent communication between a legitimate publisher and a subscriber inside a trusted scope.

Application-specific security policies, which mean that the architecture can cater for the specialized security policies of different types of applications

while partially same resources can be shared by them. In addition to aforementioned goals, the solution is restricted by the requirements of scalability and efficiency.

At some point in time, a data source may then publish the publication inside a set of scopes that determine the distribution policies such as access control

The scope must be trusted by the communicating nodes to function as promised and much of the security of our architecture is based on this assumption as we explain in 5. Scopes are identified with a special type

that is used for the payload communication. The data-centric paradigm is a natural match with the communication of topology information that needs to be distributed typically to multiple parties

and the ubiquitous caching considerably reduces the initial latency for the payload communication as popular operations can be completed locally based on cached data.

A graphlet defines the network resources used for the payload communication and it can be anything from the path of an IP packet to private virtual circuits.

Some protocols may require an additional phase for the reservation of a graphlet before the payload communication.

Here the security model only guarantees the integrity of the association between an identifier and its content.

Confidentiality of publications can be achieved by encryption of the content and/or the labels. Fig. 1 depicts a simplified example of My movie edit meta-data publication that has Rid (PN

but they are assumed not to have a long life-time as the security mechanism is coupled with the identifier.

Because it is not feasible to use traditional cryptographic solutions like RSA on a per-segment basis in the payload communication,

Fig. 1. Publications can refer to other publications persistently using long-term Aids.

and the client (e.g. a subscriber) and returns the information to the client that can then use this information to join a graphlet (e.g. a delivery tree) that can then be used for the fast-path payload communication.

in order to keep the publication data or pending subscription alive.

We refer to our work in 5 for a detailed description of the rendezvous security mechanisms.

Thus we claim that the deployment of new transport functionality in the network to be run at branching points of graphlets can be done scalably. 5 Related Work This section covers related work for publish/subscribe systems and network layer security solutions.

Security issues of the content-based pub/sub system have been explored in 7. The work proposes secure event types

5.1 Security Mechanisms Most of existing network layer security proposals utilize hash chains

Accountable Internet Protocol (AIP) 11 aims to improve security by providing accountability on the network layer.

Identity-based encryption and signature scheme (IBE) 12 allows a label, e.g., the user's e-mail address to be used as user's public key,

Security issues and requirements for Internet-scale publish-subscribe systems. In: HICSS'02, Hawaii, USA (2002) 2. Visala, K.,Lagutin, D.,Tarkoma, S.:

Roles and Security in a Publish/Subscribe Network architecture. In: ISCC'10, Riccione, Italy (2010) 6. Clark, D.,Wroclawski, J.,Sollins, K.,Braden, R.:

of service engineering and security engineering. Generic solutions that ignore the characteristics of Future Internet services will fail,

Such a life cycle support must deliver assurance to the stakeholders and enable risk and cost management for the business stakeholders in particular.

in order to jointly enable the security and trustworthiness of Future Internet services. 1 Introduction 1.1 Future Internet Services The concept named Future Internet (FI) aggregates many facets

Yet this also creates more vulnerabilities and risks as the number of trust domains in an application gets multiplied,

the size of attack surfaces grows and so does the number of threats. Furthermore, the Future Internet will be an intrinsically dynamic

and evolving paradigm where, for instance, end users are empowered more and more and therefore decide (often on the spot) on how content

as both risks and assumptions are hard to anticipate. Moreover, both risks and assumptions may evolve;

thus they must be monitored and reassessed continuously. 1.2 The Need for Engineering Secure Software Services The need to organize,

and security breaches in these services may lead to large financial loss and damaged reputation. 1.3 Research Focus on Developing Secure FI Services Our focus is on the creation and correct execution of a set of methodologies, processes and tools for secure software development.

We need to enable assurance: approving that the developed software is secure. Assurance must be based on justifiable evidence,

and the whole process designed for assurance. This would allow the uptake of new ICT-services according to the latest Future Internet paradigms,

where services are composed by simpler services (provided by separate administrative domains) integrated using third parties infrastructures and platforms.

Thus, embedding risk/cost analysis in the SDLC is currently one of the key research directions

in order to link security concerns with business needs and thus supporting a business case for security matters.

bearing in mind that the discovery and remediation of vulnerabilities during the early development stages saves resources.

(1) security requirements for FI services, (2) creating secure service architectures and secure service design,

and compose-able services, (4) enabling security assurance, integrating the former results in (5) a risk-aware and cost-aware software development life-cycle (SDLC),

and (6) the delivery of case studies of future internet application scenarios. The first three activities represent major and traditional stages of (secure) software development:

Both the security assurance programme and the programme on Risk and Cost aware SDLC will interact with each of the initial three activities,

and techniques that we consider useful for engineering secure Future internet services. 2 Security Requirements Engineering The main focus of this research strand is to enable the modeling of high-level requirements that can be expressed in terms of

The need for assurance in the future Internet demands a set of novel engineering methodologies to guarantee secure system behavior and provide credible evidence that the identified security requirements have been met from the point of view of all stakeholders.

The security requirements of Future Internet applications will differ considerably from those of traditional applications.

and each one will have his own security requirements. Hence, eliciting, reconciling, and modeling all the stakeholders' security requirements become a major challenge 5. Multilateral Security Requirements Analysis techniques have been advocated in the state of the art 14

but substantial research is still needed. In this respect, agent-oriented and goal-oriented approaches such as Secure Tropos 12 and KAOS 8 are currently well recognized as means to explicitly take the stakeholders' perspective into account.

Furthermore, it is important that security requirements are addressed from a higher level perspective, e.g., in terms of the actors' relationships with each other.

Unfortunately, most current requirements engineering approaches consider security only at the technological level. In other words, current approaches provide modeling and reasoning support for encryption, authentication, access control, non-repudiation and similar requirements.

However, they fail to capture the high-level requirements of trust, privacy, compliance, and so on. Engineering Secure Future Internet Services 181 This picture is complicated further by the vast number

Such deployments inherit security risks from the classical Internet and, at the same time create new and more complex security challenges.

Examples include illicit tracking of RFID tags (privacy violation) and cloning of data on RFID tags (identity theft).

The definition of techniques for the identification of all stakeholders (including attackers), the elicitation of high-level security goals for all stakeholders,

and the identification and resolution of conflicts among different stakeholder security goals; The refinement of security goals into more detailed security requirements for specific services and devices;

The identification and resolution of conflicts between security requirements and other requirements (functional and other quality requirements);

The transformation of a consolidated set of security requirements into security specifications. The four objectives listed above obviously remain generic by nature,

one should bear in mind though that the forthcoming techniques and results will be applied to a versatile set of services,

so security enforcement mechanisms are indispensable. The design phase of the software service and/or system is a timely moment to enforce

and reason about these security mechanisms, since by that phase one must have grasped already a thorough understanding of the application domain

The security architecture for the system must enforce the visible security properties of components and the relationships between them.

assess and reason about security mechanisms at an early phase in the software development cycle. The research topics one must focus on in this subarea relate to model-driven architecture and security, the compositionality of design models and the study of design patterns for FI services and applications.

The three share the common ambition to maximize reuse and automation while designing secure FI services and systems.

So, it would be possible to specify a first high-level model with some high-level security policies.

which the security policies become more detailed, closer to the enforcement mechanisms that will fulfil them.

The integration of security aspects into this paradigm is the so-called model-driven security 6, leading to a design for assurance methodology in

which every step of the design process is performed taking security as a primary goal. A way of carrying out this integration includes first decomposing security concerns,

so that the application architecture and its security architecture are decoupled. This makes it possible for architects to assess tradeoffs among different security mechanisms more easily,

simulate security policies and test security protocols before the implementation phase, where changes are typically far more expensive.

In order to achieve this, it is first necessary to convert the security requirements models into a security architecture by means of automatic model transformations.

These transformations are interesting since whilst requirements belong to the problem-domain, the architecture and design models are within the solution-domain,

so there is an important gap to address. In the context of security modeling, it is extremely relevant to incept ways to model usage control (e.g., see 21, 22, 18), which encompasses traditional access control, trust management and digital rights management and goes beyond these building blocks in terms of definition and scope.

Finally, by means of transformation patterns, it is required to research on new ways to map the high-level policies established at requirements stage into low-level

further research is necessary to find out what kind of security architecture is required in the context and how to carry out the decomposition of such fairly novel architectures.

Until this point in the software and service development process, different concerns, security among them, of the whole application have been separated into different models,

each addressing different concerns, even different security sub-architectures for different security requirements, it is required to assure that the composition of all these architectures is accomplished

so threats in the environment may change over time and some reconfiguration may be required to adapt to those changes.

reducing costs and risks usually arisen by uncertainty, leveraging a risk and cost-aware. There are large catalogues and surveys on security patterns available 26,13,

but the FI applications yet to come and the new scenarios enabled by FI need to extend

and tailor these catalogues. In this context, the first step is studying the patterns currently available and, what is more important,

both from a general perspective and from a security perspective for security-critical software systems. 4 Security Support in Programming Environments Security Support in Programming Environments is not new;

The search for security support in programming environments has to take this context in account.

The requirements and architectural blueprints that will be produced in earlier stages of the software engineering process cannot deliver the expected security value

unless the programs (code) respect these security artefacts that have been produced in the preceding stages. This sets the stage for model driven security in which the transformation of architecture and design artefacts is essential,

as well as the verification of code compliance with various 184 W. Joosen et al. properties. Some of these properties have been embedded in the security specific elements of the software design;

others may simply be high priority security requirements that have been articulated, such as the appropriate treatment of concurrency control and the avoidance of race conditions in the code,

as a typical FI service in the cloud may be deployed with extreme concurrency in mind. Supporting security requirements in the programming code level requires a comprehensive approach.

The service creation means must be improved and extended to deal with security needs. Service creation means both aggregating

and composing services from preexisting building blocks (services and more traditional components), as well as programming new services from scratch using a state-of-the-art programming language.

One could argue that security support for service creation must focus on and enable better static verification.

and building blocks that facilitate effective security enforcement at run-time. Depending on the needs and the state-of-the-art, this may lead to interception and enforcement techniques that simply ensure that the application logic consistently interacts with underpinning security mechanisms such as authentication or audit services.

Otherwise, the provisioning of the underpinning security mechanisms and services (e.g. supporting mutual non-repudiation, attribute-based authorization in a cloud platform, etc.)

will be required as well for many of the typical FI service environments. Next we further elaborate on the needs

and hosted by various organizations and providers), each with its own security characteristics. The business compositions are very dynamic in nature,

including their security policies, and tools to generate code for service compositions that are able to fulfil these requirements based on the available services.

composition languages must support means to preserve at least the security policy of those services being composed. The research community needs to consider the cases where only partial

Secure Service Programming Many security vulnerabilities arise from programming errors that allow an exploit. Future Internet will further reinforce the prominence of highly distributed and concurrent applications,

making it important to develop methodologies that ensure that no security hole arises from implementations that exploit the computational infrastructure of the Future Internet.

are one of the most effective approaches to exploit multi-core parallelism. These algorithms are hard to design

and revisit methods from language-based security, in particular type systems, to enforce best-practises currently used

and similar vulnerabilities associated with web-based distributed applications. Obviously, the logical rationales underlying such best-practises must be articulated,

while still maintaining security. 4.3 Platform Support for Security Enforcement Future Internet applications span multiple trust domains,

and the hybrid aggregation of content and functionality from different trust domains requires complex cross-domain security policies to be enforced,

In effect, the security enforcement techniques that are triggered by built-in security services and by realistic in the FI setting,

and on the enforcement of fine-grained security policies via execution monitoring. Secure Cross-Domain Interactions.

and from a security perspective, the SOP is not strong enough to achieve the appropriate application isolation.

Trustworthy applications need run-time execution monitors that can provably enforce advanced security policies 19, 3 including fine-grained access control policies, usage control policies

Supporting Security Assurance for FI Services. Assurance will play a central role in the development of software based services to provide confidence about the desired security level.

Assurance must be treated in a holistic manner as an integral constituent of the development process

seamlessly informing and giving feedback at each stage of the software life cycle by checking that the related models

and artefacts satisfy their functional and security requirements and constraints. Obviously the security support in programming environments that must be delivered will be essential to incept a transverse methodology that enables managing assurance throughout the software and service development life cycle (SDLC).

The next section clarifies these issues. 5 Embedding Security Assurance and Risk management during SDLC Engineering secure Future Internet services demands for at least two traversal issues,

security assurance and risk and cost management during SDLC. 5.1 Security Assurance The main objective is to enable assurance in the development of software based services to ensure confidence about their trustworthiness.

Our core goal is to incept a transverse methodology that enables managing assurance throughout the software development life cycle (SDLC).

The methodology is based on two strands: A first sub-domain covers early assurance at the level of requirements, architecture and design.

A second sub-domain includes the more conventional and complementary assurance techniques based on implementation. Assurance during the Early Stages of SDLC.

Early detection of security failures in Future Internet applications reduces development costs and improves assurance in the final system.

This first strand aims at developing and applying assurance methods and techniques for early security verification.

These methods are applied to abstract models that are developed from requirements to detailed designs. One main area of research is stepwise refinement of security

by developing refinement strategies, from policies down to mechanisms, for more complex secure protocols, services, and systems.

This involves the definition of suitable service and component abstractions (e.g., secure channels) and the setup of the corresponding reasoning infrastructure (e.g., facts about such channels). Moreover, we need to extend the refinement framework with compositional techniques for model-based secure service development.

where functional and security-related design aspects can be refined independently. Model composition must preserve the refinement relation and component properties.

Our aim is to offer developers support for smoothly integrating security aspects into the system development process at any step of the development.

when possible, automated) reasoning about the security policies models. The methodologies must be supported by automatic protocol verification tools,

but also the ability to deal with more complex primitives and security properties. Moreover, the Dolev-Yao attacker model 9 used by these tools needs to be extended to include new attack possibilities such as adaptive corruptions

In addition, for assurance, there is the need to extend model checking methods to enable automatic generation of protocol correctness proofs that can be verified independently by automated theorem proving.

Security Assurance in Implementation. Several assurance techniques are available to ensure the security at the level of an implementation.

Security policies can be implemented correctly by construction through a rigorous secure programming discipline. Internet applications can be validated through testing.

In that case, it is possible to develop test data generation that specifically targets the integration of services

access control policies or specific attacks. Moreover, implementations can be monitored at run-time to ensure that they satisfy the required security properties.

Complementing activities are related to secure programming. This strand addresses a comprehensive solution for program verification,

automated generation in XML-based input data to maximize the efficiency in the security testing process,

The latter part will focus on access control policies. Finally, an important set of activities relates to run-time verification.

and testing in order to provide the final assurance that the latter cannot deliver, be it for scientific and technological reasons,

Security concerns are specified at the business-level but have to be implemented in complex distributed and adaptable systems of FI services.

We need comprehensive assurance techniques in order to guarantee that security concerns are taken correctly into account through the whole SDLC.

A chain of techniques and tools crossing the above areas is planned. Security Metrics. Measurements are essential for objective analysis of security systems.

Metrics can be used directly for computing risks (e.g., probability of threat occurrence) or indirectly (e.g., time between antivirus updates). Security metrics in the future Internet applications become increasingly important. Service-oriented architectures demand assurance indicators that can explicitly indicate the quality of protection of a service,

and hence indicate the effective level of trustworthiness. These metrics should be assessed and communicable to third parties.

Clients want to be sure that their data outsourced to other domains, which the clients cannot control,

are protected well. We need to define formal metrics and measurements that can be calculated practically. Compositional calculation approaches will be studied in this context.

Many of the proposed metrics will be linked to and determined by the various techniques in the Engineering process. 5.2 Risk and Cost Aware SDLC There is a need to create a methodology that delivers a risk and cost aware SDLC for secure FI services.

Such a life cycle model aims to ensure the stakeholders' return of investment when implementing security measures during various stages of the SDLC.

We can envision several aspects of this kind of SDLC support (see also 4). Process: The methodology for risk

and cost aware SDLC should be based on an incremental and iterative process that is accommodated to an incremental software development process.

While the software development proceeds through incremental phases, the risk and cost analysis will undergo new iterations for each phase.

In order to support the propagation of analysis results through the phases of the SDLC one needs to develop methods and techniques for the refinement of risk analysis documentation.

Such refinement can be obtained both by refining the risk models, e.g. by detailing the description of relevant threats and vulnerabilities,

and by accordingly refining the system and service models. Aggregation: In order to accommodate to a modular software development process,

one needs to focus on a modular approach to the analysis of risks and costs. In a compositional setting, also risks become compositional

and should be analysed and understood as such. This requires, however, methods for aggregating the global risk level through risk composition

which will be investigated. Evolution: The setting of dynamic and evolving systems furthermore implies that risk models

and sets of chosen mitigations are dynamic and evolving. Thus, in order to maintain risk and cost awareness,

there is a need to continuously reassess risks and identify cost-efficient means for risk mitigation as a response to service

or component substitution, evolving environments, evolving security requirements, etc., both during system development and operation.

Based on the modular approach to risk and cost analysis one needs methods to manage the dynamics of risks.

In particular, the process for risk and cost analysis is highly iterative by supporting updates of global analysis results through the analysis of only the relevant parts of the system as a response to local changes and evolvements.

Interaction: The methodology of this strand spans the orthogonal activities of security requirement engineering, secure architecture and design,

secure programming as well as assurance and the relation to each of these ingredients must be investigated. During security requirements engineering risk analysis facilitates the identification of relevant requirements.

Furthermore, methods for risk and cost analysis offer support for the prioritization and selection among requirements through, e.g., the evaluation of trade-off between alternatives or the impact of priority changes on the overall level of risks and cost.

In the identification of security mechanisms intended to fulfil the security requirements risk and cost analysis can be utilized in selecting the most cost efficient mechanisms.

The following architecture and design phase incorporates the security requirements into the system design. The risk and cost models resulting from the previous development phase can at this point be refined

and elaborated to support the management of risks and costs in the design decisions. Moreover, applying cost metrics to design models

and architecture descriptions allows early validation of cost estimates. Such cost metrics may also be used in combination with security metrics for the optimization of the balance between risk and cost.

The assurance techniques can therefore be utilized in providing input to risk and cost analysis, and in supporting the identification of means for risk mitigation based on security metrics. 6 Conclusion We have advocated in this paper the need

and the opportunity for firmly establishing a discipline for engineering secure Future Internet Services, typically based on research in the areas of software engineering, security engineering and of service engineering.

We have clarified why generic solutions that ignore the characteristics of Future Internet services will fail:

the peculiarities of FI services must be reflected upon and be addressed in the proposed and validated solution.

The various lines of research and the strands within each research line have been articulated while founding the NESSOS Network of Excellence (www.nessosproject.eu). Clearly,

the needs and challenges sketched in this paper reach beyond the scope and capacity of a closed consortium.

The topics listed above should and will be shared and tackled by an entire and open research community.

Acknowledgments. We would like to thank the anonymous reviewers for the helpful comments. Work partially supported by EU FP7-ICT project NESSOS (Network of Excellence on Engineering Secure Future Internet Software Services and Systems) under the grant agreement n. 256980.

The AVISPA tool for the automated validation of internet security protocols and applications. In: Etessami, K., Rajamani, S.K. (eds.)

Composing security policies with Polymer. SIGPLAN Not. 40, 305–314 (2005) 4. Braber, F., Hogganvik, I., Lund, M.S., Stølen, K., Vraalsen, F.:

Model-based security analysis in seven steps - a guided tour to the CORAS method. BT Technology Journal 25, 101–117 (2007) 5. Bresciani, P., Perini, A., Giorgini, P., Giunchiglia, F., Mylopoulos, J.:

Model-driven security in practice: An industrial experience. In: Schieferdecker, I., Hartman, A. (eds.) ECMDA-FA 2008.

and analysis of security protocols. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 414–418.

On the security of public key protocols. In: Proceedings of the 22nd Annual Symposium on Foundations of Computer Science, Washington, DC, USA, pp. 350–357.

Proceedings of the 2000 IEEE Symposium on Security and Privacy, Washington, DC, USA, pp. 246–255.

Modelling security and trust with Secure Tropos. In: Integrating Security and Software Engineering: Advances and Future Vision, IDEA (2006) 13.

Group, O.: Security design pattern technical guide, http://www.opengroup.org/security/gsp.htm 14.

Gürses, S.F., Berendt, B., Santen, T.: Multilateral security requirements analysis for preserving privacy in ubiquitous environments.

In: Proc. of the Workshop on Ubiquitous Knowledge Discovery for Users at ECML/PKDD, pp. 51–64 (2006) 15.

Extracting relations among security patterns. In: SPAQU'08 (Int. Workshop on Software Patterns and Quality) (2008) 18.

Usage control in computer security: A survey. Computer Science Review 4 (2), 81–99 (2010) 19. Le Guernic, G., Banerjee, A., Jensen, T., Schmidt, D.A.:

Security services architecture for secure mobile grid systems. Journal of Systems Architecture. In Press (2010) 24.

Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21 (1), 2003 (2003) 25.

A survey on security patterns. Progress in Informatics 5, 35–47 (2008) Towards Formal Validation of Trust and Security in the Internet of Services Roberto Carbone1, Marius Minea2, Sebastian Alexander Mödersheim3

, Serena Elisa Ponta4, 5, Mathieu Turuani6, and Luca Viganò7 1 Security & Trust Unit, FBK, Trento, Italy 2 Institute e-Austria, Timișoara, Romania 3 DTU, Lyngby

, Denmark 4 SAP Research, Mougins, France 5 DIST, Università di Genova, Italy 6 LORIA & INRIA Nancy Grand Est, France 7

and security impact of an option, a minor change, a combination of functionalities, etc., due to the subtle and unforeseeable situations and behaviors that can arise from this panoply of choices.

The formal verification of trust and security of the Internet of Services will significantly boost its development

techniques and tools are provided to ensure security. Deploying services in future network infrastructures entails a wide range of trust and security issues

but solving them is extremely hard since making the service components trustworthy is not sufficient:

composing services leads to new, subtle and dangerous, vulnerabilities due to interference between component services and policies, the shared communication layer,

however, do not provide automated support for the discovery of important vulnerabilities and associated exploits that are already plaguing complex web-based security-sensitive applications,

and thus severely affect the development of the future internet. Moreover, security validation should be carried out at all phases of the service development process,

in particular during the design phase by the service designers themselves or by security analysts that support them in their complex tasks,

so as to prevent the production and consumption of already flawed services. Fortunately, a new generation of analyzers for automated security validation at design time has been recently put forth;

this is important not just for the results these analyzers provide, but also because they represent a stepping stone for the development of similar tools for validation at service provision and consumption time,

thereby significantly improving the all-round security of the IoS. In this chapter, we give a brief overview of the main scientific and industrial challenges for such verification tools,

the AVANTSSAR Validation Platform (or AVANTSSAR Platform for short) is an integrated toolset that has been developed in the context of the AVANTSSAR project (www.avantssar.eu, 4) for the formal specification and automated validation of trust and security of service

and service infrastructures, enhance their security and robustness, and thus increase the development and public acceptance of the IoS. We proceed as follows.

some of the main features of specification languages and automated validation techniques that have been developed for the verification of trust and security of services.

and reasoning about trust and security of SOAS is complex due to three main characteristics of service orientation.

Second, SOAS are also distributed systems,

SOAS and their security requirements are continuously evolving: services may be composed at runtime, agents may join or leave,

and client credentials are affected by dynamic changes in security policies (e.g., for incidents or emergencies). Hence, security policies must be regarded as part of the service specification

and as first-class objects exchanged and processed by services. The security properties of SOAS are,

moreover, very diverse. The classical data security requirements include confidentiality and authentication/integrity of the communicated data.

More elaborate goals are structural properties (which can sometimes be reduced to confidentiality and authentication goals) such as authorization (with respect to a policy), separation or binding of duty,

and accountability or non-repudiation. Some applications may also have domain-specific goals (e.g., correct processing of orders).

Various languages have been proposed to model trust and security of SOAS, e.g., BPEL 24, π-calculus 19, F# 5, to name a few.

One needs a language fully dedicated to specifying trust and security aspects of services, their composition,

++which we have defined to be close to specification languages for security protocols/services and to procedural and object-oriented programming languages.

they can be used to describe service workflows and steps in security protocols. For instance, an employee (Alice) changing group membership at the command of her manager (Peter) can be formalized as:

Finally, we need to model the security properties. While this can be done by using different languages,

we may require a separation of duty property, namely that for privacy purposes,

Rather, novel and different validation techniques are required to automatically reason about services, their composition, their required security properties and associated policies.

and the heterogeneous security contexts is to integrate different technologies into a single analysis tool,

and implement a variety of e-business scenarios possibly bound to complex security policies. When security constraints are to be respected,

it can be very complex to discover or even to describe composition scenarios. This motivates the introduction of automated solutions to scalable services composition.

and our main motivation is to take into account the security policies while computing an orchestration. The AVANTSSAR Platform, for example, implements an idea presented in 11 to automatically generate a mediator.

and is constructed with respect to security goals using the techniques we developed for the verification of security protocols.

3.2 Model Checking of SOAs

Model checking [13] is a powerful and automatic technique for verifying concurrent systems.

and, more recently, important results have been obtained for the analysis of security protocols. In the context of SOAs, a model-checking problem is the problem of determining

whether a given model representing the execution of the service under scrutiny in a hostile environment enjoys the security properties specified by a given formula.

these security properties can be complex, requiring an expressive logic. Most model-checking techniques in this context make a number of simplifying assumptions on the service

Yet we might be interested in establishing the security of a service that relies on a less insecure channel.

In fact, services often rely on transport protocols enjoying some given security properties (e.g., TLS is often used as a unilateral or a bilateral authentic and/or confidential communication channel

thus important to develop model-checking techniques that support reasoning about communication channels enjoying security-relevant properties, such as authenticity, confidentiality, and resilience.

by supporting reasoning about LTL formulae, allows one to reason about complex trace-based security properties.

In particular, the AVANTSSAR Platform integrates a bounded model-checking technique for SOAs [1] that allows one to express complex security goals that services are expected to meet as well as assumptions on the security offered by the communication channels.

3.3 Channels

It is, of course,

For instance, TulaFale [6], a tool by Microsoft Research based on ProVerif [7], exploits abstract interpretation for verification of web services that use SOAP messaging, using logical predicates to relate the concrete

and security requirements of a goal service and a description of the available services (including a specification of their security-relevant behavior,

in order to build an orchestration of the available services that meets the security requirements stated in the policy.

and a security goal formally specified in ASLAN, and automatically checks whether the orchestration meets the security goal.

If this is the case, then the ASLAN specification of the validated orchestration is given as output,

otherwise a counterexample is sent back to the Orchestrator (where a failed validation means the existence of vulnerabilities that need to be fixed).

Towards Formal Validation of Trust and Security in the Internet of Services

[Figure legend: CS: Composed Service; CP: Composed Policy; S: Service; P: Policy. Labels: Vulnerability, Policy, Trust and Security, insecure, secure, Composed service/policy, Secured service/policy, TS Wrapper, Services, feedback, BPMN.]

and Industry Migration The landscape of services that require validation of their security is very broad.

it is necessary to factor out the access control policies and meta-policies from the possible workflow,

and the security mechanisms that implement them independently of their use in particular workflows. There is thus a clear advantage in having a language allowing the specification of policies via clauses (e.g.,

Classes of properties that have been verified include authorization policies, accountability, trust management, workflow security, federation and privacy.

the OASIS SAML security standard is written in natural language that is often subject to interpretation. Since the many configuration options, profiles, protocols, bindings, exceptions,

it is hard to establish which message fields are mandatory in a given profile and

The vulnerability was detected by the SATMC backend of the AVANTSSAR Platform and the attack was reproduced in an actual deployment of SAML-based SSO for Google Apps.

Google and the US Computer Emergency Readiness Team (US-CERT) were informed and the vulnerability was kept confidential until Google developed a new version of the authentication service

and Google's customers updated their applications accordingly. The severity of the vulnerability has been rated High in a note issued by the National Institute of Standards and Technology (NIST).

Moreover, as shown in [2], the SATMC backend of the AVANTSSAR Platform also allowed us to detect that the prototypical SAML SSO use case (as described in the SAML technical overview) suffers from an authentication flaw that,

has automatically found vulnerabilities in PKCS#11-based products by Aladdin, Bull, Gemalto, RSA, and Siemens among others.

PKCS#11 specifies an API for performing cryptographic operations such as encryption and signature using cryptographic tokens (e.g.,

to perform the same security-critical operations as the legitimate token user. Formal validation of trust and security will become a reality in the Internet of Services

only if and when the available technologies will have migrated to industry, as well as to standardization bodies (which are driven mostly by industry 204 R. Carbone et al

First, in the trail of the successful analysis of Google's SAML-based SSO, an internal project has been run to migrate AVANTSSAR results within SAP NetWeaver Security

and identity provider services fulfill the expected security desiderata in the considered SAP relevant scenarios.

All discovered risks and flaws in the SAML protocol have been addressed in NW-NGSSO implementation and countermeasures have been taken.

The results have been collected in tables that can be used by SAP in setting-up the NW-NGSSO services on customer production systems.

For instance, the authentication flaw in the SAML standard helped SAP business units to gain greater insight into the SAML standard than the security considerations described there provide, and helped SAP Research to better understand the vulnerability itself

The AVANTSSAR technology has also been integrated into the SAP NetWeaver Business Process Management (NW BPM) product to formally validate security-critical aspects of business processes.

and development of a security validation plug-in that enables a business process modeler to easily specify the security goals one wishes to validate such as least privilege

A scalability study has also been conducted on a loan origination process case study with a few security goals

These results show that the AVANTSSAR technology can provide a high level of assurance within industrial BPM systems,

as it allows for validating all the potential execution paths of the BP under-design against the expected security desiderata.

In particular, the migration activity succeeded in overcoming obstacles for the adoption of model-checking techniques to validate security desiderata in industry systems by providing an automatic generation of the formal model on

as well as highlighting the model-checking results as a comprehensive feedback to a business analyst who is neither a model-checking practitioner nor a security expert.

the security validation plug-in is currently listed in the productization road-map of SAP products for business process management.

6 Conclusions

and security of the IoS. The research innovation put forth by AVANTSSAR aims at ensuring global security of dynamically composed services

Together, all these research efforts will result in a new generation of tools for automated security validation at design time

These advances will significantly improve the all-round security of the IoS, and thus boost its development and public acceptance.

LTL Model Checking for Security Protocols. Journal of Applied Non-Classical Logics, special issue on Logic and Information Security, 403-429 (2009)

2. Armando, A., Carbone, R., Compagna, L., Cuéllar, J., Pellegrino, G., Sorniotti, A.: From Multiple Credentials to Browser-based Single Sign-on: Are We More Secure?

Proceedings of the 6th ACM Workshop on Formal Methods in Security Engineering (FMSE 2008), pp. 1 10.

Automated Validation of Trust and Security of Service-Oriented Architectures. FP7-ICT-2007-1, Project No. 216471, http://www. avantssar. eu, 01.01.2008 31.12.2010 5. Bhargavan, K.,Fournet, C.,Gordon, A d.:

Verified Reference Implementations of WS-Security Protocols. In: Bravetti, M.,N'u nez, M.,Zavattaro, G. eds.

A security tool for web services. In: de Boer, F. S.,Bonsangue, M m.,, Graf, S.,de Roever, W.-P. eds.

Proceedings of the 14th IEEE Computer security Foundations Workshop, pp. 82 96. IEEE Computer Society Press, Los Alamitos (2001) 8. Bodei, C.,Buchholtz, M.,Degano, P.,Nielson, F.,Nielson, H r.:

Static validation of security protocols. Journal of Computer security 13 (3), 347 390 (2005) 9. Boichut, Y.,H'eam, P.-C.,Kouchnarenko, O.:

TA4SP (2004), http://www. univ-orleans. fr/lifo/Members/Yohan. Boichut/ta4sp. html 10. Bortolozzo, M.,Centenaro, M.,Focardi, R.,Steel, G.:

Attacking and Fixing PKCS#11 Security tokens. In: Proceedings of the 17th ACM conference on Computer and Communications security (CCS 2010), pp. 260 269.

ACM Press, New York (2010)

11. Chevalier, Y., Mekki, M. A., Rusinowitch, M.: Automatic Composition of Services with Security Policies.

In: Proceedings of Web Service Composition and Adaptation Workshop (held in conjunction with SCC/SERVICES-2008), pp. 529-537.

Proceedings of 23rd IEEE Computer security Foundations Symposium, pp. 322 336. IEEE Computer Society Press, Los Alamitos (2010) 13.

Safely composing security protocols. Formal Methods in System Design 34 (1), 1 36 (2009) 16.

Proceedings of the 19th MFPS, ENTCS 83, Elsevier, Amsterdam (2004) Towards Formal Validation of Trust and Security in the Internet of Services 207 17.

On the Security of Public-Key Protocols. IEEE Transactions on Information theory 2 (29)( 1983) 18.

Abstraction by Set-Membership Verifying Security Protocols and Web Services with Databases. In: Proceedings of 17th ACM conference on Computer and Communications security (CCS 2010), pp. 351 360.

ACM Press, New York (2010)

22. Mödersheim, S., Viganò, L.: Secure Pseudonymous Channels. In:

The Open-source Fixed-Point Model Checker for Symbolic Analysis of Security Protocols. In: Aldini, A.,Barthe, G.,Gorrieri, R. eds.

The Transport Layer Security (TLS) Protocol, Version 1. 2. IETF RFC 5246 (Aug. 2008) 27.

This article introduces upcoming security challenges for cloud services such as multi-tenancy, transparency and establishing trust into correct operation,

and security interoperability. For each of these challenges, we introduce existing concepts to mitigate these risks

and survey related research in these areas.

1 Cloud Computing and the Future Internet

Cloud computing is expected to become a backbone technology of the Future Internet that provides Internet-scale

and security architectures and mechanisms. 4 For which the Internet pioneer Vint Cerf has suggested recently the term Intercloud J. Domingue et al.

Trust and security are regarded often as an afterthought in this context, but they may ultimately present major inhibitors for the cloud-of-clouds vision.

and discuss the complex trust and security requirements. Furthermore, we survey existing components to overcome these security and privacy risks.

We will explain the state-of-the-art in addressing these requirements and give an overview of related ongoing international,

and Security Limitations of Global Cloud Infrastructures

2.1 Cloud Security Offerings Today

According to the analyst enterprise Forrester Research and their study Security and the Cloud [17], the cloud security market is expected to grow to 1

and to approach 5% of overall IT security spending. Whereas today identity management and encryption solutions represent the largest share of this market,

particular growth can be expected in three directions:

1. securing commercial clouds to meet the requirements of specific market segments
2. bespoke highly secure private clouds
3. a new range of providers offering cloud security services to add external security to public clouds

Trustworthy Clouds Underpinning the Future Internet 211 An example for the first category is the Google gov. app cloud launched in September 2009 that offers a completely segregated cloud targeted exclusively at US government customers.

Other cloud providers also adapt basic service security to the needs of specific markets and communities.

This allows tailor-made solutions to specific security concerns, in particular in view of the needs of larger customers.

In the same way, the base security of Microsoft public cloud services is adapted to the targeted market.

cloud services for more sensitive markets (such as Microsoft Health Vault) use SSL encryption by default. On the other hand, commodity public cloud services such as Amazon EC2 are still growing

even though they offer only limited base security and largely transfer responsibility for security to the customer.

Therefore in parallel to the differentiated security offerings via bespoke private or community clouds, there is also a growing complementary service market to enable enhanced security for public clouds.

Here a prime target is the small to mid-size enterprise market. Examples for supplementary services are threat surveillance (e.g., Alertlogic), access and identity management (e.g., Novell, IBM), virtual private networking (e.g., Amazon Virtual Private Cloud), encryption (e.g., Amazon managed encryption services) and web traffic filtering services (e.g., Zscaler, Scansafe).

2.2 Today's Datacenters as the Benchmark for the Cloud

Using technology always constitutes a certain risk.

If the IT of any given business failed, the consequences for most of today's enterprises would be severe.

Even if multiple lines of defense are used (e.g., firewalls, intrusion defense, and protection of each host), all systems usually contain errors that can be found and exploited

For the security objectives when adopting clouds for hosting critical systems we believe that today's datacenters are the benchmark for new cloud deployments.

Overall, the benefits need to outweigh the potential disadvantages and risks. While the cost and flexibility benefits of using clouds are easy to quantify,

potential disadvantages and risks are harder to qualitatively assess or even quantitatively measure. An important aspect for this equation is the perceived level of uncertainty:

Today, uncertainty about the actual availability does not allow enterprises to make such risk management decisions

For security this argument leads to two requirements for cloud adoption by enterprises: The first is that with respect to security and trust,

new solutions such as the cloud or cloud-of-clouds will be compared and benchmarked against existing solutions such as enterprise or outsourced datacenters.

cloud providers must enable enterprises to integrate cloud infrastructures into their overall risk management. We will use these requirements in our subsequent arguments.

3 New Security and Privacy Risks and Emerging Security Controls

Cloud computing, being a novel technology, introduces new security risks [7] that need to be mitigated.

As a consequence, cautious monitoring and management of security risks [13] is essential (see Figure 1 for a sketch following [12]).

We now survey selected security and privacy risks whose importance has been increased by the cloud and identify potential security controls for mitigating those risks.

Fig. 1. Simplified Process for Managing Security Risks [12]: 1. Survey of Risks, 2. Design of Controls, 3. Implement. of Controls, 4. Monitoring of Effectiveness

3.1 Isolation Breach between Multiple Customers

Cloud environments aim at efficiencies of scale by increased

sharing resources between multiple customers. As a consequence, data leakage and service disruptions gain importance and may propagate through such shared resources.

An important requirement is that data cannot leak between customers and that malfunction or misbehavior by one customer must not lead to violations of the service-level agreement of other customers.

Fig. 2. Multi-tenancy at Multiple Levels [25].

Traditional enterprise outsourcing ensures the so-called multi-tenant isolation through dedicated infrastructure for each individual customer

In order to mitigate this risk in a cloud computing environment, multi-tenant isolation ensures customer isolation. A principle to structure isolation management is One way to implement such isolation is labeling

mechanisms such as access control that ensures that machines and applications of one customer cannot access data

and moderate all undesired information flows [19].

R. Glott et al.

3.2 Insider Attacks by Cloud Administrators

A second important security risk is the accidental

This risk is hard to mitigate since security controls need to strike a balance between the power needed to administrate

and the security of the administrated systems. A practical approach to minimize this risk is to adhere to a least-privilege approach for designing cloud management systems.

This means that cloud management systems should provide a fine-grained role hierarchy with clearly defined separation of duty constraints.

The goal is to ensure that each administrator only holds minimized privileges to perform the job at hand.

or transported Data security administrators can design and define policies but cannot play any other roles.

Due to the corresponding logging, the security auditors can later determine which employee has held what privileges at any given point in time.

and Guarantees

While the proposed mechanisms to mitigate the identified risks are important, security incidents are largely invisible to a customer:

Data corruption may not be detected for a long time. Data leakage by skilled insiders is unlikely to be detected. Furthermore, the operational state and potential problems are usually not communicated to the customer except after an outage has occurred.

However, run-time attestation solution still remains an open and challenging problem.

3.5 What about Privacy Risks?

the right to correction and deletion as well as the necessity of reasonable security safeguards for the collected data.

the user as well as the data subject might face risks of data loss, corruption or wiretapping due to the transfer to an external cloud provider.

Transparency, technical and organizational security safeguards and contractual commitments (e.g., Service Level Agreements, Binding Corporate Rules).

which security measures are deployed. Therefore, the utmost transparency regarding the processes within the cloud is required to enable the user to carry out his legal obligations.

Also, the cloud service provider could prove to have an appropriate level of security measurements by undergoing acknowledged auditing

These may also extend to the level of technical solutions, such as encryption, data minimization or enforcement of processing according to predefined policies.

4 Open Research Challenges

Today's technology for outsourcing

and cost-efficient schemes to mitigate the risk of insider fraud. The goal is to minimize the set of trusted employees for each customer through implementing a rigorous least privilege approach as well as corresponding controls to validate employee behavior.

Security Integration and Transparency. The third challenge is to allow customers to continue operating a secure environment.

This means that security infrastructure and systems within the cloud such as intrusion detection event handling and logging, virus scans,

and access control need to be integrated into an overall security landscape for each individual customer. Depending on the type of systems,

but may also require security technology within the cloud. One example is intrusion detection: In order to allow customers to 'see' intrusions on the network within the cloud and correlate these intrusions with patterns in the corporate network,

From a security perspective, this will raise new challenges. Customers need to provide a consistent security state over multiple clouds

and provide means to securely fail-over across multiple clouds. Similarly, services will be composed from underlying services from other clouds.

As such, it can rely on security and privacy mechanisms that were developed for service-oriented architectures and outsourcing.

We surveyed security risks that gain importance in this setting and surveyed potential solutions. Today, demand for cloud security has increased

but the offered security is still limited. We expect this to change and clouds with stronger security guarantees will appear in the market.

Initially they will focus on security mechanisms like isolation, confidentiality through encryption, and data integrity through authentication.

However, we expect that they will then move on to the harder problems such as providing verifiable transparency,

to integrate with security management systems of the customers, and to limit the risks imposed by misbehaving cloud providers and their employees.

Acknowledgments. We thank Ninja Marnau and Eva Schlehahn from the Independent Centre for Privacy Protection Schleswig-Holstein for substantial and very helpful input to our chapter on privacy risks.

We thank the reviewer for helpful comments that enabled us to improve this chapter. This research has been supported partially by the TCLOUDS project http://www.tclouds-project.eu funded by the European Union's Seventh Framework Programme (FP7/2007-2013) under grant agreement number ICT-257243.

Open Access. This article is distributed under the terms of the Creative Commons Attribution Noncommercial License

Virtualizing networking and security in the cloud. SIGOPS Oper. Syst. Rev. 44,86 94 (2010), doi:

Towards automated security policy enforcement in multi-tenant virtual data centers. J. Comput. Secur. 18,89 121 (2010) 220 R. Glott et al. 5. Chien, E.:

ACM Workshop on Cloud computing Security (CCSW'09), pp. 85 90. ACM Press, New york (2009) 7. Cloud Security Alliance (CSA:

Top threats to cloud computing, version 1. 0. March 2010), http://www. cloudsecurityalliance. org/topthreats/csathreats. v1. 0. pdf 8. Computer and Communication

Industry Association (CCIA: Cloud computing (2009), http://www. ccianet. org/CCIA/files/cclibraryfiles/Filename/000000000151/Cloud computing. pdf 9. Gentry, C.:

Proceedings of the 2010 ACM workshop on Cloud computing security workshop, Chicago, Illinois, USA. CCSW'10, pp. 77 86.

Information security management system (ISMS) standard (Oct 2005), http://www. 27000. org/iso-27001. htm 13.

Toward risk assessment as a service in cloud environments. In: Proceedings of the 2nd USENIX conference on Hot topics in cloud computing. pp. 13 13.

Security and the cloud: Looking at the opportunity beyond the obstacle. Forrester research (October 2010) 18.

Proceedings of the 16th ACM conference on Computer and communications security, Chicago, Illinois, USA. CCS'09, pp. 199 212.

Privacy and data security risks in cloud computing. Electronic commerce & Law Report 15,186 (2010) 23. Van dijk, M.,Juels, A.:

Cloud computing and security. Lecture Univ. Stuttgart (November 2009)

26. Weichert, T.: Cloud computing und Datenschutz (2009), http://www.datenschutzzentrum.de/cloud-computing/

Data Usage Control in the Future Internet Cloud

Michele Bezzi and Slim Trabelsi, SAP Labs

In addition, the risk, for personal data to travel across boundaries and business domains, is that the usage conditions agreed

specifying obligations and integrating access control policies. Providing the data owner with a user-friendly way to express their preferences,

1 www.primelife.eu

M. Bezzi and S. Trabelsi

Access control: PPL inherits from the XACML [8] language the access control capabilities that express how access to which resource under

which condition can be achieved. Data Handling: the data handling part of the language defines two conditions:

The access control engine: it checks if there is any access restriction for the data before sending it to any server.

and acts as a user-side engine invoking access control and matching modules, and the third party plays the role of data collector invoking the obligation engine

However, these new capabilities may entail privacy risks. From the user perspective, the risk is that of losing control of his personal information once it is released in the cloud.

In particular, when personal data are consumed by multiple services, possibly owned by different entities in different locations, the conditions of the data usage,

and minimize the risk of violating the agreed privacy policy. The concept of sticky policy may be used to address some of the privacy requirements of the cloud scenario.

A privacy-aware access control system. J. Comput. Secur. 16,369 397 (2008) 2. Ashley, P.,Hada, S.,Karjoth, G.,Powers, C.,Schunter, M.:

Economics of Information security and Privacy, pp. 121 167. Springer, New york (2010) 4. Bussard, L.,Neven, G.,Preiss, F. S.:

extensible access control markup language (xacml) version 3. 0, extensible access control markup language (xacml) version 3. 0, oasis (August 2008) 9. Shostack, A.,Syverson, P.:

Economics of Information security, Advances in Information security, vol. 12, pp. 129 142. Springer, New york (2004) 10.

Panlab, experimental testing, resource federation, Future Internet

1 Introduction

Future Internet research results in new experimental infrastructures for supporting approaches that exploit extend

On top of this a wide variety of applications has different requirements with regard to quality, reliability and security from the underlying networks.

The control and verification of service level agreements (SLAs) between domains as well as inter-domain security have to be addressed in federated testbeds as well as in the real Internet.

and data exchange among providers (e.g., [8]). Intrusion detection systems can increase situation awareness (and with this overall security) by sharing information.

Applications, Security, Safety, and Architectures. IEEE Communications Surveys 2 (1)( 1999), http://www. comsoc. org/pubs/surveys/1q99issue/psounis. html 17.

Trust Management and Security, privacy and data protection mechanisms of distributed data. An addressing scheme, where identity and location are embedded not in the same address.

Support of security, reliability, robustness, mobility, context, service support, orchestration and management for both the communication resources and the services' resources.

even greater challenges appear, with many concerns relevant to privacy, security and governance and with a diversity of issues related to Internet's effectiveness and inclusive character.

security and data protection with transparent and democratic governance and control of offered services as guiding principles ([10, 11]).

1.1 Autonomicity

Dependability and security; scalability; services (i.e.: cost, service-driven configuration, simplified services composition over heterogeneous networks, large scale and dynamic multi-service coexistence, exposable service offerings/catalogues;

In addition, security risks currently present in network environments request for immediate attention. This could be achieved by building trustworthy network environments to assure security levels

and manage threats in interoperable frameworks for autonomous monitoring.

1.2 The Vision of a Modern Self-Managing Network

The future vision is that of a self-managing network

whose nodes/devices are designed in such a way that all the so-called traditional network management functions, defined by the FCAPS management framework (Fault, Configuration, Accounting, Performance and Security) [14],

as well as the fundamental network functions such as routing, forwarding, monitoring, discovery, fault-detection and fault-removal,

vi) Mechanisms, tools and methodology construction for the verification and assurance of diverse self-capabilities that are guiding systems and their adaptations, correctly;

security, reliability and Enhanced Network Self-Manageability in the Scope of Future Internet Development 283 robustness.

service levels and application management, security, ongoing maintenance, troubleshooting, planning, and other tasks ideally all coordinated and supervised by an experienced and reliable entity (known as the network administrator).

In this context, we argue that the performance, control, security and manageability issues, considered as non-priority features in the 70s [3], should be addressed now [6]. In this chapter,

and QoS, including manageable security services. A new layered architecture for the Control and Management Plane that allows dynamic services composition

The proposed architecture also addresses two major security aspects: secure operation of the VI provisioning process,

and provisioning dynamic security services, to address challenge #5. Fig. 1 shows the reference model of our architecture as it has been modeled in the context of the GEYSERS project.

performance, quality of data security, cost aspect, feasibility, etc. Our architecture will result in a new role for telecom operators that own their infrastructure to offer their optical network integrated with IT infrastructures (either owned by them or by third-party providers) as a service to network operators.

security, compute power and energy efficiency. In order to enable realistic and effective reasoning at provisioning and run time,

Management, Mobility, QoE, QoS and Security. This ontology at the intermediate layers is represented in FINLAN by the Net-Ontology and the DL-Ontology (Data link) layers.

One application example is the encryption for security at the intermediate layer. In this example in the actual TCP/IP protocols architecture, the layers 3 and 4 are not able to understand the security need in a context

and its complexities usually must be controlled by the Application layer. However, in FINLAN, the Application layer can inform semantically this security need to the Net-Ontology layer.

By this, the related complexities can be handled at the Net-Ontology layer level, instead of the Application layer level.

delivery guarantee, QoS, security and others.

2.1 Collaboration to the AutoI Planes

One of the Autonomic Internet project expectations is to support the needs of virtual infrastructure management to obtain self management

which can cover heterogeneous networks and services like mobility, reliability, security and QoS. The FINLAN project can contribute in its challenges,

to handle requests for services related to bandwidth, storage, encryption, location, indexing and others. Related to the content-centric it is presented in [19] the difficulties of the current networks to support the objects concept.

Through the FINLAN Net-Ontology layer, requirements such as QoS and Security can be requested to the network,

Security"/>owl: Individual><owl: Individual rdf: about="&entity; Multimediaconference"><rdf: type rdf: resource="&entity; Content"/>hasneedof rdf:

IEEE/IFIP New Technologies, Mobility and Security Conference (2009) 8 Pereira, J. H. S.,Kofuji, S. T.,Rosa, P. F.:

IEEE/IFIP New Technologies, Mobility and Security Conference (2009) 9 Pereira, J. H. S.,Kofuji, S. T.,Rosa, P. F.:

A large number of additional specifications such as WS-Addressing, WS-Messaging and WS-Security complement the stack of technologies.

The architecture also relies on autonomous systems to supply users with the necessary infrastructure and a security framework.

with QoS assurance is seen. A flexible way of usage based on virtualised overlays can offer a strong support for the transportation of multimedia flows.

media caching, security, etc. Thus, the HB, which can be seen as the evolution of today's Home Gateway,

routing/forwarding and security. The goal of the Virtual CAN layer is to offer to higher layers enhanced connectivity services,

which together with the associated managers and the other elements of the ecosystem, offer content- and context-aware Quality of Service/Experience, adaptation, security,

allowing association with the correct CAN. 3.2 Content-Aware Networks (CAN) The SPs may request the CANP to create multi-domain VCANs in order to benefit from different purposes (content-aware forwarding, QoS, security

Specialization of VCANs may exist (content-type aware), in terms of forwarding, QoS level of guarantees, QoS granularity, content adaptation procedures, degree of security, etc.

and offer QoS specific treatment. 3.3 CAN Layer Security The aim of the security subsystem within the CAN Layer is twofold:

and 2) intelligent and distributed access control policy-based enforcement. The first objective is characterized by offering, to the Service Provider (SP),

a selection of three degrees of security, being: public traffic, secret content, and private communications.

In public traffic no security or privacy guarantees are enforced. Secret content addresses content confidentiality and authentication by applying common cryptographic techniques over the packets' payload.

Private communications is to be adopted when the confidentiality and authenticity of the entire packets, including headers,

The adopted strategy is to evaluate the required end-to-end security along all CAN domains and discretely apply the security mechanisms only where necessary to guarantee the required security level,

with respect to the security degree invoked. The evaluation algorithm considers the user flow characteristics CAN policies and present network conditions.

In order to attain the required flexibility, the related security architecture was designed according to the hop-by-hop model [7] on top of the MANE routers.

The second objective will pursue a content-aware approach that will be enforced by MANE routers over data in motion.

Such security enforcement will be done according to policies and filtering rules obtained from the CANMGR. In turn, CANMGR will compute policies

and traffic filtering rules by executing security related algorithms over information gathered by the monitoring subsystem.

Content-aware security technologies typically perform deep content inspection of data traversing a security element placed in a specific point in the network.

MANE's related security functions are then to perform attack identification (e.g. port-scan, IP spoofing,

CANMGR carries out collaborative work with homologous entities in order to implement access control policies definition and distribution

security, and monitoring features, in cooperation with the other elements of the ecosystem. The chapter has indicated also the novel business opportunities that are created by the proposed Media-Ecosystem.

A broad assortment of such applications can be found these days, e.g. video streaming, video conferencing, surveillance, broadcast, e-learning and storage.

including assessment of impact and risks. In this paper, we intend to further elaborate on these challenges.

Users will be able to get access control over optical devices like optical switches, to configure important properties of its cards and ports.

but also meaning the negative/dark sides of cyberspace, cybercrime, tracking, identification, military control over cities. Digital cities, from digital representation of cities, virtual cities, digital metaphor of cities, cities of avatars, second life cities, simulation (sim) city.

and reduce the risk of poverty. Other hot societal issues are sustainable development, reducing greenhouse gases emissions and improving the energy efficiency of urban infrastructure.

security and privacy as well as IPR protection; operation and research monitoring as well as experiment control; and the issue of defining

with the aim of blending the fruition of the city's natural and cultural heritage with safety and security in urban spaces.

and prioritisation of the cultural heritage in their city and also to an exploration of the privacy and security issues that are central to the acceptance and success of Future Internet services for the safety of urban environments.

The extensive use of ICT is also empowering the development of essential services for health, security, police and fire departments, governance and delivery of public services.

Specific information management policies should also be addressed to ensure the required level of security and privacy of information.

and manage water consumption, heating, air-conditioning, lighting and physical security. This can allow the development of smart utilities grids with bidirectional flow in a distributed generation scheme requiring real-time exchange of information.

and health information exchanges in remote assistance and medical surveillance for disabled or elderly people.

Public Safety and Security: sensor-activated video surveillance systems; location-aware enhanced security systems; estimation and risk prevention systems (e.g. sensitivity to pollution, extreme summer heating).

Remote working and e-commerce services for businesses, entertainment and communications for individuals. Advanced location based services, social networking and collaborative crowdsourcing collecting citizens' generated data.

By analyzing these different Smart Cities application scenarios, together with the need of a broadband communication infrastructure that is becoming,

or starting to be considered, the 4th utility (after electricity, gas and water), two major ICT building blocks of a Smart City can be identified among the main pillars that the FI provides:

as well as security, privacy, and trust [12, 13]. Cross-domain NG IoT platforms may foster the creation of new services taking advantage of the increasing levels of efficiency attained by the reuse of deployed infrastructures.

trust, security, and privacy) in a standard, easy and flexible way. Now that a number of different approaches towards future GSDP are being addressed in several EU research projects such as SOA4ALL, SLA@SOI, MASTER, NEXOF-RA, etc.

many Smart City services will rely on continuously generated sensor data (for example for energy monitoring, video surveillance or traffic control).

i) Access control and IoT Node Security subsystem, ii) Experiment Support Subsystem, iii) the Facility Management Support Subsystem,

