I4T Workshop 4th April 2016
Berlin, Germany
ACIO will enhance and unify access control (AC) in organizations from both the usability and the security perspectives. It combines several mechanisms that improve the efficiency and fluency of real-time control and monitoring, uses the organization's internal information together with external attributes, and combines physical and logical enforcement points,
...enabling holistic access control.
Access Control In Organizations
Access Control: Future Enterprise
An Internet of Everything brings together people, process, data and things to make networked connections, turning information into actions that are more valuable and relevant.
New Networking Levels
Future Enterprise Evolution
Access Control: Future Enterprise
Sensing Enterprise Business Processes
A new generation of business processes: OSMOTIC business processes in a sensing enterprise.
Sensing Enterprise
How to deal with Access Control in this DATA-CENTRIC scenario?
Reference Architecture Interop. Template
Sensing Enterprise
Real World
Virtual World
Digital World
The scope
Seaports
The Problem
Port processes are under stress:
• throughput must be improved 2 or 3 times
• WITHOUT infrastructure investments
• AND with full traceability of people & assets,
• keeping and evolving legacy systems
The Solution
Digital port business process efficiency
Port efficiency challenge: access control slows down business process execution
Usability challenge: physical-digital world data synchronisation & exchange
Access control challenge: multi-domain, context-sensitive seamless access control for fast decision making
The Approach
• Automate data acquisition (people, goods, vehicles, services).
• Accelerate (multi-domain) cross-system and cross-platform data exchange.
• Fast & easy (multi-factor) access control policy delegation with traceability.
• Big data context-related segmentation for fast analysis.
• Seamless physical-digital world cloud-based data exchange management.
• Digital evidence management and auditing.
The Reference Architecture
OSMOTIC Enterprise Reference Architecture
The Business Processes
OSMOTIC Enterprise Reference Architecture
Motivation: Legal provisions on port security
• International
  – ISPS Code (SOLAS Convention, 12 December 2002)
  – Regulation (EC) 725/2004 of the Parliament & Council of 31 March 2004 on enhancing ship & port facility security
  – Directive 2005/65/EC of the Parliament & Council of 26 October 2005 on enhancing port security
  – Customs-Trade Partnership Against Terrorism (C-TPAT)
  – Container Security Initiative (CSI), 2002
  – Radioactive Risk Detection System (MEGAPORTS), 2008
• National (Spain)
  – Royal Decree 145/89 on dangerous goods in Spanish ports
  – Law 48/2003 of 26 November
  – Rule of the Public Works Department of 17 June 2004
  – Royal Decree 1617/2007 of 7 December, setting measures to improve protection of ports and maritime transport
Seaports’ needs and challenges (I)
1. Weak physical access control of people (drivers, passengers, port employees or other workers, visitors and ship crews), as stated in Directive 2005/65/EC.
2. Lack of control of other vehicle passengers (copilot seat).
3. Insufficient definition in information systems (PCS or other) to enter information for access control of people.
4. Transport companies can inform about drivers, and other companies about employees or other workers, but currently this information is optional.
Seaports’ needs and challenges (II)
5. Port authorities need fluidity at access points in order not to slow down traffic and commercial activity.
6. Access requirements may vary depending on the port sub-area and the security level.
7. Need to make a liaison between cargo control, vehicle and driver.
8. A different authorizer agent for each type of sub-area (port terminal, port authority, depot, warehouse, etc.).
9. A different information provider for each element (logistic operator for containers and cargo, transport company for vehicles and drivers, shipper for passengers, companies for employees, etc.).
There is a problem
...the Port of Valencia is required by the Spanish authorities to identify its 4,000 daily users
A real problem
Valencia Port in figures
Valencia Port is the leading container port in the Western Mediterranean…
…and has experienced the fastest growth rates among West Mediterranean ports
…10th port in the EU by number of tons (Eurostat, 2011)
Current situation in Valencia Port
• The Port Authority manages a physical space in which there are many businesses and organizations, which in turn must implement their own security and protection measures.
• An existing safety study and an emergency plan.
• Lots of rules to comply with (directly or by enforcing them), given the varied casuistry of the port area (various port companies, each subject to different rules depending on its activity).
• Very different risk typologies to control.
• Continuous expansion and modification of the managed port space, and search for new businesses and activities.
• Continuous appearance of new regulations to be applied.
• Over 10,000 vehicles (in and out of the premises), with and without merchandise.
• More than 820,000 passengers (embarked and disembarked).
• Over 450 Port Community System user companies.
Port Community System
• A Port Community System (PCS) is…
  – …a technological platform that allows information interchange between public and private agents in order to increase the competitiveness of a port community
  – …a system that optimizes, manages and automates the port and logistics processes with an intelligent implementation of information flows
• Information flows around a modern port are very complex, involving a large number of agents.
• Each TEU movement requires multiple communications among members of the port community, thus creating a complex information network.
PCS objective
All the Port Community at the same Virtual Table
valenciaportpcs.net in figures
In operation since 2006
+400 user companies
+100 million transactions
Savings in time and cost

Activity             Companies
Freight forwarders   122
Shipping agents      64
Truck carriers       224
Container terminals  5
Other terminals      8
Depots               17
Total                440

Checking a 5,000-movement list takes only 3 minutes (4 hours before having this tool)
ACIO in Seaports
ACIO tackled business processes, looking at usability and AC effectiveness:
• Authorized workers access control
• Freight operations communications access control
• Freight transport access control
• Outsourced workers and visitors access control
• Port authority activity awareness
• Passengers access control
Registration
Identification
Authentication
Authorization
Accounting
Auditing
...looking at usability and AC effectiveness
Isolation-derived usability lacks

Stage           Current lack
Registration    Repetitive and heavy trust building process
Identification  No fluency and no mobility
Authentication  Multiple credentials and checking points
Authorization   Slow control and no context consideration
Accounting      Handmade incomplete tracking
Auditing        Poor compliance evidence
Effectiveness and usability gains

Stage           Current lack                                  ACIO gain
Registration    Repetitive and heavy trust building process   Once-only agile process
Identification  No fluency and no mobility                    Multifactor, unified and mobile
Authentication  Multiple credentials and checking points      Cross-domain single sign-on
Authorization   Slow control and no context consideration     Transparent context-based dynamic policy decision making
Accounting      Handmade incomplete tracking                  Complete traceability and awareness
Auditing        Poor compliance evidence                      Automated governance and compliance evidence
ACIO access control mechanisms will open opportunities for mobility and scalable cloud solutions, allowing:
1) In-motion people identification
2) Multiple device identification (smartphones, smart cards, etc.): multifactor, multi-mode
3) Dynamic adjustment of the security level to the particular conditions of each situation
4) Integration of other verification mechanisms and measurements, such as geolocation
5) Usability enhancement (e.g. SSO for users and services, agile registration, flexible manageability, right accountability, awareness and deviation detection)
Perimeter physical access control:
• Identification: driver, smartphone, vehicle, container
• Operation checker as a service
• Notifications and reactions: open fencing, registering process, etc.
On the way: location monitoring and fencing
Terminal physical access control:
• Identification: driver, smartphone, vehicle, container
• Operation checker as a service
• Internal notifications and reactions: lane/area conduction, etc.
Terminal logical access control:
• Identification: driver, smartphone, etc.
• Terminal info AC policy decision as a service
• Internal notifications and reactions: accounting, etc.
Per-domain user registration and identity profile provisioning
Per-domain AC policy edition
Port Authority AC monitoring:
• Activity accounting report
• Forensic analysis capabilities
• Anomalous activity detection
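The accounting and monitoring capabilities listed for the Port Authority (activity accounting report, forensic analysis, anomalous activity detection) can be shown as detection logic run over the enforcement records that the accounting stage produces. The following Python is an added example written for this page, not ACIO code: the log lines, the gate and area names, the inter-gate road distances and the speed threshold are all constructed for the illustration. It tracks which subjects are inside which area and flags three patterns the deck's traceability goal is meant to expose: an entry repeated without an exit (a cloned credential or a tailgating vehicle), an exit from an area the system never saw the subject enter (the uncontrolled copilot-seat case), and travel between two gates faster than a vehicle could plausibly drive.

```python
"""Anomaly detection over access-control accounting records: who is inside which
area, entries repeated without an exit, exits with no matching entry, and travel
between two gates faster than a vehicle could plausibly drive.
Added example with a constructed log; gate names and distances are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed accounting records: timestamp, subject, gate, direction, vehicle.
SAMPLE_LOG = """\
2016-04-04T07:58:10Z,driver:ES-12345678A,PERIMETER-N,in,V-1234-ABC
2016-04-04T08:03:42Z,driver:ES-12345678A,T1-GATE,in,V-1234-ABC
2016-04-04T08:04:05Z,driver:ES-12345678A,T1-GATE,in,V-1234-ABC
2016-04-04T08:05:30Z,driver:ES-99999999Z,T1-GATE,in,V-9999-ZZZ
2016-04-04T08:07:00Z,driver:ES-99999999Z,PERIMETER-S,out,V-9999-ZZZ
2016-04-04T09:40:15Z,driver:ES-12345678A,T1-GATE,out,V-1234-ABC
2016-04-04T09:45:02Z,driver:ES-12345678A,PERIMETER-N,out,V-1234-ABC
"""

# Gates belong to areas: both perimeter gates bound the port, T1-GATE bounds terminal T1.
GATE_AREA = {"PERIMETER-N": "port", "PERIMETER-S": "port", "T1-GATE": "T1"}
# Road distance between gates in metres (constructed).
GATE_DISTANCE_M = {
    frozenset({"PERIMETER-N", "T1-GATE"}): 1800,
    frozenset({"PERIMETER-S", "T1-GATE"}): 4500,
    frozenset({"PERIMETER-N", "PERIMETER-S"}): 6000,
}
MAX_SPEED_MPS = 20.0   # about 70 km/h, above what is plausible on port roads (assumed)


def parse_log(text):
    """Parse the CSV records and sort them by time so the state machine sees them in order."""
    events = []
    for line in text.strip().splitlines():
        ts, subject, gate, direction, vehicle = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "subject": subject,
                       "gate": gate, "direction": direction, "vehicle": vehicle})
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(events):
    """Return (findings, still_inside); each finding is a tuple whose first item is the anomaly kind."""
    findings = []
    last = {}                  # subject -> previous event seen for that subject
    inside = defaultdict(set)  # area -> subjects currently inside it
    for e in events:
        s, area = e["subject"], GATE_AREA[e["gate"]]
        prev = last.get(s)
        if prev and prev["gate"] != e["gate"]:
            dist = GATE_DISTANCE_M.get(frozenset({prev["gate"], e["gate"]}))
            dt = (e["ts"] - prev["ts"]).total_seconds()
            if dist is not None and dt > 0 and dist / dt > MAX_SPEED_MPS:
                findings.append(("impossible_travel", s, prev["gate"], e["gate"], round(dist / dt, 1)))
        if e["direction"] == "in":
            if s in inside[area]:      # entered again without ever leaving: cloned credential or tailgating
                findings.append(("double_entry", s, area, e["ts"].isoformat()))
            inside[area].add(s)
        else:
            if s not in inside[area]:  # leaving an area the system never saw the subject enter
                findings.append(("exit_without_entry", s, area, e["ts"].isoformat()))
            inside[area].discard(s)
        last[s] = e
    return findings, {a: sorted(v) for a, v in inside.items() if v}


if __name__ == "__main__":
    found, remaining = detect_anomalies(parse_log(SAMPLE_LOG))
    for f in found:
        print(*f)
    print("still inside:", remaining)
```

On the constructed log the second driver is flagged twice (terminal-to-perimeter travel at 50 m/s, then leaving the port without a recorded perimeter entry) and is still listed as inside terminal T1 at the end of the day; this is the kind of record an activity accounting report or a forensic query would surface.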
ACIO Solution blocks
• ACIO in-motion Identification System
• Authorization System
• Enforcement System
• Contextual Information System
• GeoLocation System
• Data analysis
Physical and logical integration
ACIO Solution deployment scenario
ACIO Solution modular deployment in several domains
One domain deploys: ACIO in-motion Identification System, Enforcement System, GeoLocation System, Contextual Information System, Authorization System, Data Analysis
Another domain deploys: ACIO in-motion Identification System, Enforcement System, Authorization System, Contextual Information System
Expected Results (I)
Technologically innovative security systems whose main objective is controlling access to the port, both for vehicles and people, while providing fluency in transits.
An advanced system for port infrastructure management, as well as for the port's own business, providing integration, high efficiency and process reliability for the various actors involved in its exploitation.
Communications that allow interaction between different systems, providing them with protection mechanisms against undesirable intrusions.
Expected Results (II)
ACIO will create collaborative environments, unifying the management of operations in exceptional situations and improving usability from the point of view of both the end user and security.
Results will be focused on the logistics and transport sector, and particularly on the management of critical port infrastructures. However, these results will also be extrapolated to other sectors.
ACIO will optimize the control of access to resources and services by including Access Control Services in the cloud.
Competitive advantage
ACIO goes beyond the state of the art:
1. In-motion identification technology.
2. Extending the XACML 3.0 architecture to collaborative, multi-domain, federated sources of policy information points (PIP).
3. Segmenting and federating the XACML policy administration point (PAP).
4. Deriving XACML obligation execution connections.
5. Alternating RBAC and CapBAC models.
6. Behavioural activity learning.
ACIO adopts, tries and stresses standards and good practices:
1. Big data approach for the data analysis process
2. Enabling both SAML and OAuth2 authentication
3. Identity provisioning support
4. Based on the IoT-enabling Advanced Message Queuing Protocol (AMQP)
5. HTTP light technologies: REST/JSON
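The perimeter and terminal flows described earlier (identification of driver, smartphone, vehicle and container; a policy decision offered as a service; notifications and reactions returned to the enforcer) and the XACML items in the list above (federated PIPs, obligations, context-based dynamic decisions) can be illustrated with a small policy decision point. The following Python is an added example written for this page, not ACIO code: the per-domain PIP tables, the driver, vehicle and container identifiers, the gate coordinates, the geofence radius and the rule that maps the ISPS security level to a required number of authentication factors are all constructed assumptions. The enforcer (PEP) sends an attribute-based request, the decision point pulls attributes from one PIP per information provider, and a Permit carries XACML-style obligations (open the barrier, record the transit) that the enforcer must execute.

```python
"""Context-aware access decision for a port gate in the XACML style: the enforcer
(PEP) sends an attribute-based request, the decision point (PDP) pulls attributes
from one PIP per domain, and the decision carries obligations for the PEP.
Added example; every table and rule below is a constructed assumption."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# --- Policy Information Points, one per information provider (constructed data).
TRANSPORT_COMPANY_PIP = {                     # transport company: drivers and their factors
    "driver:ES-12345678A": {"company": "TransValencia SL", "dangerous_goods_authorized": True,
                            "factors": {"smartcard", "smartphone"}},
    "driver:ES-87654321B": {"company": "TransValencia SL", "dangerous_goods_authorized": False,
                            "factors": {"smartcard"}},
}
LOGISTICS_OPERATOR_PIP = {                    # logistic operator: containers and bookings
    "MSCU1234567": {"terminal": "T1", "dangerous_goods": False},
    "TGHU7654321": {"terminal": "T1", "dangerous_goods": True},
}
TERMINAL_PIP = {                              # terminal: the authorizer for its sub-area
    "T1": {"gate": (39.4444, -0.3211), "geofence_m": 300},
}
PORT_AUTHORITY_PIP = {"isps_level": 1}        # port authority: current ISPS security level


@dataclass
class AccessRequest:
    subject: str            # driver identity read by the in-motion identification system
    vehicle: str
    container: str
    factors_presented: set  # factors actually verified at the gate
    location: tuple         # (lat, lon) reported by the geolocation system
    resource: str           # terminal the vehicle wants to enter
    when: datetime


@dataclass
class Decision:
    effect: str                                      # "Permit" or "Deny"
    reasons: list = field(default_factory=list)
    obligations: list = field(default_factory=list)  # actions the PEP must carry out


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6_371_000 * asin(sqrt(h))


def required_factors(isps_level, dangerous_goods):
    """Dynamic security level: a second factor once ISPS level or cargo risk rises (assumed rule)."""
    return 2 if isps_level >= 2 or dangerous_goods else 1


def decide(req, isps_level=None):
    """Evaluate the request: the first failing rule denies; all rules passing permits with obligations."""
    isps = PORT_AUTHORITY_PIP["isps_level"] if isps_level is None else isps_level
    d = Decision("Deny")
    driver = TRANSPORT_COMPANY_PIP.get(req.subject)
    cargo = LOGISTICS_OPERATOR_PIP.get(req.container)
    terminal = TERMINAL_PIP.get(req.resource)
    if driver is None:
        d.reasons.append("driver not registered by any transport company")
        return d
    if terminal is None or cargo is None or cargo["terminal"] != req.resource:
        d.reasons.append("container not booked for this terminal")
        return d
    if cargo["dangerous_goods"] and not driver["dangerous_goods_authorized"]:
        d.reasons.append("dangerous goods require an authorized driver")
        return d
    need = required_factors(isps, cargo["dangerous_goods"])
    have = req.factors_presented & driver["factors"]   # only factors the company registered count
    if len(have) < need:
        d.reasons.append(f"{need} factor(s) required at ISPS level {isps}, {len(have)} verified")
        return d
    if haversine_m(req.location, terminal["gate"]) > terminal["geofence_m"]:
        d.reasons.append("vehicle outside the gate geofence")
        return d
    d.effect = "Permit"
    d.obligations = [                     # obligations returned with the decision, executed by the PEP
        {"action": "open_barrier", "gate": req.resource},
        {"action": "record", "who": req.subject, "vehicle": req.vehicle, "container": req.container,
         "at": req.when.isoformat(), "factors": sorted(have)},
    ]
    return d


def sample_request(**overrides):
    """Constructed baseline request; keyword overrides replace individual attributes."""
    base = dict(subject="driver:ES-12345678A", vehicle="V-1234-ABC", container="MSCU1234567",
                factors_presented={"smartcard"}, location=(39.4450, -0.3215), resource="T1",
                when=datetime(2016, 4, 4, 8, 0, tzinfo=timezone.utc))
    base.update(overrides)
    return AccessRequest(**base)


if __name__ == "__main__":
    for level in (1, 3):   # same vehicle, same single factor: permitted at level 1, denied at level 3
        print("ISPS", level, decide(sample_request(), isps_level=level))
```

The same request with one verified factor is permitted at ISPS level 1 and denied at level 3, which is the "dynamic adjustment of the security level" from the mechanisms list; a dangerous-goods booking raises the requirement regardless of level, and the geofence check rejects a credential presented far from the gate it is meant to open. Each Deny carries its reason, so the record obligation and the denial reasons together give the auditing stage the compliance evidence the deck asks for.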
Expected impact: innovation and benefits
Innovations:
• In-motion identification
• Multifactor authentication
• Centralized, dynamic and holistic AC-related decision making system
• Smart enforcers
• Multi-domain context integration in AC decisions
• Real-time sensor integration in AC decisions
• Activity tracking and processing
• Cloud-oriented architecture
Benefits:
• Tight enforcement
• Usability and fluency
• Policy manageability
• Awareness
• Anomaly detection
• Auditability
• Forensic analysis