
Publication


Featured research published by Jorge Bernal Bernabé.


Future Generation Computer Systems | 2014

Semantic-aware multi-tenancy authorization system for cloud architectures

Jorge Bernal Bernabé; Juan M. Perez; Jose M. Alcaraz Calero; Félix J. García Clemente; Gregorio Martínez Pérez; Antonio F. Gómez Skarmeta

Cloud computing is an emerging paradigm to offer on-demand IT services to customers. The access control to resources located in the cloud is one of the critical aspects to enable business to shift into the cloud. Some recent works provide access control models suitable for the cloud; however there are important shortages that need to be addressed in this field. This work presents a step forward in the state-of-the-art of access control for cloud computing. We describe a high expressive authorization model that enables the management of advanced features such as role-based access control (RBAC), hierarchical RBAC (hRBAC), conditional RBAC (cRBAC) and hierarchical objects (HO). The access control model takes advantage of the logic formalism provided by the Semantic Web technologies to describe both the underlying infrastructure and the authorization model, as well as the rules employed to protect the access to resources in the cloud. The access control model has been specially designed taking into account the multi-tenancy nature of this kind of environment. Moreover, a trust model that allows a fine-grained definition of what information is available for each particular tenant has been described. This enables the establishment of business alliances among cloud tenants resulting in federation and coalition agreements. The proposed model has been validated by means of a proof of concept implementation of the access control system for OpenStack with promising performance results.


Journal of Computer and System Sciences | 2015

SAFIR: Secure access framework for IoT-enabled services on smart buildings

José L. Hernández-Ramos; M. Victoria Moreno; Jorge Bernal Bernabé; Dan García Carrillo; Antonio F. Skarmeta

Recent advances on ubiquitous computing and communication technologies are enabling a seamless integration of smart devices in the Internet infrastructure, promoting a new generation of innovative and valuable services for people. Nevertheless, the potential of this resulting ecosystem may be threatened if security and privacy concerns are not properly addressed. In this work, we propose an ARM-compliant IoT security framework and its application on smart buildings scenarios, integrating contextual data as fundamental component in order to drive the building management and security behavior of indoor services accordingly. This framework is instantiated on a holistic platform called City explorer, which is extended with discovery and security mechanisms. Such platform has been validated in a reference smart building, where reasonable results of energy savings, services discovery and authorization are achieved.


Data and Knowledge Engineering | 2010

Editorial: Detection of semantic conflicts in ontology and rule-based information systems

Jose M. Alcaraz Calero; Juan M. Perez; Jorge Bernal Bernabé; Félix J. García Clemente; Gregorio Martínez Pérez; Antonio F. Gómez Skarmeta

Nowadays, managers of information systems use ontologies and rules as a powerful tool to express the desired behaviour for the system. However, the use of rules may lead to conflicting situations where the antecedent of two or more rules is fulfilled, but their consequent is indicating contradictory facts or actions. These conflicts can be categorised in two different groups, modality and semantic conflicts, depending on whether the inconsistency is owing to the rule language expressiveness or due to the nature of the actions. While there exist certain proposals to detect and solve modality conflicts, the problem becomes more complex with semantic ones. Additionally, current techniques to detect semantic conflicts are usually not considering the use of standard information models. This paper provides a taxonomy of semantic conflicts, analyses the main features of each of them and provides an OWL/SWRL modelling for certain realistic scenarios related with information systems. It also describes different conflict detection techniques that can be applied to semantic conflicts and their pros and cons. Finally, this paper provides a comparison of these techniques based on performance measurements taken in a realistic scenario and suggests a better approach. This approach is then used in other scenarios related with information systems and where different types of semantic conflicts may appear.


Future Generation Computer Systems | 2011

Semantic-based authorization architecture for Grid

Juan M. Perez; Jorge Bernal Bernabé; Jose M. Alcaraz Calero; Félix J. García Clemente; Gregorio Martínez Pérez; Antonio F. Gómez Skarmeta

There are a few issues that still need to be covered regarding security in the Grid area. One of them is authorization where there exist good solutions to define, manage and enforce authorization policies in Grid scenarios. However, these solutions usually do not provide Grid administrators with semantic-aware components closer to the particular Grid domain and easing different administration tasks such as conflict detection or resolution. This paper defines a proposal based on Semantic Web to define, manage and enforce security policies in a Grid scenario. These policies are defined by means of semantic-aware rules which help the administrator to create higher-level definitions with more expressiveness. These rules also permit performing added-value tasks such as conflict detection and resolution, which can be of interest in medium and large scale scenarios where different administrators define the authorization rules that should be followed before accessing a resource in the Grid. The proposed solution has been also tested providing some reasonable response times in the authorization decision process.


Ubiquitous Computing | 2014

Privacy-Preserving Security Framework for a Social-Aware Internet of Things

Jorge Bernal Bernabé; José Luis Hernández Hernández; M. Victoria Moreno; Antonio Gómez

As smart objects are becoming part of our personal space, the new associated services must tackle both the inherent requirements of IoT and the needs of citizens using such services. Security, trust and privacy concerns are the cornerstone requirements of a social Internet of Things, where users want to share and obtain information in a huge opportunistic environment of connected devices and services. The paper presents an IoT security framework, being devised in the scope of SOCIOTAL EU project, which is based on the Architecture Reference Model (ARM) of IoT-A EU project. The framework extends the traditional ARM, putting strong emphasis on security, trust and privacy concerns in order to cope with the more opportunistic and secure sharing models required in social-aware IoT scenarios, where users can dynamically set up communities and bubbles of devices and users.


Sensors | 2015

Preserving Smart Objects Privacy through Anonymous and Accountable Access Control for a M2M-Enabled Internet of Things

José L. Hernández-Ramos; Jorge Bernal Bernabé; M. Moreno; Antonio F. Gómez Skarmeta

As we get into the Internet of Things era, security and privacy concerns remain as the main obstacles in the development of innovative and valuable services to be exploited by society. Given the Machine-to-Machine (M2M) nature of these emerging scenarios, the application of current privacy-friendly technologies needs to be reconsidered and adapted to be deployed in such global ecosystem. This work proposes different privacy-preserving mechanisms through the application of anonymous credential systems and certificateless public key cryptography. The resulting alternatives are intended to enable an anonymous and accountable access control approach to be deployed on large-scale scenarios, such as Smart Cities. Furthermore, the proposed mechanisms have been deployed on constrained devices, in order to assess their suitability for a secure and privacy-preserving M2M-enabled Internet of Things.


IEEE Communications Magazine | 2016

ARMY: architecture for a secure and privacy-aware lifecycle of smart objects in the internet of my things

José L. Hernández-Ramos; Jorge Bernal Bernabé; Antonio Skarmeta Skarmeta

The emergence of the Internet of Things paradigm promises a multi-disciplinary revolution covering different spheres of our daily lives. However, the ubiquitous nature of IoT requires inclusive approaches in order to agree on a common understanding about its implications. Particularly, in order to unlock its huge potential and maximize its benefits, it is necessary to minimize the risks that are associated with security and privacy concerns. In this work, we propose a comprehensive architectural design to capture the main security and privacy requirements during the lifecycle of a smart object. The resulting architecture has been designed, instantiated, and implemented within the scope of different European IoT initiatives, in order to promote the design and development of secure and privacy-aware IoT-enabled services.


The Journal of Supercomputing | 2014

Taxonomy of trust relationships in authorization domains for cloud computing

Juan M. Perez; Jorge Bernal Bernabé; Jose M. Alcaraz Calero; Félix J. García Clemente; Gregorio Martínez Pérez; Antonio F. Gómez Skarmeta

Cloud computing is revealing a new scenario where different cloud customers need to collaborate to meet client demands. The cloud stack must be able to support this situation by enabling collaborative agreements between cloud customers. However, these collaborations entail new security risks since participating entities should trust each other to share a set of resources. The management of trust relationships in the cloud is gaining importance as a key element to establish a secure environment where entities are given full control in the definition of which particular services or resources they are willing to share. Entities can cooperate at different levels of trust, according to their willingness of sharing information. This paper analyses these collaboration agreements defining a taxonomy of different levels of trust relationships among customers for the cloud. Privacy concerns, assumed risk, as well as easiness in the definition of the trust relationships have been taken into account. A set of different trust relationships have been identified and modeled, enabling entities to control the information they share with others in the cloud. The proposed model has been validated with a prototypical implementation. Likewise, some examples to illustrate the application of these trust models to common cloud collaboration scenarios are provided.


Computers & Security | 2013

Analyzing the security of Windows 7 and Linux for cloud computing

Khaled Salah; Jose M. Alcaraz Calero; Jorge Bernal Bernabé; Juan M. Perez; Sherali Zeadally

We review and analyze the major security features and concerns in deploying modern commodity operating systems such as Windows 7 and Linux 2.6.38 in a cloud computing environment. We identify the security weaknesses and open challenges of these two operating systems when deployed in the cloud environment. In particular, we examine and compare various operating system security features which are critical in providing a secure cloud. These security features include authentication, authorization and access control, physical memory protection, privacy and encryption of stored data, network access and firewalling capabilities, and virtual memory.


Mobile Information Systems | 2017

Holistic Privacy-Preserving Identity Management System for the Internet of Things

Jorge Bernal Bernabé; José L. Hernández-Ramos; Antonio Gómez

Security and privacy concerns are becoming an important barrier for large scale adoption and deployment of the Internet of Things. To address this issue, the identity management system defined herein provides a novel holistic and privacy-preserving solution aiming to cope with heterogeneous scenarios that require both traditional online access control and authentication, along with a claim-based approach for M2M (machine to machine) interactions required in IoT. It combines a cryptographic approach for claim-based authentication using the Idemix anonymous credential system, together with classic IdM mechanisms by relying on the FIWARE IdM (Keyrock). This symbiosis endows the IdM system with advanced features such as privacy-preserving, minimal disclosure, zero-knowledge proofs, unlinkability, confidentiality, pseudonymity, strong authentication, user consent, and offline M2M transactions. The IdM system has been specially tailored for the Internet of Things bearing in mind the management of both users’ and smart objects’ identity. Moreover, the IdM system has been successfully implemented, deployed, and tested in the scope of SocIoTal European research project.
