Monday, April 30, 2007

PhD Presentation - Reloaded

Last week I was together with my colleagues from the institute, our professors and also the PhD students of Prof. Stiller in Sonthofen, Germany, where we have our yearly doctoral retreat.

On this occasion I presented the current status of my PhD thesis. I uploaded the presentation here.

I always appreciate feedback!!!

Monday, February 05, 2007

PhD Presentation

On Friday I gave a presentation about my PhD thesis at the university.

The presentation looks cool, you can find it here. Unfortunately there are still things to do ...

---
Neubiberg, UniBW

Tuesday, December 19, 2006

OWS4 is over! Long live my vacation!

At the beginning of December I was in New Jersey for the demonstration event of the OWS4 project. This weekend I finally finished recording our implementation in this project. The movie can be found here.

There is also a website documenting what we implemented in this project: http://iisdemo.informatik.unibw-muenchen.de/ows4/


---
Written from at home / Munich / while trying to get over the jet lag

GITA Conference 2007

Next year at the beginning of March, I will be organizing a 4 hour seminar that will be part of the 30th Annual GITA Conference (Thank You GITA! for asking me to organize it). The seminar is entitled "Security for GeoWeb Services: From Problem Statement to Implementation". Please check the website! I'm really enthusiastic about it; I'm definitely sure that it will be a good one!

Yesterday I finished an overview of the tutorial and thought it might be a good idea to post this here. I'm really happy with how it came out. Do feel free to give me feedback on this!


--------------------------------------------------------

Introduction

When it comes to security, a lot of people have misconceptions about it. For example, a popular one is that the only goal of computer security is secrecy – keeping the names of the secret agents away from the enemy. In the case of Web services, the emphasis is on sharing and interoperability – which is the exact opposite of secrecy. So, how can this be? Is it actually possible to have secure Web services?

Security in different flavors

The tutorial starts by introducing the different aspects of security: computer security, communications security and physical security. In a Service Oriented world, communications security is important, and this is the type of security that this tutorial focuses on. Because it happens too often that people think security and access control are one and the same, we continue by presenting the different challenges that security has to deal with: (1) Authentication – Who is the user?, (2) Authorization (also known as Access Control) – What is the user allowed to do?, (3) Integrity – Ensuring that exchanged data is not altered while in transit, (4) Confidentiality – Ensuring that data is not eavesdropped upon while in transit, (5) Non-Repudiation – Ensuring that a transferred message has been sent / received by the parties claiming to have sent / received the message. Furthermore, in some cases a successful security implementation also needs to deal with the following issues: Identity Management, Delegation, Privacy, Availability and Accounting.

To illustrate all these problems and show how they relate to the geospatial world and geospatial Web services, we developed a scenario (see fig. 1) which is based on real-world applications. In this scenario we introduce four businesses offering services to two clients. The businesses are: a Surveying Agency offering base maps (for profit), an Environment Protection Agency serving different ecological maps (for free), an Electricity Company serving maps of its cable network and a Cadastre Agency serving cadastre information. There are two clients: the (Dumb) Citizen, who has different needs and requires data from the first three businesses, and a Public Notary, who requires data from the Cadastre Agency. As will be seen, there are different security requirements for each of the businesses, driven by various factors such as business model, legislation, etc.

Fig. 1 – Scenario inspired from real-world applications

Security and the existing IT standards & technologies

The second part of the tutorial will focus on more technical aspects and will show how the existing mainstream solutions from the general IT industry can be used to meet some of the requirements identified in the first part of our tutorial. For this part we will focus on securing the Web services specified by the Open Geospatial Consortium (such as WMS, WFS, WCS, CSW, etc.).

The starting point for this part of the tutorial is the observation that in many respects geospatial Web services are just like other Web services, and therefore security technologies and standards from organizations such as W3C, IETF and OASIS that are used in the broader IT industry can be successfully applied to the geospatial world. Although there are plenty of standards to choose from, sometimes it is not possible to simply use an existing standard as is. In order to accommodate the geospatial dimension, existing standards sometimes need to be extended / profiled. We will show existing approaches for this.

As a guide to securing geospatial Web services, we will use the OSI stack (see fig. 2). We will start from the Physical Layer and go all the way up to the Application Layer and SOAP messaging, showing how existing protocols can be leveraged to fulfill security requirements without modifying the protocols specified by the OGC. The following technologies will be shown in practice: SSL/TLS, VPN, Firewalls, HTTP Authentication, Cookies, SOAP and WS-Security, XML Encryption, XML Digital Signature, SAML, XACML / GeoXACML. For each of the presented technologies we will explain which of the requirements identified in the first part it addresses and which of the four businesses from our scenario can make use of it.
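The requirement list from the first part (integrity, authentication, non-repudiation) and the technology list above are easy to blur together, so here is an added example, written for this post and not part of the tutorial material, that makes one distinction concrete: a keyed MAC gives integrity and authentication between two parties that share a key, while only a public-key signature (the mechanism behind XML Digital Signature and WS-Security tokens) gives non-repudiation, because the service could have produced a MAC itself. The request line, the shared key and the Ed25519 key pair are all constructed for the demo; the WFS request is a plausible sample, not a capture from the OWS-4 work.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample request a client might send to a Web Feature Service.
const SampleRequest = "GET /wfs?SERVICE=WFS&REQUEST=GetFeature&TYPENAME=cadastre:parcels HTTP/1.1"

// The same request with the feature type changed, to show that both
// mechanisms detect modification in transit (the Integrity requirement).
const TamperedRequest = "GET /wfs?SERVICE=WFS&REQUEST=GetFeature&TYPENAME=cadastre:owners HTTP/1.1"

// MacTag computes HMAC-SHA256 over msg with a key shared by client and service.
// It proves the message is intact and that the sender knew the key, but the
// service holds that key too, so it cannot prove to a third party who sent it.
func MacTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// MacVerify recomputes the tag and compares it in constant time.
func MacVerify(key, msg, tag []byte) bool {
	return hmac.Equal(MacTag(key, msg), tag)
}

// SignMessage produces an Ed25519 signature with the sender's private key.
// Anyone holding the public key can check it, and only the private-key holder
// could have produced it, which is what Non-Repudiation requires.
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifySignature checks sig over msg against the sender's public key.
func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Result records which checks pass for the intact and the tampered request.
type Result struct {
	MacIntact, MacTampered bool // shared-key MAC
	SigIntact, SigTampered bool // public-key signature
	SigWrongKey            bool // signature checked against another party's key
}

// Demo runs both mechanisms over the constructed request and returns the outcome.
func Demo() (Result, error) {
	var r Result
	sharedKey := []byte("constructed-shared-key-for-demo") // assumption: exchanged out of band
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader) // a different party's key pair
	if err != nil {
		return r, err
	}
	msg := []byte(SampleRequest)
	tampered := []byte(TamperedRequest)

	tag := MacTag(sharedKey, msg)
	r.MacIntact = MacVerify(sharedKey, msg, tag)
	r.MacTampered = MacVerify(sharedKey, tampered, tag)

	sig := SignMessage(priv, msg)
	r.SigIntact = VerifySignature(pub, msg, sig)
	r.SigTampered = VerifySignature(pub, tampered, sig)
	r.SigWrongKey = VerifySignature(otherPub, msg, sig)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("MAC: intact=%v tampered=%v (both parties hold the key: no non-repudiation)\n", r.MacIntact, r.MacTampered)
	fmt.Printf("Signature: intact=%v tampered=%v wrongKey=%v (only the signer could have produced it)\n", r.SigIntact, r.SigTampered, r.SigWrongKey)
}
```

The point for the scenario: the Public Notary's transactions against the Cadastre Agency are the case where a signature, not a MAC, is needed, because the agency must later be able to show a third party that the notary, and nobody else, submitted the request.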

Figure 2 – The OSI Protocol Stack

Figure 3 – Security Standards: Plenty to choose from!

Security and the OGC

Within the OGC, security was not an issue until April 2004, when the GeoDRM (Geospatial Digital Rights Management) Working Group was formed. The main achievement of the group is the “Geospatial Digital Rights Management Reference Model (GeoDRM-RM)”, which currently awaits approval to become an OGC Abstract Specification in early 2007. It lays the groundwork for the upcoming activities of the group, which will focus on Implementation Specifications.

While maturing the concepts behind the GeoDRM-RM, it was realized that it is essential to have a strong security system in place that supports the DRM system. So, in June 2006 the Security Working Group was formed. The mission of the WG is to provide a security system for the OGC Reference Architecture, including support for the DRM system, by using existing standards wherever possible.

To support the GeoDRM-RM, two different OGC Web Services Initiatives have been completed: in OWS-3 (2005), the objective was to develop a click-through mechanism for OGC Web Services. Following this initiative, OWS-4 (finished in December 2006) focused on a variety of aspects, from license negotiation to using End-User Licenses for performing transactions on a Web Feature Service in order to manipulate stored features.

Both initiatives completed their mission under the motto “change OGC specifications as little as possible” and used existing (IT) standards wherever possible. Many of the standards described in the second section of the tutorial (WS-Security, WS-Trust, WS-Policy, SAML, XACML) have been used to enhance OGC services with authentication and authorization.

Conclusions

This seminar will introduce the subject of security on the Web including spatial data infrastructure, security requirements for geospatial Web services, communications security and standards, data integrity, and confidentiality. Many facets of the behind-the-scenes activities that exist and function on the Web will be examined. This presentation will take this potentially technical and complex arena and demystify and describe it for all audience levels. Participants will come away with a newfound understanding and an increased comfort level of using Web-based applications.

OGC Newsletter

In the OGC Newsletter for this month, one of my posts is mentioned! Cool!

Trusted Geoservices IPR

I came back from the OGC meeting in San Diego this weekend. Even though this is my third night in Munich, I'm still having difficulties adjusting to the time zone. Yesterday I tried counting sheep and it did not work out, today I'll try to do things I always forget doing (as for example posting my latest presentations on my blog).

Here is the link for it. The presentation describes an Interoperability Program Report (I'm the editor of this document): Trusted Geoservices IPR.

Friday, December 08, 2006

Authentication for OGC Web Services

Next week the OGC's Technical Committee Meeting will be held in San Diego, California. I'm really looking forward to the nice warm weather there. I will be making two presentations next week, so I just thought it might be nice to post them.

The slides for the presentation I'll be giving on Monday morning within the Security Working Group can be found here. I'm always happy about feedback, so don't be shy! The presentation is entitled "Authentication for OGC Web Services" and presents the results of the OGC Web Services Testbed 4.

I'll also be presenting within the GeoDRM Working Group meeting on Wednesday. The slides for this presentation will follow (once I'm ready with them).

---
Written from Jersey City / USA

Sunday, November 05, 2006

Trend Analysis INTERGEO 2006

At the beginning of October, Munich hosted this year's INTERGEO fair (see www.intergeo.de). This is probably the most important fair in Germany where technologies related to the geospatial world are presented. I visited the fair and I was asked to write a "trend analysis" for security (I wrote a similar one last year together with my colleague Andreas). Since I spent a couple of hours writing it I thought this is an interesting thing to post. Please feel free to give me feedback!

-----

In recent years security has grown in importance, and this can be seen in both the general IT industry and the geospatial industry. The first is demonstrated by the fact that the SYSTEMS fair, which shortly followed INTERGEO at the Fair Center Munich (23-27 October), dedicated one of its six exhibition halls to security. The latter can be seen in the increase in security-related activities within the Open Geospatial Consortium: in May this year the OGC published for review and comments the GeoDRM Abstract Model, which is meant to provide guidance for further Digital Rights Management implementations; the Abstract Model has been approved and will be published as a new topic in the OGC abstract specification. Furthermore, at the OGC Meeting in June in Edinburgh two new working groups were created: the Security Working Group, which will address issues such as Authentication, Authorization, Digital Signature and Encryption, and the Ordering Working Group, which will focus on the more business-related aspects. Finally, this year one of the 7 threads of the OWS4 initiative (OGC Web Services Test Bed 4) is GeoDRM, where several participants are working together to address issues such as authentication, authorization and licensing.

As part of the trend analysis we interviewed both product development companies and data providers. The following five questions were asked: Is security of Geospatial Applications an important aspect for your company? Which security aspects do you think are important? Are you already using / developing products that implement security features? Do you have any future plans for this? Do you think that security is more important this year than it was in the past?

To the first question most of the interviewed persons answered that security is of medium importance for their company. To the second question a lot of the interviewed persons answered yes. However, as in the previous year, the lack of security standards in the geospatial industry was noticeable. Because little guidance is available on how security should be applied to geospatial applications, most of the interviewed companies said that they use either Intranet applications or Portal solutions, where interoperability at the security layer is not a requirement. Furthermore, there were companies that presented security solutions for services; however, these services showed no interoperability with one another. When asked about the future, the answers varied: some of the interviewed persons expect more guidance from standards organizations such as OGC, so that issues such as authentication, authorization and digital signature can be addressed in an interoperable way; others hope that non-technical aspects such as pricing models will evolve in the future; while others were simply hoping that security would not be too much of an overhead for their company.

To summarize, security has gained more ground in the geospatial world, but this is still just the beginning. There is still a long way to go until security will be ubiquitous. And, to cite one of the interviewed persons, we should not forget that security is only one of the many requirements that customers have, and therefore it should be neither expensive to implement nor complicated to use / deploy.

First Post

This is my first posting. I intend to express some of my personal opinions and some of my own thoughts in this blog. I will probably post more things related to technology, but who knows, maybe I'll be in the mood of writing about something else.