
Description

The goal of KIARA is to provide a “Middleware for efficient and QoS/Security-aware invocation of services and exchange of messages” for the FI-PPP program and beyond. KIARA builds on top of RTI-DDS from RTI, a well-established, proven and high-performance product, and combines it with innovative research results to provide an advanced middleware layer that targets the specific requirements of the Future Internet.

Functionality

(a) KIARA provides radical improvements in performance and scalability not only for traditional Web services, but also for distributed applications in general, ranging from tiny devices in the Internet of Things to high-performance computing applications.
(b) KIARA improves developer productivity and greatly simplifies application integration using a simple-to-use IDL for specifying the communication contract between peers, as well as a novel API that allows applications to communicate in terms of their own data structures.
(c) KIARA dynamically and transparently selects the optimal communication mechanisms, protocols and data representations to be used between two peers, including the traditional SOAP/REST protocols but also optimized binary formats and mechanisms such as pointer forwarding, shared memory and the use of specialized network infrastructures.
(d) KIARA uses simple, high-level specifications of QoS and security requirements from the application to automatically select the best communication strategy, thus clearly separating the high-level concerns of the application/developer from the concrete and varying technical details, such as the available network and other capabilities and resources.
(e) KIARA, for the first time, uses a “Secure by Design” approach for the communication architecture, thus trying to eliminate network connections as the dominant source of security threats.

Use in services and applications

Today, it is fair to say that nearly any application depends on distributed and service-based computing of some sort. This is most apparent in the mobile and cloud computing areas but this trend is quickly affecting essentially all areas of computing.

Advantages

The baseline asset of the current FI-WARE advanced middleware release (DDS) is already well established in real-time and reliability-sensitive industries such as military, aviation and air traffic control. It provides robust (no single point of failure), efficient (minimum latency) communication and some QoS features to shape the data flow and deliver predictable results. It also supports multiple communication patterns, such as publish/subscribe, point-to-point and request/reply, for more efficient communication. Release 1 of the advanced middleware GE also contains support for RPC over DDS to provide the well-known Remote Procedure Call client/server communication in a simple and efficient way. The standardization process for RPC over DDS by the OMG is still ongoing. The final release of the GE will support more efficient dynamic data handling and additional communication transports for high-performance applications, backward compatibility with RESTful web services and advanced security features.

4.3 (Gateway) Data Handling SOL-CEP

Description

SOL/CEP is a fast, versatile Complex Event Processor, able to collect vast amounts of asynchronous events of different types and correlate them into single events, called Complex Events. It can read from and write to numerous different channels using various protocols. It is driven by a domain-specific language called “Dolce”.

Functionality

The Gateway Data Handling GE is fully integrated with the other enablers of FI-WARE, especially through the Open Mobile Alliance (OMA) Next Generation Service Interface Context Enabler (NGSI 9 / NGSI 10), a very useful and easy format to encapsulate all data and events from RFID tags, ZigBee or IETF devices, as well as from many other smart things.

Use in services and applications

In the Internet of Things, systems will have to deal with an ever-growing amount of data from hundreds and thousands of sensors and devices. Millions of readings of a heterogeneous nature, such as temperature, status or any other type of reading, have to be processed into meaningful information. The Gateway Data Handling GE is also the first stage of intelligence, transforming data into events using smart rules. Applications are now able to collect large amounts of data in real time while retaining only the relevant data, avoiding tedious, asynchronous data analysis.

Advantages

None

4.4 (Gateway) Protocol Adapter

Description

It is capable of handling ZPA (ZigBee Protocol Adapter), which enables communication with IoT devices implementing the ZigBee specification. The goal of a Gateway Protocol Adapter GE is to translate a specific protocol (in the case of ZPA, ZigBee) into a unique internal language which normalizes the different communication protocols (in the case of ZPA, the Generic Device API).

Functionality

The ZigBee specifications of the ZigBee Gateway Device, on which this implementation of the Gateway Protocol Adapter GE is based, can be found via the following link in the official ZigBee Alliance website:

http://www.zigbee.org/Standards/ZigBeeNetworkDevices/Overview.aspx

Use in services and applications

The ZPA implementation of a Gateway Protocol Adapter GE is needed when one has a ZigBee WSN (Wireless Sensor Network) to integrate into the FI-WARE ecosystem.

Advantages

It holds an official certification from ZigBee Alliance of compliance with the standard, which means that ZPA is guaranteed to interoperate with a plethora of products from more than 100 companies worldwide.

The product has been embedded into several telecom devices, including the Broadband Access Gateway and the Cubo device of Telecom Italia.

The product has been successfully tested with several chip manufacturers, including Ember, Texas and Freescale.

4.5 (Gateway) Device Management – Gateway Device Management

Description

It is the "core" part of the gateway, being the main interface towards other gateway GEs, performing basic communication capabilities towards the backend/devices, and hosting resource descriptions. It implements an HTTP REST API based on the IETF CoRE open specification for the northbound communication with the IoT backend.

Functionality

It registers all devices which are directly connected through a CoAP interface and offers a Generic Device Interface to plug in other Protocol Adapters and manage many other families of devices.

Use in services and applications

It takes the role of connecting and integrating IoT and legacy end devices towards the Internet and an IoT backend (service enablement environment).

Advantages

It provides, from an application point of view, a simple access to the relevant smart thing for the application.

5 Generic Enablers in the Security Chapter

5.1 Security Monitoring - Service Level SIEM

Description

It offers two services, which can be used independently of one another: (a) the MulVAL Attack Paths Engine; (b) the Service Level SIEM.

Functionality

The MulVAL Attack Paths Engine component is an end-to-end framework and reasoning system that conducts multi-host, multi-stage vulnerability analysis on a network. An attack graph presents a qualitative view of security discrepancies: (a) it shows what attacks are possible, but does not tell you how bad the problem is; (b) it captures the interactions among all attack possibilities in your system. The Service Level SIEM component provides extended correlation capabilities to the Security Monitoring GE, in terms of performance and adaptability, for huge amounts of incoming security events. In the context of FI-WARE this high-performance and scalable event correlation engine is built on top of an existing open source SIEM (in particular OSSIM). OSSIM is a security event monitoring system. It checks the network for latent problems, or for hints of what could turn into problems in the future.
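The two properties of an attack graph named above (it enumerates what attack paths exist, and it captures how those paths interact) are easiest to see on a toy model. The following is an added illustration written for this page in the spirit of MulVAL-style reasoning; it is not MulVAL's code or its Datalog model, and the host names, vulnerability labels and remediation costs are constructed placeholders.

```python
"""Attack-path reasoning over a small constructed host/vulnerability model.

Added illustration in the spirit of the MulVAL Attack Paths Engine described
above. It is not MulVAL's code or its Datalog model; host names, vulnerability
labels and remediation costs are constructed placeholders for the example."""
from collections import deque
from itertools import combinations

# Constructed model: an edge (src, dst, vuln) means "an attacker who already has
# a foothold on src can reach dst by exploiting vuln". Labels are placeholders,
# not real CVE identifiers.
EDGES = [
    ("internet", "web", "VULN-WEB-1"),
    ("web", "app", "VULN-APP-1"),
    ("web", "db", "VULN-DB-1"),
    ("app", "db", "VULN-DB-2"),
]

# Constructed remediation cost per vulnerability (patching effort, downtime, ...).
COST = {"VULN-WEB-1": 5, "VULN-APP-1": 2, "VULN-DB-1": 3, "VULN-DB-2": 1}


def attack_paths(edges, source, target):
    """Enumerate every simple path from source to target.

    Each path is a list of (src, vuln, dst) steps: the 'what attacks are
    possible' view of the attack graph (point (a) above)."""
    paths = []

    def walk(node, visited, path):
        if node == target:
            paths.append(list(path))
            return
        for src, dst, vuln in edges:
            if src == node and dst not in visited:
                walk(dst, visited | {dst}, path + [(src, vuln, dst)])

    walk(source, {source}, [])
    return paths


def reachable(edges, source, target, fixed):
    """Breadth-first check: can target still be reached from source once the
    vulnerabilities in `fixed` have been remediated (their edges removed)?"""
    adjacency = {}
    for src, dst, vuln in edges:
        if vuln not in fixed:
            adjacency.setdefault(src, []).append(dst)
    seen, queue = {source}, deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in adjacency.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def cheapest_remediation(edges, cost, source, target):
    """Smallest-cost set of vulnerabilities whose remediation cuts every
    attack path from source to target (point (b): because the paths interact,
    the cheapest cut is not simply 'fix the most vulnerabilities').

    Exhaustive search over subsets; fine for models of this size."""
    vulns = sorted(cost)
    best = None
    for size in range(len(vulns) + 1):
        for subset in combinations(vulns, size):
            if not reachable(edges, source, target, set(subset)):
                total = sum(cost[v] for v in subset)
                if best is None or total < best[0]:
                    best = (total, set(subset))
    return best


if __name__ == "__main__":
    for path in attack_paths(EDGES, "internet", "db"):
        print(" -> ".join("%s[%s]%s" % step for step in path))
    print("cheapest remediation:", cheapest_remediation(EDGES, COST, "internet", "db"))
```

On the constructed model there are two paths from the internet to the database; fixing the single entry-point vulnerability cuts both but costs 5, while fixing the two database-side vulnerabilities together cuts both for 4. That is the kind of cost-sensitive remediation trade-off the section on advantages below refers to.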

Use in services and applications

The MulVAL Attack Paths Engine and the Service Level SIEM (SLS) both contribute to the risk management of IT infrastructure. The MulVAL Attack Paths Engine allows you to carry out a security risk assessment and to evaluate the potential attack paths, and improves the capability to detect security breaches and the cyber-resilience of infrastructures. The SIEM allows you to raise alarms when the correlation of security events has highlighted a situation of risk (abnormal behavior, unforeseen events, malicious actions). The limitations of current SIEM (Security Information and Event Management) systems mainly concern performance and scalability, leading to the inability to process vast amounts of diverse data in a short amount of time. The next generation of SIEM solutions should overcome these performance limitations of their predecessors, allowing in this way to monitor more systems, to process more complex rules or even to correlate events at different layers. To achieve the above goals, the Service Level SIEM (SLS) included in FI-WARE incorporates a high-performance parallel correlation engine that will drastically improve the correlation capabilities of the SIEM solutions currently available in the market.
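To make concrete what "raising an alarm from the correlation of security events" means, here is an added example of a small correlation rule set run over constructed log lines. It is written for this page and is not OSSIM's or the SLS correlation engine's code; the syslog-like line layout, the host names and the addresses are constructed for the example.

```python
"""Two-stage correlation of authentication events into alarms.

Added example, not OSSIM or Service Level SIEM code. The log layout, hosts,
users and addresses below are constructed for the illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (syslog-like, simplified).
SAMPLE_LOG = """\
2014-03-01T10:00:01 host-a sshd: Failed password for admin from 10.0.0.9
2014-03-01T10:00:03 host-a sshd: Failed password for admin from 10.0.0.9
2014-03-01T10:00:04 host-b sshd: Failed password for admin from 10.0.0.9
2014-03-01T10:00:06 host-c sshd: Failed password for root from 10.0.0.9
2014-03-01T10:00:07 host-a sshd: Accepted password for admin from 10.0.0.9
2014-03-01T10:05:00 host-b sshd: Failed password for bob from 10.0.0.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log):
    """Normalise raw lines into event dicts; lines the rule set does not
    understand are skipped rather than aborting the run."""
    events = []
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if match:
            event = match.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Correlate per source address across all monitored hosts.

    Rule 1: at least `threshold` failures from one source within `window`
            (counted across hosts, so a source spraying several machines is
            not missed by a per-host counter) -> brute_force alarm.
    Rule 2: a successful login from a source that already triggered rule 1
            -> brute_force_success alarm with higher priority."""
    alarms = []
    recent = defaultdict(list)   # source -> failure events still inside the window
    flagged = set()              # sources for which rule 1 already fired
    for event in sorted(events, key=lambda e: e["ts"]):
        src = event["src"]
        if event["outcome"] == "Failed":
            recent[src] = [f for f in recent[src] if event["ts"] - f["ts"] <= window] + [event]
            if len(recent[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alarms.append({
                    "rule": "brute_force", "priority": 3, "src": src,
                    "hosts": sorted({f["host"] for f in recent[src]}),
                    "users": sorted({f["user"] for f in recent[src]}),
                    "ts": event["ts"],
                })
        elif src in flagged:
            alarms.append({
                "rule": "brute_force_success", "priority": 5, "src": src,
                "hosts": [event["host"]], "users": [event["user"]],
                "ts": event["ts"],
            })
    return alarms


if __name__ == "__main__":
    for alarm in correlate(parse(SAMPLE_LOG)):
        print(alarm["ts"].isoformat(), alarm["rule"], alarm["src"], alarm["hosts"])
```

The single failure from the second address stays below the threshold and produces nothing, which is the point of correlation: the raw events are only interesting once a rule ties them together.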

Advantages

Security Monitoring will:
(a) overcome the limitations of SIEM (Security Information and Event Management) systems, which mainly concern performance and scalability and lead to the inability to process vast amounts of diverse data in a short amount of time. The Service Level SIEM feature of the Security Monitoring GE will overcome these performance limitations of its predecessors, allowing in this way to monitor more systems, to process more complex rules or even to correlate events at different layers;
(b) not only offer unique features such as attack path computation and visualization, scoring of computed attack paths/graphs and remediation computation, but also use all these features conjointly to provide tools for proposing cost-sensitive remediations and evaluating their effects, thus supporting informed decision making. This is seen as a true competitive advantage over what is offered today, since it addresses not only risk but also impact.

5.2 Identity Management - GCP

Description

It is a fully managed Software-as-a-Service offering covering the typical identity-, customer- and contract-management functionality needed for digital services.

Functionality

The GCP uses OpenID and the OAuth protocol. The GCP allows its business customers or partners to offer their digital services to end users without having to manage technical processes such as user registration, login, customer self-care or management. The GCP is a white-label platform and can be fully adapted to the brand of the partner such that it integrates with the partner’s general customer experience. It can be integrated using standard technologies and interfaces, both on a user-interaction level and on a server-to-server communication level to enable technical integration.

Use in services and applications

The GCP covers all parts of the customer lifecycle as well as of identity management by providing both (skinnable) user interfaces and technical (back-end) interfaces. One can concentrate on the development of one's application and easily integrate an identity management system which authenticates users and authorises access to the application.

Advantages

None

5.3 Identity Management - One-IDM

Description

Identity Management encompasses a number of aspects involved with users' access to networks, services and applications, including secure and private authentication from users to devices, networks and services, Authorisation & Trust management, User Profile management, Single Sign-On (SSO) to service domains and Identity Federation towards applications.

Functionality

The Identity Manager is the central component that provides a bridge between IdM systems at connectivity-level and application-level. It also delivers a multi-tenant user and profile management solution that allows Enterprises to manage consumers of their (Web based) services in the Cloud securely. Instead of developing and operating the user and profile management by themselves, it can be hosted in the Cloud as a tenant instance and will be delivered on demand.

Use in services and applications

Identity Management is used in multiple scenarios spanning from Operator oriented scenarios towards Internet Service Providers (ISP). End users benefit from having simplified and easy access to services (User Centric Identity Management).

Advantages

There is a unique market position for Identity Management systems linking user accounts at services in the internet to identifiers of the user at the communication service provider, thus bridging the internet and the telecommunication world. In addition, the Identity Management system can serve as the platform enabling privacy for the user by restrictive handling of personal attributes according to the user’s needs.

5.4 Data Handling - PPL

Description

It mainly focuses on revealing certain attributes only under specific privacy and security conditions. It supports integrated data handling, in particular through two-sided, detailed data handling that takes into account specific preferences/policies expressed in the PPL language, which is based on XACML.

Functionality

The purpose of data usage must always be declared, as it is a relevant part of the policy that must be expressed, as must downstream usage, i.e. whether the collected data may be disclosed to third parties. The PPL language supports the enforcement of a number of obligations that are tightly bound to the data. For instance, one can impose a specific retention period, as well as the production of user notifications and/or logging under certain conditions.
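The paragraph above names four policy elements: purpose, downstream usage, a retention period, and notification/logging obligations. The following added example models how a data-handling component can match a data subject's preferences against a controller's declared policy (the two-sided handling mentioned in the description) and then enforce the obligations on each access. It is written for this page and is not the PPL engine's code; real PPL policies are XACML-based XML, whereas the dictionaries below are a constructed stand-in that only mirrors those concepts.

```python
"""Two-sided policy matching and obligation enforcement on disclosed data.

Added example, not PPL's own code. Real PPL policies are XACML-based XML; the
dict form below is a constructed simplification covering purpose, downstream
usage, retention and notification/logging obligations. Values are constructed."""
from datetime import datetime, timedelta

# Constructed data-subject preferences for one attribute.
SUBJECT_PREFERENCES = {
    "attribute": "email",
    "allowed_purposes": {"contact", "billing"},
    "downstream_allowed": False,
    "max_retention_days": 30,
    "notify_on_access": True,
}

# Constructed controller policies: one within the preferences, one broader.
CONTROLLER_POLICY_OK = {"attribute": "email", "purposes": {"billing"},
                        "downstream": False, "retention_days": 14}
CONTROLLER_POLICY_BAD = {"attribute": "email", "purposes": {"billing", "marketing"},
                         "downstream": True, "retention_days": 365}


def match(preferences, policy):
    """Two-sided matching: the controller's declared handling must be no broader
    than what the subject allows. Returns (ok, list of mismatch reasons)."""
    reasons = []
    if policy["attribute"] != preferences["attribute"]:
        reasons.append("attribute mismatch")
    extra = policy["purposes"] - preferences["allowed_purposes"]
    if extra:
        reasons.append("undeclared purposes: " + ", ".join(sorted(extra)))
    if policy["downstream"] and not preferences["downstream_allowed"]:
        reasons.append("downstream disclosure not allowed")
    if policy["retention_days"] > preferences["max_retention_days"]:
        reasons.append("retention exceeds %d days" % preferences["max_retention_days"])
    return (not reasons, reasons)


class StickyPolicyStore:
    """Keeps each disclosed value together with the agreed policy and enforces
    the obligations (purpose binding, retention, notification, logging) on
    every access. `now` is injectable so retention can be tested."""

    def __init__(self, now=datetime.now):
        self.now = now
        self.records = {}
        self.audit = []   # the logging obligation: (action, attribute, detail)

    def disclose(self, value, preferences, policy):
        """Accept the value only if the policy matches; return the expiry time."""
        ok, reasons = match(preferences, policy)
        if not ok:
            raise PermissionError("; ".join(reasons))
        expires = self.now() + timedelta(days=policy["retention_days"])
        self.records[policy["attribute"]] = {"value": value, "policy": policy,
                                             "prefs": preferences, "expires": expires}
        self.audit.append(("disclosed", policy["attribute"], expires.isoformat()))
        return expires

    def access(self, attribute, purpose):
        """Return the value for an allowed purpose, or None when the retention
        period has elapsed (the value is then deleted) or the purpose is not
        covered by the agreed policy."""
        rec = self.records.get(attribute)
        if rec is None:
            return None
        if self.now() >= rec["expires"]:
            del self.records[attribute]
            self.audit.append(("deleted", attribute, "retention period elapsed"))
            return None
        if purpose not in rec["policy"]["purposes"]:
            self.audit.append(("denied", attribute, purpose))
            return None
        if rec["prefs"]["notify_on_access"]:
            self.audit.append(("notify", attribute, purpose))
        self.audit.append(("accessed", attribute, purpose))
        return rec["value"]


if __name__ == "__main__":
    store = StickyPolicyStore()
    print(match(SUBJECT_PREFERENCES, CONTROLLER_POLICY_BAD))
    store.disclose("alice@example.org", SUBJECT_PREFERENCES, CONTROLLER_POLICY_OK)
    print(store.access("email", "billing"), store.access("email", "marketing"))
    print(store.audit)
```

The audit list is what the notification/logging obligation produces; in a deployment it would feed the notification channel the user chose and a log the controller can show to demonstrate compliance.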

Use in services and applications

When private and sensitive data is sent to and stored on external web or cloud servers, the owner has no real control over it. This lack of control is due to the absence of mechanisms and methods that provide access and usage control over the stored data during its lifetime. This generic enabler provides the framework and the necessary tools to give control back to the data owner by imposing obligations and restrictions on the data.

Advantages

PPL is a usage control tool that can be used by peers in order to ensure that data operations take place in a well-regulated way. It therefore makes it possible to enforce prescriptions on data usage, which is especially relevant for sharing confidential and personal data. PPL can be used to enforce compliance with legal directives, most notably the EU Directive 95/46/EC on privacy and data protection. PPL represents a unique attempt to provide a generic service for regulating data usage: no generic access/usage control service exists, even if part of its functionality can be implemented to some extent in specific applications. Given the flexibility of the interaction model, which can potentially cope with any data format, and the generic implementation (i.e., data control is regulated by user-specified policies, not by fixed templates), PPL offers a significant competitive advantage for the FI-WARE platform.
