Secure Event Management
SEI 2 Smart Factory
Salvatore Piccione (TXT e-solutions S.p.A.)
15/11/2013
Outline
• Why?
• What?
– Secure Event Management components
• So what?
Why?
• Multitude of smart objects and services
• Demand for event-driven interactions
• Controlled access to production data by internal and external subjects
What?
[Figure: overview of the actors that exchange events through the Secure Event Access Manager (remote maintenance operators, MES, CEP engines, worker); the corporate domain border is marked.]
Events’ namespace
• Taxonomy of the events conveyed by the event bus
• Conventions
– Leaf nodes represent event producers
– Intermediate nodes allow consumers to select a specific set of events
– Patterns select paths or portions of the namespace
• Special characters in patterns: * (exactly one node), # (zero or more nodes)
Events’ namespace - example 1: Shop floor events
[Figure: namespace tree of the shop floor events; "…" marks elided siblings]
WashingMachineManufacturer
  ProductionPlant1
    ProductionLine1
      …
      …
      …
      Station2
        Thickness
        Informational
        Status
      …
      …
      …
      Station6
        Welding
        Informational
        Status
      Station9
        Marriage
        Informational
        Status
    ProductionLine2
    ProductionLine3
Patterns over this namespace:
• WashingMachineManufacturer.ProductionPlant1.ProductionLine1.Station2.Status
– selects exactly one node: the Status events of Station2
• WashingMachineManufacturer.ProductionPlant1.ProductionLine1.*.Status
– * matches exactly one node: the Status events of every station of ProductionLine1
• WashingMachineManufacturer.ProductionPlant1.ProductionLine1.#
– # matches zero or more nodes: everything below ProductionLine1
Events’ namespace - example 2: Notifications
[Figure: namespace tree of the notification events; the plant/line/station hierarchy is repeated under each notification category, "…" marks elided siblings]
WashingMachineManufacturer
  Alerting
    ProductionPlant1
      ProductionLine1
        …
        Station2
        …
        Station6
        …
        Station9
        …
  QualityAssurance
    ProductionPlant1
      ProductionLine1
        …
        Station2
        …
        Station6
        …
        Station9
        …
Namespace Manager
[Screenshot of the Namespace Manager user interface]
Capability-based security
A capability is a communicable and unforgeable token of authority.
By owning it, a process/subject can access the resource/service uniquely identified in the token and exercise the rights stated in it.
Capability token
• Digitally signed XML document
• Based on standards for access control policies (XACML, SAML)
• Two types: Root and non-Root
Anatomy of a capability token
• Issuer (who issues the capability)
• Subject (who the rights are granted to)
• Resource ID (URI of the resource)
• Validity Condition (validity time frame)
• Issuer’s capability (the capability from which a non-Root token is derived)
• Granted rights and their delegability
• Signature
Capability-based security in action
[Figure: chain of trust Plant 1 Manager → Production Line 1 Manager → Station 2 Manager → Station 2 Worker; the Secure Event Access Manager guards the events of Production Plant 1 / Production Line 1 / Station 2]
Capabilities issued along the chain, one per step:
• Cap#1 (Root)
– Rights: Pub/Sub (delegable)
– Namespace: ShopFloorEvents
– Pattern: WashingMachineManufacturer.ProductionPlant1.ProductionLine1.Station2.*
• Cap#2 (Non-Root), derived from Cap#1
– Rights: Pub/Sub (delegable)
– Namespace: ShopFloorEvents
– Pattern: WashingMachineManufacturer.ProductionPlant1.ProductionLine1.Station2.*
• Cap#3 (Non-Root), derived from Cap#2
– Rights: Pub/Sub (delegable)
– Namespace: ShopFloorEvents
– Pattern: WashingMachineManufacturer.ProductionPlant1.ProductionLine1.Station2.*
• Cap#4 (Non-Root), derived from Cap#3
– Rights: Sub (not delegable)
– Namespace: ShopFloorEvents
– Pattern: WashingMachineManufacturer.ProductionPlant1.ProductionLine1.Station2.*
• Access request: the Station 2 Worker presents Cap#4 to the Secure Event Access Manager to subscribe to the events of Station 2
Anatomy of a capability revocation
• Issuer
• Issuer’s capability
• Unique identifier of the revoked capability
• Revocation starting date
• Revocation scope
– Only the capability
– All derived capabilities
– The capability together with all derived capabilities
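The token anatomy, the Cap#1–Cap#4 delegation chain and the three revocation scopes above can be exercised end to end in a few dozen lines. The following is an added example written for this page, not the project's own code: tokens are Python objects instead of signed XML, the digital signature is replaced by an HMAC-SHA256 keyed with a per-issuer secret assumed to be known to the Access Manager, subject names and dates are made up, and patterns support only `*` (exactly one node), which is all the slides' capabilities use. Verification walks from the presented token up to its Root, checking at each link that the issuer holds the parent, that the parent is delegable, and that rights, namespace and pattern are not wider than the parent's; revocations with scope "only" hit the token itself, "derived" hits its descendants, "both" hits both.

```python
from __future__ import annotations
import hashlib, hmac, json
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed per-issuer signing keys (stand-in for XML signature keys); "root" issues Root tokens.
ISSUER_KEYS = {"root": b"root-secret", "plant1-mgr": b"p1-secret", "line1-mgr": b"l1-secret",
               "station2-mgr": b"s2-secret", "station2-worker": b"w-secret"}
Revocation = namedtuple("Revocation", "issuer cap_id start scope")  # scope: only | derived | both

def within(narrow: str, wide: str) -> bool:
    """True if every path matched by `narrow` (a routing key or '*' pattern) is also matched by `wide`."""
    n, w = narrow.split("."), wide.split(".")
    return len(n) == len(w) and all(b == "*" or a == b for a, b in zip(n, w))

@dataclass
class Capability:
    cap_id: str
    issuer: str
    subject: str
    namespace: str
    pattern: str
    rights: frozenset
    delegable: bool
    not_before: datetime
    not_after: datetime
    parent: Capability | None = None  # issuer's capability; None only for a Root token
    signature: str = ""

    def payload(self) -> bytes:
        """Canonical bytes the signature covers: every field except the signature itself."""
        body = {**vars(self), "rights": sorted(self.rights), "signature": None,
                "parent": self.parent.cap_id if self.parent else None}
        return json.dumps(body, sort_keys=True, default=str).encode()

def issue(**fields) -> Capability:
    cap = Capability(**fields)
    cap.signature = hmac.new(ISSUER_KEYS[cap.issuer], cap.payload(), hashlib.sha256).hexdigest()
    return cap

def verify(cap, now, revocations=(), depth=0) -> str:
    """Walk from `cap` up to its Root token; return "ok" or the first failing check."""
    expected = hmac.new(ISSUER_KEYS[cap.issuer], cap.payload(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(cap.signature, expected):
        return f"{cap.cap_id}: bad signature"
    if not cap.not_before <= now <= cap.not_after:
        return f"{cap.cap_id}: outside validity window"
    # Scope "only"/"both" hits the token presented (depth 0); "derived"/"both" hits every
    # token derived from the revoked one (depth > 0). Only the token's issuer may revoke it.
    hits = ("only", "both") if depth == 0 else ("derived", "both")
    if any(r.cap_id == cap.cap_id and r.issuer == cap.issuer and r.start <= now and r.scope in hits
           for r in revocations):
        return f"{cap.cap_id}: revoked"
    p = cap.parent
    if p is None:
        return "ok" if cap.issuer == "root" else f"{cap.cap_id}: non-Root token without issuer's capability"
    if p.subject != cap.issuer or not p.delegable:
        return f"{cap.cap_id}: issuer cannot delegate from {p.cap_id}"
    if not cap.rights <= p.rights or cap.namespace != p.namespace or not within(cap.pattern, p.pattern):
        return f"{cap.cap_id}: grants more than {p.cap_id}"
    return verify(p, now, revocations, depth + 1)

def authorize(cap, namespace, key, right, now, revocations=()) -> str:
    """Decision for one publish/subscribe request on routing key `key` backed by `cap`."""
    verdict = verify(cap, now, revocations)
    if verdict != "ok":
        return verdict
    if right not in cap.rights:
        return f"{right} not granted"
    if cap.namespace != namespace or not within(key, cap.pattern):
        return "routing key outside pattern"
    return "ok"

# Constructed chain mirroring Cap#1..Cap#4 of the slides (subject names and dates are assumed).
T0, NOW = datetime(2013, 11, 1, tzinfo=timezone.utc), datetime(2013, 11, 15, tzinfo=timezone.utc)
PAT = "WashingMachineManufacturer.ProductionPlant1.ProductionLine1.Station2.*"
COMMON = dict(namespace="ShopFloorEvents", pattern=PAT, not_before=T0, not_after=T0 + timedelta(days=60))
PUBSUB = frozenset({"Pub", "Sub"})
CAP1 = issue(cap_id="Cap#1", issuer="root", subject="plant1-mgr", rights=PUBSUB, delegable=True, **COMMON)
CAP2 = issue(cap_id="Cap#2", issuer="plant1-mgr", subject="line1-mgr", rights=PUBSUB, delegable=True, parent=CAP1, **COMMON)
CAP3 = issue(cap_id="Cap#3", issuer="line1-mgr", subject="station2-mgr", rights=PUBSUB, delegable=True, parent=CAP2, **COMMON)
CAP4 = issue(cap_id="Cap#4", issuer="station2-mgr", subject="station2-worker", rights=frozenset({"Sub"}),
             delegable=False, parent=CAP3, **COMMON)

def demo() -> dict:
    ns, key = "ShopFloorEvents", PAT.replace("*", "Status")
    # Escalation attempts: the worker mints a Pub token from the non-delegable Cap#4, and the
    # line manager widens the pattern to every station of the line.
    rogue = issue(cap_id="Cap#5", issuer="station2-worker", subject="station2-worker",
                  rights=frozenset({"Pub"}), delegable=False, parent=CAP4, **COMMON)
    wide = issue(cap_id="Cap#6", issuer="line1-mgr", subject="station2-mgr", rights=frozenset({"Sub"}),
                 delegable=False, parent=CAP2, **{**COMMON, "pattern": PAT.replace("Station2", "*")})
    derived = [Revocation("plant1-mgr", "Cap#2", NOW, "derived")]
    only = [Revocation("plant1-mgr", "Cap#2", NOW, "only")]
    return {"worker_sub": authorize(CAP4, ns, key, "Sub", NOW),
            "worker_pub": authorize(CAP4, ns, key, "Pub", NOW),
            "other_station": authorize(CAP4, ns, key.replace("Station2", "Station6"), "Sub", NOW),
            "rogue": authorize(rogue, ns, key, "Pub", NOW),
            "widened": authorize(wide, ns, key, "Sub", NOW),
            "cap4_after_derived": authorize(CAP4, ns, key, "Sub", NOW, derived),
            "cap2_after_derived": authorize(CAP2, ns, key, "Sub", NOW, derived),
            "cap2_after_only": authorize(CAP2, ns, key, "Sub", NOW, only),
            "cap4_after_only": authorize(CAP4, ns, key, "Sub", NOW, only)}
```

`demo()` returns "ok" only for the worker's Sub request and for Cap#2 after a revocation that does not cover it; every other case names the failing link, which is what makes the chain auditable. Two design points carry over to a real deployment: the signature must cover the parent's identifier (otherwise a token could be re-parented under a more generous capability), and the pattern check at delegation time must be a containment test between patterns, not a match of a single routing key, since the worker will later present arbitrary keys against Cap#4.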
Why are capabilities so cool?
• Principle of Least Authority (PoLA)
• Fewer security issues (e.g. the Confused Deputy problem)
• Arbitrary granularity of access rights
• Distribution of the authorization management
• Independence from the complexity and dynamics of identity management
• Full auditability
• Revocability
Capability wizard
[Screenshot of the Capability wizard user interface]
Event bus
• Based on AMQP (Advanced Message Queueing Protocol)
• Secure Event Access Manager
– capability-based security
– RESTful interface
Access to event streams by clients
• Managed by the Secure Event Access Manager
• How it works
1. Session setting up
2. Session usage (publish/subscribe)
3. Session closing
AMQP in a nutshell
[Figure: a Publisher sends messages to an Exchange; the Exchange delivers each message to every queue (Queue #1, Queue #2, Queue #3) whose binding matches the message's routing key; Subscribers consume from the queues]
• Routing key ≡ Pattern: a namespace path travels as the AMQP routing key, and a namespace pattern is used as a queue binding
• Bindings in the example: Queue #1 ← a.b.c, Queue #2 ← a.b.*, Queue #3 ← a.#
• Routing key a.b.c matches all three bindings: the message is delivered to Queue #1, Queue #2 and Queue #3
• Routing key a.b.x matches a.b.* and a.#: delivered to Queue #2 and Queue #3
• Routing key a.y.z matches only a.#: delivered to Queue #3
[Figure: one Broker hosting several virtual hosts (Virtual Host #1, Virtual Host #2, …, Virtual Host #n)]
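The pattern semantics of the "Events’ namespace" slides and the routing shown in the "AMQP in a nutshell" slides are the same thing: a binding is a namespace pattern, a published event's path is the routing key, and the exchange delivers to every queue whose binding matches. The following is an added example written for this page, not the project's code or any AMQP library: a matcher that implements the stated rules (`*` exactly one node, `#` zero or more nodes) and a toy topic exchange; the bindings, routing keys and shop-floor paths are constructed to mirror the slides.

```python
from collections import defaultdict


def matches(pattern: str, key: str) -> bool:
    """Does routing key `key` fall under `pattern`? '*' = exactly one node, '#' = zero or more."""
    p, k = pattern.split("."), key.split(".")

    def go(i: int, j: int) -> bool:
        if i == len(p):
            return j == len(k)
        if p[i] == "#":  # '#' may absorb any number of nodes: try every split point
            return any(go(i + 1, jj) for jj in range(j, len(k) + 1))
        return j < len(k) and p[i] in ("*", k[j]) and go(i + 1, j + 1)

    return go(0, 0)


class TopicExchange:
    """Minimal model of an AMQP topic exchange whose bindings are namespace patterns."""

    def __init__(self):
        self.bindings = defaultdict(list)   # queue name -> bound patterns
        self.delivered = defaultdict(list)  # queue name -> routing keys received

    def bind(self, queue: str, pattern: str) -> None:
        self.bindings[queue].append(pattern)

    def publish(self, key: str) -> list:
        """Deliver one message to every queue with at least one matching binding."""
        targets = [q for q, pats in self.bindings.items() if any(matches(p, key) for p in pats)]
        for q in targets:
            self.delivered[q].append(key)
        return targets


def route_demo() -> dict:
    """The bindings and routing keys of the 'AMQP in a nutshell' slides (constructed)."""
    ex = TopicExchange()
    ex.bind("Queue #1", "a.b.c")
    ex.bind("Queue #2", "a.b.*")
    ex.bind("Queue #3", "a.#")
    # "a" alone shows '#' matching zero nodes; "b.c" matches nothing and is dropped.
    return {key: ex.publish(key) for key in ("a.b.c", "a.b.x", "a.y.z", "a", "b.c")}


def namespace_demo() -> dict:
    """The three patterns of example 1 against a constructed sample of shop-floor routing keys."""
    line1 = "WashingMachineManufacturer.ProductionPlant1.ProductionLine1"
    keys = [f"{line1}.Station2.Status", f"{line1}.Station2.Informational", f"{line1}.Station6.Status",
            "WashingMachineManufacturer.ProductionPlant1.ProductionLine2.Station2.Status"]
    patterns = [f"{line1}.Station2.Status", f"{line1}.*.Status", f"{line1}.#"]
    return {p: [k for k in keys if matches(p, k)] for p in patterns}
```

`route_demo()` reproduces the slides' deliveries (three queues for a.b.c, two for a.b.x, one for a.y.z) and `namespace_demo()` selects one, two and three of the sample paths for the three example patterns. The security consequence for the Secure Event Access Manager is that a client's requested binding must be checked against the pattern in its capability before the binding is created: a binding ending in `#` reaches every future event below that node, so checking only the keys of messages already flowing is not enough.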
Integrated Management Console
[Screenshots of the console]
• Management of the brokers
• Management of the virtual hosts
• Management of the mapping between virtual hosts and namespaces
So what?
• Complete decoupling of event sources and consumers (asynchronous interactions, timeliness)
• Dynamic and smooth addition of new event sources and consumers (zero downtime, scalability, flexibility)
• Bringing data to the interested consumers instead of bringing consumers to the data
• Advanced, flexible, scalable access control
Thanks for your attention!
Q & A
Follow Us!
• Fitman website: http://www.fitman-fi.eu/
• Twitter: @FitmanFI
• Specification of this SE: http://catalogue.fitman.atosresearch.eu/enablers/secure-event-management