Securing the Personal Cloud – What Should Be Best Practices?
Session Topic: Securing the Personal Cloud
Wednesday 3I
Convener: Peter Davis, Dan Blum
Notes-taker(s): Dan Blum
Tackling this discussion with the definition of the interfaces from figure 1
assumption: architectural relationship between Fred's personal cloud with his services and Lisa and her services
personal data repository is an example of one of these services the interfaces
table the issues of multiple personas and devices
the security objectives - confidentiality, integrity, availability, privacy
trust boundaries
1 - client application and devices
2 - channel between app and cloud service
3 - service
4 - service to service
5 - service to Lisa's service
6 - service to third party
objectives
- confidentiality
- integrity
- privacy
- availability
aspects of security
- user identity
- source (invocation) identity
- target identity
- target user
- access control / policy - need defaults
miscellaneous
need to describe service robustness (catch-all for non-identity and other protocol-related requirements)
threat modelling needed
personal trust framework will state these requirements for these interfaces and there will be some requirement for attestation (self-assertion and audit)
Johannes - what are the implications of mobility
- example to check out - Liberty audit framework
internet of things - today these things communicate with manufacturer (3rd party)
portability - interesting issues like apps expressing their portability needs as metadata to IaaS
what about family "federations" (household versus individual personal cloud)