Securing the Personal Cloud – What Should Be Best Parctices?

From IIW

Session Topic: Securing the Personal Cloud

Wednesday 3I

Convener: Peter Davis, Dan Blum

Notes-taker(s): Dan Blum

Tackling this discussion with the definition of the interfaces from figure 1 assumption: architectural relationship between Fred's personal cloud with his services and Lisa and her services

personal data repository is an example of one of these services the interfaces

table the issues of multiple personas and devices

the security objectives - confidentiality, integrity, availability, privacy - trust boundaries

1 - client application and devices
2 - channel between app and cloud service
3 - service
4 - service to service
5 - service to lisa's service
6 - service to third party

objectives

  • confidentiality
  • integrity
  • privacy
  • availability

aspects of security

  • user identity
  • source (invocation) identity
  • target identity
  • target user
  • access control / policy - need defaults


miscellaneous

need to describe service robustness (catch all for non-identity and other protocol- related requirements)

threat modelling needed


personal trust framework will state these requirements for these interfaces and there will some requirement for attestation (self-assertion and audit)


johannes - what are the implications of mobility

  • example to check out - liberty audit framework

internet of things - today these things communicate with manufacturer (3rd party)

portability - interesting issues like apps expressing their portability needs as metadata to iaas

what about family "federations" (household versus individual personal cloud)