7/29/2019 Mohammad Zaifullah Fraunhofer Master Thesis Proposal
IdM Framework for Life Management Platform
A Thesis Proposal
Submitted to the
Fakultät für Informatik
Technische Universität München
by
Mohammad Zaifullah
Fakultät für Informatik
Technische Universität München
07 January 2013
Supervisor:
Prof. Claudia Eckert
Technische Universität München
Outline
1 Introduction
1.1 Background
1.2 Problem diagnosis and relevance of the work
1.3 Research question
1.4 Hypothesis and research objective
1.5 Preview on what the readers will find in this thesis
2 Progress beyond the state-of-the-art
2.1 Related research concepts
2.1.1 Vendor relationship management
2.1.2 Customer relationship management
2.1.3 Supplier relationship management
2.1.4 Personal data storage
2.1.5 Social networking
2.2 Related application
2.2.1 ProjectVRM
2.2.2 Personal.com
2.2.3 Connect.me
2.2.4 Qiy.com
2.3 Related standard bodies
2.3.1 ISO
2.3.2 OASIS
2.3.3 Kantara Initiative
2.3.4 IETF
2.3.5 ITU-T
3 Methods
3.1 Research design
3.2 Measures and sources of information
3.3 Techniques of analysis
3.3.1 Graphical analysis
3.3.2 Numerical analysis
3.3.3 Comparative analysis
3.4 Documentation
3.5 Critique
4 Delimitations of the thesis
5 Thesis outline
6 Thesis schedule
1 Introduction
1.1 Background
Every person has a lot of information in her daily life which needs to be managed and shared. A lot of this information has to be managed in a secure way and shared in a controlled, directed way. Some people may think differently about some of that information. Some cultures might rate the need for privacy and security differently for some of that information. The question keeps coming up of how to share Personally Identifiable Information (PII) [2] in a way that satisfies personal and legal privacy requirements across international boundaries. This information will always be used too frequently to remain paper-based, and it is too sensitive to be dealt with in the way today's social networks [3] do. It becomes obvious that many people are not willing to share all that information in the way many of today's social networks suggest that information should be shared. That is where Life Management Platforms come into play: providing the tools to manage the essential information of every person's life and making it usable for other parties through privacy-enhanced applications, thus meeting the privacy and security requirements. The individuals decide which information they provide to whom. They decide what is shared and what is not [1].
Life Management Platforms will change the way individuals deal with sensitive information like their health data, insurance data, and many other types of information - information that today frequently is paper-based or, when it comes to personal opinions, only in the mind of the individuals. They will enable new approaches for privacy- and security-aware sharing of that information, following the concept of minimal disclosure and avoiding the loss of control of this data. They support concepts which allow sharing information with other parties in a way that avoids any data leakage, mainly based on a new concept of privacy- and security-aware apps which process information from both parties without giving any of the parties involved access to information provided by any other party without explicit consent [1].
1.2 Problem diagnosis and relevance of the work
When you think about managing your daily life, it requires an enormous quantity of data: everything from bank details and family book numbers to what sort of cleaning fluid does best on your floor, what pressure your car tyres need to be at and which brands of gluten-sugar-lactose-nut-free cereal bar your six-year-old can stomach [4].
Some years from now, we will want to access our car through a virtual key which is stored in our private domain, together with all information relevant for the usage and maintenance of that car. One can think of this as a digital driver's book, which would even report an engine failure to your garage if you wish it to do so (and only then).
We may also need to find the best health insurance based on the information which is stored in a common platform. Individuals can request offers from insurance brokers without unveiling all that data and then pick the policy which fits best, without details from each insurance company leaking to other insurance companies and without sensitive personal data from the individual leaking to insurance brokers or insurance companies he doesn't choose [1].
Some years later, we may want to receive only targeted information, based on the current personal interests, wishes and desires of a person - all the details people never will unveil in a social network or on any platform owned by a content provider. We also want to manage our virtual salary statement from our employer [1].
When looking at today's Internet, it becomes clear that many of the approaches we find therein fulfill the requirements of neither the users nor their counterparts like vendors, providers, and other parties. Overall, IT is driven by some major evolutions.
Figure 1 shows some of the current evolutions of IT. First of all, there is Social Computing [5], which provides a tighter interaction between individuals and organizations based on sharing information in some way between publicly available information and a directed, controlled flow of information [1].
Figure 1: The evolutionary areas of today's IT affecting everyday life. [1]
Another evolution is Mobile Computing [6], which allows access to a broad range of services through the Internet from different devices. As a result, an increasing number of persons have device and network access available at virtually any point of time [1].
And finally there is Cloud Computing [7], which aims to share data, calculations, and services transparently among users of a massive grid. It became a hot issue because of advantages such as reducing costs, increasing business flexibility and/or providing business continuity. Cloud Computing refers to both the applications delivered as services over the Internet and the hardware and systems software in the data centers that provide those services. The services themselves have long been referred to as Software as a Service (SaaS) [8]. The data-center hardware and software is what we will call a Cloud. When a Cloud is made available in a pay-as-you-go manner to the general public, it is called a Public Cloud; the service being sold is Utility Computing.
Information Technology (IT) is fundamentally affected by all of these trends. The Consumerization and De-perimeterization [9] of IT are logical consequences. IT is available to virtually everyone and virtually everywhere. Nowadays it is not a business-to-business technology anymore, and has not been for quite a while. The evolutions mentioned above certainly drive the consumerization of IT to a new level. De-perimeterization is another logical consequence. Once formerly closed networks open up, there is no perimeter anymore. That not only affects the way Information Security has to be implemented, it also means that the borderlines between different organizations, and between organizations and their counterparts in the form of individuals (customers, users, tenants, citizens, etc.), are not as clearly defined anymore.
1.3 Research question
This research aims to build such a platform, based on the combination of a personal domain holding all information securely and the ability to use this data in a privacy- and security-aware way. The study attempts to answer the following research question:
How can individuals maintain privacy- and security-aware sharing of their sensitive daily-life information, following the concept of minimal disclosure and avoiding the loss of control of that data?
1.4 Hypothesis and research objective
Currently there is no platform which allows individuals to consolidate all relevant data from daily life, in particular data which is sensitive and typically paper-bound today, like bank account information, insurance information, health information, or the key number of their car. Notably, Life Management Platforms are not limited to such data but support everything which should be used in a privacy- and security-aware way with, for example, the car manufacturers, the dealers, and the garages (and maybe some other parties). It is hypothesized that a Life Management Platform can be designed in such a way that users get full control and flexibility over the management of their personal information. It is also hypothesized that security and privacy can be supported through the use of a standard protocol.
1.5 Preview on what the readers will find in this thesis
This report describes the core concepts of Life Management Platform. It provides the input all interested parties need to work on that concept as user, as platform provider, or as service provider. Virtually all business models which rely on sharing sensitive information with individuals will fundamentally change with the rise of Life Management Platform. That will challenge existing business models and IT infrastructures, but it provides fantastic new opportunities not only for new business models, but also for cost savings and better service for virtually all organizations. Understanding this fundamental shift today is the foundation for successful business in the future.
2 Progress beyond the state-of-the-art
There are several concepts and providers out there which are related to the idea of Life Management Platform in one way or another. Unfortunately, none of the platforms of today fulfills all the requirements of Life Management Platform. That becomes even more obvious when looking at different technologies provided by the industry. The art of successfully dealing with Life Management Platform from a provider perspective is in fact simple: provide services and offers that are sufficiently attractive and don't rely on knowing things about the individuals you shouldn't know or do not need to know. From the perspective of customer requirements, providers have to deal with challenges like:
- People want to keep their life data managed in both the digital and non-digital world
- They want to ensure privacy
- They start thinking about which price to pay: Privacy or money?
- They want to control their relationships and their data
This becomes clear when looking at VRM (Vendor Relationship Management), one of the most prominent but limited cases, in which the end user is able to share her information with vendors of her choice in a controlled way. That example points out several of the shortcomings of today's approaches, including CRMs and Social Networks and especially most of the marketing and customer interaction initiatives relying on Social Networks. VRM allows the customer to share what she currently assumes to be relevant, which might be very different from what she found relevant in the past.
Organizations today (and tomorrow) need to
- Know their customer
- Interact closely with her
- Ensure that their competitors don't know too much about her and your relationship with her
- Ensure that they stay in touch with them over time, building a customer relationship/binding
- Tighten the relationships
However, today's social networks define the borderline between privacy and publicity. Their privacy-ignorant approach violates some of the customer requirements, such as customers defining their own privacy. By knowing your customer, your competitor most likely will easily gain knowledge about them as well. With respect to the fourth bullet point, staying in touch with her might quickly become a one-way road where organizations put in a lot of effort and no one listens anymore. It might even become a dead end quickly, once the social network loses its popularity.
2.1 Related research concepts
There are several concepts out there which are related to the idea of Life Management Platform in one way or another, but no single concept implements Life Management Platform. Here we discuss some relevant ideas:
2.1.1 Vendor relationship management
When looking at concepts, VRM (Vendor Relationship Management) is one of the most influential ones. VRM, a concept developed by Harvard professor Doc Searls some years ago, focuses on the relationship between vendors and customers. It turns things upside down in the sense of customers being in control of their data and what they want to share with which vendors. However, VRM is by name and original design too focused on one aspect of Life Management Platform. Nevertheless, looking at VRM is valuable due to the (relatively) long history of that concept [1].
2.1.2 Customer relationship management
Customer relationship management (CRM) is a huge information resource of modern business activity, and almost all the information required in business activity comes from CRM. At the same time, the development of E-Commerce makes CRM more important to the corporation [10].
2.1.3 Supplier relationship management
2.1.4 Personal data storage
2.1.5 Social networking
2.2 Related application
For an emerging market, it is always more of a hunch than a logical deduction to give predictions on when things will happen. Life Management Platform will most likely become a major topic and big thing on the Internet soon. The current situation with an increasing number of vendors entering that market is a very clear indicator of that [1].
2.2.1 ProjectVRM
ProjectVRM is a research and development project of the Berkman Center for Internet & Society at Harvard University [11]. It has two purposes:
- To encourage development of tools by which individuals can take control of their relationships with organizations, especially in commercial marketplaces.
- To conduct research on VRM-related theories, usage of VRM tools, and effects as adoption of VRM tools takes place.
The project was created by Doc Searls when he became a fellow at the Berkman Center in 2006. Since then it has grown to become the central institution in an active development community.
2.2.2 Personal.com
Another actor in the market is personal.com, even though they are more a Personal Data Store than a real life management platform, lacking an appropriate app concept. However, personal.com starts turning things upside down and giving control back to users [1].
2.2.3 Connect.me
Another model is connect.me, which is a reputation network. It is connected to Life Management Platform indirectly, in the sense of reputation becoming an important factor for trust. That helps in deciding what to share with whom if you share using a Life Management Platform [1].
2.2.4 Qiy.com
One of the most advanced models around Life Management Platform is qiy.com. The concept is 1 software, 1 credential, 1 place to manage anything personal you might want to manage with a computer. Qiy itself is a foundation providing the knowledge of personal containers where your information is secure and where you can use 3rd party apps to do something with your information. Apps are provided by Qiy framework members, adding trust framework capabilities to the Life Management Platform part of Qiy [1].
2.3 Related standard bodies
This section gives an overview of the standards bodies that are working on these new concepts.
2.3.1 ISO
2.3.2 OASIS
2.3.3 Kantara Initiative
2.3.4 IETF
2.3.5 ITU-T
3 Methods
3.1 Research design
The following picture depicts the structure of the proposed Life Management Platform. For identity management, the OpenID Connect protocol will be used. The customer has full control over her sensitive personal data.
Figure 2: Life Management Platform. [12]
3.2 Measures and sources of information
Information will be gathered from scholarly research databases like IEEE, ACM, ScienceDirect, etc. Other online resources, books, etc. that are closely related to this research will also be considered as information sources. Results will also be submitted to Fraunhofer AISEC.
3.3 Techniques of analysis
3.3.1 Graphical analysis
An analysis of the graphical flow of the system will be done.
3.3.2 Numerical analysis
Time performance of the system will be measured.
3.3.3 Comparative analysis
The proposed solution will be compared to solutions currently operating in the market.
3.4 Documentation
After completing the above analysis, I will write up the thesis to document the work I have completed.
3.5 Critique
The idea of Life Management Platform is very nice, but I think it may also be very good if I implemented it as Life Management Apps as in Marcel's QIY system. In my mind the main difference between a platform and an app is that the app does not store the data that is pertinent to the intention of the person.
4 Delimitations of the thesis
This thesis only covers customer control and privacy over her sensitive personal data.
5 Thesis outline
1. Front matter (4-5 pages)
Title
Acknowledgments
Contents
List of figures and tables
List of abbreviations
Glossary
2. Introduction (6-7 pages)
Background
Problem diagnosis and relevance of the work
Research question
Hypothesis and research objective
Preview on what the readers will find in this thesis
3. Progress beyond the state-of-the-art (14-15 pages)
Related research concepts
Vendor relationship management
Customer relationship management
Supplier relationship management
Personal data storage
Social networking
Related applications
ProjectVRM
Personal.com
Connect.me
Qiy.com
Related standard bodies
ISO
OASIS
Kantara Initiative
IETF
ITU-T
4. Identity management (6-7 pages)
Identities
Persona
User-centric IdM
Authentication technologies
Authorization technologies
The security triad
Confidentiality
Integrity
Availability
Privacy technologies
Trust
5. Life management platform architecture (9-10 pages)
Profile management
Social profile
Business profile
Professional profile
Usability issues
6. Philosophy of approach (4-5 pages)
RESTful architecture
JWT
OpenID Connect
7. Implementation of LMP (20-25 pages)
Technique and methods
Security mechanism
Tools and frameworks used
Access to personal information
8. Analysis of results (4-5 pages)
Graphical analysis
Numerical analysis
Comparative analysis
9. Conclusions and future research (1-2 pages)
Conclusions
Future research
10. Bibliography (1-2 pages)
11. Appendices (4-5 pages)
6 Thesis schedule
Figure 3: Thesis schedule.
Bibliography
[1] Martin Kuppinger, KuppingerCole Advisory Note Life Management Platforms: Control and Privacy for Personal Data - Report No.: 70608, 2012.
[2] Erika McCallister; Tim Grance; Karen Scarfone, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST Special Publication 800-122, 2010.
[3] Jaakkola, H.; Linna, P.; Henno, J.; Makela, J., (Social) networking is coming - Are we ready?, MIPRO, 2011 Proceedings of the 34th International Convention, IEEE, pp. 1133-1139, 23-27 May 2011.
[4] G.L., Personal data: A life-management platform?, http://www.economist.com/blogs/babbage/2011/11/personal-data, The Economist, 2011.
[5] Wang, Fei-Yue; Carley, Kathleen M.; Zeng, Daniel; Mao, Wenji, Social Computing: From Social Informatics to Social Intelligence, Intelligent Systems, IEEE, vol. 22, no. 2, pp. 79-83, March-April 2007.
[6] Hans J (Jochen) Scholl, Mobile computing in the public sector: practices, opportunities, and arduous challenges. In Proceedings of the 10th Annual International Conference on Digital Government Research: Social Networks: Making Connections between Citizens, Data and Government (dg.o '09), Soon Ae Chun, Rodrigo Sandoval, and Priscilla Regan (Eds.). Digital Government Society of North America, 361-363, ACM, 2009.
[7] Xu Wang; Beizhan Wang; Jing Huang, Cloud computing and its key techniques, Computer Science and Automation Engineering (CSAE), 2011 IEEE International Conference on, vol. 2, pp. 404-410, 10-12 June 2011.
[8] Olsen, E.R., Transitioning to Software as a Service: Realigning Software Engineering Practices with the New Business Model, Service Operations and Logistics, and Informatics, 2006. SOLI '06. IEEE International Conference on, pp. 266-271, 21-23 June 2006.
[9] Jeremy Hilton; Pete Burnap, Self Protecting Information for Deperimeterised Electronic Relationships, https://collaboration.opengroup.org/jericho/hilton SPC Infosec SPIDER.pdf.
[10] Ma Jibin; Sun Yonghao; Wu Xuyan; Chen Xiaoyan, Research of the Customer Relationship Management in Enterprise under the E-Commerce, Computer and Communications Security, 2009. ICCCS '09. International Conference on, pp. 131-134, 5-6 Dec. 2009.
[11] Doc Searls, ProjectVRM, http://blogs.law.harvard.edu/vrm/.
[12] Mario Hoffmann, Fraunhofer AISEC.