Mohammad Zaifullah Fraunhofer Master Thesis Proposal

  • 7/29/2019 Mohammad Zaifullah Fraunhofer Master Thesis Proposal

    IdM Framework for Life Management Platform

    A Thesis Proposal

    Submitted to the

    Fakultät für Informatik

    Technische Universität München

    by

    Mohammad Zaifullah

    Fakultät für Informatik

    Technische Universität München

    07 January 2013

    Supervisor:

    Prof. Claudia Eckert

    Technische Universität München

    Outline

    1 Introduction
        1.1 Background
        1.2 Problem diagnosis and relevance of the work
        1.3 Research question
        1.4 Hypothesis and research objective
        1.5 Preview on what the readers will find in this thesis

    2 Progress beyond the state-of-the-art
        2.1 Related research concepts
            2.1.1 Vendor relationship management
            2.1.2 Customer relationship management
            2.1.3 Supplier relationship management
            2.1.4 Personal data storage
            2.1.5 Social networking
        2.2 Related application
            2.2.1 ProjectVRM
            2.2.2 Personal.com
            2.2.3 Connect.me
            2.2.4 Qiy.com
        2.3 Related standard bodies
            2.3.1 ISO
            2.3.2 OASIS
            2.3.3 Kantara Initiative
            2.3.4 IETF
            2.3.5 ITU-T

    3 Methods
        3.1 Research design
        3.2 Measures and sources of information
        3.3 Techniques of analysis
            3.3.1 Graphical analysis
            3.3.2 Numerical analysis
            3.3.3 Comparative analysis
        3.4 Documentation
        3.5 Critique

    4 Delimitations of the thesis

    5 Thesis outline

    6 Thesis schedule

    1 Introduction

    1.1 Background

    Every person has a lot of information in her daily life which needs to be managed and shared. A lot of this information has to be managed in a secure way and shared in a controlled, directed way. Some people may think differently about some of that information, and some cultures might rate the need for privacy and security differently for some of it. The question keeps coming up of how to share Personally Identifiable Information (PII) [2] in a way that satisfies personal and legal privacy requirements across international boundaries. However, this information will always be used too frequently to remain paper-based, and it is too sensitive to deal with in the way today's social networks [3] do. It becomes obvious that many people are not willing to share all that information in the way many of today's social networks suggest it should be shared. That is where Life Management Platform comes into play: providing the tools to manage the essential information of every person's life and making it usable for other parties through privacy-enhanced applications, thus meeting the privacy and security requirements. The individuals decide which information they provide to whom. They decide what is shared and what is not [1].

    Life Management Platform will change the way individuals deal with sensitive information like their health data, insurance data, and many other types of information - information that today frequently is paper-based or, when it comes to personal opinions, only in the mind of the individuals. It will enable new approaches for privacy- and security-aware sharing of that information, following the concept of minimal disclosure and avoiding the loss of control of this data. It supports concepts which allow sharing information with other parties in a way that avoids any data leakage, mainly based on a new concept of privacy- and security-aware apps which process information from both parties without giving any of the parties involved access to information provided by any other party without explicit consent [1].

    1.2 Problem diagnosis and relevance of the work

    Managing your daily life requires an enormous quantity of data: everything from bank details and family book numbers to what sort of cleaning fluid does best on your floor, what pressure your car tyres need to be at and which brands of gluten-sugar-lactose-nut-free cereal bar your six-year-old can stomach [4].

    Some years from now, we will want to access our car through a virtual key which is stored in our private domain, together with all information relevant for the usage and maintenance of that car. One can think of this as a digital driver's book, which would even report an engine failure to your garage if you wish it to do so (and only then).

    We may also need to find the best health insurance based on the information which is stored in a common platform. Individuals can request offers from insurance brokers without unveiling all that data and then pick the policy which fits best, without details from each insurance company leaking to other insurance companies and without sensitive personal data from the individual leaking to insurance brokers or insurance companies he does not choose [1].

    Some years later, we may want to receive only targeted information, based on the current personal interests, wishes and desires of a person - all the details people will never unveil in a social network or on any platform owned by a content provider. We also want to manage our virtual salary statement from our employer [1].

    When looking at today's Internet, it becomes clear that many of the approaches we find therein fulfill the requirements of neither the users nor their counterparts like vendors, providers, and other parties. Overall, IT is driven by some major evolutions.

    If we look at Figure 1, we find some modern evolutions of IT. First of all there is Social Computing [5], which provides a tighter interaction between individuals and organizations based on sharing information in some way between publicly available information and a directed, controlled flow of information [1].

    Figure 1: The evolutionary area of today's IT affecting everyday life. [1]

    Another evolution is Mobile Computing [6], which allows access to a broad range of services through the Internet from different devices. As a result, an increasing number of persons have device and network access available at virtually any point in time [1].

    And finally there is Cloud Computing [7], which aims to share data, calculations, and services transparently among users of a massive grid. It became a hot issue because of advantages such as reduced costs, increased business flexibility and/or business continuity. Cloud Computing refers to both the applications delivered as services over the Internet and the hardware and systems software in the data-centers that provide those services. The services themselves have long been referred to as Software as a Service (SaaS) [8]. The data-center hardware and software is what we will call a Cloud. When a Cloud is made available in a pay-as-you-go manner to the general public, it is called a Public Cloud; the service being sold is Utility Computing.

    Information Technology (IT) is fundamentally affected by all of these trends. The Consumerization and De-perimeterization [9] of IT are logical consequences. IT is available to virtually everyone and virtually everywhere. Nowadays it is not a business-to-business technology anymore, and has not been for quite a while. The evolutions mentioned above are sure to drive the consumerization of IT to a new level. De-perimeterization is another logical consequence. Once formerly closed networks open up, there is no perimeter anymore. That not only affects the way Information Security has to be implemented, it also means that the borderlines between different organizations, and between organizations and their counterparts in the form of individuals (customers, users, tenants, citizens, etc.), are not as clearly defined anymore.

    1.3 Research question

    This research aims to build such a platform, based on the combination of a personal domain holding all information securely and the ability to use this data in a privacy- and security-aware way. The study attempts to answer the research question:

    How can individuals maintain privacy- and security-aware sharing of their sensitive daily-life information, following the concept of minimal disclosure and avoiding the loss of control of that data?

    1.4 Hypothesis and research objective

    Currently there is no platform which allows individuals to consolidate all relevant data from daily life, in particular data which is sensitive and typically paper-bound today, like bank account information, insurance information, health information, or the key number of their car. Notably, Life Management Platform is not limited to such data but supports everything which should be used in a privacy- and security-aware way with, for example, the car manufacturers, the dealers, and the garages (and maybe some other parties). It is hypothesized that Life Management Platform can be designed in such a way that users get full control and flexibility over the management of their personal information. It is also hypothesized that security and privacy can be supported through the use of standard protocols.

    1.5 Preview on what the readers will find in this thesis

    This report describes the core concepts of Life Management Platform. It provides the input all interested parties need to work on that concept as user, as platform provider, or as service provider. Virtually all business models which rely on sharing sensitive information with individuals will fundamentally change with the rise of Life Management Platform. That will challenge existing business models and IT infrastructures, but it provides fantastic new opportunities not only for new business models, but also for cost savings and better service for virtually all organizations. Understanding this fundamental shift today is the foundation for successful business in the future.

    2 Progress beyond the state-of-the-art

    There are several concepts and providers out there which are related to the idea of Life Management Platform in one way or another. Unfortunately, none of today's platforms fulfills all the requirements of Life Management Platform. That becomes even more obvious when looking at the different technologies provided by the industry. The art of successfully dealing with Life Management Platform from a provider perspective is in fact simple: provide services and offers that are sufficiently attractive and don't rely on knowing things about the individuals that you shouldn't know or do not need to know. From the perspective of customer requirements, providers have to deal with challenges like:

    • People want to keep their life data managed in both the digital and non-digital world
    • They want to ensure privacy
    • They start thinking about which price to pay: Privacy or money?
    • They want to control their relationships and their data

    This becomes clear when looking at VRM (Vendor Relationship Management), one of the most prominent but limited cases, in which the end user is able to share her information with vendors of her choice in a controlled way. That example points out several of the shortcomings of today's approaches, including CRMs and Social Networks, and especially most of the marketing and customer interaction initiatives relying on Social Networks. VRM allows the customer to share what she currently assumes to be relevant, which might be very different from what she found relevant in the past.

    Organizations today (and tomorrow) need to

    • Know their customer
    • Interact closely with her
    • Ensure that their competitors don't know too much about her and their relationship with her
    • Ensure that they stay in touch with her over time, building a customer relationship/binding
    • Tighten the relationships

    However, today's social networks define the borderline between privacy and publicity. Their privacy-ignorant approach violates some of the customer requirements, such as customers defining their own privacy. When you know your customer, your competitor will most likely easily gain knowledge about them as well. With respect to the fourth bullet point, staying in touch with her might quickly become a one-way road where organizations put in a lot of effort and no one listens anymore. It might even become a dead end quickly, once the social network loses its popularity.

    2.1 Related research concepts

    There are several concepts out there which are related to the idea of Life Management Platform in one way or another, but no single concept implements Life Management Platform. Here we discuss some relevant ideas:

    2.1.1 Vendor relationship management

    When looking at concepts, VRM (Vendor Relationship Management) is one of the most influential ones. VRM, a concept developed by Harvard professor Doc Searls some years ago, focuses on the relationship between vendors and customers. It turns things upside down in the sense of customers being in control of their data and what they want to share with which vendors. However, VRM is by name and original design too focused on one aspect of Life Management Platform. Nevertheless, looking at VRM is valuable due to the (relatively) long history of that concept [1].

    2.1.2 Customer relationship management

    Customer relationship management (CRM) is a huge information resource of modern business activity, and almost all the information required in business activity comes from CRM. At the same time, the development of E-Commerce makes CRM more important to the corporation [10].

    2.1.3 Supplier relationship management

    2.1.4 Personal data storage

    2.1.5 Social networking

    2.2 Related application

    For an emerging market, it is always more of a hunch than a logical deduction to give predictions on when things will happen. Life Management Platform will most likely become a major topic and a big thing on the Internet soon. The current situation, with an increasing number of vendors entering that market, is a very clear indicator of that [1].

    2.2.1 ProjectVRM

    ProjectVRM is a research and development project of the Berkman Center for Internet & Society at Harvard University [11]. It has two purposes:

    • To encourage development of tools by which individuals can take control of their relationships with organizations, especially in commercial marketplaces.
    • To conduct research on VRM-related theories, usage of VRM tools, and effects as adoption of VRM tools takes place.

    The project was created by Doc Searls when he became a fellow at the Berkman Center in 2006. Since then it has grown to become the central institution in an active development community.

    2.2.2 Personal.com

    Another actor in the market is personal.com, even though they are more a Personal Data Store than a real life management platform, lacking an appropriate app concept. However, personal.com starts turning things upside down and giving control back to users [1].

    2.2.3 Connect.me

    Another model is connect.me, which is a reputation network. This is connected to Life Management Platform indirectly in the sense of reputation becoming an important factor for trust. That helps in deciding on what to share with whom if you share using a Life Management Platform [1].

    2.2.4 Qiy.com

    One of the most advanced models around Life Management Platform is qiy.com. The concept is 1 software, 1 credential, 1 place to manage anything personal you might want to manage with a computer. Qiy itself is a foundation providing the knowledge of personal containers where your information is secure and where you can use 3rd party apps to do something with your information. Apps are provided by Qiy framework members, adding trust framework capabilities to the Life Management Platform part of Qiy [1].

    2.3 Related standard bodies

    This section gives an overview of the standard bodies that are working with these new concepts.

    2.3.1 ISO

    2.3.2 OASIS

    2.3.3 Kantara Initiative

    2.3.4 IETF

    2.3.5 ITU-T

    3 Methods

    3.1 Research design

    The following picture depicts the structure of the proposed Life Management Platform. For identity management, the OpenID Connect protocol will be used. The customer has full control over her sensitive personal data.

    Figure 2: Life Management Platform. [12]

    3.2 Measures and sources of information

    Information will be gathered from scholarly research databases like IEEE, ACM, ScienceDirect, etc. Other online resources, books, etc. that are closely related to this research will also be considered as information sources. The results will also be submitted to Fraunhofer AISEC.

    3.3 Techniques of analysis

    3.3.1 Graphical analysis

    Analysis of graphical flow of the system will be done.

    3.3.2 Numerical analysis

    Time performance of the system will be measured.

    3.3.3 Comparative analysis

    The proposed solution will be compared to solutions currently working in the market.

    3.4 Documentation

    After completing the above analysis, I will write up the thesis to document the work I have completed.

    3.5 Critique

    The idea of Life Management Platform is very nice, but I think it may also be very good if I implemented it as Life Management Apps as in Marcel's QIY system. In my mind the main difference between a platform and an app is that the app does not store the data that is pertinent to the intention of the person.

    4 Delimitations of the thesis

    This thesis only covers the customer's control and privacy over her sensitive personal data.

    5 Thesis outline

    1. Front matter (4-5 pages)
        • Title
        • Acknowledgments
        • Contents
        • List of figures and tables
        • List of abbreviations
        • Glossary

    2. Introduction (6-7 pages)
        • Background
        • Problem diagnosis and relevance of the work
        • Research question
        • Hypothesis and research objective
        • Preview on what the readers will find in this thesis

    3. Progress beyond the state-of-the-art (14-15 pages)
        • Related research concepts
            - Vendor relationship management
            - Customer relationship management
            - Supplier relationship management
            - Personal data storage
            - Social networking
        • Related applications
            - ProjectVRM
            - Personal.com
            - Connect.me
            - Qiy.com
        • Related standard bodies
            - ISO
            - OASIS
            - Kantara Initiative
            - IETF
            - ITU-T

    4. Identity management (6-7 pages)
        • Identities
        • Persona
        • User-centric IdM
        • Authentication technologies
        • Authorization technologies
        • The security triad
            - Confidentiality
            - Integrity
            - Availability
        • Privacy technologies
        • Trust

    5. Life management platform architecture (9-10 pages)
        • Profile management
            - Social profile
            - Business profile
            - Professional profile
        • Usability issues

    6. Philosophy of approach (4-5 pages)
        • RESTful architecture
        • JWT
        • OpenID Connect

    7. Implementation of LMP (20-25 pages)
        • Technique and methods
        • Security mechanism
        • Tools and frameworks used
        • Access to personal information

    8. Analysis of results (4-5 pages)
        • Graphical analysis
        • Numerical analysis
        • Comparative analysis

    9. Conclusions and future research (1-2 pages)
        • Conclusions
        • Future research

    10. Bibliography (1-2 pages)

    11. Appendices (4-5 pages)

    6 Thesis schedule

    Figure 3: Thesis schedule.

    Bibliography

    [1] Martin Kuppinger, KuppingerCole Advisory Note Life Management Platforms: Control and Privacy for Personal Data - Report No.: 70608, 2012.

    [2] Erika McCallister; Tim Grance; Karen Scarfone, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST Special Publication 800-122, 2010.

    [3] Jaakkola, H.; Linna, P.; Henno, J.; Makela, J., (Social) networking is coming - Are we ready?, MIPRO, 2011 Proceedings of the 34th International Convention, IEEE, pp. 1133-1139, 23-27 May 2011.

    [4] G.L., Personal data: A life-management platform?, http://www.economist.com/blogs/babbage/2011/11/personal-data, The Economist, 2011.

    [5] Wang, Fei-Yue; Carley, Kathleen M.; Zeng, Daniel; Mao, Wenji, Social Computing: From Social Informatics to Social Intelligence, Intelligent Systems, IEEE, vol. 22, no. 2, pp. 79-83, March-April 2007.

    [6] Hans J (Jochen) Scholl, Mobile computing in the public sector: practices, opportunities, and arduous challenges. In Proceedings of the 10th Annual International Conference on Digital Government Research: Social Networks: Making Connections between Citizens, Data and Government (dg.o '09), Soon Ae Chun, Rodrigo Sandoval, and Priscilla Regan (Eds.). Digital Government Society of North America, pp. 361-363, ACM, 2009.

    [7] Xu Wang; Beizhan Wang; Jing Huang, Cloud computing and its key techniques, Computer Science and Automation Engineering (CSAE), 2011 IEEE International Conference on, vol. 2, pp. 404-410, 10-12 June 2011.

    [8] Olsen, E.R., Transitioning to Software as a Service: Realigning Software Engineering Practices with the New Business Model, Service Operations and Logistics, and Informatics, 2006. SOLI '06. IEEE International Conference on, pp. 266-271, 21-23 June 2006.

    [9] Jeremy Hilton; Pete Burnap, Self Protecting Information for Deperimeterised Electronic Relationships, https://collaboration.opengroup.org/jericho/hilton SPC Infosec SPIDER.pdf.

    [10] Ma Jibin; Sun Yonghao; Wu Xuyan; Chen Xiaoyan, Research of the Customer Relationship Management in Enterprise under the E-Commerce, Computer and Communications Security, 2009. ICCCS '09. International Conference on, pp. 131-134, 5-6 Dec. 2009.

    [11] Doc Searls, ProjectVRM, http://blogs.law.harvard.edu/vrm/.

    [12] Mario Hoffmann, Fraunhofer AISEC.
