Research & Development – Security
The Research & Development unit, in the Security sector, is working on “Spidasec – SPID Advanced Security”, which won a “POR CALABRIA FESR-FSE 2014-2020” loan.
Spidasec is a system that aims to improve the security of SPID. SPID allows users and companies to log in to the online services of public administration and companies with a unique digital identity, using different devices. In addition, Spidasec aims to improve the “trust” between the parties involved.
Consulthink is not alone in this adventure: its partners are the University of Calabria, the companies Catenate and Coremuniti, the “Istituto di Calcolo e Reti ad Alte Prestazioni del Consiglio Nazionale delle Ricerche (ICAR-CNR)” and also Poste Italiane.
The objective of Spidasec, then, is to improve the security side of SPID, the Italian public system of digital identity. SPID aims to simplify the relationship between citizens and the services offered by the public administration. Thanks to SPID, every user has their own digital identity and can log in to the online services of the public administration and of the companies that have joined SPID. The advantage of a digital identity is that people no longer have to remember and use many passwords and usernames to access the various services; they only have to remember those of their digital identity.
To obtain a digital identity, the user must request it from one of the 8 currently accredited providers, among them Poste Italiane S.p.A. The provider verifies the user’s identity and issues the credentials.
The SPID system has many advantages both for the user and for the service provider. The user can access numerous online services with a single set of identification credentials. The service provider, in turn, does not have to conduct a census of its users: it only gets the user data that is strictly necessary to complete the specific transaction, it has no burden related to the conservation of personal data, and it does not have to worry about possible cyberattacks aimed at stealing credentials. In addition, Service Providers will have profiles with a certain identity, eliminating the so-called “false profiles”, and unique profiles, eliminating duplicates.
What are Spidasec’s goals? SPID has some limits, especially on the security side, and Spidasec aims to overcome them. In SPID, identity theft is simple because of the mechanism used to identify the user: by exhibiting a false document, a citizen can get all the information and services of another citizen. For this reason, Spidasec introduces “Social Trust” algorithms to deal with this vulnerability. These systems can use open sources, such as social channels. The collected data may contain information about the user to be identified, such as images and position. By correlating this information, a level of trust in the identity of the user can be obtained. Using the concepts of Trust and Reputation, it is possible to define appropriate security policies based on increasing levels of risk.
Two other security problems concern the use of SAML (Security Assertion Markup Language) and the certificates of the SSL protocol. With SAML, the protocol makes assertions and, once these are verified, it does not repeat the check for some time. The problem is that if a browser is infected, improper requests could start from the browser and these requests would be satisfied all the same. The certificates used in the SSL protocol, on the other hand, may be outdated or badly configured, in which case the security of data transmission is not guaranteed.
Another objective of Spidasec is to promote the diffusion of the service: few public administrations use SPID and few private companies offer their services online. Currently the online services that public administrations offer are: payments of Tasi and car tax, health services, INPS file, redemption of the degree, application for family allowances, payment via web of regional taxes and of school canteen. However, this integration and communication in a single environment is not simple and can lead to a mediocre usability of the platform. Therefore, Spidasec is the solution to the limits of SPID!
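The SAML concern above comes down to how long a verified assertion keeps a browser trusted. The following added example (not code from the Spidasec project) audits that window on a constructed assertion; the one-hour session policy and the 60-second clock skew are assumptions, and signature verification, which a real service provider performs first with a hardened SAML library, is out of scope.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not taken from a real SPID identity provider).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" IssueInstant="2018-03-01T10:00:00Z" Version="2.0">
  <saml:Conditions NotBefore="2018-03-01T10:00:00Z" NotOnOrAfter="2018-03-01T10:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2018-03-01T09:59:58Z"
      SessionNotOnOrAfter="2018-03-01T22:00:00Z"/>
</saml:Assertion>"""

def _ts(value):
    """Parse a SAML UTC timestamp without fractional seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_assertion(xml_text, now, max_session=timedelta(hours=1),
                    skew=timedelta(seconds=60)):
    """Return findings about how long this assertion keeps a user trusted."""
    root = ET.fromstring(xml_text)  # constructed input only; no signature check here
    findings = []
    cond = root.find("saml:Conditions", NS)
    stmt = root.find("saml:AuthnStatement", NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        findings.append("no NotOnOrAfter: assertion never expires")
    else:
        if now >= _ts(cond.attrib["NotOnOrAfter"]) + skew:
            findings.append("assertion expired: reject")
        if "NotBefore" in cond.attrib and now + skew < _ts(cond.attrib["NotBefore"]):
            findings.append("assertion not yet valid: reject")
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        findings.append("no AuthnStatement: cannot bound the session")
        return findings
    end = stmt.attrib.get("SessionNotOnOrAfter")
    if end is None:
        findings.append("no SessionNotOnOrAfter: SP must impose its own session limit")
    elif _ts(end) - _ts(stmt.attrib["AuthnInstant"]) > max_session:
        # The longer the session, the longer an infected browser can reuse it.
        findings.append("session outlives policy: re-authenticate after %s" % max_session)
    return findings

if __name__ == "__main__":
    at = datetime(2018, 3, 1, 10, 2, tzinfo=timezone.utc)
    for finding in audit_assertion(SAMPLE, at):
        print(finding)
```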
For more information about the project, you can visit the Italian Spidasec website.
In the picture, Spidasec logo.
In the first quarter of 2018, SPID had more than 2 million digital identities issued and over 4,000 active public administrations. Despite the obligation for public administrations to join SPID by the end of 2017, few of them have chosen it as the only means of identification, and those are the ones that had no other identification systems; the other public administrations prefer to keep offering the “traditional” methods already in use. Investing in SPID, however, is crucial: in the coming years, this identification system will become increasingly used thanks to the work that Consulthink is pursuing with Spidasec.
Technical components of the platform
– infrastructure for access to services through SPID in the University of Calabria;
– a component for the integration and management of different data sources (service access logs, open data, system monitoring data and others);
– an analytical module that interfaces with the data management component and allows algorithms for user profiling and for scoring actions and accesses to be applied;
– dashboards to evaluate the level of security of the platforms and services distributed by service providers and to warn, when unknown threats and vulnerabilities are discovered, of the need to implement appropriate remediation plans and countermeasures;
– a near real-time module to identify and monitor anomalies in the use of the SPID system;
– use of machine learning algorithms: these algorithms will make it possible to implement effective user protection strategies and to detect new forms of attack, in order to provide a reliable and secure system that responds to the different needs of the citizen towards the public administration.
Trust & Reputation
The different services with which the user interacts daily are considered as entities that grant the user a certain degree of “trust”. Based on this value, it will be possible to calculate the reputation of the user who operates in the system and to adopt effective control and monitoring strategies. The reputation value calculated by the machine learning algorithms integrated into the platform could be used in different ways:
– to define appropriate security policies with different levels of risk;
– to update the trust value of the services integrated into the platform;
– for the calculation of indicators related to the correct use of the platform.
Recognition of individuals
The literature describes various methods to recognize an individual:
– correspondence of name, surname, date and place of birth, tax code;
– fingerprint analysis;
– retinal scan;
– use of usernames and passwords;
– facial recognition;
– analysis of data and behavior of individuals.
The latter is the method that Spidasec wants to use because in this way it will be possible to recognize an individual based on the actions he performs daily. Naturally this solution is not free from problems such as data acquisition and storage, the variety and dispersion of data to analyze and the variation in user behavior over time.
The project is divided into 6 work packages (WP), 4 of industrial research and 2 of experimental development.
WP1 analyzes the level of criticality and security of the services based on digital identity (identification of use cases and analysis of security issues). The purpose of WP1 is the collection of standards, national and international norms, policies and corporate guidelines applicable to digital identity services; their reorganization into thematic groups (for example governance, procedures, technical controls); the creation of a “meta-standard” that unifies the security/compliance requirements of the various regulations and company guidelines; and the analysis of current digital identity services (AS-IS), both existing and experimental. Furthermore, by analyzing the problems of each current scenario, it will be possible to work out the likely characteristics and problems of future scenarios in which innovative solutions could be applied in the Identity Cooperation or Social Identity.
Logical-functional requirements are analyzed and modules for the collection, analysis and processing of data are designed. These modules are integrated into the SPID infrastructure.
Metrics are collected and analyzed from the point of view of computational automation. Later, these metrics can be used to identify the technologies used to develop the web application under analysis. Subsequently, the collection activity will greatly benefit the analysis of the known vulnerabilities of the technology used. WP2 will also make it possible to design the most suitable technological architecture for the working framework. Furthermore, basic behaviors in the use of the web application will be analyzed so that they can subsequently be turned into threshold elements for identifying any anomalous uses of the web application. All this will raise the level of security of SPID.
Machine Learning and Data Analytics techniques are defined to analyze the risks of the entities involved in the SPID infrastructure and the improper uses of the infrastructure.
Information regarding the entities of the SPID platform is integrated, aggregated and combined. The dataset that will be produced must contain: behaviors not previously recognizable to the user, and institutional open data or data collected from the web (such as social data, blogs and Google Analytics). Data Analytics techniques are defined to identify the main risk profiles of users and of all entities involved in the SPID platform. It will be possible to divide users into various profiles according to their characteristics and their behavior. The goal is to easily identify anomalous behaviors in the use of the platform in order to intervene promptly.
The research activity to identify the algorithms useful for user profiling is a very delicate task, since the algorithms must be able to work even when the information about the users has missing data, which is a frequent situation.
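The two ideas above, turning baseline behavior into thresholds and coping with missing user data, can be combined as in the following added example, which is an illustration and not the algorithm chosen by the Spidasec project. The feature names, the sample history, the MAD floor of 1.0 and the threshold of 3.0 are all assumptions.

```python
from statistics import median

# Constructed daily usage history for one user; None = value not collected.
HISTORY = [
    {"logins": 3, "services": 2, "distinct_ips": 1},
    {"logins": 2, "services": None, "distinct_ips": 2},
    {"logins": 4, "services": 2, "distinct_ips": 1},
    {"logins": 3, "services": 3, "distinct_ips": None},
    {"logins": 2, "services": 2, "distinct_ips": 1},
]

def build_baseline(history, min_obs=3):
    """Per-feature (median, MAD), computed only from the values that are present."""
    baseline = {}
    for name in {key for row in history for key in row}:
        values = [row[name] for row in history if row.get(name) is not None]
        if len(values) < min_obs:
            continue  # too little data: no threshold for this feature yet
        med = median(values)
        mad = median(abs(v - med) for v in values)
        # Floor the spread so a perfectly regular user does not divide by zero
        # (1.0 is an assumed floor that suits small count features).
        baseline[name] = (med, max(mad, 1.0))
    return baseline

def score(observation, baseline):
    """Mean robust deviation over the features present on both sides.

    Missing features are skipped, not imputed; returns None when there is
    nothing to compare, so callers can tell "unknown" from "normal".
    """
    devs = [abs(observation[name] - med) / mad
            for name, (med, mad) in baseline.items()
            if observation.get(name) is not None]
    return sum(devs) / len(devs) if devs else None

def is_anomalous(observation, baseline, threshold=3.0):
    """True when the observation deviates from the baseline beyond the threshold."""
    s = score(observation, baseline)
    return s is not None and s > threshold

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    today = {"logins": 40, "services": None, "distinct_ips": 7}
    print(score(today, base), is_anomalous(today, base))
```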
Study of SPID integration models in university services and use case definition.
The information systems of the University of Calabria, with reference to the current authentication and authorization mechanisms, become the experimentation environment for the techniques and algorithms of the work package activities.
Models of integrated credential management will be studied. These models will be added to the current procedures of user authentication of UNICAL systems with the respective public digital identities based on SPID.
In addition, it will be verified that what has been achieved during these activities is consistent with the provisions of the “Agenda Digitale AGID” (Digital Agenda).
Regarding the methodologies used, techniques to analyze the requirements (to understand the needs of end users), reverse engineering (for the functioning of legacy systems), methodologies of design, development and release based on the method of continuous development and delivery (DevOps) will be used.
Software will be designed for the near real-time detection of improper uses of digital identity.
This software will be available in “as a service” mode for an easier integration and usability of the service. The purpose is to ensure the correct use of the services distributed, identifying in time the possible anomalies to block or report them immediately to business analysts. WP5 also includes the creation of documentation material of the product, both illustrative and informative to be delivered to business analysts.
The software product will be developed with an Agile methodology strongly oriented to Test Driven Development (TDD). This approach guarantees continuous feedback from the actors involved and limits regression bugs. A series of simple, queryable APIs will be produced to maximize the reusability of the code and minimize its duplication.
Creation of a software system for the automatic verification of potential vulnerabilities of the IT platforms involved in the distribution of SPID services.
The tests made by the software will be extended to different fields: web applications, web servers, and applications and/or servers connected to these. The final aim of the product is the security of critical infrastructures, identifying the possible flaws of the system in time and ensuring data availability, integrity and confidentiality.
The product, developed following the Agile methodology, follows the principles of the Test Driven Development model, the cornerstone of the eXtreme Programming methodology. Unit and integration tests will have particular importance in reducing the effort related to bug fixing and in facilitating acceptance tests.
The software product will be created by dividing it into several application modules that can be installed separately on different virtual containers in order to maximize their scalability.
Consulthink partners for Spidasec: the University of Calabria
The University of Calabria will distribute Athens services to students and teachers using SPID.
The University of Calabria has always been a promoter of innovation thanks to the technological transfer of research results and collaboration with other public and private organizations, both national and international.
Consulthink partners for Spidasec: Catenate
Catenate focuses on the design and implementation of information technology solutions. It specializes in middleware platforms, IT architectures such as Service Oriented Architecture (SOA) and analytical business solutions. Its solutions can be used in many sectors: telecommunications, motoring, finance, energy and public administration. It is the largest partner of TIBCO Software Inc. In recent years, Catenate has specialized in machine learning and Big Data processing.
Consulthink partners for Spidasec: Coremuniti
The name of Coremuniti is linked with the Mozaiko platform, a platform for sharing computing resources. It is simple to use, safe and fast, and it allows those who work in the 3D rendering sector to save money, time and energy when they need large, low-cost computational resources. The goal is to create a peer-to-peer network where nodes can decide how many resources to share. Mozaiko finds its ideal habitat in the 3D scene rendering sector, where users’ computers are generally busy for several hours or days.
Consulthink partners for Spidasec: the “Istituto di Calcolo e Reti ad Alte Prestazioni del Consiglio Nazionale delle Ricerche (ICAR-CNR)”
The research activities of the ICAR-CNR are related to 5 macro-areas (Cognitive Systems, Distributed Systems, IoT, Knowledge and Data, Bioinformatics). The results of research activities carried out are the subject of scientific dissemination, through the publication in international journals and the participation in national and international conferences and workshops. The themes of innovative and complex research range from cognitive systems, to robotics, to human-computer interaction, to cloud computing, to parallel and distributed computing environments and to advanced Internet technologies. Besides, the “Istituto di Calcolo” is the promoter of many successful start-ups. For Spidasec, ICAR-CNR uses its Data Analytics solutions to ensure users’ safety and to prevent and detect threats to digital privacy and identity.