OPENi presentation entitled "Implementing a User-Centric Datastore with Privacy Aware Access Control for Cloud-based Data Platforms" at OWASP AppSecEU 2015, May 2015

1. Open-Source, Web-Based, Framework for Integrating Applications with Cloud-based
Services and Personal Cloudlets.
Open-Source, Web-Based, Framework for Integrating Applications with Cloud-based
Services and Personal Cloudlets.
“Open-Source, Web-Based, Framework for Integrating
Applications with Social Media Services and Personal
Cloudlets”
www.openi-ict.eu
IMPLEMENTING A USER-CENTRIC DATASTORE WITH
PRIVACY AWARE ACCESS CONTROL FOR CLOUD-
BASED DATA PLATFORMS
Paul Malone, Waterford Institute of Technology

2. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
OPENi Project
The OPENi research project aims to inspire innovation in the
mobile applications industry through the development of an
open-source platform for consumer-centric mobile cloud
applications.
AppSecEU 2015

3. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
AppSecEU 2015
OPENi project software is released as PEAT (http://peat-platform.org)

4. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
AppSecEU 2015
Architecture

5. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Mobile Client Library
To provide convenient access to the API, security,
and Personal Cloudlet frameworks, OPENi provides
the following mobile client libraries.
 A cross-platform HTML/JavaScript library for use in
HTML5 and Apache Cordova mobile web-apps
 A native Android client library.
AppSecEU 2015

6. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Security framework
The security framework is responsible for access
control functionality and is tightly coupled with the
Cloudlet and API Frameworks.
It provides users more control over their personal
data and the cloud-based services that they interact
with.
AppSecEU 2015

7. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
API framework
 An open framework that is capable of
interoperating with a variety of cloud-based
services.
 Promotes innovation by offering application
developers a framework that will enable them to
design and build complex applications involving
the combinations of independent cloud-based
services.
AppSecEU 2015

8. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Personal Cloudlet framework
 Provides application consumers with a single
location to store and control their personal data.
 In conjunction with the security framework,
empowers application consumers to remain in
control of their data.
 Consumers are assured their data is not being
used without their consent.
AppSecEU 2015

9. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Personal Cloudlet Objectives
1. To build key technological enablers to ensure the
practical applicability and efficient use of the OPENi
platform.
2. To deliver an open source platform that will allow
application consumers to create, deploy and manage
their personal space in the cloud (Personal Cloudlet).
Each Personal Cloudlet constitutes an entity that will be
linked to its user's identity.
AppSecEU 2015

10. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Personal Cloudlet Objectives
3. To provide and promote a novel, consistent, user-centric
application experience of cloud-based services not only
across different devices but also across different
applications.
4. To ensure the OPENi platform maintains a low barrier to
entry for application developers and service providers.
AppSecEU 2015

11. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
How should a secure and privacy concerned web based
framework be developed in order to provide user-centric
management to dynamic data and APIs, while providing
the developer with the ability to access the data in a
privacy concerning manner?
AppSecEU 2015

12. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Implementation
AppSecEU 2015

13. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Key Technologies
 JavaScript/Node.js
 Mongrel2 (Web server)
 ZMQ (Message Bus)
 JWT (State)
 Swagger (REST
Definitions)
 CouchBase (NoSQL
Datastore)
 JSON (Data format, used
in transport and at rest)
 Micro-services/Distributed
Application
AppSecEU 2015

14. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Personal Cloudlet Framework
AppSecEU 2015

15. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Data Storage Component
 Capable of storing user, app-specific, and internal
cloudlet data.
 Data may be in various forms such as text, graphical,
audio etc. therefore the data storage component of the
cloudlet framework is capable of accommodating binary
files as well as structured JSON data.
AppSecEU 2015

16. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Notification
 This component is responsible for communicating with
the platform’s users. Current message transport
mechanisms supported are:
 email
 SMS
 REST call
 Server Side Events (SSEs)
 Google Cloud Messaging(GCM)
AppSecEU 2015

17. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Authentication, Authorisation, and
Accounting
 Authentication and authorisation mechanisms are
handled by the security framework, however accounting
and auditing is handled in the cloudlet framework.
 The details of all access requests, subsequent actions and
cloudlet responses is monitored and logged by the
accounting component. These logs are available in the
cloudlet GUI for the cloudlet owner to inspect.
AppSecEU 2015

18. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Data Access
 All data is accessed via a set of APIs, namely Data API
and Type API. They ensure a consistent access point for
all services such as apps, the API framework, and 3rd
party services.
 In conjunction with the Authentication, Authorisation,
Accounting component and permissions, the cloudlet
owner is in full control of who and what can access each
piece of data in their Personal Cloudlet.
AppSecEU 2015

19. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Cloudlet GUIs
 To empower Cloudlet owners in the management of
their cloudlets they have a standalone GUI, separate to
the on app interface. GUI features include:
 access logs viewing
 preference editing
 permissions editing.
AppSecEU 2015

20. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
User Centric & Privacy Preserving Features
 JSON Web Tokens
 Base64 encoded JSON objects
 Enable REST based frameworks manage sessions and claims
 In OPENi used to apply context to 3rd
party access to
personal cloudlets
AppSecEU 2015

21. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Types of Tokens
 Session Token: user and
developers can log into
the system and interact
with the data in their
cloudlets
 Auth token is generated
through the SDK.
Combined user and
developer login. User
through GUI &
developer through API
and secret keys.
AppSecEU 2015

22. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Types of Tokens
AppSecEU 2015
 Auth token restricts data access
to data common to both app
developer and user as dictated
through permissions mechanism.

23. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
User Centric & Privacy Preserving Features
 Data Reusability; App Interoperability
 Data persisted in a NoSQL document store
 Cloudlet is composed of a set of JSON Objects
 All objects (user data) adhere to a predefined OPENi Type
 All types are public and can be reused by developers across
applications
AppSecEU 2015

24. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Data Reusability - Types
 User data is stored as JSON
objects.
 Types describe and set rules for
objects.
 Types are used by the system
to validate data as is it added
 Types are used to give users
better understanding of their
data.
AppSecEU 2015

25. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Data Reusability - Types
 @reference is a human readable description
of the type e.g. “User profile”
 @context contains an array of object
members and their rules.
 Dictates if the member is required, if it is a
single value or an array, it can even restrict
the possible values.
 The members primitive type must also be
listed.
 Supports int, string, data, timestamp, float,
base64, url, gps, and other Types.
 @context is a human readable description of
the object member.
AppSecEU 2015

26. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Data Reusability - Types
 Types are public and reusable by the developer
community.
 Types are immutable, once they are created they cannot
be altered.
 Types are tightly integrated with the Auth dialogs and
permissions mechanism.
 A Type Builder GUI is provided to make it easier to build
types. (Next Slide)
AppSecEU 2015

27. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Type Builder
AppSecEU 2015

28. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
User Centric & Privacy Preserving Features
 Fine Grained Access Control
 Cloudlet objects have an associated permissions object
 Permissions objects provide information on which apps are
allowed access the object
 App developer can request access by object or type
 Requests can be be scoped by app and cloudlet
 Cloudlet owner can edit permissions based on type, app etc
AppSecEU 2015

29. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
AppSecEU 2015

30. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
User Centric & Privacy Preserving Features
 User Dashboard
 Data Browsing
 View data categorised by type or app
 Auditing
 A view of access request/response
 Permissions
 View and edit permissions
 Notifications
 Set notifications for data access requests
AppSecEU 2015

31. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Use Case: Ayda Fertility Tracker
 Ayda is IoT startup which
deals with private
personal data.
 Wearable device monitors
users body.
 Daily device log is
augmented with user
provided information.
 Data persisted to
OPENi/PEAT backend
AppSecEU 2015

32. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Ayda Android App Integration
 Use utility classes to persist data
to the backend.
 User Auth and session
management is automatically
handled by the client lib.
 Add a number of types through
admin portal.
 Create permissions manifest with
types.
 Include client lib in android
application
AppSecEU 2015

33. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Ayda Android App: Sample
Types
AppSecEU 2015

34. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Permissions Dialog
 Permissions combined
with data in type objects
to build meaningful auth
dialogs.
 User can choose to
approve or cancel
request.
 Approval can be revoked
later through user
dashboard.
AppSecEU 2015

35. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
User Dashboard
 Link to User Dashboard
embedded in SDK. Swipe
to the right to bring up
menu.
 The user is taken off app
for security reasons.
 Data displayed on a per
type basis.
 Information is presented in
a more user friendly
manner by using the
content of the the Types.
AppSecEU 2015

36. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
User Dashboard  User can
manipulate their
data and
permissions
directly through
the dashboard
AppSecEU 2015

37. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
User Dashboard
 Permissions are listed on
a per application basis.
 Piwik analytics engine
was integrated into the
platform.
 Applied it in a non-
traditional manner.
Instead of showing app
developers how often a
user engages with their
service we inform users
when app developers
access their data.
AppSecEU 2015

38. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open Source
 Website
 http://peat-platform.org/
 GitHub:
 https://github.com/peat-platform/
 Cloudlet deployment script:
 https://github.com/peat-platform/peat-deploy-script
AppSecEU 2015

39. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Conclusion
 OPENi has developed a Personal Cloudlet Framework
 Developers can define (or reuse pre-existing ) types and
permissions manifests for those types per application
 Users can view and edit permissions on a per-app or per-
cloudlet level
 Users can view access requests and responses
 Open source implementation
 (http://peat-platform.org)

40. Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Open-AppSecEU 2015
Source, Web-Based, Framework for Integrating Applications with Cloud-based Services
and Personal Cloudlets.
Thank You
?
AppSecEU 2015