Mapping security measures to threats

Copyright © 2010 Open Geospatial Consortium, Inc.

| Security Measure \ Threat | Data destruction | Unauthorized creation of malicious subscriptions | Unauthorized modification and corruption of data |
|---|---|---|---|
| Non-repudiation | Yes. Provide a proof that certain operations related to data deletion actually happened, e.g. secure log, notarization, signatures. | Yes. Provide a proof that certain operations related to subscription creation actually happened, e.g. secure log, notarization, signatures. | Yes. Provide a proof that certain operations related to data modification and corruption actually happened, e.g. secure log, notarization, signatures. |
| Data confidentiality | No. Encrypted data can be deleted. | No. Encryption is not applicable here. | No. Certain encryption algorithms allow modification of data without actually decrypting it. |
| Data integrity | Yes. The Event Service can provide a proof that data or part of the data has been deleted, e.g. in storage, processing and transmission of data, by applying certain cryptographic techniques. | N/A. Integrity of subscriptions is ensured by authorization. | Yes. The Event Service can provide a proof that data or part of the data has been modified, e.g. in storage, processing and transmission of data, by applying certain cryptographic techniques. |
| Availability | No | No | No |
| Privacy | No | No | No |
| Communication security | Yes. Ensure data transported between endpoints is not deleted. | Yes. Ensure data transported between endpoints is not modified. | Yes. Ensure data transported between endpoints is not modified. |

Table 36: Mapping security measures to threats – part two

| Security Measure \ Threat | Theft and loss of data | Unauthorized disclosure of data | Service disruptions affecting SLA |
|---|---|---|---|
| Authentication | Yes. Verify the identity of the entity attempting to view data. | Yes. Verify the identity of the entity attempting to receive data. | Yes. Verify the identity of the entity attempting to perform certain operations affecting availability of the service. |
| Authorization | Yes. Ensure that only authorized entities can access data. | Yes. Ensure that only authorized entities can receive data. | Yes. Ensure that only authorized entities can perform certain operations affecting availability of the service, e.g. creating a number of subscriptions with complex filters. |
| Non-repudiation | Yes. Provide a proof that certain operations related to theft and loss of data actually happened, e.g. secure log, notarization, signatures. | Yes. Provide a proof that certain operations related to access and disclosure of data actually happened, e.g. secure log, notarization, signatures. | Yes. Provide a proof that certain operations related to service interruption actually happened. |
| Data confidentiality | Yes. Every entity in the system can protect data flow, data processing and data storage against unauthorized access or viewing by applying certain cryptographic techniques, e.g. encryption and decryption. | Yes. Every entity in the system can protect data flow, data processing and data storage against unauthorized access or viewing by applying certain cryptographic techniques, e.g. encryption and decryption. | No. Encrypted data does not affect availability. |
| Data integrity | No. Signed data can be viewed. | No. Signed data can be stolen and viewed. | No. Signed data can be viewed by an unauthorized third party. |
| Availability | No | No | Yes. Ensure that access to the Event Service by authorized entities cannot be denied. |
| Privacy | No | Yes. Privacy measures may allow data publishers and subscribers to determine what information the Event Service may collect, store and disclose about those entities. For example, the Event Service might not be able to collect the IP address and geographic location of subscribers, or statistics about various entities. | No |
| Communication security | Yes. Ensure data transported between endpoints is not intercepted. | Yes. Ensure data transported between endpoints is not diverted. | No. Availability is not affected by using secure communication. |
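The "secure log, notarization, signatures" entries in the non-repudiation and data-integrity rows above can be realized as a hash-chained, signed audit log of Event Service operations, which yields the proof of deletion or modification the tables ask for. The following Go example is added here and is not part of the OGC document; the key pair, the `Entry` and `AuditLog` types and the logged operation names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)
// Entry is one record of a hash-chained, signed audit log (constructed example).
// Each record commits to the previous record's hash, so altering, removing or
// reordering an interior record breaks the chain; the ECDSA signature binds the
// record to the Event Service's key so it cannot be forged or later disowned.
type Entry struct {
	Op   string // operation logged, e.g. "Subscribe" or "DeleteData"
	Prev []byte // hash of the previous record; nil for the first
	Sig  []byte // ASN.1 ECDSA signature over entryHash(Op, Prev)
}
// AuditLog is the service-side log; the key pair is generated here for the demo.
type AuditLog struct {
	key     *ecdsa.PrivateKey
	Entries []Entry
}
func NewAuditLog() *AuditLog {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return &AuditLog{key: k}
}
func (l *AuditLog) Public() *ecdsa.PublicKey { return &l.key.PublicKey }
func entryHash(op string, prev []byte) []byte {
	h := sha256.Sum256(append([]byte(op+"|"), prev...))
	return h[:]
}
// Append records an operation and signs the resulting chain hash.
func (l *AuditLog) Append(op string) {
	var prev []byte
	if n := len(l.Entries); n > 0 { prev = entryHash(l.Entries[n-1].Op, l.Entries[n-1].Prev) }
	sig, err := ecdsa.SignASN1(rand.Reader, l.key, entryHash(op, prev))
	if err != nil { panic(err) }
	l.Entries = append(l.Entries, Entry{op, prev, sig})
}
// Verify rebuilds the chain with only the public key. Dropping records from the
// tail is not caught here; that needs the latest hash anchored externally (the
// notarization the tables list next to secure logs and signatures).
func Verify(pub *ecdsa.PublicKey, entries []Entry) bool {
	var prev []byte
	for _, e := range entries {
		h := entryHash(e.Op, e.Prev)
		if !bytes.Equal(e.Prev, prev) || !ecdsa.VerifyASN1(pub, h, e.Sig) { return false }
		prev = h
	}
	return true
}
```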

8.1.5 Threat Mitigation in WS- Environment

This section explains which technologies can be used in a WS- environment to realize the security measures discussed in section 8.1.3.

Table 37: Realization of security measures in a WS- environment

| Security measure | Realization |
|---|---|
| Authentication | The entities may include message signatures in messages as specified by WS-Security [4],[6],[7]. WS-Trust [5] defines a secure token service for managing and distributing security tokens in a distributed environment. WS-Security provides the means to attach security tokens to the message. These security tokens can be username/password, SAML tokens [10], X.509 certificates, etc. |
| Authorization | WS-Security provides the means to attach various tokens to the message. WS-Trust defines a secure token service for managing and distributing security tokens, which may include authorization attributes, in a distributed environment. For example, the SAML 2.0 profile of XACML 2.0 [11] may provide a security token with certain authorization obligations. One can also use X.509 attribute certificates and certificate authorities. In addition, WS-Federation [9] provides authorization claims between federated partners. |
| Non-repudiation | XML signatures and WS-ReliableMessaging [2] may provide a non-repudiation service. WS-ReliableMessaging defines ordered delivery, duplicate elimination and guaranteed receipt, while XML signatures ensure the integrity of those artifacts; see also section 8.2. |
| Data confidentiality | Messages can be encrypted as specified by WS-Security. WS-Security allows encryption of any combination of body blocks, header blocks and any of their sub-structures, by either a common symmetric key shared by the producer and the recipient or a symmetric key carried in the message in encrypted form. For example, XML Encryption can be used to encrypt XML contents. |
| Data integrity | Include message signatures in messages as specified by WS-Security. For example, XML signatures can be used. |
| Availability | WS-Trust and WS-Federation provide a means of brokering identity management. This would ensure that only authenticated and authorized users can access certain information and perform operations. |
| Privacy | WS-Federation provides protection of privacy claims across organizational boundaries. For example, WS-Federation defines a parameter in the request security token message that indicates which claims are requested to be protected. It provides a standard for confidential tokens, parameter confirmation and obtaining privacy statements. |
| Communication security | WS-SecureConversation [8] defines security context establishment, sharing and session key derivation. An example of using a secure transport protocol is SOAP over HTTPS. |

8.1.6 Threat Mitigation in RESTful Environment

This section explains which technologies can be used in a RESTful environment to realize the security measures discussed in section 8.1.3.