82 Copyright © 2010 Open Geospatial Consortium, Inc.

8.1.2.1.4 Spoof of identity

Spoof of identity is an attack where an entity pretends to be a different entity. This attack is usually used with some other forms of attacks. For example, an authorized entity with few privileges may use a false identity to obtain extra privileges by impersonating an entity that has those privileges.

8.1.2.1.5 Intermediary network devices

The proxy devices, firewalls, NAT network address translators are devices that act as intermediaries for data flow between various entities. These devices may prevent incoming data flow to be passed to its final destination or other intermediaries in case of a multihop system e.g. data passes thought multiple devices or hops until it reaches its destination. This situation happens but is not limited to delivering notifications to subscribers. For example, a firewall might be configured to only accept a data flow as a response to a request originated from a domain protected by the device itself. NAT device might hide private IP addresses from being exposed into public IP domain. In addition, these problems might be aggravated by frequent usage of DHCP service dynamic IP addressing which allows IP address to be leased from a pool of IP addresses over certain amount of time or per session basis, DNS service i.e. resolving URL symbolic address to actual IP address and any combination of devices, services mentioned above or network topology. This kind of problems could be mitigated by configuring those devices to allow certain types of traffics andor using static IP addresses. For example, NAT static address mapping entry could be added to allow incoming data flow from an entity e.g. Event Service which has a fixed public IP address to be translated to a private IP address of the destination entity e.g. subscriber. A firewall could be configured to allow incoming traffic from entities using fixed IP addresses to be propagated to the final destination. Some protocols could be better designed to handle firewall problems transparently e.g. SOAP over HTTP while some people may argue that is not a good practice.

8.1.2.1.6 Trojan horse type of attacks

Trojan horse attack usually consists of authorized and unauthorized operations and is usually combined with other threats and attacks like unauthorized disclosure of data and message reply. For example, a subscriber may request notifications to be delivered to an entity that is not authorized to receive them.

8.1.3 Security measures

Security features usually increases the system costs. The cost could be reflected in system performance degradation and in increased complexity for implementing, configuring and maintaining the system. Each security threat and vulnerability should be analyzed to determine whether or not an appropriate security measure is required. In addition, some threats might not be realized in practice due to system deployment environment e.g. network topology and trade-off between effort and risks that a particular threat will be exploited. Copyright © 2010 Open Geospatial Consortium, Inc. 83 There are eight security measures identified to address particular aspects of security threats. They are discussed in the following sections.

8.1.3.1 Authentication

The authentication measure serves to confirm the identities of communicating entities. The authentication ensures the validity of the claimed identities of the entities participating in Event Service communication e.g. publishers, subscribers, brokers.... One common requirement in such an environment is the authentication of the participants in the system that communicate with each other as the information that is exchanged must come from trusted sources. This requires that two communication entities have to authenticate with each other no matter in which topologic position in the system they are. This could be achieved by exchanging security tokens between the entities to prove their identity or using some kind of distributed identity management system e.g. brokered trust relationships to manage identities within a particular domain or cross domains. A security token is essentially a collection of claims. The most common security tokens are UsernamePassword combination, SAML tokens and X.509 Public Key Infrastructure PKI or any combination of them. The PKI provides a standard for strong authentication, based on public key certificates and certification authorities. SAML is the framework for communicating user authentication, authorization, and attribute information in a distributed Web Services environment. SAML allows entities to make assertions regarding the identity, and attributes of a subject to other entities. The authentication can be on a transaction, session, temporal or some other basis. For example, in case of distributed identity management the entity might obtain security tokens and establish security context for certain limited time period or session duration. In the context of the Event Service the authentication process may be performed when a data provider registers a data source with the Event Service andor with every data event that is send to the Event Service. Often, a subscriber needs to authenticate itself with the Event Service in order to be allowed access to certain events and operations. It is important to note that the authentication security measure not only addresses user authentication but also has to authenticate the individual services that participate in the Event Service notification distributed processing.

8.1.3.2 Authorization or access control

The authorization measure protects against unauthorized access to certain resources e.g. data, operations. The authorization measures ensure that only authorized entities e.g. personnel, device, software agent... are allowed access to stored information, information flows and services. The authorization requirement in a SOA environment supporting the Event Service determines who can do what on which service under certain conditions. Authorization policies can be attached to the subject that wants to access a service e.g. Role Based Access Control or assigned to the target that the subject wants to access e.g. Resource Based or both. The implementation of the authorization security can be