Entity data cannot be separated for security.

[hide-hayashi]

Hi,We try to run Fogflow using "UseCase on Anomaly Detection". When I get entity data from Fog Flow Broker, all entity data are Accessible, I think It contains security risks. What is the way for separating entity data like Orion by Fiware-Service and Fiware-ServicePath?

[showersky]

Right now we are extending the intent-based programming model to support data usage control in FogFlow. In that case, FogFlow will use some policy-based data usage control, based on some token-based data access control. I also do not think the way to use FIWARE-SERVICE AND FIWARE-SERVICEPATH is a good design to deal with this issue.

[hide-hayashi]

Thank you for replying. In your response, I understood that access control is supported in the intent-base version. However, please tell us why the design by FIWARE-SERVICE and FIWARE-SERVICEPATH is not suitable.

Since FogFlow is a component of FIWARE, are there any interchangeability problems by making it different from Orion?

[rahafrouz]

Just my personal opinion: I think the security in general can become quit complicated when it comes to a distributed system such as fogflow with different components. Security also depends on the policies. For a specific use-case, broker data could be sensitive, while for another use-case maybe not. So, I think "security risks" is subjective.

If you think of possible fogflow components (broker, worker, master, rabbitmq, discovery, operators, docker-registry, possible iot-agents, ... ) the interaction between each of the components could be secured. each interaction can be secured to ensure confidentiality and integrity, and there are normal ways to do so. You can go ahead and implement one!

However, there are so many interesting challenges in fog/edge computing that are still unsolved that FiWARE has the potential to be an answer to. I think for now the focus of fogflow has been about the these amazing features (which not so many platforms support).

Regarding the orion security mechanism, the interoperability of FiWARE components means that they should stick to the contract/standards, which in FIWARE case is NGSI. Orion can implement security features as they want, but that is not a standard, unless they publish it and we all agree that every FiWARE component uses that approach. (It could be very nice, but I don't know anythign about it).

There are good things about FogFlow that other platforms lack. For example, performance of FiWARE broker is much better than Orion, but it may not be totally complete in terms of implementation. (According to a specific use-case that I compared few months ago, so I am very scientific here :D )

I know that there was an example operator developed in FogFlow for connecting to Orion, but I didn't test it. If security is important for you maybe you can take a look there?

[hide-hayashi]

Thank you for replying. Could you please as bellows URL. I would like to refer it.

I know that there was an example operator developed in FogFlow for connecting to Orion, but I didn't >test it. If security is important for you maybe you can take a look there?

[showersky]

In terms of security, we have already implemented the secured communication between FogFlow cloud node and FogFlow edge nodes, which is based on HTTPs. This feature has been tested. Of course, this is mainly for the secured communication between cloud nodes and edge nodes. It is not for data access control or data usage control. For these two topics, we have some ongoing internal project to address these two issues.

[hide-hayashi]

Thank you for your kind explanation.