Development of cloud services using SEMIRAMIS

The STRATEGIC framework has integrated the SEMIRAMIS [1] results with the aim of providing trusted and secure components to cloud services provided by public administrations. These trusted and secure components, included in the cross-border attribute exchange service, have been integrated in the cloud Certificate of Residence Service provided by both the StariGrad and the Genoa municipalities.
Next we demonstrate how public bodies can take advantage of the results of European projects to give citizens more secure and trusted cross-border online services.
European public administrations need to adapt to a dramatically changing world in which the need to communicate with each other and exchange information, not only at local or regional level but also in cross-border scenarios, is growing steadily. In this sense public bodies are meeting citizens’ increased demand for online services. In this context ICT helps administrations to provide more secure and trusted services.
By leveraging SEMIRAMIS outcomes, the Certificate of Residence service can improve secure access to information and the exchange of information in cross-border scenarios.
During the project a prototype comprising two components, the Federation Proxy (FP) and the Identity Aggregator (IA), was implemented. During the last stage of the project these components were improved:
• Allowing the use of “attribute release” policies applicable to the FP, which establish which attributes may not be released by the federation;
• Providing integrity of the data using a more secure connection between the different components.

Benefits for Public administrations
Public administrations can leverage the trust chain and the flexibility that the SEMIRAMIS infrastructure provides for exchanging information and attributes with each other.
The following figure outlines the different possibilities that the SEMIRAMIS components allow. The FP component allows public bodies belonging to a specific European federation to establish a trusted interaction between different countries across Europe. This means, for instance, that any Italian municipality that has joined the Italian Municipality Federation can exchange data with another municipality belonging to the Serbian Municipality Federation, as the pilot developed during the STRATEGIC project shows.
The IA not only allows public bodies to interact with the FP for a cross-border interaction, but also allows a public body to interact with another public administration belonging to the same federation in the same country. It also allows a public administration to interact with another public administration that has joined a different federation. For instance, an Italian municipality such as Genoa can exchange data with the municipality of Rome based on the already established trust relationship. Based on the same trust relationship, the municipality of Genoa can exchange data with an Italian university. This communication between different federations is not limited to country boundaries, because the IA can establish a trusted relationship with both the IA and the FP component.

SEMIRAMIS components in action
The following picture describes the general process in which the IA and the FP are involved, providing a secure and trusted cross-border environment.

In particular, the Municipality of Stari Grad in Belgrade and the city of Genoa agreed to allow citizens of the foreign country to register online using the SEMIRAMIS infrastructure. The following picture shows how this process works when a Serbian citizen uses the cloud-based Genoese Certificate of Residence service to register in the city of Genoa.

Thanks to the SEMIRAMIS components, a trusted and secure chain is established between both municipalities, assuring the integrity of the user data provided by the counterpart service.

Benefits for developers
Not only public administrations can take advantage of SEMIRAMIS outcomes, but also developers willing to integrate these services. Besides the SEMIRAMIS service components (IA and FP), an additional component called the IA client is provided for integrating the Certificate of Residence (COR) service into the SEMIRAMIS service. This client must be embedded into the COR service to access the IA component, and it facilitates the developers’ implementation work.
Additionally, mock attribute provider and authentication services are provided to the pilots for both testing and implementation purposes.
Even though the integration process for developers comprises just a few steps, a training session with developers and technical staff is recommended in order to facilitate the integration of SEMIRAMIS components. To this end, a couple of technical sessions have been held with the two pilot partners, clarifying and supporting the integration process.
[1] SEMIRAMIS project: http://semiramis-cip.atosresearch.eu/

Development of cloud services using STORK

The STRATEGIC framework has integrated the STORK [1] results with the aim of providing trusted and secure components to cloud services provided by public administrations. The Cross-Border Authentication (CBA) service has been integrated in the cloud Open Market Business Service provided by the municipality of Genoa.
The use of electronic identity (eID) for securely accessing online public administration services is being promoted by the European Commission, not only at country level but also by extending the use of online services from other EU Member States in a secure way. By leveraging STORK outcomes, these services can provide secure, interoperable authentication in cross-border scenarios, enabling STORK to perform authentication on their behalf.
During the project the STORK component was updated for better integration with the cloud-based Genoese business service. During the final stage of the project this component was improved, including:

  • Non-repudiation improvement: this was assured by storing the signed assertions encrypted, as proof of the use of the Business activities engine.
  • Integrity of the data: using secure connections between the different components.

Benefits for Public administrations

The STORK infrastructure represents the main identity management initiative in Europe, establishing a European eID interoperability platform that will allow citizens to authenticate across borders using their national eID.
The use of STORK allows a European public administration to provide online services in a cross-border scenario. In this case the Open Market Business service provided by the municipality of Genoa uses the CBA component to access the STORK network, giving European citizens the opportunity to securely use foreign services with their eIDs.
The following figure describes the communication structure and the different components of which the STORK network is built.


The figure shows two PEPS, one in the country of the user (called citizen), one in the country of the service provider. In STORK, the former is called C-PEPS (Citizen-PEPS), the latter S-PEPS (Service-Provider-PEPS). The authentication process is as follows:

  1. The process starts with the user accessing a STORK service provider.
  2. The STORK service provider issues a call to the CBA component, which issues an authentication request to the S-PEPS. This request declares the required attributes using the national attribute domain of the service provider.
  3. The S-PEPS translates the required attributes to the attribute domain of the citizen’s country (a step called “mapping” in STORK), locates the responsible PEPS for the citizen (i.e., C-PEPS), and forwards the authentication request.
  4. In response, after authenticating the user via the Authentication Portal, the C-PEPS sends a SAML assertion back to the S-PEPS, which then applies the inverse attribute translation and issues a new assertion containing these translated attributes.
  5. The service provider, on receiving this assertion, grants access to the resource.
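The five steps above, traced in code as an added example (not STORK or STRATEGIC code). It assumes JSON bodies with an HMAC as a stand-in for signed SAML assertions; the node names, keys, attribute names and citizen record are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo keys; real STORK nodes sign SAML with X.509 key pairs.
KEYS = {"C-PEPS-ES": b"demo-key-c-peps", "S-PEPS-IT": b"demo-key-s-peps"}
# Hypothetical attribute names: SP (Italian) domain -> citizen (Spanish) domain.
IT_TO_ES = {"nome": "nombre", "cognome": "apellidos", "codiceFiscale": "dni"}
ES_TO_IT = {es: it for it, es in IT_TO_ES.items()}

def sign(issuer, attributes, in_response_to):
    """Issue an assertion: canonical JSON body plus an HMAC over it."""
    body = {"issuer": issuer, "in_response_to": in_response_to,
            "attributes": attributes}
    payload = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

def verify(assertion, expected_issuer, request_id):
    """Return the attributes only if issuer, request binding and MAC all check."""
    body = assertion["body"]
    if body["issuer"] != expected_issuer or body["in_response_to"] != request_id:
        raise ValueError("unexpected issuer or request id")
    payload = json.dumps(body, sort_keys=True).encode()
    good = hmac.new(KEYS[expected_issuer], payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, assertion["mac"]):
        raise ValueError("assertion integrity check failed")
    return body["attributes"]

def c_peps_authenticate(request_id, wanted, citizen_record):
    """Step 4, C-PEPS side: after login, assert only the requested attributes."""
    released = {k: citizen_record[k] for k in wanted if k in citizen_record}
    return sign("C-PEPS-ES", released, request_id)

def s_peps_handle(request_id, required_it, citizen_record):
    """Steps 3 and 4: map the request, forward it, verify and translate the reply."""
    wanted_es = [IT_TO_ES[a] for a in required_it]            # "mapping"
    reply = c_peps_authenticate(request_id, wanted_es, citizen_record)
    attrs_es = verify(reply, "C-PEPS-ES", request_id)
    attrs_it = {ES_TO_IT[k]: v for k, v in attrs_es.items()}  # inverse mapping
    return sign("S-PEPS-IT", attrs_it, request_id)            # new assertion

def service_provider_login(request_id, required_it, citizen_record, tamper=None):
    """Steps 1, 2 and 5: request via the CBA, grant access only on a valid reply."""
    assertion = s_peps_handle(request_id, required_it, citizen_record)
    if tamper:
        assertion["body"]["attributes"].update(tamper)  # simulated in-transit change
    try:
        attrs = verify(assertion, "S-PEPS-IT", request_id)
    except ValueError:
        return None
    missing = [a for a in required_it if a not in attrs]
    return None if missing else attrs

# Constructed citizen record held in the citizen's country.
CITIZEN = {"nombre": "Ana", "apellidos": "Garcia Lopez", "dni": "00000000T",
           "fechaNacimiento": "1980-01-01"}
```

The service provider receives only the attributes it declared, in its own attribute domain, and refuses access when the assertion was altered after signing, is bound to a different request, or lacks a required attribute.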

This kind of STORK service is not restricted to cross-border authentication; Italian citizens can also take advantage of the Italian STORK network.

In summary, the use of the CBA component gives the online services of public bodies access to the STORK network, taking advantage of its trust and security features.

STORK component in action

During the project the CBA component was integrated into the cloud-based Genoese Business service.
The following picture shows how a Spanish citizen applies for a business opening license from the Genoese Business service. For this purpose the Spanish citizen needs to provide her identity using the Spanish IdP belonging to the STORK network.


Benefits for developers

The integration of the STORK network into the cloud STRATEGIC platform is an easy process and involves the deployment of the CBA on the managed cloud, and the configuration of this STORK service.
Besides the CBA service component, an additional component called the CBA client is provided for integrating the Open Market Business Service into the CBA service. This client can be embedded into the Business service to access the CBA component, and it facilitates the developers’ implementation work.
The CBA client can also be used for both testing and implementation purposes.

STORK component evolution

The STORK network has evolved from version 1.0 to STORK 2.0. The eIDAS Regulation (910/2014) [2] entered into force in September 2014, and adapting to it will be compulsory for public administrations in September 2018, as the following figure shows.


The eIDAS Regulation, which includes the development of an interoperability framework and encourages governments to make their eID schemes more cross-border friendly, can be positive for STRATEGIC. The influence of the eIDAS Regulation might help to lower the legal and technical hurdles and increase the number of possible eID means that the Brokers service can support.
The eIDAS Regulation enables the use of electronic identification means and trust services (i.e. electronic signatures, time stamping, registered electronic delivery, etc.) by citizens, businesses and public administrations to access online services or manage electronic transactions.

Currently the eSENS European project, based on the STORK project, is trying to facilitate the deployment of cross-border digital public services through generic and re-usable technical components. There are 20 European countries involved, which means that most of the European public bodies are developing the new nodes for the future network. The CBA service will evolve by upgrading to this new network in the near future.

More information:
[1] STORK project: https://www.eid-stork.eu/
[2] EU eIDAS Regulation: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG

Evaluating STRATEGIC: The City of Genoa pilot case

STRATEGIC pilots – The City of Genoa: deploying an open data application in the Cloud with STRATEGIC


Genoa is one of the most important cities in Italy, the third largest in the North and the capital of the Liguria region. It is located in the Gulf of Genoa in front of the Ligurian Sea. The Municipality of Genoa is the local Public Administration of the city.
The Municipality of Genoa’s experience in cloud computing dates back some years, to when its own private cloud was included in the Ligurian Region data center. Since then Genoa has extended its focus on cloud culture and technologies, also by participating in different EU and international projects (for instance ClouT, ICity, Radical, MoveUs etc.) spanning different aspects, from IaaS/PaaS/SaaS solutions to IoT and so on.
The topic of exploiting cloud services is rapidly evolving, but many problems still remain unsolved, especially for Public Administration needs.
Among the main aspects of interest in using cloud solutions there is the need for scalability, clear costs and ease of deployment for applications, possibly with different cloud providers. A critical aspect has to do with strong security enforcement, given the rising risk of hacks, as well as redundancy and minimization of downtime.

Most, if not all of the issues above, are tackled by the STRATEGIC project. In order to deploy new instances of an application, an easy-to-use GUI/control app is provided to the personnel in charge. You can take a glance at the main dashboard for our pilot in the picture below.

It is possible to deploy any of the many applications provided, some of which are unique to Public Administration scenarios, on different public and/or private clouds. Information on the many features provided can easily be found in other articles on this site.
On our premises we decided to also experiment with a private cloud (our own IaaS), which is interfaced with the above GUI/control app and allows applications to be deployed directly on our local VMs.
See below a screenshot of the instances of some applications deployed on our private cloud (which is in this case an OpenStack platform).

STRATEGIC has some features we consider of interest. First, it is quite easy to deploy fully operational applications with different clouds, virtual infrastructures and computational power. The underlying idea is to have an ample set of applications particularly devoted to Public Administrations, some of which are re-usable in different countries. In fact, two of the main applications we experimentally deployed have to do with cross-border business activities and the issuing of certificates.
The applications can have different levels of security protection, including intelligent data protection, which can be decided and modified at run time according to need, in terms of both functionality and cost.
The ease of use doesn’t mean one cannot customize, in great detail, both the deployment and the many parameters of workloads, cloud profiles etc. at run time. On the contrary, it is even possible to write personalized scripts.
In the context of our pilot one of the applications we deployed was a CKAN Open Data portal. See below a screenshot of the home page.


The deployment of the application is quite straightforward, and we have already experienced moving the fully deployed application from/to different cloud instances.
The overall end-user experience after deployment of this portal is nearly the same as for the portal we had previously deployed on our local servers. What differs is the time that was required to deploy the application, the possibility to scale and easily move the application along with its data, the different levels of security we can impose depending on the needs, and so on.
Finally, given that the applications are deployed on VMs on an IaaS, remote SSH access is always possible in order to do some fine tuning or other operations if needed, as we did for example to make minor adjustments to the application’s appearance.

 

Evaluating STRATEGIC: The pilot case of Municipality of Stari Grad, Serbia

The Municipality of Stari Grad (MoSG) is part of the local government system and is one of the central municipalities in the City of Belgrade, Serbia. Its central location, and the value and importance of the cultural and historical heritage of the Old Town area, are extremely attractive to many economic activities, especially trade and banking. The MoSG is one of the three pilots in the STRATEGIC project. The goal of this blog is to explain how MoSG is using cloud in its organization and also how the STRATEGIC Service Store is used for the deployment of MoSG services.

Major benefits from STRATEGIC for MoSG and its users
For MoSG:

  • Cutting costs for infrastructure and applications
  • Increase effectiveness of current services
  • Get experience of cloud services’ usage
  • Get experience of the STRATEGIC service store usage
  • Service migration to the chosen private IaaS in Serbia
  • Get experience in cross-border cloud e-government services
  • Getting experience of some cross-border e-gov services with some EU country (Italy)
  • Getting experience in using cross-border identity management

For MoSG’s citizens:

  • Increase in cloud confidence (no impact to same service over cloud = good impact)
  • Getting experience of cross-border attribute exchange
  • Covering the ever increasing needs of the users by taking advantage of the elastic capabilities of the cloud
  • Availability of open Public Sector Information to its citizens
  • To be additionally determined during the testing

Deployed MoSG applications/use cases through the STRATEGIC service store
During the STRATEGIC project, the Municipality of Stari Grad (MoSG) has deployed the four previously defined e-government services, as well as one additional service (based on LimeSurvey), through the STRATEGIC Service Store on the privately hosted IaaS implemented in Serbia (from one service provider – Orion Telecom) and connected to the STRATEGIC service store, and has used them for piloting activities. In total 4 servers were dedicated to the creation of the MoSG private cloud, based on OpenStack, that is used for hosting the StariGrad use cases/applications.

MoSG is using the OpenStack IaaS established in Serbia, with the help and coordination of SingularLogic (SiLO) as the MoSG technical partner in the STRATEGIC project, for all pilot scenarios, and utilizes the existing OpenStack flavours for the testing and evaluation of both STRATEGIC as a framework and the deployed applications.

There are four originally defined applications that are deployed in the cloud for MoSG in the scope of the STRATEGIC project:

  • StariGrad-1 – Cloudified version of already existing different certificate request services (birth, death, marriage, etc.).
  • StariGrad-2 – Development of the cross-border residence certificate issuance service based on outcomes of the SEMIRAMIS project. Related to Genoa-3 use case.
  • StariGrad-3 – Development of the cloud based email service for internal users of MoSG.
  • StariGrad-4 – CKAN based Open Data cloud service. Development of the Open data sets relevant to MoSG.

Use case #1: MoSG certificate request service
In this use case a cloudified version of the certificate request service of the Municipality of Stari Grad has been created using the STRATEGIC Service Store. The application is used for sending requests for certificates (birth, death, marriage) for a citizen. The application has a form that must be filled in to send a request. When a proper request is sent, received and validated by the application, the application automatically sends an email to the predefined email address of the civil servant responsible for issuing the requested certificate. When the civil servant receives the request, he issues the actual certificate by calling another application, which is not in the scope of the project. The part of the process for requesting the certificate and sending the email with the corresponding data to the civil servant is in the scope of this cloudified certificate issuance application and thus in the scope of the STRATEGIC project. Two versions of the application have already been tested: one using default/test email addresses of the organization and one using the email accounts created through the use case #3 scenario of MoSG. The service is available on www.certificates.starigrad.org.rs.

Use case #2: Cross-border attribute exchange using SEMIRAMIS
The use case for the cross-border attribute exchange service (cross-border residence certificate) is based on the outputs of the SEMIRAMIS project and is a joint use case with Genoa-3. The SEMIRAMIS components are offered as part of the STRATEGIC framework, and the required components (Serbian FP and IA) have already been deployed on MoSG’s IaaS with the technical help of ATOS and SILO. The development and necessary customization of the MoSG Service Provider (SP) component, which will be integrated with the basic SEMIRAMIS components, has been finalized.
Based on the initial cross-border application provided by ATOS, the necessary development, configuration and code modifications have been done by MoSG in collaboration with ATOS. The Service Provider component of the MoSG is available on the following domain/URL: www.crossborderresidence.starigrad.org.rs

Use case #3: Deployment of an email solution for MoSG
In this use case a cloud-based email service for internal users of MoSG has been created. After a detailed analysis, the open source iRedMail mail server was chosen to be cloudified through the STRATEGIC Service Store. After some initial tests with iRedMail in a testbed deployment, the email service was packaged, published in the STRATEGIC Service Store and deployed on SILO’s OpenStack-based cloud infrastructure during year 2 of the project. This application is to be configured and parameterized by MoSG’s technical team through the STRATEGIC Service Store.

The iRedMail cloud webmail service has been deployed on MoSG’s private IaaS using the STRATEGIC Service Store and is used by internal MoSG users for evaluation purposes.
Use case #4: Open Data of MoSG
In this use case, a CKAN-based open data application has been published on STRATEGIC Service Store and used by MoSG. After the deployment of the application through Service Store, further customization has been done and open datasets have been uploaded by MoSG’s team and are available for download.

The application has been deployed on the MoSG private IaaS, is published at the following URL: www.opendata.starigrad.org.rs, and has already been tested by some internal users from MoSG and SiLO.
