Automated Risk Assessment and What-if Analysis of OpenID Connect and OAuth 2.0 Deployments / Dashti, S.; Sharif, A.; Carbone, R.; Ranise, S. - 12840:(2021), pp. 325-337. (Paper presented at the 35th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy, DBSec 2021, held in Canada, 19-21/07/2021) [10.1007/978-3-030-81242-3_19].

Automated Risk Assessment and What-if Analysis of OpenID Connect and OAuth 2.0 Deployments

Ranise S.
2021-01-01

Abstract

The introduction of the revised Payment Services Directive (PSD2) has accelerated the growth of financial services and open banking. Deploying appropriate identity management solutions is crucial, which implies adopting secure protocols for authentication and authorization such as OpenID Connect (OIDC) and OAuth 2.0. PSD2 also requires the application of the General Data Protection Regulation (GDPR) when transactions involve personal data. In turn, the GDPR mandates a Data Protection Impact Assessment (DPIA) to assess the risks posed to data subjects' rights and freedoms. This is a time-consuming and challenging task requiring heterogeneous skills: knowledge of best practices for deploying the protocols, of the security mechanisms offered by the available identity management providers, and the capability to perform a careful what-if analysis of the possible alternatives. To assist users in this task, we propose a methodology based on formalizing the what-if analysis as an optimization problem that available tools can solve. The formalization is derived from the OAuth 2.0 and OpenID Connect standards, from security best practices for mitigating known threats, and from a thorough evaluation of 19 identity management providers, checked for their support of the identified set of features for OAuth/OIDC solutions. We apply the methodology to assist controllers in identifying the most appropriate security setup and to drive the process of making financial services compliant with PSD2.
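To make the idea of "what-if analysis as an optimization problem" concrete, the following is an added toy example, not the paper's formalization or its provider data. It exhaustively searches the subsets of hardening features a given identity provider supports and picks the one that mitigates the most threats within a deployment-effort budget. The feature-to-threat mapping follows public specifications (RFC 6749 sec. 10, RFC 7636, RFC 8705, OIDC Core, OAuth 2.0 Security BCP); the effort costs, the provider names `idp_alpha`/`idp_beta` and their supported-feature sets are constructed assumptions for illustration.

```python
"""Toy what-if analysis over OAuth 2.0 / OIDC deployment options.

Pick the hardening features a provider supports so that the number of
mitigated threats is maximised within an effort budget. Illustration only:
the feature/threat mapping follows RFC 6749, RFC 7636, RFC 8705, OIDC Core
and the OAuth 2.0 Security BCP; the effort costs and the provider catalogue
are constructed for this example and are not the paper's data.
"""
from itertools import combinations

# feature -> (threats it mitigates, relative deployment effort [constructed])
FEATURES = {
    "pkce": ({"code_interception"}, 1),                         # RFC 7636
    "state": ({"csrf_on_redirect"}, 1),                         # RFC 6749 10.12
    "nonce": ({"id_token_replay"}, 1),                          # OIDC Core 3.1.2.1
    "exact_redirect_uri": ({"code_leak_via_open_redirect"}, 2), # RFC 6819 / BCP
    "refresh_rotation": ({"refresh_token_replay"}, 2),          # OAuth 2.0 Security BCP
    "mtls_client_auth": ({"access_token_replay", "client_impersonation"}, 4),  # RFC 8705
    "private_key_jwt": ({"client_impersonation"}, 3),           # OIDC Core 9
}

# Hypothetical providers and the features each supports (constructed).
PROVIDERS = {
    "idp_alpha": {"pkce", "state", "nonce", "exact_redirect_uri", "refresh_rotation"},
    "idp_beta": {"state", "nonce", "exact_redirect_uri", "mtls_client_auth", "private_key_jwt"},
}

ALL_THREATS = set().union(*(threats for threats, _ in FEATURES.values()))


def mitigated(features):
    """Union of the threats covered by the selected features."""
    covered = set()
    for f in features:
        covered |= FEATURES[f][0]
    return covered


def cost(features):
    """Total deployment effort of the selected features."""
    return sum(FEATURES[f][1] for f in features)


def best_setup(provider, budget):
    """Exhaustive search over subsets of the provider's supported features.

    Objective: maximise the number of mitigated threats; ties are broken on
    lower effort, then lexicographically so the result is deterministic.
    Returns (chosen_features, residual_threats).
    """
    supported = sorted(PROVIDERS[provider])
    best = None
    for k in range(len(supported) + 1):
        for combo in combinations(supported, k):
            if cost(combo) > budget:
                continue  # infeasible under this budget
            key = (-len(mitigated(combo)), cost(combo), combo)
            if best is None or key < best:
                best = key
    if best is None:
        return (), ALL_THREATS  # only reached for a negative budget
    _, _, combo = best
    return combo, ALL_THREATS - mitigated(combo)


def what_if(budget):
    """Compare every provider under the same budget."""
    return {p: best_setup(p, budget) for p in PROVIDERS}


if __name__ == "__main__":
    for provider, (features, residual) in what_if(7).items():
        print(provider, features, "residual:", sorted(residual))
```

The residual set is the part a practitioner would carry into a DPIA: with a budget of 7 the first provider leaves access-token replay and client impersonation unmitigated because it offers no mTLS or asymmetric client authentication, while the second leaves code interception open because it lacks PKCE. A real instance would feed the same kind of feature/threat/support matrix to a SAT, SMT or MILP solver instead of brute force, but the shape of the question is the same.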
2021
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
GEWERBESTRASSE 11, CHAM, CH-6330, SWITZERLAND
Springer Science and Business Media Deutschland GmbH
978-3-030-81241-6
978-3-030-81242-3
Dashti, S.; Sharif, A.; Carbone, R.; Ranise, S.
Files for this item:
No files are associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11572/333121
Warning: the data displayed here have not been validated by the university.
