1,237 research outputs found

    Secure external access to Odoo

    The aim of this thesis is to investigate, by means of a literature review, how to implement the Odoo enterprise resource planning (ERP) system securely with external connectivity. A further aim was to form an understanding of the best practices available for creating external connections to the ERP without putting the company's core data at risk. The commissioner of this thesis is a manufacturing company in Finland that uses the open-source ERP system Odoo. In the future there is a strong need to enable connectivity with external parties such as partners, suppliers and customers as well, meaning that several modules of the same ERP application need to be enabled for external use. The theoretical framework introduces the main purpose of ERP systems, their advantages and disadvantages, and the different delivery models and acquisition options. Information security is introduced at a high level, with a focus on application, database and ERP-specific security aspects. The architectural structure of an ERP, together with application and database security mechanisms, is seen as crucial in responding to security challenges. The three-tier architecture model, which Odoo also supports, is seen as more secure than one- or two-tier models. As companies today operate across traditional company borders, secure business partner access to enterprise data is needed. Traditional ERP security methods have to be reconsidered so that use over external connections can also meet companies' security needs. At the moment, best-practice security mechanisms for web ERPs do not yet seem to be widely established.

    Access Control for IoT: Problems and Solutions in the Smart Home

    The Internet of Things (IoT) is receiving a considerable amount of attention from both industry and academia due to the business models that it enables and the radical changes it introduced in the way people interact with technology. The widespread adoption of IoT in our everyday life generates new security and privacy challenges. In this thesis, we focus on "access control in IoT": one of the key security services that ensures the correct functioning of the entire IoT system. We highlight the key differences with access control in traditional systems (such as databases, operating systems, or web services) and describe a set of requirements that any access control system for IoT should fulfill. We demonstrate that the requirements are adaptable to a wide range of IoT use case scenarios by validating the requirements for access control elicited when analyzing the smart lock system as a sample use case from the smart home scenario. We also utilize the CAP theorem for reasoning about access control systems designed for the IoT. We introduce MQTT Security Assistant (MQTTSA), a tool that automatically detects misconfigurations in MQTT-based IoT deployments. To assist IoT system developers, MQTTSA produces a report outlining detected vulnerabilities, together with (high-level) hints and code snippets to implement adequate mitigations. The effectiveness of the tool is assessed by a thorough experimental evaluation. Then, we propose a lazy approach to Access Control as a Service (ACaaS) that allows the specification and management of policies independently of the Cloud Service Providers (CSPs) while leveraging their enforcement mechanisms. We demonstrate the approach by investigating (also experimentally) alternative deployments in the IoT platform offered by Amazon Web Services on a realistic smart lock solution.

    Platform for efficient switching between multiple devices in the intensive care unit

    Introduction: This article is part of the Focus Theme of Methods of Information in Medicine on "Managing Interoperability and Complexity in Health Systems". Objectives: Handheld computers, such as tablets and smartphones, are becoming more and more accessible in the clinical care setting and in Intensive Care Units (ICUs). By making the most useful and appropriate data available on multiple devices and facilitating the switching between those devices, staff members can efficiently integrate them into their workflow, allowing for faster and more accurate decisions. This paper addresses the design of a platform for the efficient switching between multiple devices in the ICU. The key functionalities of the platform are the integration of the platform into the workflow of the medical staff and providing tailored and dynamic information at the point of care. Methods: The platform is designed based on a 3-tier architecture with a focus on extensibility, scalability and an optimal user experience. After identification to a device using Near Field Communication (NFC), the appropriate medical information will be shown on the selected device. The visualization of the data is adapted to the type of the device. A web-centric approach was used to enable extensibility and portability. Results: A prototype of the platform was thoroughly evaluated. The scalability, performance and user experience were evaluated. Performance tests show that the response time of the system scales linearly with the amount of data. Measurements with up to 20 devices have shown no performance loss due to the concurrent use of multiple devices. Conclusions: The platform provides a scalable and responsive solution to enable the efficient switching between multiple devices. Due to the web-centric approach, new devices can easily be integrated. The performance and scalability of the platform have been evaluated and it was shown that the response time and scalability of the platform were within an acceptable range.

    Multi-Dimensional Model Based Engineering for Performance Critical Computer Systems Using the AADL

    The Architecture Analysis & Design Language (AADL), Society of Automotive Engineers (SAE) AS5506, was developed to support quantitative analysis of the runtime architecture of the embedded software system in computer systems with multiple critical operational properties, such as responsiveness, safety-criticality, security, and reliability, by allowing a model of the system to be annotated with information relevant to each of these quality concerns and AADL to be extended with analysis-specific properties. It supports modelling of the embedded software runtime architecture, the computer system hardware, and the interface to the physical environment of embedded computer systems and systems of systems. It was designed to support a full Model Based Engineering lifecycle including system specification, analysis, system tuning, integration, and upgrade by supporting modelling and analysis at multiple levels of fidelity. A system can be automatically integrated from AADL models when fully specified and when source code is provided for the software components.

    A Service-Oriented Approach for Network-Centric Data Integration and Its Application to Maritime Surveillance

    Maritime-surveillance operators still demand an integrated maritime picture that better supports international coordination of their operations, as sought in the European area. In this area, many data-integration efforts have been interpreted in the past as the problem of designing, building and maintaining huge centralized repositories. Current research activities are instead leveraging service-oriented principles to achieve more flexible and network-centric solutions to systems and data integration. In this direction, this article reports on the design of a SOA platform, the Service and Application Integration (SAI) system, targeting novel approaches for legacy data and systems integration in the maritime surveillance domain. We have developed a proof-of-concept of the main system capabilities to assess the feasibility of our approach and to evaluate how the SAI middleware architecture can fit application requirements for dynamic data search, aggregation and delivery in the distributed maritime domain.

    Enabling the Collaborative Collection of Uncertainty Sources Regarding Confidentiality

    With increasing digitalization, the amount of sensitive data stored in software systems is growing. However, in many cases the confidentiality of this data cannot be guaranteed, because uncertainties that affect the confidentiality of the data exist, particularly in the early phases of software development. Since such uncertainties are not yet sufficiently considered and researched, software architects lack awareness of the topic. Furthermore, the existing knowledge is scattered across different researchers and institutions, which makes it difficult for software architects to gather and use that knowledge in one place. Current research on uncertainties regarding confidentiality focuses on analyzing software systems to assess the possibilities of confidentiality violations, and on developing methods for classifying uncertainties. However, these approaches are limited to the uncertainties observed by the researchers, which restricts the generalizability of classification systems, the validity of analysis methods, and the development of mitigation strategies. This work aims to contribute to the collection and management of knowledge about uncertainties regarding confidentiality, in order to enable software architects to better understand such uncertainties and to identify them in their software architectures. In addition, the proposed approach is intended to enable collaboration between researchers and practitioners in order to keep the effort of collecting the knowledge as low as possible. To validate this approach and its ability to meet the research goals, a prototype was developed and evaluated in a user study with 17 participants from the field of software engineering, including 7 students, 5 researchers and 5 practitioners. The results show that the approach can support software architects in identifying and describing uncertainties regarding confidentiality, even for people with limited prior knowledge, as they were able to correctly identify and describe uncertainties in 94.4% of cases in a near-real environment.

    Personal Data Management Systems: The security and functionality standpoint

    Riding the wave of smart disclosure initiatives and new privacy-protection regulations, the Personal Cloud paradigm is emerging through a myriad of solutions offered to users to let them gather and manage their whole digital life. On the bright side, this opens the way to novel value-added services when crossing multiple sources of data of a given person or crossing the data of multiple people. Yet this paradigm shift towards user empowerment raises fundamental questions with regard to the appropriateness of the functionalities and the data management and protection techniques which are offered by existing solutions to lay users. These questions must be answered in order to limit the risk of seeing such solutions adopted only by a handful of users and thus leaving the Personal Cloud paradigm to become no more than one of the latest missed attempts to achieve a better regulation of the management of personal data. To this end, we review, compare and analyze personal cloud alternatives in terms of the functionalities they provide and the threat models they target. From this analysis, we derive a general set of functionality and security requirements that any Personal Data Management System (PDMS) should consider. We then identify the challenges of implementing such a PDMS and propose a preliminary design for an extensive and secure PDMS reference architecture satisfying the considered requirements. Finally, we discuss several important research challenges remaining to be addressed to achieve a mature PDMS ecosystem.

    Advantages of low-code in Intranet Portals: Enhancing the visualization of internal data in a major retail chain through low-code applications

    Internship Report presented as the partial requirement for obtaining a Master's degree in Information Management, specialization in Information Systems and Technologies Management. LIDL, a major multinational retail chain with branches spread across the globe, has many internal processes that aren’t centralized. In each country branch, information is dispersed within several platforms, in different formats, which in turn makes data harder to analyze, slowing down procedures that are frequently used within each division of the major retail chain. With this problem in mind, LIDL has decided to invest in Low-Code, giving the liberty to each country to develop its own internal portal to counter this problem. With this, each branch centralizes all its essential information in one place. By choosing low-code, LIDL has given each country the freedom of developing the necessary applications in record time, providing a way to experience omnichannel experiences without giant budgets and costly development teams. The results of this study show why portal development should be done with Low-Code, the synergy that is built between the two concepts and the many advantages that follow. To defend these claims, the work done during my internship will be showcased and analyzed.

    Moving To The Cloud: Transitioning From Client-Server To Service Architecture

    This paper makes the case that the traditional three-tier client-server architecture requires a major overhaul to address the changing and rapidly increasing information processing and services needs of consumers. Revisions to the conventional architecture model are suggested and two examples of information systems applications are discussed to illustrate how the new information service architecture fits into the realm of future systems development