Chisinau 2004NATO ANW1 Security Issues for e-Society Oliver B. Popov MSU, SU, SCMU NATO ANW The...
-
Upload
laurence-flowers -
Category
Documents
-
view
212 -
download
0
Transcript of Chisinau 2004NATO ANW1 Security Issues for e-Society Oliver B. Popov MSU, SU, SCMU NATO ANW The...
Chisinau 2004 NATO ANW 1
Security Issues for e-Society
Oliver B. PopovMSU, SU, SCMU
NATO ANWThe Third CEENet Workshop
on Managerial Issues - MIXRENChisinau, October 200
Chisinau 2004 NATO ANW 2
On Security
Security is mostly a superstition. It does not exists in nature…
Chisinau 2004 NATO ANW 3
Content
e-Government definition Aspects of Security Systems Challenges for e-Government Concerns of e-Citizens Integration Privacy Perils and threats Summary
Chisinau 2004 NATO ANW 4
e-Government
Definition: e-Government is a combination of interconnected heterogeneous information systems in which Government agencies Business – private sector Public
exchange high volumes of data in order to attain seamless and secure information flow, service integration, and effective and transparent decision-making process for the benefit of every citizen.
Chisinau 2004 NATO ANW 5
Fundamental Issues
Networks should be secure as any other real-life systems, no more no less.
Balance between the cost of protection and the risk of loss
When risk is less than the cost of recovering from a failure in security then investment in better systems decreases
The myth of “perfect” security
Chisinau 2004 NATO ANW 6
Aspects of Secure Systems
Policy (definition what to do – specification)
Mechanism (Transformation of what into how – implementation)
Assurance (Does it match reality and how well – validation, verification, or assurance)
Chisinau 2004 NATO ANW 7
Policy Making – Defining Needs
Secrecy – who gets the information Integrity – how to use info resources
and transformation Availability – accessing info resources in
easy and efficient manner Accounting – who has done it and when
Chisinau 2004 NATO ANW 8
Security Problems
Information has been changed, transformed, and damaged that has rendered unusable – integrity
Service disrupted or severely impaired – availability
Leakage and theft of data – secrecy Private information made public –
secrecyPolicy as a concept selector – positive and negative
Chisinau 2004 NATO ANW 9
Mechanisms for Security
Strategies Isolation Exclusion Restriction Recovery Punishment
Access Control Model Information Flow Control
Chisinau 2004 NATO ANW 10
Access Control Models
Traditional Discretionary (DAC) Mandatory (MAC)
Novelty Rule-based Access Control (RBAC) Task-based Access Control (TBAC) Tickets-based
Chisinau 2004 NATO ANW 11
AAA or Au Standard
Authentication Authorization Auditing
Chisinau 2004 NATO ANW 12
Validation and Verification
Trusted Computing Base – TCB Redundancy – combination of several
levels – network, computer, and applications
Simple translates to perfection for both users and administrators
Chisinau 2004 NATO ANW 13
Challenges for EG
Interoperability among different systems with respect to security
Methods and metrics for the state of the democratic processes
Building and maintaining multiple partnerships as key to human networking
Management of electronic archives Availability and equity of access
Chisinau 2004 NATO ANW 14
Challenges for the e-Citizens
Omnipresence of info protection Privacy Identification – Digital signatures Accessibility Security Return and corrective procedures Credibility Social profiles Level of sharing Responsiveness
Chisinau 2004 NATO ANW 15
Integration
Semantic heterogeneity Interoperability
Autonomy principle Security principle
Risk and assurance propagation Management
Chisinau 2004 NATO ANW 16
Resolving Integration I
Policy and meta-policy specification Conflict resolution Interaction Preference of RBAC over DAC and MAC TBAC (where the authorization unit is a
task) just emerging
Architectural models CORBA OSF DCE
Chisinau 2004 NATO ANW 17
Resolving Integration II
Multi agent systems Adaptive Cooperative Autonomous Mobile yet increased complexity and questionable
efficiency (a lot of overhead).
Database federation Aggregation of several database systems
Chisinau 2004 NATO ANW 18
Privacy
Definition: A right of individuals, groups or organizations to determine when and how much of the information about them is communicated.
Communication – Encryption and PKI Database – problems with sensitive
personal information Solution – a combined effort by
technology, legislative, and public policy
Chisinau 2004 NATO ANW 19
Infrastructure Perils
Info WMD - DoS and DDos, Virtual sit-ins, blockades, computer viruses, worms, and logic bombs
Wide range of threats – from hacking activities to cyber terrorism
SEI at CMU
Breaches
Damages (USD)
2002 82094 20 billion
2003 137529 50 billion
Chisinau 2004 NATO ANW 20
Types of Threats for EG
National level Information (Cyber army) Intelligence (Cyber spies)
Shared treats Cyber terrorism Industrial patents and products Cyber crime
Local (hackers) Institutional Recreational
Chisinau 2004 NATO ANW 21
Summary
Difficult and open problems Integration of what is done so far It appears that RBAC works well in the
multi-domain environment and cooperates well with encryption and PKI
Possible aggregation with the FDM Multi agent systems Systems for risk analysis and security
assurance Threats management Combined models for privacy
Chisinau 2004 NATO ANW 22
Thank you