Chisinau 2004NATO ANW1 Security Issues for e-Society Oliver B. Popov MSU, SU, SCMU NATO ANW The...

Chisinau 2004 NATO ANW 1

Security Issues for e-Society

Oliver B. PopovMSU, SU, SCMU

NATO ANWThe Third CEENet Workshop

on Managerial Issues - MIXRENChisinau, October 200


On Security

Security is mostly a superstition. It does not exists in nature…


Content

e-Government definition Aspects of Security Systems Challenges for e-Government Concerns of e-Citizens Integration Privacy Perils and threats Summary


e-Government

Definition: e-Government is a combination of interconnected heterogeneous information systems in which Government agencies Business – private sector Public

exchange high volumes of data in order to attain seamless and secure information flow, service integration, and effective and transparent decision-making process for the benefit of every citizen.


Fundamental Issues

Networks should be secure as any other real-life systems, no more no less.

Balance between the cost of protection and the risk of loss

When risk is less than the cost of recovering from a failure in security then investment in better systems decreases

The myth of “perfect” security


Aspects of Secure Systems

Policy (definition what to do – specification)

Mechanism (Transformation of what into how – implementation)

Assurance (Does it match reality and how well – validation, verification, or assurance)


Policy Making – Defining Needs

Secrecy – who gets the information Integrity – how to use info resources

and transformation Availability – accessing info resources in

easy and efficient manner Accounting – who has done it and when


Security Problems

Information has been changed, transformed, and damaged that has rendered unusable – integrity

Service disrupted or severely impaired – availability

Leakage and theft of data – secrecy Private information made public –

secrecyPolicy as a concept selector – positive and negative


Mechanisms for Security

Strategies Isolation Exclusion Restriction Recovery Punishment

Access Control Model Information Flow Control


Access Control Models

Traditional Discretionary (DAC) Mandatory (MAC)

Novelty Rule-based Access Control (RBAC) Task-based Access Control (TBAC) Tickets-based


AAA or Au Standard

Authentication Authorization Auditing


Validation and Verification

Trusted Computing Base – TCB Redundancy – combination of several

levels – network, computer, and applications

Simple translates to perfection for both users and administrators


Challenges for EG

Interoperability among different systems with respect to security

Methods and metrics for the state of the democratic processes

Building and maintaining multiple partnerships as key to human networking

Management of electronic archives Availability and equity of access


Challenges for the e-Citizens

Omnipresence of info protection Privacy Identification – Digital signatures Accessibility Security Return and corrective procedures Credibility Social profiles Level of sharing Responsiveness


Integration

Semantic heterogeneity Interoperability

Autonomy principle Security principle

Risk and assurance propagation Management


Resolving Integration I

Policy and meta-policy specification Conflict resolution Interaction Preference of RBAC over DAC and MAC TBAC (where the authorization unit is a

task) just emerging

Architectural models CORBA OSF DCE


Resolving Integration II

Multi agent systems Adaptive Cooperative Autonomous Mobile yet increased complexity and questionable

efficiency (a lot of overhead).

Database federation Aggregation of several database systems


Privacy

Definition: A right of individuals, groups or organizations to determine when and how much of the information about them is communicated.

Communication – Encryption and PKI Database – problems with sensitive

personal information Solution – a combined effort by

technology, legislative, and public policy


Infrastructure Perils

Info WMD - DoS and DDos, Virtual sit-ins, blockades, computer viruses, worms, and logic bombs

Wide range of threats – from hacking activities to cyber terrorism

SEI at CMU

Breaches

Damages (USD)

2002 82094 20 billion

2003 137529 50 billion


Types of Threats for EG

National level Information (Cyber army) Intelligence (Cyber spies)

Shared treats Cyber terrorism Industrial patents and products Cyber crime

Local (hackers) Institutional Recreational


Summary

Difficult and open problems Integration of what is done so far It appears that RBAC works well in the

multi-domain environment and cooperates well with encryption and PKI

Possible aggregation with the FDM Multi agent systems Systems for risk analysis and security

assurance Threats management Combined models for privacy


Thank you

Chisinau 2004NATO ANW1 Security Issues for e-Society Oliver B. Popov MSU, SU, SCMU NATO ANW The...

Documents

Transcript of Chisinau 2004NATO ANW1 Security Issues for e-Society Oliver B. Popov MSU, SU, SCMU NATO ANW The...