Operational Security Assurance: “Requirements for a trusted future internet and privacy ·...

Page 1: Operational Security Assurance: “Requirements for a trusted future internet and privacy · 2010-09-17 · Object Security Requirements: AP_SAV: Security Assurance Views AP_SAV List

8/12/2010 Copyright © 2010 Alcatel-Lucent. All rights reserved.

Operational Security Assurance:

“Requirements for a trusted future internet and privacy"

Bertrand Marquet

Head of Security Research Dept (Acting)

Alcatel-Lucent Bell Labs France

Page 2

Agenda

• Introduction

• Operational Security Assurance

• Requirements for Security Assured Operations

• Assurance Profiles in operations

• Conclusion

Page 3

Introduction

Page 4

Several major transformations are occurring simultaneously

You will be here

Page 5

Technological context:

Telco is facing two major transformations

[Figure labels: Service providers; End users]

• Transformation of infrastructures
  – ICT Cloud; Elastic Telco Cloud
  – ICT infrastructures; IT Cloud (virtualized resources)
• Transformation of end devices
  – PCs, smartphones; application stores
  – Internet of Things; application stores
• Mastering risks of service infrastructures
• Protecting user experience: privacy and usability

Page 6

Social and economic context

[Figure labels: Service providers; End users]

• Everything is video
• Social life exposed
• Open platforms
• Content provider; Application provider
• New ecosystems
• Spikes in resource demand
• Need to comply with more and more regulations
• Open services and APIs

Page 7

Operational security assurance to provide guarantees

• Mastering risks of service infrastructures
• Protecting user experience: privacy
• Operational Security Assurance: protecting business and privacy

Page 8

Operational Security Assurance

Page 9

Linked European projects

Part of this work has been studied within EUREKA Celtic Project

2005-2007: BUGYO – CELTIC Excellence award

2009-2011: BUGYO beyond

Large-scale, multi-domain and dynamic infrastructures

Content of the following slides cannot be used without Alcatel-Lucent and BUGYO Beyond consortium written authorization

Page 10

Between risk management and trust management:

Include BUGYO wheel

[Figure: cycle diagram. Node labels: Risks, Countermeasures, Infrastructures, Metrics, Evidence, Assurance, Confidence. Relation labels: "that generate", "which leads to", "that minimize the", "that threaten the", "measured by", "which gives". Surrounding labels: Risk Management, Assurance Management, Measurement, Monitoring, Trust management, Assistance.]

Page 11

Top down approach: From service to indicators.

[Figure: layered diagram. Labels recovered from the diagram:]

• Inherent risks for the Service
• Identified risks for the Service
• Security Policy
• Security Controls realisation
• Procedures and Technical mechanisms enforcing or supporting security controls
• Running Security Controls: OK, OK, OK, NOK
• Side labels: Risk Assessment; Design & Implementation; Operational system
• Security Architecture
• Accepted risks
• Implementation gap (CC evaluation scope)
• Application gap (operational evaluation scope)

Page 12

Methodology and tools

Page 13

Requirements for Security Assured Operations

Page 14

[Figure: numbered layers 1. Service, 2. Service infrastructure, 3. Target of Measurement, 4. Security Assurance Views. Other labels: Assurance Profile (AP); SAV: Security Assurance Views; M; "Runs on"; Target Of Measurement; Critical Infrastructure Objects.]

Assurance profile: commonly agreed requirements

Page 15

[Figure: Assurance Profile structure, over Services/business and Service Infrastructure. Labels recovered from the diagram:]

• Assurance related components
• Security related components
• Infrastructure related components
• AP_TOM: Target of Measurement
• AP_SSO: Service Security Objectives
• AP_SMO: Object Measurement Objectives
• AP_CCL: Compliance Claim
• AP_REF: Reference
• AP_SAV: Security Assurance Views
• AP_OMR: Object Measurement Requirements
• AP_OSR: Object Security Requirements
• AP_SPD: Security Problem Definition

[Figure labels: AP; Target Of Measurement; Critical Infrastructure Objects; SAV: Security Assurance Views; M]

Assurance profile content

Page 16

[Figure: Assurance Profile structure by level, over Services/business and Service Infrastructure. Labels recovered from the diagram:]

• Objectives level; Requirements level; View level
• AP_TOM: Target of Measurement
• AP_SSO: Service Security Objectives
• AP_SMO: Object Measurement Objectives
• AP_CCL: Compliance Claim
• AP_REF: Reference
• AP_SAV: Security Assurance Views
• AP_OMR: Object Measurement Requirements
• AP_OSR: Object Security Requirements
• AP_SPD: Security Problem Definition

Compliance with an AP

Leveraging expertise in a common formalized format

Page 17

Associated method: From risk assessment to probes deployment

[Figure: flow diagram of the whole method, with stages numbered 1, 2, 3, 3’, 4, 4’, 5 and 6. Labels recovered from the diagram:]

• Services/business; Business model(s)
• Identification of Assets: Primary Assets; Supporting Assets; List of Supporting Assets classified by priority order
  – Perimeter and boundaries of the study [27005] 7.3
  – Business or processes activities of the company [27005] 7.3
  – List of objects with ownership [27005] 8.2.1.2
  – Location and function of objects [27005] 8.2.1.2
• Supporting assets evaluation
  – [27005] B.2 Break of activities or services
  – [27005] B.2 Reputation and financial loss
  – [27005] B.2 Agreement rupture
  – [27005] B.2 Confidence loss
• Selection; [AP] Threshold; [AP] Applicability criteria; List of Selected supporting Assets
• Other AP inherited risks (inheritance)
• AP_SPD: Security Problem Definition
• Risks identification
  – List of Threats [27005] 8.2.1.3
  – List of existing security measures [27005] 8.2.1.4
  – List of Vulnerabilities [27005] 8.2.1.5
  – List of consequences [27005] 8.2.1.6
• List of Risks
• Risks Level Estimation
  – List of Consequences Assessed [27005] 8.2.2.2
  – Likelihood of Risks Selected [27005] 8.2.2.3
• List of Risks with a valued risk level
• Risks Evaluation; Risk Acceptance Criteria [27005] 7.2; Risk Evaluation Criteria [27005] 7.2
• List of Risks classified by priority order
• Risks Reduction; Cost of treatment [27005]; List of risks selected for risk reduction
• List of Security Objectives from risks reduction
• List of identified security countermeasures
• List of existing security counter measures [27005] 8.2.1.4, with new identified for risk reduction
• AP_CCL: Compliance Claim; Identification of standards/Regulation/Policies; List of standards/regulations/Policies/Best practices
• Part 1 SFR [ISO15408]; [ISO27002-ISO27011]; [other standards to identify]
• List of Measurement Objectives from AP_CCL; List of security objectives and best practices from AP_CCL
• Formalization & Refinement; Separation
• AP_SSO: Service Security Objectives
• AP_OSR: Object Security Requirements
• Binding / coherence checking; List of incoherences and remediation
• AP_SMO: Object Measurement Objectives; Identification of measurement objectives; List of Measurement Objectives from AP_OSR
• Measurement taxonomy [AP] [Standards]; Formalization
• AP_OMR: Object Measurement Requirements
• AP_TOM: Target of Measurement; Extraction; Deployed Target of Measurement
• AP_SAV: Security Assurance Views; [AP] View(s) definition; Identify view(s); Add Define SAVObject; List of Views and objectives; Construct view(s); Deployed Security Assurance Views
• Operations on views: refinement, combination
• Specify Metric; List of Metrics; associate
• Interpretation function + Base Measures
• Aggregation function + Derived Measures
• IOM: Infrastructure of Measure; Addition of infrastructure element for measuring; List of probes
• Security Realizations; List of deployed security countermeasures

All requirements are expressed using the measurement taxonomy as a simple binary question:

Is [taxonomy domain] of [Security countermeasures] on [TOM-object] (running) as expected?

Taxonomy domain = static configuration, dynamic configuration, etc. (WP2 taxonomy)

Page 18

Defining Assurance profile

Page 19

Identifying supporting assets: AP first target

[Figure: asset identification flow, starting from Services/business. Labels recovered from the diagram:]

• Identification of Assets: Primary Assets; Supporting Assets
  – Perimeter and boundaries of the study [27005] 7.3
  – Business or processes activities of the company [27005] 7.3
  – List of objects with ownership [27005] 8.2.1.2
  – Location and function of objects [27005] 8.2.1.2
• List of Supporting Assets classified by priority order
• Supporting assets evaluation
  – [27005] B.2 Break of activities or services
  – [27005] B.2 Reputation and financial loss
  – [27005] B.2 Agreement rupture
  – [27005] B.2 Confidence loss
• [AP] applicability criteria
• Selection; [AP] Threshold; [AP] Applicability criteria
• Other AP inherited risks (inheritance)
• List of Selected supporting Assets

Page 20

Step 1: identifying Security Problem

[Figure: stage 1 of the method. Labels recovered from the diagram:]

• AP_SPD: Security Problem Definition
• Risks identification
  – List of Threats [27005] 8.2.1.3
  – List of existing security measures [27005] 8.2.1.4
  – List of Vulnerabilities [27005] 8.2.1.5
  – List of consequences [27005] 8.2.1.6
• [AP] Applicability criteria
• List of Risks
• Risks Level Estimation
  – List of Consequences Assessed [27005] 8.2.2.2
  – Likelihood of Risks Selected [27005] 8.2.2.3
• List of Risks with a valued risk level
• Risks Evaluation
• Risk Acceptance Criteria [27005] 7.2
• Risk Evaluation Criteria [27005] 7.2
• List of Risks classified by priority order
• Risks Reduction
• Cost of treatment [27005]
• List of risks selected for risk reduction
• Other AP inherited risks (inheritance)
• Business model(s)
• List of Security Objectives from risks reduction
• List of identified security countermeasures
• List of existing security counter measures [27005] 8.2.1.4, with new identified for risk reduction

Page 21

Step 3: From Compliance to security requirements

[Figure: stages 2, 3 and 3’ of the method. Labels recovered from the diagram:]

• AP_CCL: Compliance Claim
• List of standards/regulations/Policies/Best practices
• Part 1 SFR [ISO15408]; [ISO27002-ISO27011]; [other standards to identify]
• List of Measurement Objectives from AP_CCL
• List of security objectives and best practices from AP_CCL
• Formalization & Refinement
• Separation
• List of Security Objectives from risks reduction
• List of identified security countermeasures
• List of existing security counter measures [27005] 8.2.1.4, with new identified for risk reduction
• AP_SSO: Service Security Objectives
• AP_OSR: Object Security Requirements
• Binding / coherence checking
• List of incoherences and remediation

Page 22

Step 4: Deriving Object Measurement Requirements

[Figure: stages 3’, 4 and 4’ of the method. Labels recovered from the diagram:]

• AP_OSR: Object Security Requirements
• List of Measurement Objectives from AP_OSR
• List of Measurement Objectives from AP_CCL
• Identification of measurement objectives
• AP_SMO: Object Measurement Objectives
• Measurement taxonomy [AP] [Standards]
• Formalization
• Binding / coherence checking
• List of incoherences and remediation
• AP_OMR: Object Measurement Requirements

All requirements are expressed using the measurement taxonomy as a simple binary question:

Is [taxonomy domain] of [Security countermeasures] on [TOM-object] (running) as expected?

Taxonomy domain = static configuration, dynamic configuration, etc. (WP2 taxonomy)

Page 23

Step 5: Defining Target of Measurement and assurance views

[Figure: stages 4’, 5 and 6 of the method. Labels recovered from the diagram:]

• AP_OMR: Object Measurement Requirements
• List of Selected supporting Assets
• List of existing security counter measures [27005] 8.2.1.4
• Extraction
• AP_TOM: Target of Measurement
• [AP] View(s) definition
• Identify view(s)
• Add Define SAVObject
• List of Views and objectives
• associate
• List of Metrics
• Construct view(s)
• AP_SAV: Security Assurance Views

Page 24

Assurance profile in operations

Page 25

[Figure: assurance process around the service infrastructure. Labels recovered from the diagram:]

• Service infrastructure
• Assurance Profile for this service (TOM + SAVs)
• Step labels: Evaluation; Aggregation; Measuring; Metric selection; Service modelling; Presentation
• operational steps; preparatory steps
• continuous learning process
• AP; Target Of Measurement; Critical Infrastructure Objects; SAV: Security Assurance Views; M

Page 26

[Figure: decision flow for a specific service deployment, checked against the AP (Target Of Measurement, Critical Infrastructure Objects, Security Assurance Views). Labels recovered from the diagram:]

• Specific service deployment
• Applicability requirements satisfied?
  – YES: Use AP to deploy assurance program
  – NO: Use AP as support tool only, but no compliance can be claimed
• AP compliance (Objective level, Requirements level, Views level)
• Contract; SLAs; Certification; Accreditation

APPLICABILITY and COMPLIANCE

Page 27

[Figure: Assurance Profile structure, over Services/business and Service Infrastructure. Labels recovered from the diagram:]

• Metric Construction
• Operations on Views
• Contribution; Combination; Refinement; Instantiation
• Deployed Security Assurance Views
• AP_TOM: Target of Measurement
• AP_SSO: Service Security Objectives
• AP_SMO: Object Measurement Objectives
• AP_CCL: Compliance Claim
• AP_REF: Reference
• AP_SAV: Security Assurance Views
• AP_OMR: Object Measurement Requirements
• AP_OSR: Object Security Requirements
• AP_SPD: Security Problem Definition

Deriving assurance profiles into models and metrics

[Figure labels: Service infrastructure; Assurance Profile for this service (TOM + SAVs); AP; Target Of Measurement; Critical Infrastructure Objects; SAV: Security Assurance Views; M]

Page 28

[Figure: labels recovered from the diagram:]

• TOM; SAV; M
• SAVObject without metric; SAVObject with metric
• AP_SAV; SAV instantiation
• AP_OMR: Object Measurement Requirements
• Derived Measures
• AP Security Assurance view; Operational environment
• probes
• Measurement Framework; Operations on views

Instantiation of deployed views and binding to measurement framework

Binding profiles with infrastructures

Page 29

Conclusion

Page 30

Operational security assurance

• For both service providers and end-user privacy, security assurance can lead to trust, as it:
  – Requires formalized expression of security requirements
  – Requires formalized expression of security verification
  – Helps different entities of large organizations to communicate
  – Allows confidence in deployed security without having details of the mechanisms deployed
    • Privacy aspects (guarantees of protection without revealing information)
    • Service level agreement based contracts
  – Allows a best-practices approach to extend to a more formalized, comprehensive and coherent approach to security
• From risk management to trust management