250 likes | 379 Views
New Generation of Trusted Technologies. Claire Vishik March 2014. Outline. C onnected environment Towards trust-based technologies with built in security & privacy Towards users with good understanding of technologies Global e nvironment; research & practice. Ubiquitous connectivity.
E N D
New Generation of Trusted Technologies Claire Vishik March 2014
Outline • Connected environment • Towards trust-based technologies with built in security & privacy • Towards users with good understanding of technologies • Global environment; research & practice
Ubiquitous connectivity Services, infrastructure Areas • Shopping, education, banking, electrical systems, consumer appliances, health, trasportation, • Organizations, etc. Devices & appliances Adapted from Ericsson
New Era for Computing Mobile Traffic Today 2015 Mobile Traffic Average Traffic per SMARTPHONE MB/Month 40% Video 66% Video * ~40x Average Traffic per TABLET 90 PB/month MB/Month 7M paid video subscribers * 3600 PB/month 700M paid video subscribers Average Traffic per LAPTOP 2.5 Billion Connected Users by 2015 >10 Billion Connected Devices By 2015 60 Exabytes Data Stored MB/Month * *Forecast Source: Cisco Visual Networking Index
New Usage Models • Multiple uses for the same devices & process • Identical uses for different processes • Casual and formal environments merge • Diverse business and economic models overlap • Interaction increases in all environments • Barriers to entry are reduced, but the environments and processes gain complexity Source: Stanford (adapted)
New trust and security problems Arising in (examples): • Supply chain • Industrial systems • Internet of things • Mobile devices Arising through (examples): • New usage models • Economic developments • Geopolitical issues
Threat Environment Tools to perform security attacks are readily available and increasingly efficient The tools are increasingly adapted to the intended environments Cybercrime is Funding Organized Crime Cybercrime has been so profitable for organized crime that the mob is using it to fund its other underground exploits. And U.S. law enforcement is reaching around the world to reel it in.2 “We see many signs that criminals are mimicking the practices embraced by successful, legitimate businesses to reap revenue and grow their enterprises.”3 —Tom Gillis, Vice President and General Manager, Cisco Security Products • New threats from: • Social networking • Drive-by downloads • Mobile & CPS devices • Hardware and firmware attacks • Virtualization attacks • Power management tools • Home automation Threats are more sophisticated and professional
Example: Home Automation • Kohno & Denning, 2013 • Technically savvy burglars could identify houses with expensive, easily resold items. • Adversaries can also target technologies with new capabilities, • accessing video and audio • unlocking doors • disabling home security, • tampering with healthcare • interfering with home appliances and utilities • New approaches are needed to supplement available mechanisms
Outline • Connected Environment • Towards trust-based technologies with built in security & privacy • Towards users with good understanding of technology • Global environment, research & practice
Trust and Trust Evidence • Research on improving trust anchors or point solutions seems no longer sufficient • Most processes today are cross-domain and dynamic, with devices and participants leaving and joining domains • Devices, networks, and applications are increasingly complex • If all trust anchors were implemented successfully, the ecosystem still would not be secure • We need mechanismsto produce, verify, transmit, share, and consume dynamic evidence of trust among the components of the ecosystem
Wang, Y. and Singh, M. P., 2010: Trust Definitions • Trust is belief about future actions • Reflects the trusting party’s belief that the trusted party will support it • In computing, it affects decisions made by one or more participants, subject to two constraints: • Ability to predict each other’s behavior • It doesn’t work well in anonymous systems • Current approaches emphasize identity • E.g., by presenting a certificate, with the assumption that the verification process is robust and valid • Reputation based trust permits us to look at graduated trust values
Other Trust Definitions • Ban Al-Ani, Erik Trainer, David Redmiles, Erik Simmons, 2012 • Trust can be defined in terms of one party’s expectations of another, and the former’s willingness to be vulnerable based on those expectations. • JingweiHuang and Mark S. Fox, 2007 • Trust is established in interaction between two entities and any one entity only has a finite number of direct trust relationships. • Some types of trust have to be transitive
What the developers need to knowif they develop for every use case Incomplete list of issues… Legacy integration Software environment Intent of all other developers Future device architectures Networking environments Current and potential use models Economic & regulatory requirements Usability & performance tradeoffs Composite threat picture
Trust Indicators (Trust Evidence) • Broadly applicable indicators that provide evidence that a system, network, device or application are trustworthy and have preserved their integrity • Examples include: • Results of certification or self-certification; data quality (for medical devices), risk parameters, development process, attestation results, device, network, and user identification, adherence to baselines • Typically machine readable, ideally quantitative • Quantitative models for trust are reputation based or based on statistics for deviations,e.g.,TianLiqin et al. 2006 • Could be communicated through trust language and trust protocols
Outline • Connected Environment • Towards trust-based technologies with built In security & privacy • Towards users with good understanding of technologies • Global Environment, Research & Practice
What the users need to knowif they try to understand devices and applications Incomplete list of issues… Data movements All software on their devices Application & network ownership Security& privacy features of each device Networking environments Security models used Regulatory requirements Optimal configuration for each device, application, activity Information they share
Outline • Connected Environment • Towards trust-based technologies with built-in security and privacy • Towards users with good understanding of technologies • Global Environment, research & practice
Global EnvironmentICT environments operate globally Incomplete list of issues… Distributed data International workforce Cloud computing R&D collaboration Convergent Networks Different lifestyles and living standards Diverse regulatory & legal framework Different education systems Varied technology adoption models
Practical and theoretical aspects of research • Perceived or real disconnect between “real life problems” and theoretical research caused by (a few examples): • Differing tactical goals • Increasing specialization of research • Decreasing product development cycles • Multidisciplinary nature of many hard problems • Limited access to real life data and operational environments • Lack of broadly applicable technology transfer approaches • Increased awareness (examples): • Commercialization and transition to practice • “Real life” conferences and workshops, e.g., real life cryptography • Funded programs to support mechanisms for industry and academic collaboration • Industrial advisory boards • Private/public partnerships
Thank you! • Questions?