220 likes | 233 Views
This workshop discusses the various security challenges and issues faced by e-Society, including privacy, integration, access control, and threat types. It explores the need for policies, mechanisms, and validation methods to ensure secure systems for e-Government and e-Citizens.
E N D
Security Issues for e-Society Oliver B. Popov MSU, SU, SCMU NATO ANW The Third CEENet Workshop on Managerial Issues - MIXREN Chisinau, October 200 NATO ANW
On Security Security is mostly a superstition. It does not exists in nature… NATO ANW
Content • e-Government definition • Aspects of Security Systems • Challenges for e-Government • Concerns of e-Citizens • Integration • Privacy • Perils and threats • Summary NATO ANW
e-Government • Definition: e-Government is a combination of interconnected heterogeneous information systems in which • Government agencies • Business – private sector • Public exchange high volumes of data in order to attain seamless and secure information flow, service integration, and effective and transparent decision-making process for the benefit of every citizen. NATO ANW
Fundamental Issues • Networks should be secure as any other real-life systems, no more no less. • Balance between the cost of protection and the risk of loss • When risk is less than the cost of recovering from a failure in security then investment in better systems decreases • The myth of “perfect” security NATO ANW
Aspects of Secure Systems • Policy (definition what to do – specification) • Mechanism (Transformation of what into how – implementation) • Assurance (Does it match reality and how well – validation, verification, or assurance) NATO ANW
Policy Making – Defining Needs • Secrecy – who gets the information • Integrity – how to use info resources and transformation • Availability – accessing info resources in easy and efficient manner • Accounting – who has done it and when NATO ANW
Security Problems • Information has been changed, transformed, and damaged that has rendered unusable – integrity • Service disrupted or severely impaired – availability • Leakage and theft of data – secrecy • Private information made public – secrecy Policy as a concept selector – positive and negative NATO ANW
Mechanisms for Security • Strategies • Isolation • Exclusion • Restriction • Recovery • Punishment • Access Control Model • Information Flow Control NATO ANW
Access Control Models • Traditional • Discretionary (DAC) • Mandatory (MAC) • Novelty • Rule-based Access Control (RBAC) • Task-based Access Control (TBAC) • Tickets-based NATO ANW
AAA or Au Standard • Authentication • Authorization • Auditing NATO ANW
Validation and Verification • Trusted Computing Base – TCB • Redundancy – combination of several levels – network, computer, and applications • Simple translates to perfection for both users and administrators NATO ANW
Challenges for EG • Interoperability among different systems with respect to security • Methods and metrics for the state of the democratic processes • Building and maintaining multiple partnerships as key to human networking • Management of electronic archives • Availability and equity of access NATO ANW
Challenges for the e-Citizens • Omnipresence of info protection • Privacy • Identification – Digital signatures • Accessibility • Security • Return and corrective procedures • Credibility • Social profiles • Level of sharing • Responsiveness NATO ANW
Integration • Semantic heterogeneity • Interoperability • Autonomy principle • Security principle • Risk and assurance propagation • Management NATO ANW
Resolving Integration I • Policy and meta-policy specification • Conflict resolution • Interaction • Preference of RBAC over DAC and MAC • TBAC (where the authorization unit is a task) just emerging • Architectural models • CORBA • OSF DCE NATO ANW
Resolving Integration II • Multi agent systems • Adaptive • Cooperative • Autonomous • Mobile • yet increased complexity and questionable efficiency (a lot of overhead). • Database federation • Aggregation of several database systems NATO ANW
Privacy • Definition: A right of individuals, groups or organizations to determine when and how much of the information about them is communicated. • Communication – Encryption and PKI • Database – problems with sensitive personal information • Solution – a combined effort by technology, legislative, and public policy NATO ANW
Infrastructure Perils • Info WMD - DoS and DDos, Virtual sit-ins, blockades, computer viruses, worms, and logic bombs • Wide range of threats – from hacking activities to cyber terrorism • SEI at CMU NATO ANW
Types of Threats for EG • National level • Information (Cyber army) • Intelligence (Cyber spies) • Shared treats • Cyber terrorism • Industrial patents and products • Cyber crime • Local (hackers) • Institutional • Recreational NATO ANW
Summary • Difficult and open problems • Integration of what is done so far • It appears that RBAC works well in the multi-domain environment and cooperates well with encryption and PKI • Possible aggregation with the FDM • Multi agent systems • Systems for risk analysis and security assurance • Threats management • Combined models for privacy NATO ANW
Thank you NATO ANW