Resilience as a new Enforcement Model for IT Security based on Usage Control



DESCRIPTION

Security and privacy are not only general requirements of a society but also indispensable enablers for innovative IT infrastructure applications aiming at increased, sustainable welfare and safety of a society. A critical activity of these IT applications is spontaneous information exchange. This information exchange, however, creates inevitable, unknown dependencies between the participating IT systems, which, in turn, threaten security and privacy. With the current approach to IT security, security and privacy follow changes and incidents rather than anticipating them. By sticking to a given threat model, the current approach fails to consider vulnerabilities that arise during a spontaneous information exchange. With the goal of improving security and privacy, this work proposes adapting an IT security model and its enforcement to current and most probable incidents before they result in an unacceptable risk for the participating parties or in failure of IT applications. Usage control is the suitable security policy model, since it allows changes at run-time without conceptually raising additional incidents.

TRANSCRIPT

Page 1: Resilience as a new Enforcement Model for IT Security based on Usage Control

Dr. Sven Wohlgemuth PersoApp - An Open Source Community for the new German national ID card. Trust in identity.

Resilience as a new Enforcement Model for

IT Security based on Usage Control

IEEE S&P 5th Workshop on Data Usage Management (DUMA) 2014

San José, CA, USA

May 17, 2014

Dr. Sven Wohlgemuth

<[email protected]>

Center for Advanced Security Research Darmstadt (CASED)

Technische Universität Darmstadt, Germany

Page 2: Dr. Sven Wohlgemuth

• Diploma in computer science with economics at University of Saarland, Germany (Prof. B. Pfitzmann) (Key Management – OO Design and Implementation)

• Dr.-Ing. in computer science on Privacy with Delegation of Rights at Albert-Ludwigs University Freiburg, Germany (Prof. Müller) (doIT Software Award 2003 for Security and Usability with Identity Management)

• JSPS & DAAD postdoctoral fellow on Privacy-compliant Delegation of Personal Data at National Institute of Informatics (NII), Tokyo, Japan (Prof. Echizen) (Gerd Griesser Award 2009, Best Paper of IFIP SEC 2010, both on privacy with data provenance)

• Associate professor within Data-Centric Social Systems Science of Research Organization for Information and Systems (ROIS) and NII, Tokyo, Japan (Prof. Sonehara) (ICT Resilience)

• Senior consultant IT security and project manager at Sirrix AG security technologies, Germany (Trusted Execution Environment for mobile devices)

• Senior researcher at System Security Lab, CASED/TU Darmstadt, Germany (Prof. Sadeghi) (Coordinator of PersoApp on German national ID card funded by BMI)

Page 3: Agenda

I. Data-Centric Society

II. Vulnerability by Dependencies

III. Adaptive User-Centered Security

IV. Adaptive Identity Management

V. Conclusion

Page 4: I. Data-Centric Society

Improve welfare, safety, and resilience of a society

Ubiquitous data collection and processing

• Cyber-Physical Systems

• Big Data Analytics

User “inherits” responsibility and risk

Application domains: Industry, eGovernment, eHealthcare, Energy, Transportation, Social networks, Education, and more…

90-day Big Data and Privacy review (USA), Declaration to be the World’s Most Advanced IT Nation (JP), Horizon 2020 (Europe), Wahlster and Müller 2013 …

Security and privacy problem

Parties may modify, misuse, or disclose personal data to 3rd parties without authorization.

How can the user control usage of personal data and derived information?

Page 5: Core Activity: Information Exchange

Example: Cryptographic key exchange

[Figure: Alice obtains pkBob from Bob; a man in the middle sits on the channel between them]

Spontaneous key exchange

• No security without TTP

Individual (multilateral) security interests

• Unobservability of pkBob

• Availability, integrity, and accountability of pkBob

D. Hellman and W. Diffie 2000; K. Rannenberg, A. Pfitzmann, and G. Müller 1999; K. Riemer, C. Steinfield, and D. Vogel 2009; E. Freire, D. Hofheinz, E. Kiltz, and K. Paterson 2013

Page 6: Intermediary and Dependencies

Key exchange via intermediary as “man-in-the-middle”

[Figure: pkBob passes from Bob (DP) to Alice (DC) via the intermediary Charlie (DC and DP); Alice and Bob each hold an eID (eIDAlice, eIDBob)]

DC = Data consumer

DP = Data provider

• Spontaneous information exchange implies dependencies during run-time

• Threat by propagation of incidents via dependencies

• Accountability and unobservability by eID infrastructures

D. Chaum 1985; A. Pretschner, D. Basin, and M. Hilty 2006; S. Wohlgemuth 2008; M. Gilliot, V. Matyas, and S. Wohlgemuth 2009

Page 7: II. Vulnerability by Dependencies

• ENISA in 2012: Incident report

• BSI in 2011: Trend to indirect attacks on mobile and CPS

Root cause                            | Natural phenomena | Human errors | Malicious actions | System failures | Third party failure
Incidents per root cause (%)          | 6                 | 5            | 8                 | 76              | 13
Average duration of recovery (hours)  | 36                | 26           | 4                 | 9               | 13
Average number of user connections    | 557               | 447          | 1528              | 2330            | 2808
User hours lost                       | 20283             | 11393        | 5858              | 19842           | 36502

Cause in detail (rank of the detailed causes for each row, with the rank of cyber attack):

Incidents per root cause: 1. Hardware failure, 2. Software bug, 6. Cyber attack

Average duration of recovery: 1. Storm, 2. Heavy snowfall, 3. Human error, 15. Cyber attack

Average number of user connections: 1. Overload, 2. Software bug, 4. Cyber attack

User hours lost: 1. Overload, 2. Power cut, 6. Cyber attack

Federal Office for Information Security (BSI) 2011; European Network and Information Security Agency (ENISA) 2012

Page 8: Dependency: User

Security and Usability

[Chart: citations per problem category; Problem Category I: 10, II: 48, III: 42, IV: 20]

75% of identified problems are usability problems with negative effect on the user's security

• User has to learn technical concept

• PGP and Signtrust study: “Misuse” raises vulnerability

Responsibility for security in Germany

• Study on Internet Milieus of population: people with less security expertise (approx. 70%) want to delegate responsibility to TTP

A. Whitten and J.D. Tygar 1999; D. Gerd tom Markotten 2004; G. Müller and S. Wohlgemuth 2005; DIVSI 2012

Page 9: Dependency: Enforcement

Assumption: Each IT system is secure and participants are trustworthy

• Enforcement classes: Static analysis, detector with monitor, re-writing

• Enforcement of safety restricts liveness of dependable system

Case (a), passive incident: Impossible to decide ‘purely’ on covert dependencies, but statistically

Case (b), active incident: Threat by misuse of data via compromised TTP

C. Wang and S. Ju 2005; K.W. Hamlen, G. Morrisett, and F.B. Schneider 2006; A. Grusho, N. Grebnev, and E. Timonina 2007

Page 10: Resilience and IT Security

Resilience: Achieving acceptable equilibriums of opposite interests of a system by adapting its dependencies to incidents of any kind.

[Figure: resilience cycle Detect, Response, Recover, Institutionalize; abstract view (Information, Liveness, Safety) beside real view (Threat model, Security model)]

Incident reporting: Information exchange in real-time (e.g. EU Article 13a)

C.S. Holling 2001; European Commission 2009; B. Biggio, B. Nelson, and P. Laskov 2012; L. Huang, A.D. Joseph, B. Nelson, B.I. Rubenstein, and J. Tygar 2011; The White House 2014

Page 11: Resilience and IT Security (continued)

“Faulty” data increase the error rate of derived information:

Supervised ML (e.g. SVM), Unsupervised ML (e.g. PCA)

Trustworthy information exchange on incidents

Page 12: III. Adaptive User-Centered Security

Adaptation of IT security enforcement to user and security model

• User: Adaptive user interactions

• System: Scalability of enforcement according to IT risk tolerance

[Figure: User model (Online survey) and Security enforcement (System tests) feed an Adaptation (Autopilot) of the user interactions with the identity manager; Accountability and Unobservability via Partial identities]

Page 13: Isolation and Abstraction

Isolation is a variation of privacy, which considers information flow

[Figure: three layers: User layer (UI elements), Abstraction layer (Patterns with Adaptation), Mechanism layer (APIs of mechanisms); Isolation spans the layers]

E. Gamma, R. Helm, R.E. Johnson, and J. Vlissides 1994; N. Sonehara, I. Echizen, and S. Wohlgemuth 2011

Page 14: Isolation of information exchange

Security Policy Model

• Adaptation requires future safety and liveness on identity

MAC: Restricting liveness for future state transitions

DAC: Not precise for data aggregation on identity for safety

Usage Control: Obligations allow safety and liveness for future state transitions on identity

N. Sonehara, I. Echizen, and S. Wohlgemuth 2011

Page 15: Evidence by a User-Centered View

• 4 logic statements:

  • Aut_{A,X}

  • Trust_{A,X,i}

  • Cert_{X,Y}

  • Rec_{X,Y,i}

• 2 derivation rules:

  • ∀X,Y: Aut_{A,X}, Trust_{A,X,1}, Cert_{X,Y} → Aut_{A,Y}

  • ∀X,Y, i ≥ 1: Aut_{A,X}, Trust_{A,X,i+1}, Rec_{X,Y,i} → Trust_{A,Y,i}

• Deriving statement Aut_{A,X} on authenticity of pk_X from individual view on a PKI

• Supports dependencies and probabilities (for covert dependency)

U. Maurer. Modelling a Public-Key Infrastructure, 1996.

[Figure: Alice derives evidence (1, 2) on Bob's key via System 3 and System 4 (each DP/DC)]
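As an added example that is not part of the talk, the following Python applies the two derivation rules of this slide to a constructed individual view of Alice and records, for every derived statement, the initial statements it rests on. Alice's view (CA1 as her root, CA2 recommended and certified by CA1, the intermediary Charlie also certifying pk_Bob), the tuple encoding of the statements and the helper names are this example's assumptions; Maurer's probabilistic confidence values are left out.

```python
"""Alice's individual view of a PKI in Maurer's calculus (U. Maurer, 1996).

Added example, not code from the talk, PersoApp or iManager. Statements are
tuples seen from Alice's viewpoint, so the subscript A is left implicit:
  ('Aut', X)        Alice holds an authentic copy of pk_X      (Aut_{A,X})
  ('Trust', X, i)   Alice trusts X at level i                   (Trust_{A,X,i})
  ('Cert', X, Y)    X has certified pk_Y                        (Cert_{X,Y})
  ('Rec', X, Y, i)  X recommends Y as trustworthy at level i    (Rec_{X,Y,i})
Each derived statement carries every set of initial statements that supports
it, so the dependencies of a belief are explicit. Confidence values from
Maurer's probabilistic extension are not modelled.
"""
from itertools import product


def _add(supports, conclusion, *premises):
    """Add every combination of the premises' supports as a support of
    `conclusion`; True if at least one new support set appeared."""
    new = {frozenset().union(*combo)
           for combo in product(*(supports[p] for p in premises))}
    existing = supports.setdefault(conclusion, set())
    before = len(existing)
    existing |= new
    return len(existing) > before


def derive(view):
    """Forward-chain both rules to a fixpoint over the initial `view`.

    Returns a dict: statement -> set of frozensets of initial statements
    (one frozenset per distinct derivation)."""
    supports = {s: {frozenset([s])} for s in view}
    changed = True
    while changed:
        changed = False
        stmts = list(supports)
        auts = [s for s in stmts if s[0] == 'Aut']
        trusts = [s for s in stmts if s[0] == 'Trust']
        certs = [s for s in stmts if s[0] == 'Cert']
        recs = [s for s in stmts if s[0] == 'Rec']
        # Rule 1: Aut_{A,X}, Trust_{A,X,1}, Cert_{X,Y} -> Aut_{A,Y}
        for aut, trust, cert in product(auts, trusts, certs):
            x = aut[1]
            if trust[1] == x and trust[2] == 1 and cert[1] == x:
                changed |= _add(supports, ('Aut', cert[2]), aut, trust, cert)
        # Rule 2: Aut_{A,X}, Trust_{A,X,i+1}, Rec_{X,Y,i} -> Trust_{A,Y,i}, i >= 1
        for aut, trust, rec in product(auts, trusts, recs):
            x, i = aut[1], rec[3]
            if i >= 1 and trust[1] == x and trust[2] == i + 1 and rec[1] == x:
                changed |= _add(supports, ('Trust', rec[2], i), aut, trust, rec)
    return supports


def depends_on(supports, conclusion, initial):
    """True if `conclusion` is derivable but every derivation uses `initial`."""
    alternatives = supports.get(conclusion)
    return bool(alternatives) and all(initial in alt for alt in alternatives)


def affected_by(supports, initial):
    """Statements (other than `initial`) that are lost once `initial` is
    withdrawn, e.g. after a certificate or recommendation is revoked."""
    return sorted((s for s in supports
                   if s != initial and depends_on(supports, s, initial)),
                  key=repr)


# Constructed view for the slides' scenario (an assumption of this example):
# CA1 is Alice's root, e.g. the key on her eID card; CA1 certifies CA2 and the
# intermediary Charlie and recommends CA2 for certification; CA2 certifies
# pk_Bob, and so does Charlie, the man in the middle. The calculus does not
# assume that trust at level 2 implies level 1, hence both are stated.
VIEW = {
    ('Aut', 'CA1'),
    ('Trust', 'CA1', 1),
    ('Trust', 'CA1', 2),
    ('Cert', 'CA1', 'CA2'),
    ('Cert', 'CA1', 'Charlie'),
    ('Rec', 'CA1', 'CA2', 1),
    ('Cert', 'CA2', 'Bob'),
    ('Cert', 'Charlie', 'Bob'),
}

if __name__ == '__main__':
    s = derive(VIEW)
    print('Aut_{A,Bob} derivable:', ('Aut', 'Bob') in s)
    print('distinct derivations:', len(s[('Aut', 'Bob')]))
    print('lost if Rec_{CA1,CA2,1} is withdrawn:',
          affected_by(s, ('Rec', 'CA1', 'CA2', 1)))
    # Charlie's certificate counts only once Alice trusts Charlie at level 1
    s2 = derive(VIEW | {('Trust', 'Charlie', 1)})
    print('derivations with Trust_{A,Charlie,1}:', len(s2[('Aut', 'Bob')]))
```

Running the script shows that Aut_{A,Bob} has a single derivation and falls together with Trust_{A,CA2,1} if CA1's recommendation of CA2 is withdrawn, while Charlie's certificate of pk_Bob contributes nothing until Alice also holds Trust_{A,Charlie,1}. `affected_by` is the dependency view the slide asks for, made explicit: it tells Alice which of her beliefs rest on a single certificate or recommendation of an intermediary.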

Page 16: Control and Transparency

• Privacy Transparency: Evidence on information accountability

• Privacy Control: Unobservable re-writing

D.J. Weitzner, H. Abelson, T. Berners-Lee, J. Feigenbaum, J. Hendler, and G.J. Sussman 2008; N. Sonehara, I. Echizen, and S. Wohlgemuth 2011

Page 17: IV. Adaptive Identity Management

• Enhanced trust infrastructure by measuring evidences on isolation

• Adaptation with personal security tool: eID client, e.g. iManager

[Figure: cycle of IT Risk Analysis, Privacy Control, Privacy Forensics, and System Evolution around a Usage Control Policy Toolbox]

Page 18: Privacy Control

• Specification of isolation by non-linkable delegation of rights

• Control: eID infrastructure with pseudonymized identities

iManager: doIT Software-Award 2003

[Figure: Systems 1 to 4 (each DP/DC) exchange pkBob and a datum d under a Policy; arrows are labelled Control and Transparency]

S. Wohlgemuth and G. Müller 2006; N. Sonehara, I. Echizen, and S. Wohlgemuth 2011

Page 19: Privacy Forensics

• Transparency: Re-constructing usage of pkBob by data provenance

• eID client enforces documenting data provenance audit trail

[Figure: Systems 1 to 4 (each DP/DC) pass on pkBob; the provenance of each copy lists the systems it has traversed, e.g. System 2; System 2, System 3; System 2, System 3, System 4; arrows are labelled Control and Transparency]

Unobservability: Impeding non-authorized re-identification

Accountability and availability: Misuse of pkBob can be detected

Gerd Griesser Award 2009; Best paper IFIP SEC 2010

S. Haas, S. Wohlgemuth, I. Echizen, N. Sonehara, and G. Müller 2009; S. Wohlgemuth, I. Echizen, N. Sonehara, and G. Müller 2010
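To make the data provenance audit trail of this slide, and the usage control policy with obligations of slide 14, concrete, here is an added Python example; it is not the iManager or PersoApp code the talk refers to. A datum (pk_Bob, written into the trail only under a pseudonymous tag) is passed from system to system, the client documents every disclosure in a hash-chained trail, and the trail is later replayed against the policy to reconstruct over which systems a holder obtained the datum and to flag disclosures the policy never authorized. The policy fields (origin, authorized recipients, purposes, max_hops), the entry layout, the tag and the scenario of Systems 1 to 4 are the example's own assumptions.

```python
"""Data provenance audit trail for a delegated datum, replayed against a
usage control policy.

Added example; not the iManager or PersoApp code from the talk. A datum d
(pk_Bob, named in the trail only by a pseudonymous tag) is passed from system
to system; the eID client documents every disclosure in a hash-chained trail;
the trail is later used to reconstruct over which systems a holder obtained d
and to detect disclosures the policy did not authorize. Policy fields, entry
layout, tag and scenario are this example's own assumptions.
"""
import hashlib
import json

GENESIS = '0' * 64


def _digest(obj):
    """SHA-256 over the canonical JSON form of a dict (lists, not sets)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class ProvenanceTrail:
    def __init__(self, datum_tag, policy):
        self.datum_tag = datum_tag            # pseudonym for d, not Bob's name
        self.policy = policy
        self.policy_hash = _digest(policy)    # binds every entry to this policy
        self.entries = []

    def record(self, sender, recipient, purpose):
        """Document one disclosure of d (the obligation the client enforces)."""
        prev = self.entries[-1]['hash'] if self.entries else GENESIS
        body = {'seq': len(self.entries), 'datum': self.datum_tag,
                'from': sender, 'to': recipient, 'purpose': purpose,
                'policy': self.policy_hash, 'prev': prev}
        self.entries.append({**body, 'hash': _digest(body)})

    def verify_chain(self):
        """Transparency is only worth anything if the trail itself is intact."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != 'hash'}
            if e['prev'] != prev or _digest(body) != e['hash']:
                return False
            prev = e['hash']
        return True

    def provenance(self, system):
        """Systems over which `system` obtained d, origin first; a system
        that received d more than once is traced via its first sender."""
        received_from = {}
        for e in self.entries:
            received_from.setdefault(e['to'], e['from'])
        path = [system]
        while path[-1] in received_from and received_from[path[-1]] not in path:
            path.append(received_from[path[-1]])
        return path[::-1]

    def audit(self):
        """Replay the trail against the policy; return (seq, reason) pairs."""
        violations = []
        depth = {self.policy['origin']: 0}    # delegation hops per holder
        for e in self.entries:
            if e['from'] not in depth:
                violations.append((e['seq'], 'sender never received datum'))
            if e['to'] not in self.policy['authorized']:
                violations.append((e['seq'], 'recipient not authorized'))
            if e['purpose'] not in self.policy['purposes']:
                violations.append((e['seq'], 'purpose not authorized'))
            hops = depth.get(e['from'], 0) + 1
            if hops > self.policy['max_hops']:
                violations.append((e['seq'], 'delegation depth exceeded'))
            depth.setdefault(e['to'], hops)
        return violations


# Constructed scenario following the slide's figure (an assumption of this
# example): Bob releases pk_Bob to System 2, which passes it on to System 3,
# then System 4; System 4 discloses it to System 1, which was never authorized.
POLICY = {'origin': 'Bob',
          'authorized': ['System 2', 'System 3', 'System 4'],
          'purposes': ['authentication'],
          'max_hops': 3}


def build_demo_trail():
    trail = ProvenanceTrail('d:7f3a', POLICY)
    trail.record('Bob', 'System 2', 'authentication')
    trail.record('System 2', 'System 3', 'authentication')
    trail.record('System 3', 'System 4', 'authentication')
    trail.record('System 4', 'System 1', 'marketing')    # the misuse
    return trail


if __name__ == '__main__':
    t = build_demo_trail()
    print('chain intact:', t.verify_chain())
    print('provenance of System 4:', ' -> '.join(t.provenance('System 4')))
    print('violations:', t.audit())
    t.entries[1]['to'] = 'System 1'    # an insider rewrites history
    print('chain intact after tampering:', t.verify_chain())
```

The hash chain only detects that the trail was altered after the fact; it does not stop a holder from disclosing outside the client, which is why the slide makes the eID client enforce the documenting obligation. Replaying the trail gives the accountability side, the pseudonymous tag the unobservability side: the auditor sees which systems handled the datum and where the policy was violated without learning whose key it is.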

Page 20: V. Conclusion

• Privacy by isolation is evidence of the resilience of a data-centric society

• Implies the security paradox that improving isolation requires personal information instead of data economy

• For Security by Design with User-centered Adaptation and Usage Control

Electronic Markets special issue Security and Privacy in Business Networking, being published as 24(2), Springer, 2014

http://link.springer.com/journal/12525/24/2/page/1

Business & Information Systems Engineering (BISE) special issue Sustainable Cloud Computing 3(3), Gabler, 2011

http://link.springer.com/journal/12599/3/3/