Top Ten Security and Privacy Challenges for Big Data and Smartgrids. Arnab Roy Fujitsu Laboratories of America

Transcription

1 1 Top Ten Security and Privacy Challenges for Big Data and Smartgrids Arnab Roy Fujitsu Laboratories of America

2 2 User Roles and Security Concerns [SKCP11] Users and Security Concerns [SKCP10] Utilities: Consumers 3 rd Party Service Providers Data Leakage Consumer trust, Regulatory compliance Data Leakage Behavior monitoring, industrial espionage Data/Platform Sharing Internal algorithms, Data Data Modification Power billing, Grid operation Data Modification Power usage measurement, Pricing Access Diversity Regulatory compliance, Platform integration Data Platform Sharing Pricing/Forecast algorithms

3 3 Data Characteristics & S&P Issues [SKCP11] Data Characteristics & Security/Privacy Issues Data Diversity Data Granularity Data Transformation Data Access & Sharing Data Archival Direct & Indirect Data Types Data Size Multi-owner data aggregation Shared repositories Data size growth Distributed Sources Data Collection Rates Integrating private & public data Individual access control Policy & technology evolution Diverse Ownership Access Control Granularity Current & legacy data sources Dynamic policies & latency Longer, wider attack exposure Heterogeneous Cloud Storage Services Security enforcement cost/latencies Intent of use & Audit trail Multiple jurisdiction

4 4 Top 10 Challenges Identified by CSA BDWG 1) Secure computations in distributed programming frameworks 2) Security best practices for non-relational datastores 3) Secure data storage and transactions logs 4) End-point input validation/filtering 5) Real time security monitoring 6) Scalable and composable privacy-preserving data mining and analytics 7) Cryptographically enforced access control and secure communication 8) Granular access control 9) Granular audits 10) Data provenance 4, 10 4, 8, 9 1, 3, 5, 6, 7, 8, 9, 10 Data Storage Public/Private/Hybrid Cloud 5, 7, 8, , 3, 5, 8, 9

5 5 Top 10 Big Data S&P Challenges Infrastructure security Data Privacy Data Management Integrity and Reactive Security Secure Computations in Distributed Programming Frameworks Privacy Preserving Data Mining and Analytics Secure Data Storage and Transaction Logs End-point validation and filtering Security Best Practices for Non- Relational Data Stores Cryptographically Enforced Data Centric Security Granular Audits Real time Security Monitoring Granular Access Control Data Provenance

6 Secure Computation in Distributed Programming Frameworks 6 Application Computation Infrastructure Malfunctioning compute worker nodes Access to sensitive data Trust establishment: initiation, periodic trust update Mandatory access control Privacy of output information Privacy preserving transformations

7 7 Security Best Practices for Non Relational Data Stores Data from Diverse Appliances and Sensors Lack of stringent authentication and authorization mechanisms Lack of secure communication between compute nodes Enforcement through middleware layer Passwords should never be held in clear Encrypted data at rest Protect communication using SSL/TLS Copyright 2013 FUJITSU LIMITED

8 8 Secure data storage and transaction logs Consumer Data Archive Data Confidentiality and Integrity Availability Consistency Collusion Encryption and Signatures Proof of data possession Periodic audit and hash chains Policy based encryption

9 9 End-point Input Validation / Filtering Adversary may tamper with device or software Tamper-proof Software Data Poisoning Adversary may clone fake devices Adversary may directly control source of data Trust Certificate and Trusted Devices Analytics to detect outliers Adversary may compromise data in transmission Cryptographic Protocols Copyright 2013 FUJITSU LIMITED

10 10 Real-time Security Monitoring Fraud Detection Security of the infrastructure Security of the monitoring code itself Security of the input sources Adversary may cause data poisoning Discussed before Secure coding practices Discussed before Analytics to detect outliers Copyright 2013 FUJITSU LIMITED

11 Scalable and Composable Privacy-Preserving Data Mining and Analytics 11 Consumer Data Privacy Exploiting vulnerability at host Insider threat Outsourcing analytics to untrusted partners Unintended leakage through sharing of data Encryption of data at rest, access control and authorization mechanisms Separation of duty principles, clear policy for logging access to datasets Awareness of reidentification issues, differential privacy Copyright 2013 FUJITSU LIMITED

12 12 Cryptographically Enforced Data Centric Security How do we enforce the protection of data end to end? Enforcing access control Identity and Attribute-based encryptions Data Integrity and Privacy Search and filter Outsourcing of computation Encryption techniques supporting search and filter Fully Homomorphic Encryption Integrity of data and preservation of anonymity Group signatures with trusted third parties Copyright 2013 FUJITSU LIMITED

13 13 Granular Access Control Keeping track of secrecy requirements of individual data elements Pick right level of granularity: row level, column level, cell level Data Privacy Maintaining access labels across analytical transformations At the minimum, conform to lattice of access restrictions. More sophisticated data transforms are being considered in active research Keeping track of roles and authorities of users Authentication, authorization, mandatory access control Copyright 2013 FUJITSU LIMITED

14 14 Granular Audits Audit of usage, pricing, billing Completeness of audit information Timely access to audit information Integrity of audit information Authorized access to audit information Infrastructure solutions as discussed before. Scaling of SIEM tools. Copyright 2013 FUJITSU LIMITED

15 15 Data Provenance Secure collection of data Authentication techniques Keeping track of ownership of data pricing, audit Consistency of data and metadata Insider threats Message digests Access Control through systems and cryptography Copyright 2013 FUJITSU LIMITED

16 Thank You 16