Moderator: Panelists: Panel #2 Big Data: Application Security and Privacy. Keith Swenson, VP of Research and Development, Fujitsu America, Inc.

Size: px

Start display at page:

Download "Moderator: Panelists: Panel #2 Big Data: Application Security and Privacy. Keith Swenson, VP of Research and Development, Fujitsu America, Inc."

Barnard Johns
8 years ago
Views:

1 Panel #2 Big Data: Application Security and Privacy 2:15 PM 3:00 PM Moderator: Keith Swenson, VP of Research and Development, Fujitsu America, Inc. Panelists: Taka Matsutsuka, Researcher, Fujitsu Laboratories of Europe, Ltd. Praveen Murthy, Member of Research Staff, Fujitsu Laboratories of America, Inc. Arnab Roy, Member of Research Staff, Fujitsu Laboratories of America, Inc. Copyright 2013 FUJITSU LABORATORIES OF AMERICA 0

2 Big Data: Application Security and Privacy Keith Swenson Vice-President of Research and Development Fujitsu America, Inc.

3 CSA Big Data Working Group Arnab Roy Software Systems Innovation Group Fujitsu Laboratories of America, Inc.

4 BDWG Organization Data analytics for security Privacy preserving/enhancing technologies Big data-scale crypto Big Data Working Group 60+ members Cloud Infrastructures' Attack Surface Analysis and Reduction Policy and Governance Framework and Taxonomy Top 10 Legal Issues

5 CSA BDWG Plan The Big Data Working Group (BDWG) will be identifying scalable techniques for data-centric security and privacy problems. BDWG s investigation is expected to lead to Crystallization of best practices for security and privacy in big data, Help industry and government on adoption of best practices, Establish liaisons with SDOs to influence big data security and privacy standards Accelerate the adoption of novel research aimed to address security and privacy issues. Identify new and fundamentally different technical and organizational problems in big data security and privacy. Establish liaison with NIST (US), ENISA (EU) and Participate in PAPs, SDOs Execute research plans based on funding and IP 9/12 12/12 3/13 3/14 Summarize state of the art, propose best practices, and identify gaps Report on outcomes of BDWG research 4

Scalable and composable privacy-preserving data mining and analytics 7) Cryptographically enforced access control and secure communication 8)

6 First Milestone: Identified Top 10 Challenges 1) Secure computations in distributed programming frameworks 2) Security best practices for non-relational datastores 3) Secure data storage and transactions logs 4) End-point input validation/filtering 5) Real time security monitoring 6) Scalable and composable privacy-preserving data mining and analytics 7) Cryptographically enforced access control and secure communication 8) Granular access control 9) Granular audits 10) Data provenance 4, 10 4, 8, 9 1, 3, 5, 6, 7, 8, 9, 10 Data Storage Public/Private/Hybrid Cloud 5, 7, 8, , 3, 5, 8, 9 5

7 Initial Set of Topics in Big Data Crypto 1) Communication protocols 2) Access policy based encryption 3) Big data privacy 4) Key management 5) Data integrity and poisoning concerns 6) Searching / filtering encrypted data 7) Secure data collection/aggregation 8) Secure collaboration 9) Proof of data storage 10) Secure outsourcing of computation 2,5,7,10 2,3,6 1,3,6 3,6,8,9

9 BDWG Organization Data analytics for security Privacy preserving/enhancing technologies Big data-scale crypto Big Data Working Group 60+ members Cloud Infrastructures' Attack Surface Analysis and Reduction Policy and Governance Framework and Taxonomy Top 10 Legal Issues

10 Big Data Security New security challenges of big data Public cloud environment coupled with Big data characteristics Volume, Velocity, Variety Increased Attack Surface Big Data based on commodity cloud architecture Demands more cloud infrastructure services to be exposed More APIs exposed for attack Need to identify unused services/apis and block them from access 9 Copyright 2013 Fujitsu Laboratories of America

11 Cloud attack surface taxonomy SSL certificate spoofing Phishing How much can the cloud learn about a user? Buffer overflow SQL injection Privilege escalation Attacks on cloud control Privacy attack Data integrity attack Data confidentiality attack Resource exhaustion DoS Figure from: Gruschka et al., Attack Surfaces: A Taxonomy for Attacks on Cloud Services. Copyright 2013 Fujitsu Laboratories of America

12 Attack surface as information flow Potential for Dangerous data to flow from (un-trusted) user to system SQL injection, side channel attack, buffer overflow or For sensitive information to flow from system to unauthorized user Information flow examples: User has read permissions on all files User can create files via APIs User can spawn multiple VMs via APIs

with real-time data Node.js Visualization of Big Data Analytics D3.

13 Cloud infrastructure elements and JavaScript Hadoop Software framework for Big Data Microsoft HDInsight has JavaScript API for Hadoop Interactive applications with real-time data Node.js Visualization of Big Data Analytics D3.js Amazon EC2 Cloud platform NodeJS library can communicate with AWS EC2 APIs (Open source)

14 Attack Surface Analysis on Cloud Software APIs To determine metrics based on number of paths from user APIs to sensitive data/functions in cloud infrastructure code using static analysis on JavaScript. To determine metrics based on higher level audits of virtual images, hypervisors, ports, and host OS s. Infrastructure code Program paths Sensitive data Sensitive functions Attack surface: Paths that access sensitive data/functions as a proportion of all paths 13 Copyright 2013 Fujitsu Laboratories of America

15 Java 7 0-day: could attack surface analysis catch this? import java.applet.applet; import java.awt.graphics; import java.beans.expression; import java.beans.statement; import java.lang.reflect.field; import java.net.url; import java.security.*; import java.security.cert.certificate; import metasploit.payload; public class Exploit extends Applet { public Exploit() { } public void disablesecurity() throws Throwable { Statement localstatement = new Statement(System.class, "setsecuritymanager", new Object[1]); Permissions localpermissions = new Permissions(); localpermissions.add(new AllPermission()); ProtectionDomain localprotectiondomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localpermissions); AccessControlContext localaccesscontrolcontext = new AccessControlContext(new ProtectionDomain[] { localprotectiondomain }); SetField(Statement.class, "acc", localstatement, localaccesscontrolcontext); localstatement.execute(); } ::Applet ::Statement ::Permissions Sandbox violation!! 14 Copyright 2013 Fujitsu Laboratories of America

17 Business Problem Frauds in Social Benefits Costs ~200B yen annually: in UK only!* Hard to bridge and interconnect claims - Heterogeneous formats - Multiple councils Ealing Westminster Difficult to adapt to change of requirements Kent - Dynamism of fraud techniques * 1.6B pound 16 Copyright 2013 Fujitsu Laboratories of Europe Limited

System A Month Staff May Month 2012 3 June Month 2012 July Month 2012 5 4 Process System B Month Name No Address Month Nuno 12 3

18 BigGraph connects Big Data with relationships A technology to enable analysis of Big Data with connections This exhibition uses public sector claim analysis (using data from the UK) Analysis Rule Rule Individual Systems Process Graph layer: integrated view System A Month Staff May Month June Month 2012 July Month Process System B Month Name No Address Month Nuno 12 3 Clefield Month Roger Prince G Month Aisha 28 Flat 2, 223 System C Individual Files 17 Copyright 2013 Fujitsu Laboratories of Europe Limited

Our Solution BigGraph Big Data Application Platform based on Graph Technology Graph that enables bridging and interconnection of data to solve

business logic Users phone BigGraph Platform Event ID Theft Anomalies Various Data Sources New business logic attached locally to the data and added

20 Our Solution BigGraph Big Data Application Platform based on Graph Technology Graph that enables bridging and interconnection of data to solve multiple councils heterogeneity Locally embeddable algorithms to dynamically adapt to change of requirements claim1 claim2 home claim3 school Add new business logic Users phone BigGraph Platform Event ID Theft Anomalies Various Data Sources New business logic attached locally to the data and added to the graph on the fly e.g. Home.coordinate - School.coordinate > 60 miles Essex Leicestershir e Surrey 19 Copyright 2013 Fujitsu Laboratories of Europe Limited

21 20 FUJITSU EYES ONLY

Arnab Roy Fujitsu Laboratories of America and CSA Big Data WG

Arnab Roy Fujitsu Laboratories of America and CSA Big Data WG 1 The Big Data Working Group (BDWG) will be identifying scalable techniques for data-centric security and privacy problems. BDWG s investigation