Releasing the potential of cloud computing in Europe Building the secure environment for big and small partners

Transcription

1 Releasing the ptential f clud cmputing in Eurpe Building the secure envirnment fr big and small partners Dr. Ladislav Hudec, Assciate Prfessr Faculty f Infrmatics and Infrmatin Technlgies Slvak University f Technlgy Prepared fr V4S VISEGRAD 4 FOR SECURE DATA Meeting held n May 28, 2015 in Brussels

2 Intrductin f the FIIT STU We cver a wide range f the Infrmatics and Infrmatin Technlgies (IIT) in bth the research and educatin. We are the first faculty with a such missin in Slvak republic. We ffer mdern study prgrams accredited study prgrams by the IET (Institutin f Engineering and Technlgy) cmmunity, which is established in Lndn. Staff Mre than 15 prfessrs and assciate prfesssrs, allmst all full time Mre than 30 teachers Mre than 5 research fellws Students Mre than 1100 (full time nly), including 50 PhD students Budget apprx. 2,5 mi Eurs. 2

3 A baseline f study at the FIIT STU university degree in anther field MSc.(Ing.) FIIT 3 years Graduatin frm high schl BSc. (Bc.)FIIT 4 years BSc. (Bc.)FIIT 3 years practice MSc.(Ing.) FIIT 2 years practice PhD. FIIT 3 years practice 3

4 Accredited study prgrams at the FIIT STU 1 st. level Bachelr degree study INFORMATICS COMPUTER AND COMMUNICATION SYSTEMS AND NETWORKS 2 nd. level Master (Engineer) degree study SOFTWARE ENGINEERING INFORMATION SYSTEMS COMPUTER AND COMMUNICATIO N SYSTEMS AND NETWORKS 3 rd. level Dctral degree study SOFTWARE SYSTEMS APPLIED INFORMATICS INFORMATION SECURITY 4

5 Research in security at the FIIT STU Security evaluatin mdel based n the scre f security mechanisms Infrmatin security risks pse a serius threat t rganizatins dependent n their infrmatin systems. The main prcess that is suppsed t help in security decisins is a risk analysis. Outputs f a risk analysis are essential inputs fr risk management. It prvides a risk manager with a set f significant risks and with data t assist in treatment f these risks. Quantitative methds are usually preferred because, if fllwing a prper methdlgy, they can prvide us with mre accurate results. Qualitative methds are influenced by subjective perceptin f a risk analyst that cnducts this prcess, s they tend t be biased. Risk managers and security prfessinals need frmalized quantitative risk measures and metrics, s they can efficiently and crrectly measure risks. Our gal is t bring the bjectivity int the prcess f the risk assessment and evaluatin and t express the security scre in an rganizatin in three basic security attributes. We used the security mechanisms implementatin scre t measure the quality f implemented security cntrls and the Analytic Hierarchy Prcess technique t express the imprtance f particular mechanisms. Security cntrls are riginated frm the ISO/IEC 27002:2005 standard and we prpse security mechanisms fr each cntrl bjective frm this standard. Designed apprach specifies hw t use the standard with selected security mechanisms and defines a methdlgy n determining weighted relatins between fur layers f the prpsed security mdel. The lwest layer are security mechanisms, then cntrl bjectives, fllwed by security clauses and the upper layer cnsists f security attributes. 5

6 Research in security at the FIIT STU Security mechanisms implement security cntrls desired by cntrl bjectives in standard in rder t imprve the verall scre f infrmatin security attributes, depicted at the bttm. 6

7 Research in security at the FIIT STU Overall scre f security mechanisms implementatin. One security mechanism can cntribute t ne r mre cntrl bjectives and ne cntrl bjective can be supprted by ne r mre security mechansims. These relatins are weighted, s we can adjust the influence f each assignment. We can express this part f a mdel with the weighted sum, where Mi is the scre f the security mechanism i and W(Mi) is its weight. 7

8 Research in security at the FIIT STU The evaluatin shuld be dne in the fllwing way. First, the security administratr r manager selects the rganizatin type. Then he inputs available statistics data int the evaluatin system tgether with the security mechanisms' implementatin scre, which can be btained by security metrics r by the expert judgement. The system then evaluates the security clauses with respect t these specific data and shw the result in main security attributes. Fr mre detailed infrmatin see: BREIER, J., HUDEC, L.: On selecting critical security cntrls. In: ARES 2013 : Prceedings 2013 internatinal cnference n availability, reliability and security, 2-6 September 2013, Regensburg, Germany. - Ls Alamits : IEEE Cmputer Sciety, ISBN ( - p BREIER, J., HUDEC, L.: On identifying prper security mechanisms. In Khabib Mustfa, Erich J. Neuhld, AMin Tja, Edgar Weippl, and Ilsun Yu (Eds) Infrmatin and Cmmunicatian Technlgy. The 2013 Asian Cnference n Availability, Reliability and Security (AsiaARES 2013), March 25th - 29th 2013, Gadjah Mada University, Indnesia. Vlume LNCS Springer Berlin Heidelberg, ISBN , p

9 Research in security at the FIIT STU Secure access cntrl in Mbile Ad-hc NETwrks (MANET) The MANET netwrk is a special kind f mbile ad-hc netwrk, which des nt rely n any fixed infrastructure (e.g. swarm f drnes, cnferences, meetings, where grup f peple needs t exchange data r share the cnnectin t the Internet). PKI cnsists f trusted third party certificate r attribute authrity and clients which rely n and trust t certificates signed by this authrity. The cmmn way f hw certificate authrity wrks is binding public key t legal identity f its wner. The main gal f this wrk is t develp new apprach fr secure access cntrl in cnditins f MANET netwrks with utilizatin f public key infrastructure. This new apprach imprve the public key infrastructure deplyability in the mbile ad-hc netwrks ruted by B.A.T.M.A.N. Advanced. We have extended the B.A.T.M.A.N. Advanced ruting prtcl with authenticatin and authrizatin f ruting updates based n X.509 certificates. Furthermre we have determined several levels f nde's trustwrthiness and tw levels f interperability between trusted authrities in the netwrk. T mitigate extra lad caused by renewing f certificates, we have identified critical factrs affecting it and designed the cmputatin frmula fr ptimal amunt f crss certificates issued by trusted authrity. T further imprve the service reachablity in highly mbile netwrks in earlier stages f PKI deplyment, we have designed the Cluster Glue. The ClusterGlue helps t cnnect grups f ndes frm different parts f netwrk which wns the certificates issued by the same authrity. Thanks t these mdificatins we are able t mitigate varius security risks and prvide the mre secure rute fr messages transmitting thrugh the netwrk. Results were verified by simulatins. 9

10 Research in security at the FIIT STU Secure access cntrl in Mbile Ad-hc NETwrks (MANET) Fr mre details see: VILHAN, P., HUDEC, L.: Building Public Key Infrastructure fr MANET with Help f B.A.T.M.A.N. Advanced. In: Prceeding f the 2013 Eurpean Mdelling Sympsium. Manchester, UK, Nvember, IEEE Cmputer Sciety. ISBN P VILHAN, P., HUDEC, L.: Cluster glue - imprving service reachability in PKI enabled MANET. In: UKSim-AMSS 2014 : prceedings UKSim-AMSS 16th internatinal cnference n cmputer mdelling and simulatin March 2014, Cambridge, United Kingdm. - Ls Alamits : IEEE Cmputer Sciety, ISBN S

11 Research in security at the FIIT STU, FMFI UK and CSIRT.SK (prpsal) Centre f excellence in infrmatin security Cnsrtium cnsists f the FIIT STU, FMFI UK (Faculty f Mathemetics, Physics and Infrmatics f Cmenius University), CSIRT.SK (Cmputer Security Incident Respnse Team Slvakia). This year infrastructural prject fr cmpleting existing technlgy at the cnsrtium partners is prpsed. Next fur years research and innvatin activities will be perfrmad. Field f research: Develpment and implementatin f SIEM (Security Infrmatin and Event Management) slutin fr public administratin: SIEM will be built n pen-surce technlgies. Develped slutin will be built with an emphasis n the ability t mnitr and prcess a large number f events and data flws (at least 10,000 events per secnd and 100,000 flws per secnd), the ability t evaluate infrmatin frm these events and flws. Research in wireless and mbile netwrks built up n the current netwrk technlgies with fcus n security and privacy. This includes the pssibility f mnitring and evaluatin f existing users, but als thrugh analysis f wired and wireless technlgies, including the pssibility t analyze the behavir f grups. Distributed NIDS (Netwrk Intrusin Detectin System) fr hme netwrks with Internet access. The prject gal is t design new mdel fr bserving and prfiling f the netwrk traffic with end-device granularity frm the perspective f the hme Wi-Fi ruter. Prpsed mdel shuld prvide infrmatin abut the type f netwrk traffic and abut its develpment in time fr each cnnected device t the LAN. Data frm mre Wi-Fi ruters will be accumulated and prcessed at sme central nde t prvide higher level aggregate statistics usable fr anmaly detectin and netwrk attack mitigatin in individual lcal netwrks. 11

12 Research in security at the FIIT STU, FMFI UK and CSIRT.SK (prpsal) Centre f excellence in infrmatin security Field f research: Secure cmmunicatin in netwrked embedded systems. The prject aim is t research f security requirements f embedded systems with regard t specific characteristics f autmtive cmmunicatin buses. Security extensin f currently used buses CAN (Cntrlled Area Netwrk) using Ethernet netwrk. Fr example explitatin f higher bandwidth r ther security mechanisms. Research in wireless and mbile netwrks built up n the current netwrk technlgies with fcus n security and privacy. This includes the pssibility f mnitring and evaluatin f existing users, but als thrugh analysis f wired and wireless technlgies, including the pssibility t analyze the behavir f grups. Develpment f secure active netwrks devices. Fr the security f the physical layer f cmputer netwrks pays that almst all active netwrk cmpnents f cmputer netwrks (switches, ruters, hardware firewall with IPS and IDS functins, etc.) are implemented as embedded systems. Increasing the security f these embedded systems imlpies increasing security f active netwrk devices. Big data analyse fr security purpse. Cmputer lgs cntais a huge amunt f data. Lking fr patterns f malicius activities requires t design fast parallel algrithms fr big data prcessing. Bimetric methds. The aim f research in this area will be user authenticatin based n the dynamics f writing and dynamics f wrking with a muse and may be supplemented by the inclusin f additinal authenticatin methds based n ther characteristics f the user. Research in security metrics. Design f new security mdel that cnsist f mdeling f assets in rganizatin, their relatinships and prcesses in which the assets participate in prducing prfit. 12

13 Research in security at the FIIT STU, FMFI UK and CSIRT.SK (prpsal) Centre f excellence in infrmatin security Field f research: Research and develpment in the field f secure sftware f persnal cmputers, servers, netwrking, cnsumer and industrial electrnics. testing and analysis f the weaknesses f the firmware, perating systems and applicatins the design and develpment f slutins t increase the resilience f sftware against varius frms f attack the safety f perating systems and applicatins in virtual envirnments and in clud the design and peratin f hneypts t detect new attacks. Research and develpment in the field f secure hardware f persnal cmputers, servers, netwrking, cnsumer and industrial electrnics. testing and analysis f the weaknesses f the hardware elements and their interfaces the design and develpment f slutins t increase the resilience f hardware against varius frms f attack the develpment f equipment fr the discvery and demnstratin f hardware security vulnerabilities a side channel analysis (time, sampling, electrmagnetic radiatin). Research and develpment f security systems fr ppulatin services. cryptgraphic currency, payment prtcls, electrnic vting, mass remte cntrl, health (eg. medical equipment). Research and develpment in visual security. 13

14 Thank yu 14