Information Security Research



Similar documents
CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

JOURNAL OF OBJECT TECHNOLOGY

Strengthen security with intelligent identity and access management

Solve your toughest challenges with data mining

IBM's Fraud and Abuse, Analytics and Management Solution

!!!!! White Paper. Understanding The Role of Data Governance To Support A Self-Service Environment. Sponsored by

Compliance & SAP Security. Secure SAP applications based on state-of-the-art user & system concepts. Driving value with IT

Best Practices for Building a Security Operations Center

Trust areas: a security paradigm for the Future Internet

CHAPTER 1 INTRODUCTION

ISSECO Syllabus Public Version v1.0

The Principles of Effective Dashboards

C A S E S T UDY The Path Toward Pervasive Business Intelligence at an Asian Telecommunication Services Provider

Tapping the benefits of business analytics and optimization

Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February

Roadmapping Discussion Summary. Social Media and Linked Data for Emergency Response

Solve Your Toughest Challenges with Data Mining

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

Associate Prof. Dr. Victor Onomza Waziri

Fujitsu Cloud Integration Platform Lead your business into the cloud

The SEEMP project Single European Employment Market-Place An e-government case study

Brainloop Cloud Security

Incident Management & Forensics Working Group. Charter

Cloud security architecture

Integrating SAP and non-sap data for comprehensive Business Intelligence

Enterprise Data Quality

Identity and Access Management

API Architecture. for the Data Interoperability at OSU initiative

Advanced Analytics. The Way Forward for Businesses. Dr. Sujatha R Upadhyaya

Technical Management Strategic Capabilities Statement. Business Solutions for the Future

Information Visualization WS 2013/14 11 Visual Analytics

Self-Service Business Intelligence

Big Data Executive Survey

TP 7: Identity 3.0 Dynamic Identity and Access Management

A BUSINESS CASE FOR BEHAVIORAL ANALYTICS. White Paper

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

RECOMMENDED CHARTER FOR THE IDENTITY ECOSYSTEM STEERING GROUP

WHITEPAPER. Creating and Deploying Predictive Strategies that Drive Customer Value in Marketing, Sales and Risk

Cloud Security: The Grand Challenge

On the Application of Trust and Reputation Management and User-centric Techniques for Identity Management Systems

The NREN s core activities are in providing network and associated services to its user community that usually comprises:

Making critical connections: predictive analytics in government

INFORMATION TECHNOLOGY STANDARD

locuz.com Big Data Services

Oracle Financial Services Broker Compliance

How Does Big Data Change Your Way of Managing Information?

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM

BUSINESS INTELLIGENCE AS SUPPORT TO KNOWLEDGE MANAGEMENT

2010 Data Breach Investigations Report

Cis330. Mostafa Z. Ali

Organizational IT Concepts and SAP Solution Manager. General IT operations and service concepts with SAP Solution Manager. Driving value with IT

Making Critical Connections: Predictive Analytics in Government

Course DSS. Business Intelligence: Data Warehousing, Data Acquisition, Data Mining, Business Analytics, and Visualization

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Government's Adoption of SOA and SOA Examples

Viewpoint ediscovery Services

OASIS Open Reputation Management Systems (ORMS) Technical Committee

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

WHITEPAPER. How to Credit Score with Predictive Analytics

IBM Software IBM Business Process Management Suite. Increase business agility with the IBM Business Process Management Suite

A Near Real-Time Personalization for ecommerce Platform Amit Rustagi

The State of Insurance Fraud Technology. A study of insurer use, strategies and plans for anti-fraud technology

BEYOND THE EHR MEANINGFUL USE, CONTENT MANAGEMENT AND BUSINESS INTELLIGENCE

Analance Data Integration Technical Whitepaper

Interim Threat / Risk Assessment. Student E- Communications Outsourcing Project

Virtualization s Evolution

Anatomy of a Decision

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS

Privacy and Identity Management for Europe

JOURNAL OF OBJECT TECHNOLOGY

Data Mining Analysis of a Complex Multistage Polymer Process

Whitepaper Data Governance Roadmap for IT Executives Valeh Nazemoff

Healthcare, transportation,

Impact of Cybersecurity Innovations in Key Sectors (Technical Insights)

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

The following is intended to outline our general product direction. It is intended for informational purposes only, and may not be incorporated into

Creative Shorts: The business value of Release Management

Accenture Cyber Security Transformation. October 2015

TRENDS IN THE DEVELOPMENT OF BUSINESS INTELLIGENCE SYSTEMS

A Guide Through the BPM Maze

perspective Progressive Organization

Chapter 5 Business Intelligence: Data Warehousing, Data Acquisition, Data Mining, Business Analytics, and Visualization

CLOUD COMPUTING SECURITY ISSUES

FRAUNHOFER INSTITUTE FOR EXPERIMENTAL SOFTWARE ENGINEERING IESE VARIATION MANAGEMENT: USER EXPERIENCE FOR EFFICIENCY IN PROVIDING SOLUTIONS

Managing Cloud Services in the Enterprise The Value of Cloud Services Brokers

Cloud Computing: Legal Risks and Best Practices

Solve your toughest challenges with data mining

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Summary Report Report # 1. Security Challenges of Cross-Border Use of Cloud Services under Special Consideration of ENISA s Contributions

Cloud and Big Data Standardisation

Analance Data Integration Technical Whitepaper

Embedding Knowledge Processes to Maintain Service Levels and Efficiency in a Growing Software Service Firm

CISM ITEM DEVELOPMENT GUIDE

KnowledgeSEEKER Marketing Edition

CA Technologies Healthcare security solutions:

Intelligent Agents The New perspective Enhancing Network Security

Bringing Sustainable Privacy and Identity Management to Future Networks and Services

Master Data Management

Data Governance. Unlocking Value and Controlling Risk. Data Governance.

Transcription:

Information Security Research at the Department of Information Systems (Lehrstuhl für Wirtschaftsinformatik I) University of Regensburg, Germany Prof. Dr. Günther Pernul guenther.pernul@wiwi.uni-r.de www-ifs.uni-r.de As of spring 2015 the chair consists of 11 full time researchers, 2 full time supporting personnel, 3 external lecturers, and 8-10 graduate students working on part time contracts. In addition, the chair is engaged in the spin-off Nexis GmbH 1, a SME active in identity and access governance, and is one of the founding members of the Bavarian cluster in IT-Security 2. This cluster is a network of competence of more than 50 firms active in IT security. In addidtion the chair is coordinating the FORSEC research alliance (https://www.bayforsec.de ) aiming on integrating research on the security of highly connected it-systems and performed at 4 major Bavarian Universities. Our work group s main research focus lies on application-oriented, project-based, as well as on basic research in information systems and information security. In its broadest sense, the focus can be characterized by researching the analysis, modeling, design, and reliable and secure use of state-of-theart information systems in different application areas. Most of our research is supported by external funds, provided for example by industry, federal resources or by the European Commission under its research framework programs. Currently active research topics The following paragraphs introduce the topics that our group is actively researching at the time of writing of this report. Big Data (Storage, Governance, Management) and Visual Analytics We are currently living in the age of big data which is driven by high-volume, high-variety and high-velocity data-assets that could be used to extract useful information and to derive insights. But big data not only comes with great opportunities for enhanced decision making and the realization of innovative business models, but also with manifold challenges for the efficient governance and management of this data. Thereby, one major aspect is the management of data storage with regard to varying information security requirements and costs while considering the strategic value of these data-assets. As some data are more valuable than others, e.g. when containing company secrets, or more sensitive due to a lot of personally identifiable information (PII), some storage locations might be more appropriate for storing specific data than others. Additionally, some storage locations might involve more risk than others, e.g. because of varying protection mechanisms or different geographical regions, which might be subject to disparate data protection standards and regulations. Storage of certain information can also be contractually regulated, that is data is only allowed to be stored in a specific legal sphere with suitable 1 http://www.nexis-secure.de/ 2 http://www.it-sicherheit-bayern.de Summary Information Security Research, G. Pernul, Autumn 2014-1 -

data protection laws. In general, data storage has a large share in IT expenses. Thus potentially valuable or sensitive data might be stored on premium storage while less valuable or sensitive data could also adequately be stored on cheaper storage. As the management of big data is both complex and costly our research in this domain is directed to solutions for the efficient management of big data storage which includes security, privacy and economical aspects. An ideal approach for tackling these issues is the use of visual analytics which aim at providing the perfect combination of humans perceptual and cognitive abilities and automated computational analyses. By using interactive visual interfaces, decision makers as well as end users are put into position to intuitively plan and accomplish data storage in big data settings. Visualizing the costs and risks of data storage locations in addition to information on data value and sensitivity puts decision makers in a position to efficiently manage big data storage. Trust Management Trust is an important mechanism for risk perception and has therefore been identified to be a key factor for the success of various electronic environments and platforms, such as online marketplaces and peerto-peer networks. Unlike traditional face-to-face transactions, electronic transactions are carried out between strangers whose trustworthiness is unknown. The quality of products, services or information provided can mostly not be verified ex ante. Thus, actors face high risks. Our research addresses soft security mechanisms to establish trust in these environments such as reputation systems and recommender systems. Typically, transaction partners are encouraged to leave feedback (numerical ratings or textual reviews) after each transaction denoting their satisfaction. Reputation systems collect all evidence, aggregate the referrals and give an overview of past behavior in a reputation profile. While a lot of research has been carried out on computation methods to make reputation systems more accurate and robust against attacks, current systems have become quite nontransparent. Thus, our research focusses on enhancing transparency of reputation systems and involve the user in the computation process by providing an interactive visual representation of seller reputation profiles. We, thereto, make use of visual analytics. Recommender systems are used to address the problem of information overload by determining those items of a platform (e.g. movies, books, news articles) that a particular user will likely be interested in. Just like reputation systems, they are also based on ratings. The main difference between these two types of systems is that the ratings in reputation systems are supposed to be insensitive to taste whereas the ratings in recommender systems are highly dependent on the preferences of the user. Our research efforts in this domain particularly focus on trust-based (or trust-enhanced) recommender systems, which utilize trust values and trust networks to overcome certain drawbacks of traditional recommender systems. For instance, recent proposals have shown to be able to mitigate the user cold start problem (i.e. providing recommendations to a user who has provided only few information about her preferences through ratings) and to facilitate the detection of manipulations. Major parts of our work are carried out within the Bavarian research association FORSEC, which focuses on security in highly connected IT systems. Our subproject, in particular, is concerned with Next Generation Online Trust. Summary Information Security Research, G. Pernul, Autumn 2014-2 -

Identity and Access Management (IdM) We are primarily interested in IdM in closed environments, such as for large organizations and enterprises (in-house IdM). Basic research focuses on the analysis of the importance of IdM and role-based access controls for large corporative systems. Effectively managing user access to sensitive applications and data is one of the biggest security challenges organizations are facing today. A typical large organization manages millions of user accesses, spread across thousands of IT resources, users and privileges. Both quality of identity data and management of user roles as a central building block of IdM Infrastructures have become an important topic for most large and medium-sized companies. On the one hand organizations have to ensure high data quality of their managed digital identities while on the other hand accurately managing role and group information has become critical for securely managing enterprise operations and resources. Besides the usage of statistical analysis and neural networks for cleansing existing identity data, another concern of our research is investigating a structured process for defining proper role structure for an organization. This includes the analysis of existing role development methodologies, practical state-ofthe-art solutions, and their shortcomings. The definition of valid roles is the most challenging task before achieving the benefits of role usage. Current approaches address only parts of the role development problem. They either deal with the mapping of business functions to access privileges, neglecting the current situation within a company, or apply data mining techniques to derive permission bundles as role candidates based on existing identity information and access rights. Output of our research is a hybrid and tool-supported role development methodology ( HyDRo Hybrid Development of Roles). HyDRo integrates organizational and operational structures as well as already existing access rights in an iterative manner. Data mining technologies and other automated analysis techniques for data cleansing and the discovery of role candidates play a major role in the execution of HyDRo. The methodology itself is supported by the controle software as a role development tool. Thereby HyDRo overcomes another drawback of existing RDMs as it provides tool-support throughout the process of role definition, essentially offering organizations the chance to streamline and control the role development project during all phases. Additionally, new research concentrated on the management of roles after an initial deployment. An overall model for a structured process for these so called role model optimizations, the Role Opimization Process Model (ROPM) has been proposed and its applicability has been shown in a large scale industry project. Further research comprises quality issues in IdM in general and specifically in roles, in order to ensure a high quality IdM-infrastructure that can be managed with more ease and lower cost. Hence, for a better decision-making in role improvement, role quality metrics in role mining algorithms have been discovered, extracted and aggregated. We further argue, that traditional approaches for authorization and access control in computer systems (i.e., discretionary, mandatory, and role-based access controls) are not appropriate to address the requirements of highly flexible networked or distributed systems and that proper authorization and access control requires infrastructural support in one way or another. This support can be provided, for example, by an authentication and authorization infrastructure (AAI). Against this background, we investigate, analyze, discuss, and put into perspective some of the current technologies that can be used to build and operate AAIs. A privilege management infrastructure (PMI) is one step further and able to support a comprehensive authorization service. We are working on new approaches for privilege management by dynamically controlling the users accesses based on exchanging and evaluating general user characteristics, most notable the attribute-based access control model (ABAC). Summary Information Security Research, G. Pernul, Autumn 2014-3 -

Information Security Risk Management Today, computing is ubiquitous and information systems are interconnected globally. Therefore, the efficiency of modern companies relies heavily on effective operation of information technologies. However, a more dynamic threat environment has to be faced. Targeted and unique attacks, such as Stuxnet and Aurora, are raising. There is a plethora of possible products or scientific solutions available to secure information systems. Therefore, especially when struggling with tight budgets, it is difficult to decide which security measures are necessary and which are not. Managing information security risks, i.e. knowing where information security assets are at risk (identification) and how dangerous these risks could be (estimation), helps companies to invest in a targeted way in order to secure their assets. Risk metrics today, and therefore also decisions based on theses metrics, are often based on estimations and outdated data. Scientists and even some professionals start realizing that sharing risk information is of mutual benefit. As a result, threat repositories, vulnerability databases and honey pot data are available. However, a lot of information seems not to be considered yet. Especially information to define the context of the assets at stake, such as system events, are often not taken into consideration. Therefore, our research group is searching innovative information repositories that can be considered within risk management. We focus on system events to characterize the systems' context, dependencies and states. Moreover, risks are often estimated at constant time intervals, e.g. twice a year. We are working on ways to calculate information system risks dynamically in (near) real time and to inform the persons responsible as soon as an identification of unknown risks is necessary or a risk recalculation might be required. Digital Forensics in Organizations Information security incidents are the most obvious reasons for digital forensic investigations. But, through the ever-increasing penetration of everyday life with digital devices, digital forensic investigations are also needed to solve classic crimes. Within the corporate environment, classic crimes are mostly financial crimes like money laundering, Ponzi schemes or fraud. As the support of enterprises' processes through information systems increases, an investigator gets evermore evidence out of these systems. However, the acquisition of digital evidence from the overall, highly interconnected organizational information system is often complex and cumbersome. While techniques to extract, preserve and analyze data from isolated systems, individual networks or network systems have been discussed within the digital forensics community in the last few years, digital forensic investigations in organizations have been only discussed at less extent. Our research focuses on scientifically proven guidelines and techniques to enable digital forensics within enterprise information system infrastructures as well as on measures to heighten the value of evidence gathered from information systems. With new techniques in this area we also hope to enhance information security incident response. Possible improvements are capabilities, i.e. sound evidence, to prosecute offenders and a faster recovery from incidents due to a better knowledge of damages and impacts through certain attacks. Summary Information Security Research, G. Pernul, Autumn 2014-4 -

Further competencies In addition to the actively researched topics mentioned above, the chair profits from a host of precursory research results and associated competencies in the following fields. User-centric Privacy Technologies and Privacy in Social Media The rise of social media highlights the importance of enhancing the user-centric privacy and its usability. First generation Privacy-enhancing technologies (PETs) were neither easily understandable nor did they support the user in making an informed decision whether to disclose personal information or not. In addition, keeping track of personal information disclosed to service providers was impossible. Addressing these shortcomings of existing PET solutions, we developed methods for the user-friendly generation of privacy preferences for the controlled disclosure of personal user data and userunderstandable tools that inform users about transactions of personal data using a collaborative approach. A data disclosure log, which involves the recording of personal data transactions and the managing of already submitted data, was a key research result as well. Global Identity Management With a focus on the field of egovernment and especially on those systems that enable the relaying of sensitive personal data within cross-organizational public administration processes, technology drivers (political-legal frameworks (e.g. EU s Data Protection directive, EU s Services Directive, the i2010 Initiative) and newly arising technologies from other varieties of IdM have been applied to global usage scenarios. We further investigated, how already existing IdM systems are able to support global IdM in collaborative cross-border scenarios. Federated Identity Management Federated identity management (FIM), meaning the exchange of identity information across security domains as well as organizational and legal boundaries, has long been a central research topic at the chair. In contrast to identity management in global networks our efforts regarding FIM are limited to closed organization networks. Federations in this case are much more than only exchanging identity information and accessing some partner resources. Contracts and agreements between the collaboration partners must be defined, a kind of federation structure needs to be set up, necessary federation technologies need to be adopted and many more supportive actions need to be taken into account. Secure, efficient and transparent methods for handling these federations have been the main aims of our research in this area. Security Patterns Security Patterns encapsulate expert knowledge about secure systems design similar to the concept of design patterns in software engineering. Our research was focused on applying security patterns and measuring the degree of their implementation with the intent to support the construction of secure software within each phase of the software development process. Our aim was to attach appropriate metrics to security patterns and to develop a methodology to measure the improvement of security by using these patterns. Summary Information Security Research, G. Pernul, Autumn 2014-5 -

Security Semantics for Business Processes, Compliance and Business Intelligence Our research in this area was committed to finding ways of expressing security semantics in business process models that are sufficiently expressive while preserving the intuitiveness of BPM for most stakeholders. Component Security Services, Semantic, Portal Interfaces The open environment built through today s usage of technologies like SOA and EBS requires strong and reliable security schemes, which still have to be adoptable and easy to deploy. Especially an ESB as an intermediary between services providers and services users opens up interesting potential and is a good place for enforcing security in any given setting. In this area, we covered topics such as distributed security infrastructures and distributed privacy-aware authentication and authorization models, mapping, re-issuing and re-certification of security credentials and trustworthy service discovery and selection. Another area of research was concerned with the implications, SOAs and especially semantic SOAs have on security in software systems. Lastly, security aspects arising from the inclusion of heterogeneous applications into holistic user portals, allowing for the interoperability of individual applications on a user interface level, have been researched as well. Summary Information Security Research, G. Pernul, Autumn 2014-6 -

Current and recent funded research Bayerisches Staatsministerium für Bildung und Kultus, Wissenschaft und Kunst, 20013 2017 https://www.bayforsec.de EU FP7-2009-248920, 2010-2012 http://www.padgets.eu EU EFRE Structural Funds, 2009-2015 http://www.it-sicherheit-bayern.de/itsecurity Freistaat Bayern, High-Tech-Offensive, 2009-2011 http://www.secpat.de EU FP7-2007-217098, 2008-2011 http://www.spike-project.eu DAAD: Funding for IPICS in the years 2008-2010 http://www.ipics-school.eu EU FP6-2004-27020, 2006-2009 http://www.accessegov.org Contact: Prof. Dr. Günther Pernul Department of Information Systems, University of Regensburg Universitätsstrasse 31 D-93053 Regensburg, Germany Tel.: +49-941 943 2742, Fax.: +49-941 943 2744 guenther.pernul@wiwi.uni-r.de www-ifs.uni-r.de Summary Information Security Research, G. Pernul, Autumn 2014-7 -

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information