Cyber Security and Privacy
INNOVATION & BUSINESS CHALLENGES & SOLUTIONS
Jovan Golić
EIT ICT Labs Action Line Leader for Privacy, Security & Trust
“Cyber Security & Privacy Innovation Forum,” Brussels, April 28-29, 2015
• Cyber security − Data security in cyberspace
• Data security: Resistance to cyber attacks against data integrity, confidentiality, availability, and entity authentication & identification
• Attacks multiply rapidly and evolve dramatically
• Different aims − fraud, DoS, physical damage, defamation, data theft, cyber espionage, cyberwar
• Different levels of sophistication
• In practice, identified with reactive approach
• Monitoring, attack detection, response, and mitigation
• SOCs and CERTs, information sharing
• Protection of critical infrastructures, government (e.g., public administration), and enterprises
• N.B. Reactive approach necessary, but insufficient!
Cyber Security
• Cyber privacy − Data privacy in cyberspace
• Data privacy: User’s control + Security of sensitive data:
• About citizens, private or public companies, institutions, and organizations (personal, financial, industrial etc.)
• During the whole life cycle of data
• Losing control of sensitive data may put at risk property, industrial and financial assets, public safety, jobs, liberty, and even life of citizens
• N.B. No cyber privacy → No cyber security
• Sensitive data are then exposed to attacks, even by unsophisticated attackers
Cyber Privacy
• Minimality principle: Sensitive data should be controlled by the user during the whole life cycle and disclosed to the lowest possible extent, for a minimum period of time, only to entities and for purposes authorized by the user (ideal balance with usability)
• N.B. Rarely applied in practice, due to:
• Massive user profiling by online service providers, since user data have market value (control?)
• Surveillance and lawful interception by government agencies and law enforcement authorities, to help detect and monitor social threats and detect, track, and investigate criminal or terrorist activities (abuses?)
Minimality Principle
• User profiling means collecting, processing, and modelling of user data over a period of time, e.g.:
• User IDs or identity attributes, data collected from sensors and meters, search engines, social networks, health data, client data etc.
• User profiling is useful
• Personalized and targeted: information, advertising, services, social contacts etc.
• Security: authentication by behavior-based anomaly detection
• N.B. Privacy policies are difficult to control
• N.B. Massive user profiling becomes massive citizen profiling if user identity attributes are associated with user profiles!
User Profiling
• Many cryptographic algorithms and protocols are now transparent and standardized – trustworthy
• Many proprietary ones turned out to be weak after exposure
• Software products (operating systems, middleware, applications) are mostly proprietary and obfuscated, possibly with backdoors – not trustworthy
• Secure hardware requires transparent and auditable hardware fabrication facilities
• N.B. Security chain is as strong as its weakest link!
Software and Hardware Security
• Attacks in cyberspace multiply rapidly and evolve dramatically and traditional reactive approaches are insufficient to deal with them effectively
• Uncontrolled massive user/citizen profiling by online service providers and abuses of surveillance practices by government agencies are a great threat to data privacy
• EU ICT security market is fragmented along national borders and constrained to high-security military and government segments, without many business prospects
• Data protection laws and regulations in EU do not match the challenges
Challenges
• Use proactive approach: deploy trustworthy and transparent innovative technologies bridging the gaps between available techniques and practice
• Apply security&privacy-by-design paradigm
• Exploit great business opportunities, overcome market fragmentation: EU security&privacy solutions are more trustworthy
• Raise social awareness about cyber security and privacy - threats and solutions
• Improve data protection laws: e.g., controllable privacy policies, minimality principle, user/citizen profiling, privacy protection by new techniques, transparent and certified SW and HW, privacy assurance levels
What to Do
• EIT ICT Labs was set up in 2010 by the European Institute of Innovation and Technology (EIT), in order to urgently strengthen the ICT competence in Europe
• Mission: Drive European leadership in ICT innovation for economic growth and quality of life, through a network of partners and business development accelerator for startups and SMEs
• PST AL is one of eight thematic action lines
• Funding of finalization stages of research and innovation aiming at bringing to market innovative ICT products and services, through 1-year projects
EIT ICT Labs Action Line for Privacy, Security & Trust
• Privacy-aware federated digital ID management & strong authentication
• Data privacy in online/mobile applications, services & communications
• Protection of endpoint computing devices, especially mobile, against malicious software and intrusions
• N.B. Also, secure SW and HW platforms, since there is no cyber security and privacy without secure SW and HW!
PST AL Priorities 2014-2016
• Necessary for unique EU digital economy - enabler of ICT services, new business opportunities
• Digital identification requires verification of physical/logical identity attributes by trusted ID providers and ID credentials for real-time remote e-authentication (e.g., on HW-token)
• ID federation means that different service providers share the same ID providers, even cross border
• STORK is ID federation platform in EU (18 member states), obligatory for public entities (eIDAS)
• E-authentication based on passwords/PINs is weak and impractical; single sign-on is even less secure
• N.B. Privacy-critical: single sign-on and federated e-ID facilitate user or citizen profiling via linking!
• N.B. Multiple HW-tokens (e.g., bank) are impractical
Digital Identity Management
• Secret sharing (no single points of trust and failure)
• Secure multiparty computation (joint computation of functions without disclosing own data) - 2015
• Practical homomorphic encryption (processing of encrypted data, e.g., in the cloud) - 2015
• Privacy-preserving profiling (without revealing user data, not only pseudonymization and data aggregation)
• Anonymity protocols (e.g., anonymous credentials)
• Revocable anonymity (if needed)
• Attribute-based encryption (cloud data sharing by applying access policies on encrypted data)
• Searchable encryption (search over encrypted data)
• End2end encryption (possibly, with key escrow – secret sharing for lawful interception)
Advanced Crypto Techniques for Privacy
Mobile devices contain various sensitive data, such as phone numbers, contacts, location data, mobile payment and other financial data, ID credentials for m-authentication, as well as industrial secrets and other business data; real-time protection against malicious apps and intrusions is complicated by battery and connectivity constraints
Consider techniques and technologies such as: Behavior-based malware detection, system calls analysis, APT detection/removal, device usage profiling, kernel integrity checks, sandboxing, virtualization, combined client-server apps inspection, real-time traffic monitoring, trustworthy apps, privacy-preserving location-based services, user-controllable CPU monitoring, and privacy-preserving intrusion detection
Mobile Security and Privacy
• Scalable security intelligence 2013
• Reply et al.
• Early warning and recovery services with respect to cyber attacks, based on business intelligence technology
• 24x7 Security Operations Centre, serving 100+ enterprises with a portfolio of 20+ security services
• CADENCE 2014, 2015
• TNO, Reply et al.
• Offline network traffic monitoring and APT (Advanced Persistent Threat) and other malware detection by sophisticated statistical anomaly detection tools, based on Netflow (packet content is not inspected)
• In 2015, adaptation to mobile platforms
Selected PST AL Projects - 1
• ID and access management for IoT 2014
• SICS, Ericsson, Univ. Saint-Etienne et al.
• Identification of chips based on PUF (Physically Unclonable Function) technology
• Authentication and Authorization in Constrained Environments (contributions to IETF)
• Secure digital ID management 2014
• Telecom Italia et al.
• Strong authentication
• Multiple ID credentials stored on advanced SIM-card
• Integrated in STORK platform
• Various use cases
Selected PST AL Projects - 2
• FIDES 2015
• Poste Italiane et al.
• Federated and interoperable ID management platform
• Compliant with STORK and SPID
• Privacy techniques
• Various use cases, pilots, and business models
• HC@WORKS 2015
• CEA, CNR, Thales, ATOS, Engineering
• Disruptive technology for privacy-preserving services
• Practical fully homomorphic encryption and secure multiparty computation
• Industrial pilots: e-health, deep packet inspection, security intelligence of sensitive data
Selected PST AL Projects - 3
• MobileShield – Freedome 2014, 2015
• F-Secure et al.
• Cloud service for privacy and security (anti-tracking, anti-SPAM, IP masking, VPN to cloud, secured public Wi-Fi etc.)
• Great market success in 2014
• In 2015, focus on anti-malware protection
• MobileShield – SiMKo 2014, 2015
• TU Berlin et al.
• High security mobile platform – virtualization by secure hypervisor (secure and insecure compartment)
• Secure monitoring of insecure compartment – APT detection and removal (static or dynamic)
• MobileShield – Anti-fraud & anti-malware protection
• Reply, Univ. Trento et al. 2014, 2015
• Real-time mobile traffic monitoring
• Fraud and malware detection/prevention service
• Mobile device usage and behavior-based profiling
Selected PST AL Projects - 4
EIT ICT Labs Contribution
Security features
User testing
Freemium business model
Early Market Success
F-Secure Freedome team grown to over 20 people
Growth to ~2M users in 10 months
Excellent user rating
MobileShield
REAL-TIME MOBILE SECURITY&PRIVACY SHIELD
Nominee for the EIT Innovation Award 2014!
• Named “Security and Privacy in Digital Life”. Annual event since 2014. Part of innovation and entrepreneurship education of the EIT ICT Labs Master School. Internal and external Master and PhD students (54=18+36, in 2014).
• Main objectives:
• Demonstrate importance of data security and privacy for ICT applications and existing challenges and solutions
• Point out market needs and business opportunities
• Teach students how to transform knowledge into innovative business ideas, turn these ideas into concrete business proposals, and present them to investment companies
• Focus on business applications of cryptographic techniques for security and privacy
• Typical use cases: e-ID management, strong e-authentication, e-health, e-commerce, e-voting and e-polls, user profiling, smart energy, mobile security
PST AL Summer School
What it is:
A business ideas contest to support startups ready to scale up
Winners will get:
1st Prize: 40 k€
2nd Prize: 25 k€
3rd Prize: 15 k€
+ Access to EIT ICT Labs’ pan-European innovation network
+ International growth support
+ Free use of our Co-Location Centers for up to 3 months
+ Support of our marketing and communication experts
Applications are open from May 6 to July 6, 2015
Who can apply:
• Startup incorporated in an EU28 state, max 5 years old, max 1m€ ext. investments
Proof of concept required:
• First users (public beta available) OR
• Revenue (min. 12 k€ in past 12 months) OR
• Investment (min. 100 k€ external investments incl. prizes)
http://ideachallenge.eitictlabs.eu
Action Line for Privacy, Security & Trust
• New initiative of EIT ICT Labs
• Associated with thematic action lines
• Supported by business development team
• Objectives:
• Create business community around innovation results of funded projects (new products & services, technology adoptions & transfers, etc.) and coached startups (offer)
• Promote supplier-buyer relationships (offer-demand)
• Support coached startups
• Encourage business relationships
• Stimulate high-quality project proposals
• Involve all relevant stakeholders: partners, investment funds, startups, SMEs, enterprises, organizations
• Kick-off meeting held on Feb. 12, 2015
PST AL Business Community
“We need an environment where those who manage and use ICT have the incentives to use high-quality security. Public and private. ... And we need the best technology. Maybe this means that we make it ourselves in Europe, thanks to a vibrant, European market that innovates to create those security solutions. And this is why we are increasing R&D in cybersecurity. Or maybe it requires that we verify that the ICT equipment and applications we buy are not designed with backdoors built in! ... The combined experience of governments, industry, academics and customers was the only way to tackle the problems ...”
EC ex-Vice-President, Neelie Kroes (2013)
Conclusion – Be Proactive