PRIVACY ENGINEERING WITH LINDDUN
KIM WUYTS – ARAM HOVSEPYAN
PRIVACY ENGINEERING
We’re building self-driving cars and planning Mars missions – but we haven’t figured out how to make sure people’s vacuum cleaners don’t join botnets.
#JSConfAU2016
http://www.independent.co.uk/news/business/news/my-friend-cayla-i-que-intelligent-robot-genesis-smart-toys-spying-on-children-a7469741.html
http://fortune.com/2016/12/08/my-friend-cayla-doll/
GDPR OBLIGATIONS
• Implement “appropriate” technical and organizational measures
• Implement measures that meet principles of data protection by design and data protection by default
LINDDUN PRIVACY-BY-DESIGN FRAMEWORK
Systematic support for the elicitation and mitigation of privacy threats in software systems
• From a high-level model of the system
• Privacy knowledge base
• Linkability
• Identifiability
• Non-repudiation
• Detectability
• Disclosure of information
• Unawareness
• Non-compliance
(Illustration slides: Non-repudiation, Detectability. Photo © Allan Ringgaard.)
LINDDUN IN A NUTSHELL

Analysis (core)
Process support:
1. Analysis scoping: DFD, assumption management, prioritization
2. Privacy threat identification & elicitation
3. Template-driven documentation
Knowledge support:
• LINDDUN threat taxonomy
• Mapping table

Mitigation
Process support:
4. Driver selection and prioritization
5. Decision & trade-off support: mitigation strategy
6. Instantiation of mitigation strategy: patterns, tactics, PETs, …
Knowledge support:
• Taxonomy of mitigation strategies
• Classification of privacy-enhancing technologies (PETs)

Outputs: Privacy Impact Assessment, Traceability documentation
1. DFD
• 1. User
• 2. Portal
• 3. Service
• 4. Social network data

2. Map (LINDDUN mapping table: DFD element type × threat category)

                 L  I  N  D  D  U  N
Data store       X  X  X  X  X     X
Data flow        X  X  X  X  X     X
Process          X  X  X  X  X     X
Entity           X  X           X

3. Elicit and document threats

Threat target                                    L  I  N  D  D  U  N
Data store   Social network db                   X  X  x  x  X     X*
Data flow    User data stream (user-portal)
...

4. Prioritize threats
(Impact × likelihood matrix, with threat T01 plotted on it.)

5. Elicit mitigation strategies

Nr  Threat                         Mitigation strategies
1   Linking data (at data store)   Minimize collected data by generalization …
…

6. Select solutions
... Guard exposure ...
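As an added example, not code from the slides or from the LINDDUN project, the Python below runs steps 2, 4 and 5 of the running example: it applies the mapping table to the DFD elements (User, Portal, Service, Social network data, plus the user-portal data flow), ranks candidate threats by impact × likelihood, and looks up mitigation strategies from the rows of the mitigation mapping shown in the deck. The impact/likelihood scores and the strategy subset are constructed illustrations; the element names and category names are assumptions about how the slides' tables would be encoded.

```python
# Added example, not the slides' code: LINDDUN steps 2, 4 and 5 on the running example.
LINDDUN = ("Linkability", "Identifiability", "Non-repudiation", "Detectability",
           "Disclosure of information", "Unawareness", "Non-compliance")

# Step 2 knowledge base (the slides' mapping table): an entity is exposed to
# L, I, U; data store, data flow and process to everything except Unawareness.
MAPPING = {"entity": {"Linkability", "Identifiability", "Unawareness"}}
for _kind in ("data store", "data flow", "process"):
    MAPPING[_kind] = set(LINDDUN) - {"Unawareness"}

# Step 1 output: the slides' DFD elements plus the data flow from their threat table.
DFD = [("User", "entity"), ("Portal", "process"), ("Service", "process"),
       ("Social network db", "data store"),
       ("User data stream (user-portal)", "data flow")]

# Step 4 input (constructed): (impact, likelihood), each 1..5, for the threats the
# team chose to assess; T01 in the slides is linking data at the data store.
SCORES = {("Social network db", "Linkability"): (5, 4),
          ("Social network db", "Disclosure of information"): (5, 2),
          ("User", "Unawareness"): (3, 3)}

# Step 5 knowledge base: the slides' mitigation mapping rows (Confidentiality -> ID_ds,
# NR_ds, *_p; Minimization -> L_ds, I_ds, D_ds; Compliance -> NC) as (kind, category).
STRATEGIES = {
    "Guard exposure / Minimization": {("data store", c) for c in
        ("Linkability", "Identifiability", "Detectability")},
    "Guard exposure / Confidentiality": {("data store", "Disclosure of information"),
        ("data store", "Non-repudiation")} | {("process", c) for c in MAPPING["process"]},
    "Compliance": {(kind, "Non-compliance") for kind in MAPPING},
}

def map_threats(dfd):
    """Step 2: one candidate threat per (element, applicable LINDDUN category)."""
    return [(name, cat) for name, kind in dfd for cat in LINDDUN if cat in MAPPING[kind]]

def prioritize(candidates, scores):
    """Step 4: scored candidates ranked by impact x likelihood, highest first;
    unscored candidates come back too, so skipping one is a visible decision."""
    ranked, unscored = [], []
    for name, cat in candidates:
        if (name, cat) in scores:
            impact, likelihood = scores[(name, cat)]
            ranked.append((impact * likelihood, name, cat))
        else:
            unscored.append((name, cat))
    return sorted(ranked, reverse=True), unscored

def strategies_for(kind, cat):
    """Step 5: mitigation strategies whose mapping covers this (kind, category)."""
    return sorted(s for s, covers in STRATEGIES.items() if (kind, cat) in covers)
```

With these inputs the four DFD elements and one flow yield 27 candidate threats, of which the three scored ones rank T01 (linking data at the social network store, 5 × 4 = 20) first.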
MITIGATION TAXONOMY: PETs OVERVIEW

• Guard exposure
  • Confidentiality
    • Encryption: Symmetric key & public key encryption [MOV97], Deniable encryption [Nao02], Homomorphic encryption [FG07], Verifiable encryption [CD98]
    • Access control: Context-based access control [GMPT01], Privacy-aware access control [CF08, ACK+09]
  • Minimization
    • Remove / Hide
      • Receiver privacy: Private information retrieval [CGKS98], Oblivious transfer [Rab81, Cac98]
      • Database privacy: Privacy preserving data mining [VBF+04, Pin02], Searchable encryption [ABC+05], Private search [OS05]
      • General: see Guard exposure – Confidentiality – Encryption
    • Replace / Generalize: K-anonymity model [Swe02b, Swe02a], l-Diversity [MGKV06]
MITIGATION MAPPING

Mitigation strategy                     LINDDUN threat tree ...
Guard exposure      Compliance          NC
                    Confidentiality     ID_ds, NR_ds, *_p
                    Minimization        L_ds, I_ds, D_ds
Maximize accuracy   Review data         U_2
...
Nr  Threat                         Threat tree leaf nodes
1   Linking data (at data store)   Storing too much data
                                   Information disclosure of data store
…
LINDDUN FACTS & FIGURES
• Created in 2010 *
• Extended and improved based on empirical studies and feedback
• Well received by the community: 100+ citations
• Analyzed and applied in European projects

(Chart: citations per year; Google Scholar status, February 2017.)

"LINDDUN provides a clear methodology through which engineers can translate general privacy concerns into system objectives and further into actual technical responses answering on practical misuse scenarios. It makes a continuous adaptation possible at several levels (system objectives, threat tree patterns, mitigation strategies) for new technical developments."
FP7 BYTE project, Deliverable D4.2: Evaluating and addressing positive and negative societal externalities

* Collaboration of DistriNet and COSIC
LINDDUN IN THE WILD

“[LINDDUN] is, in many ways, one of the most serious and thought-provoking approaches to privacy threat modeling, and those seriously interested in privacy should take a look at it.”
Adam Shostack (Microsoft), Threat Modeling, Wiley, 2014

“The LINDDUN methodology broadly shares the principles of the CNIL method but it puts forward a more systematic approach based on data flow diagrams and privacy threat tree patterns.”
European Union Agency for Network and Information Security (ENISA), Privacy and Data Protection by Design – from policy to engineering, December 2014

“The catalogue of privacy threats is taken from LINDDUN. It is used in the privacy risk management process to identify privacy risk sources. […] The catalogue of privacy measures is taken from LINDDUN. It is used in the privacy engineering design process to identify privacy and security controls.”
ISO/IEC 27550 – Privacy Engineering, first working draft, January 2017
LINDDUN IN A NUTSHELL
Systematic support for privacy by design
Solid scientific foundation
Ongoing pilot projects with industry
PRIVACY ENGINEERING WITH LINDDUN
KIM WUYTS – ARAM HOVSEPYAN
www.linddun.org