Trust and Cybersecurity in Europe
By Amardeo Sarma, presented at iCompetences FRR2013
Source: http://slidepdf.com/reader/full/trust-and-cybersecurity-in-europe-by-amardeo-sarma-during-icompetences (31 slides, 7/28/2019)

Page 1

Trust and Cybersecurity in Europe

Amardeo Sarma
[email protected]

General Manager at NEC Laboratories Europe

Chairman of Trust in Digital Life (TDL)

Page 2

An interdependent Triangle

© NEC Corporation / TDL - Trust and Cybersecurity in Europe, 4 June 2013

Figure: a triangle whose three corners are Trust, Cybersecurity and Privacy; each depends on the other two.

Page 3

Background of Situation in Europe

- The 27 member states of the European Union all have their own legislation. The result is that products and services can often only be sold in one or a few states.
- But the EU also offers common legislation: this allows laws to be harmonized and potentially enables larger markets.
- There are also very different views in the EU countries on social issues, and in particular on security, so they often want to keep their independence.
- EU Regulations are binding on all member states.
- EU Directives are given a national "flavour" (each member state transposes them into its own law).

Figure: the Commission provides the input material for legislation; the Council and the Parliament take the decision, which produces the legislation.

Page 4

A short note on TDL

- TDL was founded in 2009 by Microsoft, Gemalto, Philips and Nokia as an industry-driven consortium with the ambition to accelerate the adoption of trustworthy ICT.
- TDL consists of a mix of more than 25 members representing industry, knowledge institutes, universities and consumer organisations, and has steadily been growing.
- TDL is recognized by the European Commission in the Cyber Security Strategy (2013) as an independent public-private platform.
- Since April 2013, TDL is a non-profit registered society.

Page 5

From the TDL* Strategic Research Agenda

- Governments need to provide the legal basis to ensure the rights of their citizens in the digital world, while providing an attractive environment to business. European values related to trust and privacy are differentiators that enable business.
- Legislators should create a level playing field that safeguards core values of the rule of law, and provide for effective remedies in case of breaches.
- This is an opportunity to focus on solutions that differentiate on security, privacy and trust as enablers to enter business in areas where take-up has been reluctant; this is particularly valid for European business.

* TDL: Trust in Digital Life - http://www.trustindigitallife.eu/

Page 6

The European Commission: Importance of Trust

- Commissioner Neelie Kroes
    - Importance of Trust, especially in the Cloud context
    - A single seamless space for the digital market requires a secure Internet and legal predictability
- Reiteration that Cloud requires Trust
    - Trust recognized as the greatest challenge for migration to the Cloud
    - Privacy also remains an issue of core relevance: this is an area for differentiation in Europe
- European Ecosystem
    - Need to make a profitable environment for large and small companies in the Cloud

Page 7

What is Trust

- The trustor is willing to rely on the actions of a trustee.
- The trustor has no (direct) control over the trustee's actions.
- The trustor is usually uncertain about what the trustee will do.
- The trustor therefore needs to develop and evaluate expectations:
    - Will the trustee behave as desired?
    - Can the trustor come to harm?
    - Loss or misuse of assets?

Page 8

Joint Communication - The EU Cybersecurity Strategy: An Open, Safe and Secure Cyberspace

"For cyberspace to remain open and free, the same norms, principles and values that the EU upholds offline should also apply online. Fundamental rights, democracy and the rule of law need to be protected in cyberspace. Our freedom and prosperity increasingly depend on a robust and innovative Internet."

Page 9

Actions proposed by the European Commission

Parliament and Council: adopt the proposal for a Directive on a common high level of Network and Information Security (NIS) across the Union [..] take-up of risk management practices and information sharing.

Industry: invest in a high level of cybersecurity and develop best practices and information sharing [..] ensuring a strong and effective protection of assets and individuals, in particular through public-private partnerships like EP3R and Trust in Digital Life (TDL).


Page 11

The European Commission: Cybersecurity resources

Launch in 2013 a public-private platform on NIS solutions to develop incentives for the adoption of secure ICT solutions and the take-up of good cybersecurity performance to be applied to ICT products used in Europe.

Industry should adopt security standards and ensure that software and hardware is equipped with stronger, embedded and user-friendly security features.

Develop industry-led standards for companies' performance on cybersecurity and improve the information available to the public.

Page 12

Data Protection and Privacy

- Data Protection and Privacy has for a while been high on the social agenda, with a lot of pressure groups pushing for more privacy.
    - Stronger in some countries, e.g. Germany, Austria, Switzerland and the Scandinavian countries
    - Big difference with the USA (recently also China), leading to several conflicts, e.g. on providing passenger data
- Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), as introduced by the Lisbon Treaty, establishes the principle that everyone has the right to the protection of personal data concerning him or her.
- Moreover, with Article 16(2) TFEU, the Lisbon Treaty introduced a specific legal basis for the adoption of rules on the protection of personal data.
- Article 8 of the Charter of Fundamental Rights of the EU enshrines protection of personal data as a fundamental right.

Page 13

Ensuring high NIS across the Union

- Several options were evaluated:
    1) Business as usual, banking on voluntary action by Member States
    2) Regulation: Member States are obliged to comply
    3) Mixed approach
- The level of achieved security and the economic and social impact were compared.
- Clear recommendation for the second approach: Regulation.
- Option 1 does not allow for a level playing field across Europe.
- Quote: "The current situation in the EU, reflecting the purely voluntary approach followed so far, does not provide sufficient protection against NIS incidents and risks across the EU. Existing NIS capabilities and mechanisms are simply insufficient to keep pace with the fast-changing landscape of threats and to ensure a common high level of protection in all the Member States."

Page 14

Backdrop: Legislation Changes due in Europe

- Data protection: new EU Regulation due
    - No national interpretations: all EU countries obliged
    - Mandatory data protection, privacy-by-design prescribed
    - Stricter rules on data security: breaches to be notified within 24h
    - Obligations to implement technical and organizational measures
- Cybersecurity: EU Cybersecurity Directive proposed
    - Obligation to implement appropriate technical and organizational measures and to undergo security audits
    - All sorts of market operators will be expected to comply, e.g. social networks, Cloud computing services, energy suppliers
    - EU Member States required to lay down rules on sanctions
- Cloud computing: EU Strategy - Standards and Certification
    - Pan-European certification schemes by 2014
    - Address data protection, especially data portability, and focus on increased transparency of cloud service providers' security practices

Page 15

Service Scenario Today

Figure: assets on both sides are handed over to the CLOUD; each of the two links is labelled "Trust?".

Page 16

The Cloud changes our relationships

Figure: a spectrum of operating models, from left to right:
- In-house (own operation)
- In-house (out-sourced operation)
- Off-site operation
- Hosted & managed services
- Cloud

Moving to the right brings a real or apparent loss of control: there is a need to rely on what the other party is going to do. To the right, the "other" gets more anonymous, and the providers become more like the users themselves, often interchangeable.

Page 17

What citizens and users ask

- How good are the services?
- Are they dependable?
- What about the reputation of the provider?
- Will they continue to exist?
- Is my data safe and available?
- Do providers follow best practices?
- What if something goes wrong?

Page 18

End-to-end Trust - the Ends

Figure: User / Device at one end, Enterprise at the other, with the CLOUD in between.

Page 19

The security and privacy component of Trust

- User / Device
    - New threats with smaller devices (loss of control, loss of the device itself):
        - Loss of device and thus of data
        - Malicious apps stealing data
        - Social attacks more likely
    - Possible solutions:
        - Ensure linkage of user and device: shut off on separation or user change
        - Create secure containers in the device
        - New, easier authentication schemes, e.g. use biometrics
        - Critical: combine technical and "social" security protection
- Cloud / Data Centers
    - Ensure security, data protection, availability and performance
    - Lack of trust is a show stopper for business
    - The test: will large corporations use cloud services run by others?

Page 20

Enabling Trust in the Cloud

- Option 1: Brand, tradition and inheritance of trust
    - Large companies with known brands are often trusted
    - In the Cloud, inherit or establish a "Chain of Trust"
- Option 2: Recommendations of experts, friends and family
    - This also happens in real life: "What do you think of offering x ..."
    - Some services use this already (Amazon & Co.)

The Cloud needs all options: a useful trust framework must combine several options of how trust is associated with entities.

Page 21

Various Trust Frameworks emerging

Figure: Users, ID and Attribute Providers, and a Relying Party, linked through Trust Frameworks (Brand, Reputation, ...) and Rules and Regulations.

Page 22

TDL addresses how to bridge the gap

Figure: net user value for trustworthy ICT before and after a Trust Paradigm Shift. Today trust is a burden (Trust = Burden); after the shift it becomes a benefit (Trust = Benefit). The impact of transparent incidents is their number times their effect.

Open questions: Who is going to pay for trust? Will a trustable service survive?

Page 23

TDL: Pilots and test beds will be critical: Sprints!

Figure: a Test Bed at the centre, fed by the ICT expert community ("certified" ethical hackers and technology providers of trustworthy solutions), user groups and application domains. Trustworthy platforms are provisioned to the test bed and integrated there; the rules that apply and feedback flow back. The enabling infrastructure covers infra, content, Internet, Telecom, a web server and an SMS server.

Page 24

TDL Use Case on Claim-based Authentication

Page 26

Architecture for complex Identity infrastructures

Page 27

Figure: a 2x2 matrix of identity roles
- Public sector as Identity Provider, public sector as Relying Party
- Private sector as Identity Provider, public sector as Relying Party
- Public sector as Identity Provider, private sector as Relying Party
- Private sector as Identity Provider, private sector as Relying Party

Page 28

Architecture for complex Identity infrastructures: Six design principles

1. Composable architecture
2. Open for technology and standards evolution
3. Attributes remain with the source of the data
4. User consent
5. Privacy
6. Correctness and accountability

Page 29

Use case E-health service: Claim-based authentication

Figure: SPRINT 1, technical set-up of the e-Health service ("Sprint Green"), drawn on top of the trust framework architecture.
- Relying party side: the traditional healthcare service provider (EHR, HCP front end, patients front end, healthcare professionals); the eHealth service provider (activity repository, personal devices interface, HealthSP user front end, HealthSP front end); the health service provider (e.g. a coach); and the patient/user. The relying party applies its relying-party policy to the token it receives.
- Identity provider side: identity proofing, a logon page and token generation; the issued token is presented to the relying party.
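The flow in the figure (identity provider issues a token, relying party checks it against its policy) and the six design principles of Page 28, worked through as an added example. This is not TDL's e-Authentication architecture or any code of the project: the party names, the token format (base64url JSON payload plus HMAC-SHA256 tag) and the shared verification key are assumptions made here so the example runs offline with the Python standard library only.

```python
"""Claim-based authentication: identity provider (IdP) issues a signed claim
token, relying party (RP) verifies it against its policy. Hypothetical example;
keys, names and token format are assumptions, not a real deployment."""
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Issues signed claim tokens; the attribute store never leaves the IdP."""

    def __init__(self, name: str, key: bytes, attributes: dict):
        self.name = name
        self._key = key                # verification key shared with RPs (assumption)
        self._attributes = attributes  # principle 3: attributes stay with the source
        self.issued = []               # principle 6: who got which claims, for accountability

    def pseudonym(self, user_id: str, audience: str) -> str:
        # principle 5: pairwise subject identifier, so two RPs cannot join their records
        digest = hashlib.sha256(self._key + user_id.encode() + audience.encode())
        return digest.hexdigest()[:16]

    def issue_token(self, user_id, requested, consented, audience, now=None, ttl=300):
        now = int(time.time() if now is None else now)
        attrs = self._attributes[user_id]
        # principle 4: release only claims the RP asked for AND the user consented to
        released = {c: attrs[c] for c in requested if c in consented and c in attrs}
        payload = {"iss": self.name, "sub": self.pseudonym(user_id, audience),
                   "aud": audience, "iat": now, "exp": now + ttl, "claims": released}
        body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        self.issued.append((user_id, audience, sorted(released)))
        return body + "." + _b64(tag)


class RelyingParty:
    """Accepts a token only if signature, issuer, audience, freshness and policy all pass."""

    def __init__(self, name: str, trusted_issuers: dict, required_claims):
        self.name = name
        self._issuers = trusted_issuers       # issuer -> key: the trust framework's rule set
        self.required = set(required_claims)  # relying-party policy

    def verify(self, token: str, now=None):
        """Return (accepted, reason, claims); claims is empty unless accepted."""
        now = int(time.time() if now is None else now)
        try:
            body, tag = token.split(".")
            payload = json.loads(_unb64(body))
            tag_bytes = _unb64(tag)
        except ValueError:  # bad split, bad base64 or bad JSON
            return False, "malformed token", {}
        if not isinstance(payload, dict) or not isinstance(payload.get("iss"), str):
            return False, "malformed token", {}
        key = self._issuers.get(payload["iss"])
        if key is None:
            return False, "untrusted issuer", {}
        # The MAC algorithm is fixed by the trust framework, never read from the
        # token (no algorithm confusion); compare_digest avoids a timing side channel.
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag_bytes):
            return False, "bad signature", {}
        if payload.get("aud") != self.name:
            return False, "wrong audience", {}
        if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
            return False, "expired", {}
        claims = payload.get("claims") or {}
        missing = self.required - set(claims)
        if missing:
            return False, "policy unmet: missing " + ", ".join(sorted(missing)), {}
        return True, "ok", claims


# Constructed demo data: no real users, keys or services
DEMO_KEY = b"demo-shared-key-not-for-production"
DEMO_IDP = IdentityProvider("health-idp", DEMO_KEY,
                            {"alice": {"name": "Alice Example", "insured": True, "age_over_18": True}})
COACH_RP = RelyingParty("ehealth-coach", {"health-idp": DEMO_KEY}, ["insured"])


def demo(now=1_000_000):
    """Run the flow once and return the outcome of each case as (accepted, reason, claims)."""
    # The coach service asks for three claims; Alice consents to only two of them
    token = DEMO_IDP.issue_token("alice", ["name", "insured", "age_over_18"],
                                 {"insured", "age_over_18"}, "ehealth-coach", now=now)
    results = {"accepted": COACH_RP.verify(token, now=now + 10)}
    # Re-adding the withheld "name" claim to the payload breaks the MAC
    body, tag = token.split(".")
    forged_payload = json.loads(_unb64(body))
    forged_payload["claims"]["name"] = "Alice Example"
    forged = _b64(json.dumps(forged_payload, sort_keys=True, separators=(",", ":")).encode()) + "." + tag
    results["forged"] = COACH_RP.verify(forged, now=now + 10)
    results["expired"] = COACH_RP.verify(token, now=now + 301)
    other_rp = RelyingParty("other-service", {"health-idp": DEMO_KEY}, [])
    results["replayed_elsewhere"] = other_rp.verify(token, now=now + 10)
    strict_rp = RelyingParty("ehealth-coach", {"health-idp": DEMO_KEY}, ["insured", "name"])
    results["policy_unmet"] = strict_rp.verify(token, now=now + 10)
    return results


if __name__ == "__main__":
    for case, (ok, reason, claims) in demo().items():
        print(f"{case:18} accepted={ok} reason={reason} claims={claims}")
```

Each rejection carries a distinct reason so the relying party can log why a logon failed without leaking the claims themselves, and the IdP's `issued` list records exactly which attributes were released to which audience, which is what "correctness and accountability" needs in an audit. In a real trust framework the shared HMAC key would be replaced by per-issuer public keys distributed under the framework's rules.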

Page 30

Conclusion

- Trust, security and privacy are interdependent and sometimes in conflict.
- In Europe, there is a strong focus on privacy and data protection.
- A major European goal is to promote business by removing trust barriers in the digital world.
- TDL is working on improving Trust in the Digital World and liaising with the European Commission.
- Central in this context are the so-called sprints that enable quick interoperability tests based on the TDL e-Authentication architecture.
