Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security, Privacy and the Future Internet

2,329 views

Published on

This presentation was held by Michael Waidner at »Konferenz Zukünftiges Internet« on 5/6 of July 2011.

Can be also found at: http://www.future-internet-konferenz.de/programm/5.-juli-2011-1

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

Security, Privacy and the Future Internet

  1. 1. Security, Privacy and the Future InternetProf. Dr. Michael Waidner © Fraunhofer-Gesellschaft 2011 –1–
  2. 2. Outline  Future Internet  Security and Privacy  Security and Privacy by Design © Fraunhofer-Gesellschaft 2011 –2–
  3. 3. Internet of People, Data, Services, Things, … and Crime & War Online Social Networks Cloud-deliveredCloud-delivered Crime & War IT & Business Services Globally interconnected cyber-physical system © Fraunhofer-Gesellschaft 2011 –3–
  4. 4. Overall, Security is Becoming More Difficult  Future Internet is the ideal target: everybody, everything is online  Professionalization and industrialization of cybercrime and cyberwar  Network of people and user-generated content  Privacy (in public spaces …)  Intellectual property © Fraunhofer-Gesellschaft 2011  Filtering illegal and dangerous content  Withstanding censorship –4–
  5. 5. But Security may Also Benefit from the Future Internet  Better security through standards, automation, services  Cloud will lower costs for good and well-managed security and privacy  Today, poor service management (governance, change, patch) is key source of insecurity!  Global scale, global economy may enable global standards  Trust and identity infrastructures © Fraunhofer-Gesellschaft 2011  Privacy and information sharing  Assurance, auditing, forensics –5–
  6. 6. Outline  Future Internet  Security and Privacy  Security and Privacy by Design © Fraunhofer-Gesellschaft 2011 –6–
  7. 7. A Slightly More Technical View: Security Problems  New technologies, new threat vectors  Massive resource sharing in clouds  Mobile and ambient as new access channel  Cyber-physical convergence  Global connectivity without global identity  Old principles don’t apply anymore  Perimeter security vs. service decomposition  Trusted base vs. everything in the cloud  Managed endpoint security © Fraunhofer-Gesellschaft 2011 vs. consumerization … –7–
  8. 8. Some Security Research Challenges  Research pipe full of untested results  Crypto, trusted computing, provenance, sticky policies, automated checking, …  More applied research  Security for legacy systems, networks, …  Unexpected intrusions, abuses, insiders  Accountability with privacy  Forensics with privacy  Quantification of risks and security  Create a network to fight a network  Cross-org sharing of security information © Fraunhofer-Gesellschaft 2011  Commons nature of security –8–
  9. 9. Privacy in the Future Internet  Privacy is difficult to define  What is the €-value of your personal information?  What is privacy in a public space like an OSN?  Tradeoffs are always individual  Status  Purpose Binding: responsible data management – mostly mature  Data minimization: crypto and data management – no practical experience  Context binding: not even well defined © Fraunhofer-Gesellschaft 2011  Sustainable informational self-determination: no good solutions –9–
  10. 10. Some Privacy Research Challenges  What is privacy in …  OSN, location, ambient, mobile, cloud, smart grids, …  Mental models for usability  Research pipe full of untested results  Standardization  Portable id, pseudonyms, options, expiration dates, …  Globally practical trust and identity framework  M0re applied research  Privacy despite accountability  Privacy despite forensics © Fraunhofer-Gesellschaft 2011  Computing with encrypted data  Commons nature of privacy – 10 –
  11. 11. Outline  Future Internet  Security and Privacy  Security and Privacy by Design © Fraunhofer-Gesellschaft 2011 – 11 –
  12. 12. Building a Secure System Huge body of engineering knowledge Many articles, books, courses, degrees, tools, … So, in theory, this should be doable © Fraunhofer-Gesellschaft 2011 – 12 –
  13. 13. Building a Secure SystemState of theart in thesoftwareindustry Source: Microsoft Secure Development Lifecycle A more detailed lookBut # of shows:vulnerabilities • Same errorsis still again and again • IT people lack skillsgoing up • Current processes © Fraunhofer-Gesellschaft 2011 and tools are too complex for humans Source: IBM X-Force, 2011 – 13 –
  14. 14. Which one is Better: “by design” or “by patching” NIST 2010:Security and Privacy Security and Privacy • 80% of developmentby Design by Patching costs spent on finding and fixing errorsOverall: economic Overall: expensive IBM 2010: Fixing a single High initial costs  Low initial costs defect during … costs: Low recurring costs  High recurring costs • Coding: $80 • Build: $240Avoids damage Damage might be • QA/Test: $960 irreversible: • Post release: $7’600 + reputational costs  Life and health  Critical infrastructure  Privacy, reputation, confidentiality © Fraunhofer-Gesellschaft 2011 European Center for Security and Privacy by Design (EC-SPRIDE) Projected start: October 1st, 2011 – 14 –
  15. 15. What needs to be done Challenges  Consistent models throughout all phases  Patterns for requirements analysis  Model-driven security (design, test)  Static and dynamic analysis  Usability: end users, developers, admins  Ready to use building blocks  Demonstrable and quantifiable improvements in security  Applied to interesting cases: © Fraunhofer-Gesellschaft 2011 cloud computing, embedded, …  Education for ordinary developers – 15 –
  16. 16. Outline  Future Internet  Security and Privacy  Security and Privacy by Design © Fraunhofer-Gesellschaft 2011 – 16 –
  17. 17. Prof. Dr. Michael Waidnermichael.waidner@sit.fraunhofer.deFraunhofer-Institut fürSichere InformationstechnologieRheinstraße 7564295 Darmstadtwww.fraunhofer.dewww.sit.fraunhofer.deCenter for Advanced SecurityResearch DarmstadtLehrstuhl für Sicherheit in der ITMornewegstraße 30 © Fraunhofer-Gesellschaft 201164289 Darmstadtwww.cased.dewww.sit.tu-darmstadt.de – 17 –

×