Discussion of ways in which GDPR has, and will continue to influence the SDLC and deployment of IoT, especially as it impacts the privacy and security fabric.
IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...CableLabs
As IoT insecurity creates vulnerabilities, policymakers become concerned about the health of the Internet. How can public policy address these concerns in a smart way, targeting their efforts to improve IoT security without imposing unnecessary costs across the Internet ecosystem or creating unintended effects? What is the role of government versus industry?
Gerald Faulhaber
Professor Emeritus, Business Economics & Public Policy, Wharton School
https://www.cablelabs.com/informed/
This document summarizes security and privacy issues in the Internet of Things (IoT) environment. It discusses how IoT systems have layers - the perception layer containing sensors, the gateway layer for communication, and the cloud layer providing user services. Each layer faces different security threats like denial of service attacks, session hijacking, and data breaches. The document also provides an example of the Mirai malware infecting IoT devices and using them to launch large-scale cyberattacks. To improve IoT security, the document recommends implementing authentication, authorization, encryption for confidentiality and integrity checks using hashing to protect against various attacks on IoT systems.
A Novel Security Approach for Communication using IOTIJEACS
The Internet of Things (IOT) is the arrangement of physical articles or "things" introduced with equipment, programming, sensors, and framework accessibility, which enables these things to accumulate and exchange data. Here outlining security convention for the Internet of Things, and execution of this relating security convention on the inserted gadgets. This convention will cover the honesty of messages and verification of every customer by giving a productive confirmation component. By this venture the protected correspondence is executed on implanted gadgets.
Security and Privacy Big Challenges in Internet of thingsIRJET Journal
This document discusses security and privacy challenges with Internet of Things (IoT) systems. It notes that IoT provides broad functionality but also raises important challenges regarding privacy and security. Some key issues discussed include insufficient authentication, lack of transport encryption, insecure interfaces, default credentials, lack of secure coding practices, and privacy concerns regarding personal data collection. The document recommends approaches to address these challenges, such as base device analysis, network traffic verification, secure code reviews, and end-to-end penetration testing.
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTINGIJNSA Journal
In the IoT scenario, things at the edge can create significantly large amounts of data. Fog Computing has recently emerged as the paradigm to address the needs of edge computing in the Internet of Things (IoT) and Industrial Internet of Things (IIoT) applications. In a Fog Computing environment, much of the processing would take place closer to the edge in a router device, rather than having to be transmitted to the Fog. Authentication is an important issue for the security of fog computing since services are offered to massive-scale end users by front fog nodes.Fog computing faces new security and privacy challenges besides those inherited from cloud computing. Authentication helps to ensure and confirms a user's identity. The existing traditional password authentication does not provide enough security for the data and there have been instances when the password-based authentication has been manipulated to gain access into the data. Since the conventional methods such as passwords do not serve the purpose of data security, research worksare focused on biometric user authentication in fog computing environment. In this paper, we present biometric smartcard authentication to protect the fog computing environment.
This document discusses cryptography and security implementations for Internet of Things (IoT) devices. It begins with an introduction to IoT and the need for security protocols as IoT devices collect and transmit large amounts of sensitive data. Challenges to IoT security include the diversity of devices which makes vulnerabilities complex, and limited computational resources. The document then explores using symmetric and public key cryptography algorithms as well as proposed lightweight cryptography solutions for IoT security. It concludes that while traditional security solutions are inadequate, lightweight cryptography protocols have the potential to help secure IoT communications and address current challenges if standardized for diverse IoT hardware.
IoT and Cybersecurity: What can be done? by Gerald Faulhaber at Inform[ED] Io...CableLabs
As IoT insecurity creates vulnerabilities, policymakers become concerned about the health of the Internet. How can public policy address these concerns in a smart way, targeting their efforts to improve IoT security without imposing unnecessary costs across the Internet ecosystem or creating unintended effects? What is the role of government versus industry?
Gerald Faulhaber
Professor Emeritus, Business Economics & Public Policy, Wharton School
https://www.cablelabs.com/informed/
This document summarizes security and privacy issues in the Internet of Things (IoT) environment. It discusses how IoT systems have layers - the perception layer containing sensors, the gateway layer for communication, and the cloud layer providing user services. Each layer faces different security threats like denial of service attacks, session hijacking, and data breaches. The document also provides an example of the Mirai malware infecting IoT devices and using them to launch large-scale cyberattacks. To improve IoT security, the document recommends implementing authentication, authorization, encryption for confidentiality and integrity checks using hashing to protect against various attacks on IoT systems.
A Novel Security Approach for Communication using IOTIJEACS
The Internet of Things (IOT) is the arrangement of physical articles or "things" introduced with equipment, programming, sensors, and framework accessibility, which enables these things to accumulate and exchange data. Here outlining security convention for the Internet of Things, and execution of this relating security convention on the inserted gadgets. This convention will cover the honesty of messages and verification of every customer by giving a productive confirmation component. By this venture the protected correspondence is executed on implanted gadgets.
Security and Privacy Big Challenges in Internet of thingsIRJET Journal
This document discusses security and privacy challenges with Internet of Things (IoT) systems. It notes that IoT provides broad functionality but also raises important challenges regarding privacy and security. Some key issues discussed include insufficient authentication, lack of transport encryption, insecure interfaces, default credentials, lack of secure coding practices, and privacy concerns regarding personal data collection. The document recommends approaches to address these challenges, such as base device analysis, network traffic verification, secure code reviews, and end-to-end penetration testing.
BIOMETRIC SMARTCARD AUTHENTICATION FOR FOG COMPUTINGIJNSA Journal
In the IoT scenario, things at the edge can create significantly large amounts of data. Fog Computing has recently emerged as the paradigm to address the needs of edge computing in the Internet of Things (IoT) and Industrial Internet of Things (IIoT) applications. In a Fog Computing environment, much of the processing would take place closer to the edge in a router device, rather than having to be transmitted to the Fog. Authentication is an important issue for the security of fog computing since services are offered to massive-scale end users by front fog nodes.Fog computing faces new security and privacy challenges besides those inherited from cloud computing. Authentication helps to ensure and confirms a user's identity. The existing traditional password authentication does not provide enough security for the data and there have been instances when the password-based authentication has been manipulated to gain access into the data. Since the conventional methods such as passwords do not serve the purpose of data security, research worksare focused on biometric user authentication in fog computing environment. In this paper, we present biometric smartcard authentication to protect the fog computing environment.
This document discusses cryptography and security implementations for Internet of Things (IoT) devices. It begins with an introduction to IoT and the need for security protocols as IoT devices collect and transmit large amounts of sensitive data. Challenges to IoT security include the diversity of devices which makes vulnerabilities complex, and limited computational resources. The document then explores using symmetric and public key cryptography algorithms as well as proposed lightweight cryptography solutions for IoT security. It concludes that while traditional security solutions are inadequate, lightweight cryptography protocols have the potential to help secure IoT communications and address current challenges if standardized for diverse IoT hardware.
WEARABLE TECHNOLOGY DEVICES SECURITY AND PRIVACY VULNERABILITY ANALYSISIJNSA Journal
Wearable Technology also called wearable gadget, is acategory of technology devices with low processing
capabilities that can be worn by a user with the aim to provide information and ease of access to the master
devices its pairing with. Such examples are Google Glass and Smart watch. The impact of wearable
technology becomes significant when people start their invention in wearable computing, where their
mobile devices become one of the computation sources. However, wearable technology is not mature yet in
term of device security and privacy acceptance of the public. There exists some security weakness that
prompts such wearable devices vulnerable to attack. One of the critical attack on wearable technology is
authentication issue. The low processing due to less computing power of wearable device causethe
developer's inability to equip some complicated security mechanisms and algorithm on the device.In this
study, an overview of security and privacy vulnerabilities on wearable devices is presented.
The document discusses cybersecurity, artificial intelligence, and how AI can help improve cybersecurity. It notes that while organizations spend billions on cybersecurity, chief information security officers still feel highly exposed. Traditional security methods focus on preventing infiltration but are always one step behind evolving threats. The document argues that AI can help enforce cyber hygiene practices like least privilege to shrink the attack surface, making the problem more bounded and manageable compared to always chasing threats. It discusses how AI is well-suited for understanding intended application behavior based on established rules and data from good software.
- Embedded systems now contain sensitive personal data and perform safety-critical functions in devices like mobile phones, cars, and medical equipment. Unless embedded system security is adequately addressed, it could impede adoption.
- There are many challenges to security in embedded systems and IoT devices, including vulnerabilities in hardware, software, and networks. Effective security requires building security in at all stages of the design process.
- Various attacks like physical intrusion, side channel attacks, software exploits, and denial of service attacks threaten embedded systems. Countering these threats requires mechanisms at different levels including prevention, detection, and recovery techniques applied in hardware, software, and networks.
- The document discusses securing the Internet of Things (IoT), where every physical object has a virtual presence and can interact over the Internet.
- Several obstacles stand in the way of fulfilling the IoT vision, including security issues as the Internet and its users are already under attack and constrained IoT devices are vulnerable.
- To implement IoT security successfully, researchers must understand the IoT conceptually, evaluate current Internet security, and develop solutions that can reasonably assure a secure IoT.
IT Security Bedrohungen optimal abwehren_Tom Turner und Andreas WespiIBM Switzerland
This document summarizes IBM's security strategy and research. It discusses how security threats are evolving more rapidly and sophisticatedly. It presents IBM's holistic security approach of collecting and analyzing everything from people, data, applications, and infrastructure to gain insights. Examples are given of how IBM helps customers like ADP and Cisco strengthen security. IBM security research focuses on initiatives like enterprise information security management, cybersecurity analytics, and secure design using techniques like fully homomorphic encryption.
Tripwire Energy Working Group: Keynote w/Patrick Miller Tripwire
The document discusses the state of cybersecurity in the electric utility industry. It summarizes that infrastructure is a frequent target of cyber attacks from organized crime, nation states, and other adversaries. It also notes that new regulations and frameworks are being introduced at the national level to improve critical infrastructure security and resilience. Utilities are recommended to gap assess controls, improve monitoring, response capabilities, and conduct incident response exercises to prepare for increasing cybersecurity requirements.
[CB20] Cleaning up the mess: discovery, monitoring, analysis, and notificatio...CODE BLUE
Tons of insecure IoT devices are out there and ready to be compromised to join next IoT botnet or misused in even more serious threats. Since many of them are unmanaged, the situation does not seem to improve naturally in a short term. This talk will focus on series of efforts on discovery, monitoring, analysis, and notification of these devices trying to clean up "the mess".
The Internet of Things (IoT) promises to change the way enterprises connect, communicate, operate, and compete. At the same time, the IoT has left enterprise networks and IoT devices extremely vulnerable to security breaches. Current IoT devices and infrastructures are simply not equipped to tackle today’s sophisticated attack methods. Vulnerabilities can be easily exploited unless security is embedded from the inside out – from conception, deployment, and maintenance, to the network edge and across connected devices and infrastructures.
How is ai important to the future of cyber security Robert Smith
Today’s era is driven by technology in every aspect of our lives, so much that we’ve now increased our dependence on technology on a daily basis. With an increase in the dependency, we’re now very vulnerable and exposed to the intermittent threat posed as cyber-attacks. Cyber-attack threats have plagued businesses, corporates, governments, and institutions.
Cloud Analytics Ability to Design, Build, Secure, and Maintain Analytics Solu...YogeshIJTSRD
Cloud Analytics is another area in the IT field where different services like Software, Infrastructure, storage etc. are offered as services online. Users of cloud services are under constant fear of data loss, security threats, and availability issues. However, the major challenge in these methods is obtaining real time and unbiased datasets. Many datasets are internal and cannot be shared due to privacy issues or may lack certain statistical characteristics. As a result of this, researchers prefer to generate datasets for training and testing purposes in simulated or closed experimental environments which may lack comprehensiveness. Advances in sensor technology, the Internet of things IoT , social networking, wireless communications, and huge collection of data from years have all contributed to a new field of study Big Data is discussed in this paper. Through this analysis and investigation, we provide recommendations for the research public on future directions on providing data based decisions for cloud supported Big Data computing and analytic solutions. This paper concentrates upon the recent trends in Big Data storage and analysing, in the clouds, and also points out the security limitations. Rajan Ramvilas Saroj "Cloud Analytics: Ability to Design, Build, Secure, and Maintain Analytics Solutions on the Cloud" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-5 , August 2021, URL: https://www.ijtsrd.com/papers/ijtsrd43728.pdf Paper URL: https://www.ijtsrd.com/other-scientific-research-area/other/43728/cloud-analytics-ability-to-design-build-secure-and-maintain-analytics-solutions-on-the-cloud/rajan-ramvilas-saroj
Cloud Monitoring And Forensic Using Security MetricsSandeep Saxena
This document presents a methodology for cloud monitoring and forensics using security metrics. It discusses previous research on cloud security issues and architectural services. The proposed methodology monitors consumer activity, detects malicious activity using signatures, and activates an automated forensic system to store activity metrics. When malicious activity is detected, remote access is stopped and administrators are notified to collect data for legal processing. A generic architecture is proposed that uses host-based intrusion detection for monitoring network communications and a six-step process for cloud monitoring and forensics.
Internet of Things (IoT) will enable dramatic society transformation. This seminar presents an introduction to the IoT and explains why IoT Security is important.
Then it presents security issues in wireless sensor networks that constitute a main ingredient of IoT.
Seminar given at Centre Tecnològic de Telecomunicacions de Catalunya (CTTC) on 28 January 2015.
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityCableLabs
As IoT insecurity creates vulnerabilities, policymakers become concerned about the health of the Internet. How can public policy address these concerns in a smart way, targeting their efforts to improve IoT security without imposing unnecessary costs across the Internet ecosystem or creating unintended effects? What is the role of government versus industry?
Rob Alderfer, Moderator
Vice President Technology Policy, CableLabs
Gerald Faulhaber
Professor Emeritus, Business Economics & Public Policy, Wharton School
Chaz Lever
Lead Reseacher, Georgia Tech
Jason Livingood
Vice President, Technology Policy & Standards, Comcast
Capstone Team Report -The Vicious Circle of Smart Grid Securityreuben_mathew
The document summarizes challenges facing different stakeholders in securing the smart grid:
- Utilities face rapid deployment, funding shortfalls, technical challenges explaining security, and sophisticated attacks exploiting systems.
- Regulators have inconsistent standards and gaps between policies, creating confusion.
- Equipment manufacturers consider security important but frameworks are not always implemented, leaving systems vulnerable.
Coordinated efforts are needed between utilities, regulators, and manufacturers to address gaps and build a secure smart grid.
Companies are developing their internal IoT security capabilities as they progress with IoT adoption in order to address lingering security concerns. While basic security issues like default passwords continue to put IoT devices at risk, more mature adopters are now enforcing stricter security specifications for devices and treating IoT security like corporate IT security through practices such as network segmentation, access controls and training users. Experts recommend that rather than fearing IoT, companies should find ways to benefit from it by developing internal expertise to ensure their IoT use is secure.
A Comprehensive Survey on Exiting Solution Approaches towards Security and Pr...IJECEIAES
‘Internet of Things (IoT)’emerged as an intelligent collaborative computation and communication between a set of objects capable of providing on-demand services to other objects anytime anywhere. A large-scale deployment of data-driven cloud applications as well as automated physical things such as embed electronics, software, sensors and network connectivity enables a joint ubiquitous and pervasive internet-based computing systems well capable of interacting with each other in an IoT. IoT, a well-known term and a growing trend in IT arena certainly bring a highly connected global network structure providing a lot of beneficial aspects to a user regarding business productivity, lifestyle improvement, government efficiency, etc. It also generates enormous heterogeneous and homogeneous data needed to be analyzed properly to get insight into valuable information. However, adoption of this new reality (i.e., IoT) by integrating it with the internet invites a certain challenges from security and privacy perspective. At present, a much effort has been put towards strengthening the security system in IoT still not yet found optimal solutions towards current security flaws. Therefore, the prime aim of this study is to investigate the qualitative aspects of the conventional security solution approaches in IoT. It also extracts some open research problems that could affect the future research track of IoT arena.
NIST Big Data Public WG : Security and Privacy v2Mark Underwood
The document discusses security and privacy considerations for big data as outlined by the National Institute of Standards and Technology's (NIST) Big Data Public Working Group. It notes that big data introduces new challenges due to factors like multiple security schemes, streamed and stored data, sensor data, and data sharing across organizations. It also summarizes NIST's volumes on big data definitions, taxonomies, use cases, and reference architectures as they relate to security and privacy.
Technologies in Support of Big Data EthicsMark Underwood
As part of the NIST Big Data Public Working Group, we examine technologies that can support ethics in systems design. In particular, we review issues raised by the IEEE P7000 community regarding ethics for autonomous systems and robotics. Possible adaptations to the NBDPWG reference model are considered for the third and final version of SP1500.
SECURITY AND PRIVACY AWARE PROGRAMMING MODEL FOR IOT APPLICATIONS IN CLOUD EN...ijccsa
This document summarizes a research paper on privacy-preserving techniques for IoT data in cloud environments. It introduces two differential privacy algorithms: 1) Generic differential privacy (GenDP) which provides generalized privacy protection for homogeneous and heterogeneous IoT metadata through data portioning. 2) Cluster-based differential privacy which groups similar data into clusters before defining classifiers to validate privacy. The paper evaluates these techniques and finds the cluster-based approach offers better security than customized interactive algorithms while maintaining data utility. Overall, the study presents new differential privacy methods for anonymizing IoT metadata stored in the cloud.
WEARABLE TECHNOLOGY DEVICES SECURITY AND PRIVACY VULNERABILITY ANALYSISIJNSA Journal
Wearable Technology also called wearable gadget, is acategory of technology devices with low processing
capabilities that can be worn by a user with the aim to provide information and ease of access to the master
devices its pairing with. Such examples are Google Glass and Smart watch. The impact of wearable
technology becomes significant when people start their invention in wearable computing, where their
mobile devices become one of the computation sources. However, wearable technology is not mature yet in
term of device security and privacy acceptance of the public. There exists some security weakness that
prompts such wearable devices vulnerable to attack. One of the critical attack on wearable technology is
authentication issue. The low processing due to less computing power of wearable device causethe
developer's inability to equip some complicated security mechanisms and algorithm on the device.In this
study, an overview of security and privacy vulnerabilities on wearable devices is presented.
The document discusses cybersecurity, artificial intelligence, and how AI can help improve cybersecurity. It notes that while organizations spend billions on cybersecurity, chief information security officers still feel highly exposed. Traditional security methods focus on preventing infiltration but are always one step behind evolving threats. The document argues that AI can help enforce cyber hygiene practices like least privilege to shrink the attack surface, making the problem more bounded and manageable compared to always chasing threats. It discusses how AI is well-suited for understanding intended application behavior based on established rules and data from good software.
- Embedded systems now contain sensitive personal data and perform safety-critical functions in devices like mobile phones, cars, and medical equipment. Unless embedded system security is adequately addressed, it could impede adoption.
- There are many challenges to security in embedded systems and IoT devices, including vulnerabilities in hardware, software, and networks. Effective security requires building security in at all stages of the design process.
- Various attacks like physical intrusion, side channel attacks, software exploits, and denial of service attacks threaten embedded systems. Countering these threats requires mechanisms at different levels including prevention, detection, and recovery techniques applied in hardware, software, and networks.
- The document discusses securing the Internet of Things (IoT), where every physical object has a virtual presence and can interact over the Internet.
- Several obstacles stand in the way of fulfilling the IoT vision, including security issues as the Internet and its users are already under attack and constrained IoT devices are vulnerable.
- To implement IoT security successfully, researchers must understand the IoT conceptually, evaluate current Internet security, and develop solutions that can reasonably assure a secure IoT.
IT Security Bedrohungen optimal abwehren_Tom Turner und Andreas WespiIBM Switzerland
This document summarizes IBM's security strategy and research. It discusses how security threats are evolving more rapidly and sophisticatedly. It presents IBM's holistic security approach of collecting and analyzing everything from people, data, applications, and infrastructure to gain insights. Examples are given of how IBM helps customers like ADP and Cisco strengthen security. IBM security research focuses on initiatives like enterprise information security management, cybersecurity analytics, and secure design using techniques like fully homomorphic encryption.
Tripwire Energy Working Group: Keynote w/Patrick Miller Tripwire
The document discusses the state of cybersecurity in the electric utility industry. It summarizes that infrastructure is a frequent target of cyber attacks from organized crime, nation states, and other adversaries. It also notes that new regulations and frameworks are being introduced at the national level to improve critical infrastructure security and resilience. Utilities are recommended to gap assess controls, improve monitoring, response capabilities, and conduct incident response exercises to prepare for increasing cybersecurity requirements.
[CB20] Cleaning up the mess: discovery, monitoring, analysis, and notificatio...CODE BLUE
Tons of insecure IoT devices are out there and ready to be compromised to join next IoT botnet or misused in even more serious threats. Since many of them are unmanaged, the situation does not seem to improve naturally in a short term. This talk will focus on series of efforts on discovery, monitoring, analysis, and notification of these devices trying to clean up "the mess".
The Internet of Things (IoT) promises to change the way enterprises connect, communicate, operate, and compete. At the same time, the IoT has left enterprise networks and IoT devices extremely vulnerable to security breaches. Current IoT devices and infrastructures are simply not equipped to tackle today’s sophisticated attack methods. Vulnerabilities can be easily exploited unless security is embedded from the inside out – from conception, deployment, and maintenance, to the network edge and across connected devices and infrastructures.
How is ai important to the future of cyber security Robert Smith
Today’s era is driven by technology in every aspect of our lives, so much that we’ve now increased our dependence on technology on a daily basis. With an increase in the dependency, we’re now very vulnerable and exposed to the intermittent threat posed as cyber-attacks. Cyber-attack threats have plagued businesses, corporates, governments, and institutions.
Cloud Analytics Ability to Design, Build, Secure, and Maintain Analytics Solu...YogeshIJTSRD
Cloud Analytics is another area in the IT field where different services like Software, Infrastructure, storage etc. are offered as services online. Users of cloud services are under constant fear of data loss, security threats, and availability issues. However, the major challenge in these methods is obtaining real time and unbiased datasets. Many datasets are internal and cannot be shared due to privacy issues or may lack certain statistical characteristics. As a result of this, researchers prefer to generate datasets for training and testing purposes in simulated or closed experimental environments which may lack comprehensiveness. Advances in sensor technology, the Internet of things IoT , social networking, wireless communications, and huge collection of data from years have all contributed to a new field of study Big Data is discussed in this paper. Through this analysis and investigation, we provide recommendations for the research public on future directions on providing data based decisions for cloud supported Big Data computing and analytic solutions. This paper concentrates upon the recent trends in Big Data storage and analysing, in the clouds, and also points out the security limitations. Rajan Ramvilas Saroj "Cloud Analytics: Ability to Design, Build, Secure, and Maintain Analytics Solutions on the Cloud" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-5 , August 2021, URL: https://www.ijtsrd.com/papers/ijtsrd43728.pdf Paper URL: https://www.ijtsrd.com/other-scientific-research-area/other/43728/cloud-analytics-ability-to-design-build-secure-and-maintain-analytics-solutions-on-the-cloud/rajan-ramvilas-saroj
Cloud Monitoring And Forensic Using Security MetricsSandeep Saxena
This document presents a methodology for cloud monitoring and forensics using security metrics. It discusses previous research on cloud security issues and architectural services. The proposed methodology monitors consumer activity, detects malicious activity using signatures, and activates an automated forensic system to store activity metrics. When malicious activity is detected, remote access is stopped and administrators are notified to collect data for legal processing. A generic architecture is proposed that uses host-based intrusion detection for monitoring network communications and a six-step process for cloud monitoring and forensics.
Internet of Things (IoT) will enable dramatic society transformation. This seminar presents an introduction to the IoT and explains why IoT Security is important.
Then it presents security issues in wireless sensor networks that constitute a main ingredient of IoT.
Seminar given at Centre Tecnològic de Telecomunicacions de Catalunya (CTTC) on 28 January 2015.
Technology & Policy Interaction Panel at Inform[ED] IoT SecurityCableLabs
As IoT insecurity creates vulnerabilities, policymakers become concerned about the health of the Internet. How can public policy address these concerns in a smart way, targeting their efforts to improve IoT security without imposing unnecessary costs across the Internet ecosystem or creating unintended effects? What is the role of government versus industry?
Rob Alderfer, Moderator
Vice President Technology Policy, CableLabs
Gerald Faulhaber
Professor Emeritus, Business Economics & Public Policy, Wharton School
Chaz Lever
Lead Reseacher, Georgia Tech
Jason Livingood
Vice President, Technology Policy & Standards, Comcast
Capstone Team Report -The Vicious Circle of Smart Grid Securityreuben_mathew
The document summarizes challenges facing different stakeholders in securing the smart grid:
- Utilities face rapid deployment, funding shortfalls, technical challenges explaining security, and sophisticated attacks exploiting systems.
- Regulators have inconsistent standards and gaps between policies, creating confusion.
- Equipment manufacturers consider security important but frameworks are not always implemented, leaving systems vulnerable.
Coordinated efforts are needed between utilities, regulators, and manufacturers to address gaps and build a secure smart grid.
Companies are developing their internal IoT security capabilities as they progress with IoT adoption in order to address lingering security concerns. While basic security issues like default passwords continue to put IoT devices at risk, more mature adopters are now enforcing stricter security specifications for devices and treating IoT security like corporate IT security through practices such as network segmentation, access controls and training users. Experts recommend that rather than fearing IoT, companies should find ways to benefit from it by developing internal expertise to ensure their IoT use is secure.
A Comprehensive Survey on Exiting Solution Approaches towards Security and Pr...IJECEIAES
‘Internet of Things (IoT)’emerged as an intelligent collaborative computation and communication between a set of objects capable of providing on-demand services to other objects anytime anywhere. A large-scale deployment of data-driven cloud applications as well as automated physical things such as embed electronics, software, sensors and network connectivity enables a joint ubiquitous and pervasive internet-based computing systems well capable of interacting with each other in an IoT. IoT, a well-known term and a growing trend in IT arena certainly bring a highly connected global network structure providing a lot of beneficial aspects to a user regarding business productivity, lifestyle improvement, government efficiency, etc. It also generates enormous heterogeneous and homogeneous data needed to be analyzed properly to get insight into valuable information. However, adoption of this new reality (i.e., IoT) by integrating it with the internet invites a certain challenges from security and privacy perspective. At present, a much effort has been put towards strengthening the security system in IoT still not yet found optimal solutions towards current security flaws. Therefore, the prime aim of this study is to investigate the qualitative aspects of the conventional security solution approaches in IoT. It also extracts some open research problems that could affect the future research track of IoT arena.
NIST Big Data Public WG : Security and Privacy v2Mark Underwood
The document discusses security and privacy considerations for big data as outlined by the National Institute of Standards and Technology's (NIST) Big Data Public Working Group. It notes that big data introduces new challenges due to factors like multiple security schemes, streamed and stored data, sensor data, and data sharing across organizations. It also summarizes NIST's volumes on big data definitions, taxonomies, use cases, and reference architectures as they relate to security and privacy.
Technologies in Support of Big Data EthicsMark Underwood
As part of the NIST Big Data Public Working Group, we examine technologies that can support ethics in systems design. In particular, we review issues raised by the IEEE P7000 community regarding ethics for autonomous systems and robotics. Possible adaptations to the NBDPWG reference model are considered for the third and final version of SP1500.
SECURITY AND PRIVACY AWARE PROGRAMMING MODEL FOR IOT APPLICATIONS IN CLOUD EN...ijccsa
This document summarizes a research paper on privacy-preserving techniques for IoT data in cloud environments. It introduces two differential privacy algorithms: 1) Generic differential privacy (GenDP) which provides generalized privacy protection for homogeneous and heterogeneous IoT metadata through data portioning. 2) Cluster-based differential privacy which groups similar data into clusters before defining classifiers to validate privacy. The paper evaluates these techniques and finds the cluster-based approach offers better security than customized interactive algorithms while maintaining data utility. Overall, the study presents new differential privacy methods for anonymizing IoT metadata stored in the cloud.
Automation alley day in the cloud presentation - formattedMatthew Moldvan
The document discusses securing a network by utilizing secure cloud strategies. It notes that only 25% of cloud providers consider security a top responsibility. It then introduces Security Inspection Inc. and an individual, detailing their experience. The document outlines cloud computing architectures and the benefits and potential security issues of cloud adoption. It stresses that security features like authentication, authorization, encryption, and segmentation are needed to mitigate risks. Security Inspection Inc. offers cloud security solutions like security as a service and virtualized firewalls. The conclusion emphasizes the importance of maintaining good security practices.
Product security by Blockchain, AI and Security CertsLabSharegroup
Three themes You need to think about Product Security — and some tips for How to Do It
I have been working with software security laboratories and IT security firms for years. I have talked with clients, read and watched dozens of articles/videos and talked with several experts about product security themes, future, technologies.
The three themes are:
Is the blockchain the new technology of trust?
Blockchain has the potential to transform industries. However, some security experts raised questions: If blockchain is broadly used in technology solutions will security standards be adopted? How to protect the cryptographic keys that allow access to the blockchain applications? Although it is true that the potential is huge such as securing IoT nodes, edge devices with authentication, improved confidentiality and data integrity, disrupting current PKI systems, reducing DDoS attacks etc.
AI (Machine Learning, Deep Learning, Reinforcement Learning algorithm) potential in Product Security
Machine learning can help in creating products that analyse threats and respond to attacks and security incidents. There are several repositories on GitHub or open-source codes by IBM available for developers. Deep learning networks are rapidly growing due to cheap cloud GPU services and after Reinforcement learning algorithm’s last success nobody knows the upper limit.
Product Security by International security standards and practices
The present, future, and developmental orientations of independent third party certificates Industry. How can the international standards answer the rapid growth of new technologies and maintain secure applications in IoT, Blockchain or AI-driven industries?
Are IT products reliable, secure and will they stay that way?
I would like to explain Product Security in a simple way. My goal is the introduction of product security for Tech startups, fast-growing Tech firms. Furthermore, I would like to emphasize the benefits of product security certification.
DDS - The Proven Data Connectivity Standard for the Industrial IoT (IIoT)Gerardo Pardo-Castellote
The document discusses DDS (Data Distribution Service) as the proven data connectivity standard for industrial IoT (IIoT). It notes that DDS addresses the key characteristics of reliability, scalability, safety, security and resiliency required for large, heterogeneous IIoT systems. The document also discusses the Industrial Internet Consortium's efforts to develop a common architecture connecting sensors to the cloud across industries. It highlights RTI's role in numerous projects and standards efforts related to IIoT.
Presentation at the 2016 IIOT Challenges and Opportunities Workshop.
The next wave of Industrial Internet applications will connect machines and devices together into functioning, intelligent systems with capabilities beyond anything possible today. These systems fundamentally depend on connectivity and information exchange to derive knowledge and make "smart decisions". They require a much higher level of reliability and security than "Consumer" IoT applications. OMG's Data-Distribution Service for Real-Time Systems (DDS) is the premier open middleware standard directly addressing publish-subscribe communications for Industrial IoT applications. It provides a protocol that meets the demanding security, scalability, performance, and Quality of Service requirements of IIoT applications spanning connected machines, enterprise systems, and mobile devices.This presentation will use concrete use cases to introduce DDS and examine why energy, advanced medical, asset-tracking, transportation, and military systems choose to base their designs on DDS.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
This document provides an overview of Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS), including fundamentals, evolution over time, vulnerabilities, security frameworks, good practices, and resources. It defines SCADA/ICS, describes how they have become more interconnected, lists vulnerabilities like outdated systems and remote access, outlines security standards like NIST and NERC, recommends practices like segmentation and patching, and provides example frameworks and resources.
This document discusses the state of cybersecurity and the need for a data-centric approach. It notes the massive growth in connected devices and data, and the fragmented security market with over 5,000 vendors. Traditional defense-focused security tools have led to complexity, high costs and failed to stop major data breaches. The document advocates shifting to a data-centric model that minimizes risk of data compromise and consolidates security tools. It promotes the Stash data-centric solution as helping organizations simplify security, reduce costs and better protect their data.
Software security, secure software development in the age of IoT, smart thing...LabSharegroup
How to design secure software products for IoT, embedded application, smart metering, smart lighting, medical application with the help of Common Criteria
What happens in the Innovation of Things?Kim Escherich
From the ComputerWorld Internet of Things conference in Copenhagen October 27 2015. On definitions, markets, trends, needed capabilities and how to implement using IBM BlueMix.
This document discusses codes of ethics and concerns regarding artificial intelligence and autonomous systems. It provides an overview of the various IEEE P7000 working groups that are examining issues around big data, machine learning, and ethics. It also mentions some case studies and examples that raise ethical issues relating to areas like bias, privacy, and fairness. The goal is to help engineers address ethical considerations in AI system design and development.
The document discusses several limitations of IoT-enabled automation solutions:
1. Cybersecurity and privacy concerns are significant as more devices are connected and hackers can more easily access building functions by exploiting vulnerabilities.
2. Lack of integration and interoperability standards means buildings use multiple incompatible protocols, increasing costs.
3. Data capturing and processing has limitations due to the expense of comprehensive sensor deployment and expert analysis needed to derive value from data.
Fog computing is a system-level architecture that distributes computing, storage, control and networking functions closer to users along the continuum between IoT devices and the cloud. It aims to address issues like high latency and network congestion that result from processing all IoT data in the cloud. Key characteristics of fog computing include its ability to support location awareness, mobility and real-time interactions through a geographically distributed deployment.
The WITDOM first project presentation has been updated to include a summary of the results corresponding to the first 18 months of the project. The presentation includes a high-level overview of the project scenarios, methodologies to elicit requirements and to formalize them into technical requirements, as well as the initial architecture.
The document discusses cybersecurity challenges related to IoT. It outlines several security incidents involving IoT devices over time. It then discusses inherent security challenges for IoT, including threats from advanced persistent threats, cyber terrorism, and compromised supply chains. The document also summarizes statistics on IoT security concerns and vulnerabilities. It identifies top vulnerabilities according to OWASP and discusses how to secure IoT in different domains like smart cities and homes.
SECURE DATA TRANSFER BASED ON CLOUD COMPUTINGIRJET Journal
This document summarizes a research paper on secure data transfer based on cloud computing. The paper proposes a method to securely store sensitive data on the cloud through encryption. Data owners can encrypt files before uploading them to the cloud. When recipients want to access the encrypted data, data owners can send decryption keys through secure channels. Even if hackers obtain the encrypted data from the cloud, they will be unable to read it without the decryption keys. The proposed method aims to address security and privacy concerns of cloud computing by encrypting data at rest and controlling access through encryption keys.
Deep Learning and Big Data technologies for IoT SecurityIRJET Journal
The document discusses using deep learning and big data technologies to improve security for Internet of Things (IoT) devices and networks. Specifically, it proposes using deep learning models to analyze large amounts of data from IoT sensors to better detect and classify security threats. This can help identify attacks like botnets and distributed denial-of-service (DDoS) attacks. The document also outlines some common IoT security challenges and how approaches like Apache Hadoop, Spark, and Storm can process large volumes of IoT data to improve real-time monitoring and threat prevention.
Similar to Implications of GDPR for IoT Big Data Security and Privacy Fabric (20)
The document provides an overview of the Scaled Agile Framework (SAFe) from the perspective of security and privacy specialists. It discusses how SAFe borrows concepts from lean, agile, and DevOps principles. While SAFe incorporates security as a quality attribute, the document notes it may not provide an in-depth treatment and hybrid models could also be considered.
An overview of Google's Site Reliability Engineering with a view toward possible incorporation in the IEEE P2675 DevOps security standard. (Creative Commons with credit.)
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...Mark Underwood
What happens when the (Observe) Plan-Do-Check-Adjust cycle is undermined by lapses in data integrity? Observations are questioned. Plans may be ill-conceived. Actions may be undertaken that undermine rather than enhance. “Checks” can fail. Adjustments may be guesswork. In cybersecurity, the results of poor data integrity can be expensive outages, ransom requests, breaches, fines -- even bankruptcy (think Cambridge Analytica). But data integrity issues take many forms, ranging from benign to malicious. The full range of these issues is surveyed from a cybersecurity perspective, where logs and alerts are critical for defenders -- as well as quality engineers . Techniques borrowed from model-based systems engineering and ontology AI to are identified that can mitigate these deleterious effects on PDCA.
An introductory take on the ethical issues surrounding the use of algorithms and machine learning in finance, education, law enforcement and defense. This work was stimulated by, but is not a product or authorized content from the IEEE P7003 WG.
Disclaimer: This work is mine alone and does not reflect view of IEEE, IEEE 7003 WG, my employer.
DevOps Support for an Ethical Software Development Life Cycle (SDLC)Mark Underwood
As part of the IEEE SA P7000 and P2675 working groups, it has been determined that DevOps engineering practices can support (or hinder) the environment for an ethical software development life cycle (SDLC). This deck scratches the surface.
Presents a more expansive view of "stakeholders" in systems design, specifically beyond purely human notions. Produced for use by the IEEE P7000 working group "Model Process for Addressing Ethical Concerns During System Design."
Slowing the Two Cultures continental drift. The humanities are drifting further and further away from the realities of science and technology.Their marginalization should worry us all. I survey the current state of affairs 50 years after CP Snow's talk, and suggest how poets should retool.
IoT Day 2016: Cloud Services for IoT Semantic InteroperabilityMark Underwood
Presentation made on IoT Day 2016 about the importance of API-first, cloud services role in implementing ontologies for IoT. The use case is homely: providing proper humidity to my electric violin and guitar instruments while in their cases.
Ontology Summit - Track D Standards Summary & Provocative Use CasesMark Underwood
The OntologySummit is an annual series of events (first started by Ontolog and NIST in 2006) that involves the ontology community and communities related to each year's theme chosen for the summit. The Ontology Summit program is now co-organized by Ontolog, NIST, NCOR, NCBO, IAOA, NCO_NITRD along with the co-sponsorship of other organizations that are supportive of the Summit goals and objectives. This deck summarizes some of the work in Track D, IoT and Ontology Standards Synergies
The presentation discusses design patterns for ontologies in IoT. It proposes using ontologies to influence software engineering practices for IoT, leverage semantics, and foster reuse. Ontology-based design patterns can provide logic, architectural patterns, usability features, and enable simulation/testing. The presentation provides examples of how ontologies can help with issues like sensor provenance, privacy, standards integration, and forensic analysis of IoT data. It argues that ontologies are important to automate reasoning about IoT data and empower domain experts.
The Ipsos - AI - Monitor 2024 Report.pdfSocial Samosa
According to Ipsos AI Monitor's 2024 report, 65% Indians said that products and services using AI have profoundly changed their daily life in the past 3-5 years.
Global Situational Awareness of A.I. and where its headedvikram sood
You can see the future first in San Francisco.
Over the past year, the talk of the town has shifted from $10 billion compute clusters to $100 billion clusters to trillion-dollar clusters. Every six months another zero is added to the boardroom plans. Behind the scenes, there’s a fierce scramble to secure every power contract still available for the rest of the decade, every voltage transformer that can possibly be procured. American big business is gearing up to pour trillions of dollars into a long-unseen mobilization of American industrial might. By the end of the decade, American electricity production will have grown tens of percent; from the shale fields of Pennsylvania to the solar farms of Nevada, hundreds of millions of GPUs will hum.
The AGI race has begun. We are building machines that can think and reason. By 2025/26, these machines will outpace college graduates. By the end of the decade, they will be smarter than you or I; we will have superintelligence, in the true sense of the word. Along the way, national security forces not seen in half a century will be un-leashed, and before long, The Project will be on. If we’re lucky, we’ll be in an all-out race with the CCP; if we’re unlucky, an all-out war.
Everyone is now talking about AI, but few have the faintest glimmer of what is about to hit them. Nvidia analysts still think 2024 might be close to the peak. Mainstream pundits are stuck on the wilful blindness of “it’s just predicting the next word”. They see only hype and business-as-usual; at most they entertain another internet-scale technological change.
Before long, the world will wake up. But right now, there are perhaps a few hundred people, most of them in San Francisco and the AI labs, that have situational awareness. Through whatever peculiar forces of fate, I have found myself amongst them. A few years ago, these people were derided as crazy—but they trusted the trendlines, which allowed them to correctly predict the AI advances of the past few years. Whether these people are also right about the next few years remains to be seen. But these are very smart people—the smartest people I have ever met—and they are the ones building this technology. Perhaps they will be an odd footnote in history, or perhaps they will go down in history like Szilard and Oppenheimer and Teller. If they are seeing the future even close to correctly, we are in for a wild ride.
Let me tell you what we see.
End-to-end pipeline agility - Berlin Buzzwords 2024Lars Albertsson
We describe how we achieve high change agility in data engineering by eliminating the fear of breaking downstream data pipelines through end-to-end pipeline testing, and by using schema metaprogramming to safely eliminate boilerplate involved in changes that affect whole pipelines.
A quick poll on agility in changing pipelines from end to end indicated a huge span in capabilities. For the question "How long time does it take for all downstream pipelines to be adapted to an upstream change," the median response was 6 months, but some respondents could do it in less than a day. When quantitative data engineering differences between the best and worst are measured, the span is often 100x-1000x, sometimes even more.
A long time ago, we suffered at Spotify from fear of changing pipelines due to not knowing what the impact might be downstream. We made plans for a technical solution to test pipelines end-to-end to mitigate that fear, but the effort failed for cultural reasons. We eventually solved this challenge, but in a different context. In this presentation we will describe how we test full pipelines effectively by manipulating workflow orchestration, which enables us to make changes in pipelines without fear of breaking downstream.
Making schema changes that affect many jobs also involves a lot of toil and boilerplate. Using schema-on-read mitigates some of it, but has drawbacks since it makes it more difficult to detect errors early. We will describe how we have rejected this tradeoff by applying schema metaprogramming, eliminating boilerplate but keeping the protection of static typing, thereby further improving agility to quickly modify data pipelines without fear.
ViewShift: Hassle-free Dynamic Policy Enforcement for Every Data LakeWalaa Eldin Moustafa
Dynamic policy enforcement is becoming an increasingly important topic in today’s world where data privacy and compliance is a top priority for companies, individuals, and regulators alike. In these slides, we discuss how LinkedIn implements a powerful dynamic policy enforcement engine, called ViewShift, and integrates it within its data lake. We show the query engine architecture and how catalog implementations can automatically route table resolutions to compliance-enforcing SQL views. Such views have a set of very interesting properties: (1) They are auto-generated from declarative data annotations. (2) They respect user-level consent and preferences (3) They are context-aware, encoding a different set of transformations for different use cases (4) They are portable; while the SQL logic is only implemented in one SQL dialect, it is accessible in all engines.
#SQL #Views #Privacy #Compliance #DataLake
The Building Blocks of QuestDB, a Time Series Databasejavier ramirez
Talk Delivered at Valencia Codes Meetup 2024-06.
Traditionally, databases have treated timestamps just as another data type. However, when performing real-time analytics, timestamps should be first class citizens and we need rich time semantics to get the most out of our data. We also need to deal with ever growing datasets while keeping performant, which is as fun as it sounds.
It is no wonder time-series databases are now more popular than ever before. Join me in this session to learn about the internal architecture and building blocks of QuestDB, an open source time-series database designed for speed. We will also review a history of some of the changes we have gone over the past two years to deal with late and unordered data, non-blocking writes, read-replicas, or faster batch ingestion.
STATATHON: Unleashing the Power of Statistics in a 48-Hour Knowledge Extravag...sameer shah
"Join us for STATATHON, a dynamic 2-day event dedicated to exploring statistical knowledge and its real-world applications. From theory to practice, participants engage in intensive learning sessions, workshops, and challenges, fostering a deeper understanding of statistical methodologies and their significance in various fields."
Analysis insight about a Flyball dog competition team's performanceroli9797
Insight of my analysis about a Flyball dog competition team's last year performance. Find more: https://github.com/rolandnagy-ds/flyball_race_analysis/tree/main
06-04-2024 - NYC Tech Week - Discussion on Vector Databases, Unstructured Data and AI
Round table discussion of vector databases, unstructured data, ai, big data, real-time, robots and Milvus.
A lively discussion with NJ Gen AI Meetup Lead, Prasad and Procure.FYI's Co-Found
Implications of GDPR for IoT Big Data Security and Privacy Fabric
1. Impact of GDPR
on the IoT / Big Data
Security & Privacy Fabric
Presented to IEEE P1451-99 | 2018-05-25 Effectivity Date for GDPR
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
2. General Data Protection Reg (GDPR)
EU Data Protection Directive 95/46/EC
Implements “Privacy by Design,” via “Value-aware Design”
Data Originator rights:
Correction
Removal (“to be forgotten”)
To restrict third party distribution
Opt-in required for anything involving PII
Opt-in required for a new purpose
If used, algorithm (“profiling”) explanations & access to humans
Broad definition of data privacy
E.g., vehicle telemetry can be connected to vehicle owners, occupants
Mobility accelerates geospatially tagged events and processes
GDPR SLA: 40 days to respond to subject access requests (with caveats for extensions)
See Article 15 https://gdpr-info.eu/art-15-gdpr/
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
3. About Me
Co-Chair NIST Big Data Public WG Security & Privacy subgroup https://bigdatawg.nist.gov/
Chair Ontology / Taxonomy subgroup for IEEE P7000. Occasional participant in IEEE Standards WGs
P7007, P7003, P7002, P7004, P7010
IEEE Standard P1915.1 Standard for Software Defined Networking and Network Function Virtualization
Security (member)
IEEE Standard P2675 WG Security for DevOps (member)
Current: Finance, large enterprise: supply chain risk, complex playbooks, many InfoSec tools, workflow
automation, big data logging; risks include fraud and regulatory #fail
Authored chapter “Big Data Complex Event Processing for Internet of Things Provenance: Benefits for
Audit, Forensics, and Safety” in Cyber-Assurance for IoT (Wiley, 2017) https://kbros.co/2GNVHBv
@knowlengr dark@computer.org knowlengr.com https://linkedin.com/in/knowlengr
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
4. “Old” Buzzword: But Big Data Still Matters
Each “V” fronts a collection of
compliance hazards
Credit: “Ten V’s of Big Data”
from XenonStack.
https://kbros.co/2rMX0v0
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
5. Big Data Risks to Security & Privacy
Multi-organizational (e.g., Facebook -> Academia -> Cambridge Analytica)
Removal of economic constraints on archiving
Software-driven, complex supply chain
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
6. Machine Learning Meets
Public Disillusionment with Algorithms
ML has weak transparency
Analytics practitioners may have weak statistical background
Algorithms may not face usability or reproducibility tests
Computation on encrypted data is still primitive and/or slow
Anonymization practices may not take big data variety into account
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
7. IoT-Specific Fabric Risks
End Point devices easy targets for man-in-middle attacks (AUTH)
Decryption points are often at consumer end points where expertise is weakest
Consumer and semi-professional / paraprofessional reliance on IoT devices
Unanticipated uses create multiple risk, safety and security threats
E.g., children have unanticipated access
Traditional InfoSec threat models may be inadequate
“Last mile” increasingly reliant on autonomous systems ($$$)
Lack of redundancy for devices, connections
Lack of network microsegmentation (especially home Wi Fi)
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
8. IoT as Force Multiplier
GDPR compounds IoT InfoSec problems. If IoT data can be
corrupted or lost, compliance will be difficult where PII – or the
suspicion of PII-enabled data, e.g., through Big Data Variety.
Complexity: Network topologies become more complex, creating
manageability challenges. Where manageability is weak, security
can also be weakened.
InfoSec solutions (cryptography, certs, logging, audits, blockchain,
security training) may not scale with IoT.
The most sophisticated threat detection and mitigation solutions
require beefy computational resources.
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
9. Oft-Missed Use Cases
Withdrawal of consent
Proxy consent scenarios (common in health care)
Playbooks for GDPR internal/external audits
Application design patterns that support GDPR values
“Break-glass” scenarios, often left to InfoSec staff instead of domain experts
Lack of ethical principle traceability
Weak, untested or un-simulated ad hoc IoT networks, not studied for threat or scalability
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
10. NIST Big Data PWG (NBDPWG)
Value Chain – Reference Model
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
11. Contributions of NBDPWG
Security & Privacy Fabric
Checklists (Appendix A)
Deep bibliography
Consent and Break-Glass after HL7 (Adaptable for GDPR compliance)
Centrality of Domain Models
Simulation
Security/Privacy modeled after Safety frameworks
E.g., data / code toxicity (after Material Data Safety standard link)
“System Communicator”
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
12. CRISP-DM Process Model
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
Widely used data mining standard
(IBM version ASUM-DM – 2015).
Each process may need to take into
account GDPR processing constraints:
steps not previously anticipated.
New steps: audit, reporting, sent-
tracking.
13. Selected Compliance Problem Areas
“Categories of personal data” disclosure (Do you use canonical metadata tagging?)
“Envisaged period for PII storage” (Can you test and verify expiration? User story?)
“Right to lodge a complaint with supervisors” (Can you scale up call centers?)
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
14. “Smart” Home
Use Cases
Smart Plug ->
Home Wi Fi ->
Telecom WAN ->
Vendor Cloud ->
Vendor Cloud ->
AWS Alexa ->
WAN ->
Home Wi Fi ->
Device
Image Credit: TP-Link
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
15. Possible Data Flows & Archives
Cloud provider data centers (including DR sites)
Telecom providers (metered billing?)
ISP’s, e.g., Web hosts
Mobile phones (+ cache)
Desktops (+ cache)
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
16. Possible Direction for Improvements
Build Catalog of S&P fabric related use cases
Tied to the application’s domain
Touching realistic roles – so people involved in systems are engaged
For Agile / SDLC
Story points, epics
Include breach / noncompliance
Embrace Device Models
IoT devices may be implicated in particular risks – or S&P protection tactics
More and better model-based engineering (MBSE)
Move to Attribute-based Access Control
Complex Event Processing
For event-driven security, audit, alerting
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
17. End of P1451-99 Presentation
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
18. This deck is released under
Creative Commons
Attribution-Share Alike.
Portions of the work summarized was developed by multiple contributors through the NIST open
public working group framework under the leadership of Wo Chang, but this document represents
my views alone. https://bigdatawg.nist.gov | govNISTBig Databig data securityBig Data SecPriv
V2
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
20. Ethical Considerations
Issues from IEEE P7000 and related initiatives
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
21. IEEE P7000: Marquis Group Charter
“Scope: The standard establishes a process model by which engineers and technologists can address
ethical consideration throughout the various stages of system initiation, analysis and design.
Expected process requirements include management and engineering view of new IT product
development, computer ethics and IT system design, value-sensitive design, and, stakeholder
involvement in ethical IT system design. . .. The purpose of this standard is to enable the pragmatic
application of this type of Value-Based System Design methodology which demonstrates that
conceptual analysis of values and an extensive feasibility analysis can help to refine ethical system
requirements in systems and software life cycles.”
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
22. Related IEEE P70nn Groups
IEEE P7000 Ethical Systems Design
IEEE P7001 Transparency of Autonomous Systems
IEEE P7002 Data Privacy Process
IEEE P7003 Algorithmic Bias Considerations
IEEE P7004 Standard for Child and Student Data Governance
IEEE P7005 Standard for Transparent Employer Data Governance
IEEE P7006 Standard for Personal AI Agent
IEEE P7007 Ontological Standard for Ethically Driven Robotics and Automation Systems
IEEE P7008 - Standard for Ethically Driven Nudging for Robotic, Intelligent and Autonomous Systems
IEEE P7009 - Standard for Fail-Safe Design of Autonomous and Semi-Autonomous Systems
IEEE P7010 - Wellbeing Metrics Standard for Ethical Artificial Intelligence and Autonomous Systems
IEEE P7011 - SSIE Standard for Trustworthiness of News Media
IEEE P7012 - SSIE Machine Readable Personal Privacy Terms
IEEE P7013 - Facial Analysis
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
23. Key References
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
Focus: artificial intelligence
and autonomous systems.
Havens asks, “How will
machines know what we
value if we don’t know
ourselves?”
24. Recent Case Study Opportunities:
Case Study 1
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
“Faster, Higher, Farther chronicles a corporate scandal that rivals
those at Enron and Lehman Brothers—one that will cost Volkswagen
more than $22 billion in fines and settlements.” –Publisher
25. Case Study 2
“Equifax said that about 38,000 driver's
licenses and 3,200 passports details
had been uploaded to the portal that
had was hacked. (http://bit.ly/2jF3VTh)
Equifax said in September that hackers
had stolen personally identifiable
information of U.S., British and
Canadian consumers. The company
confirmed that information on about
146.6 million names, 146.6 million dates
of birth, 145.5 million social security
numbers, 99 million address
information and 209,000 payment card
number and expiration date, were
stolen in the cyber security incident.” –
Yahoo Finance
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
26. Case Study 3
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
It will be remembered as “a breach,” but the Facebook –
Cambridge Analytica incident was about big data.
Adjectives to
remember:
“Tiny” + “Big”
27. Case Study 4
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
Finding: Hispanic-owned and managed Airbnb properties, controlled for other
aspects, receive less revenue than other groups.
Response from Airbnb when contacted by reporters: We already provide tools
to help price listings.
Source: American Public Media Marketplace 8-May-2018
Related story: Dan Gorenstein, “Airbnb cracks down on bias – but at what cost?” Marketplace, 2018-09-08.
28. Case Study 5
A “charity” was used to subsidize
payments to Medicare patients in order
to boost drug sales. Multiple
manufacturers are involved.
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
29. Case Study 6
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
“Value-added measures for teacher evaluation, called the Education Value-Added
Assessment System, or EVAAS, in Houston, is a statistical method that uses a
student’s performance on prior standardized tests to predict academic growth in the
current year. This methodology—derided as deeply flawed, unfair and
incomprehensible—was used to make decisions about teacher evaluation, bonuses
and termination. It uses a secret computer program based on an inexplicable
algorithm (above).
In May 2014, seven Houston teachers and the Houston Federation of Teachers
brought an unprecedented federal lawsuit to end the policy, saying it reduced
education to a test score, didn’t help improve teaching or learning, and ruined
teachers’ careers when they were incorrectly terminated. Neither HISD nor its
contractor allowed teachers access to the data or computer algorithms so that they
could test or challenge the legitimacy of the scores, creating a ‘black box.’”
http://kbros.co/2EvxjU9
30. Case Study 7
A radiologist sends a message to a provider. It is never received, and critical
care was not delivered, probably resulting in a patient’s death. Whom would
you blame?
What’s in your stack?
“Apache Flink is an open-source framework for distributed stream processing that
Provides results that are accurate, even in the case of out-of-order or late-arriving
data. Some of its features are – (1) It is stateful and fault-tolerant and can seamlessly
recover from failures while maintaining exactly-once application state; (2) performs
at large scale, running on thousands of nodes with excellent throughput and latency
characteristics; (3) its streaming data flow execution engine, APIs and domain-
specific libraries for Batch, Streaming, Machine Learning, and Graph Processing.”
Or . . . ? “Apache Kafka solves the situation where the producer is generating
messages faster than the consumer can consume them in a reliable way.”
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
31. Related Decks
NIST Big Data Public Working Group – Overview for Cloud Native SAFE
Stakeholders for Ethical Systems Design
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
32. My Perspective
Chair Ontology / Taxonomy subgroup for P7000
Occasional participant in IEEE Standards WGs P7007, P7003, P7002, P7010
IEEE Standard P2675 WG Security for DevOps
Finance large enterprise: supply chain risk, complex playbooks, many InfoSec tools, workflow
automation, big data logging; risks include fraud and regulatory #fail
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
33. IEEE Society on Social Implications
of Technology
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
34. IEEE Product Safety Engineering Society
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
• “Do no harm.” – It’s not
so easy.
• Do you know a system is
safe before it’s been fully
scaled up -- & possibly
federated?
• What constitutes “a
reasonable explanation”?
35. IEEE Reliability Society
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
See free reliability analytics toolkit. Some
items are useful to Big Data DevOps)
https://kbros.co/2rugRij
36. IEEE Shill? No.
Active communities are small.
Standards documents are not free, though participation for IEEE members is.
Heavily weighted toward late career participants.
Despite “Engineering” in title, often not “engineering.”
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
37. But IEEE has . . .
IEEE Digital Library (with cross reference to ACM digital library)
Multinational reach and engagement
Reasonable internal advocacy and oversight
Diversity
Sometimes good awareness of NIST work
Often best work in lesser-known conference publications (e.g., vs. IEEE Security)
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
38. State of Computing Profession Ethics
@ACM_Ethics
ACM Code of Ethics
(Draft 3, 2018) https://www.acm.org/about-acm/code-of-ethics
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
39. Highlights of ACM Ethics v3
“minimize negative consequences of computing, including threats to health, safety, personal
security, and privacy.”
When the interests of multiple groups conflict, the needs of the least advantaged should be given
increased attention and priority
computing professionals should promote environmental sustainability both locally and globally.
“. . .the consequences of emergent systems and data aggregation should be carefully analyzed.
Those involved with pervasive or infrastructure systems should also consider Principle 3.7
(Standard of care when a system is integrated into the infrastructure of society).
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
40. Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
https://www.computer.org/web/education/code-of-ethics
41. Joint ACM IEEE Software Engr Code
https://www.computer.org/web/education/code-of-ethics
1. PUBLIC - Software engineers shall act consistently with the public interest.
2. CLIENT AND EMPLOYER - Software engineers shall act in a manner that is in the best interests of their client and
employer consistent with the public interest.
3. PRODUCT - Software engineers shall ensure that their products and related modifications meet the highest
professional standards possible.
4. JUDGMENT - Software engineers shall maintain integrity and independence in their professional judgment.
5. MANAGEMENT - Software engineering managers and leaders shall subscribe to and promote an ethical approach
to the management of software development and maintenance.
6. PROFESSION - Software engineers shall advance the integrity and reputation of the profession consistent with the
public interest.
7. COLLEAGUES - Software engineers shall be fair to and supportive of their colleagues.
8. SELF - Software engineers shall participate in lifelong learning regarding the practice of their profession and shall
promote an ethical approach to the practice of the profession.
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
42. Human Computer Interaction
NBDPWG System Communicator
Usability for web and mobile content
Substitutes for old school manuals
“Privacy text” for disclosures, policy, practices
Central to much of the click-based economy
“User” feedback, recommendations
Recommendation engines
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
43. Natural Language Tooling
Hyperlinks to artifacts
Chatbots
Live agent
Speech to text support
Text mining
Enterprise search (workflow-enabled artifacts)
Some of the indexed artifacts may approach big data status
SaaS Text Analytics
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
44. Dependency Management
Big Data configuration management
Across organizations
Needed for critical infrastructure
See NIST critical sector efforts
Dependencies may not be human-intelligible
Special issues with machine-to-machine transactions
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
45. Traceability & Requirements Engineering
Define what is an ethical requirement
Possible: big data ethical fabric (transparency, usage)
Audit
Traceability requirements
Can an ethical responsibility be inherited like PII-tagged data elements?
What about synthetic, algorithm-defined elements?
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
46. Special Populations
Disadvantaged
By regulation (e.g., 8A, SBIR, disability)
By “common sense” (“fairness” and “equity”)
By economic / sector (“underserved”)
Internet Bandwidth inequity
Children
“Criminals” / Malware Designers
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
47. Transparency
What does it mean to be “transparent” about ethics?
What connection to IEEE /ACM professional ethics?
ACM: “The entire computing profession benefits when the ethical decision making process is accountable to
and transparent to all stakeholders. Open discussions about ethical issues promotes this accountability and
transparency.”
ACM “A computing professional should be transparent and provide full disclosure of all pertinent system
limitations and potential problems. Making deliberately false or misleading claims, fabricating or falsifying data,
and other dishonest conduct are violations of the Code.”
ACM “Computing professionals should establish transparent policies and procedures that allow individuals to
give informed consent to automatic data collection, review their personal data, correct inaccuracies, and, where
appropriate, remove data.”
ACM “Organizational procedures and attitudes oriented toward quality, transparency, and the welfare of society
reduce harm to the public and raise awareness of the influence of technology in our lives. Therefore, leaders
should encourage full participation of all computing professionals in meeting social responsibilities and
discourage tendencies to do otherwise.”
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
48. Algorithms
“Why am I locked out while she is permitted?”
“Why isn’t my FICO score changing?”
“How can I know when I have explained our algorithm?”
“Is there an ‘explain-ability’ metric?”
What is different about machine-to-machine algorithms?
“Can an algorithm be abusive?”
“Is ‘bias’ the new breach?” https://kbros.co/2I2sxDO
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
49. Audience, Alerts, Audits: Monitoring
Support multiple “stakeholders”
Not all are paying customers (“public interest”, regulators, suppliers)
Traceability requirements vary across stakeholder groups
In addition to those specified by product owners:
Alerts for citizens, infrastructure managers, CEOs, CIO’s, CISO’s, industry peers
May be the same, or may vary
Monitoring may need to be specialized according to each “V” | Live “seed” testing
Cautionary Tales: “Tin Can on the Wedding Car,” toddlers eating button batteries
(Opinion: Need to resurrect Complex Event Processing design patterns)
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
50. Big Data Simulation
New: DevOps Scalability
Simulation and Interoperability (SISO)
Scale for the V’s (see SISO)
NIST Big Data S&P Appendix A high conformance
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
51. Big Data Operational Intelligence
Big Data often needed to manage applications
Managing pay-as-you-go computing resources =>
OpIntel
Related: Managing OpSec
Related: Alerts and Logging
Tradeoffs and utility models
Transparency, traceability, “documentation”
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
52. Test Engineering and DevOps
Continuous Pipeline concepts applied to IoT / Edge / Distributed
Each platform (or stack “layer”) may introduce different types of ethical concerns
E.g., Identity Management for children
Infectious disease statistics -> break glass for public health
Autonomous vehicles response to fog conditions (see http://web.media.mit.edu/~guysatat/fog/)
Reliance on less reliable hardware or bandwidth (e.g., cheap sensors, residential wi-fi)
Left- and right-shift of safety, reliability, regulatory constraints (remember case studies)
New meaning for “interoperability” – “inter-responsibility”
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
53. Forensics
Big Data may be needed for full stack playback
Full stack for After Action Review is still immature with forensics professionals
Even large firms may not be staffed with forensics specialists
Big surprise may be in store when breach or litigation occurs
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
54. Federation & Supply Chain
Facebook/Cambridge Analytica scenario was forecast in V1
Supply Chains that have been casual need upgrades
Risk often increases as organizational size decreases
Cost of “keeping data around” dangerously close to zero
Conventional systems taxed to handle volume of identity management
Access is infrequently leased
Simplistic network zones fail to isolate subcomponents important to domain experts
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
55. Corporate Initiatives
Environmental Social Governance
Transparency within employee groups, departments, subsidiaries (See P7005)
Computing decisions that affect carbon footprint (green data centers, etc.)
Individual practitioners have greater influence than before
Disclaimers in developer contract work
Offshore culture: some workers may be afraid to question requirements, risk-taking
Whistle-blower (a la Bug Bounty) not working well yet
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
56. Who Decides?
Some Opinions
Requirements Engineering may need a refresher, uplift
System Architects must continuously place controls in hands of domain experts
This is counter to the “sysadmin” design pattern
Risks multiply in part due to the commercial deprecation of documentation, manuals
Boundaries of safe & manageable release pipelines may have already been exceeded (mobile)
“Explain this” mentality partly offsets the DIY developer syndrome
Good for self-education, but the problem is not defining “ethics”
On-demand microlearning must accompany microservices deployment
AI Agents: Can ask, “Why?” “Who?” and nudge ethical considerations
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
57. Value Chain – Reference Model
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
58. Bibliography
Bo Brinkman, Catherine Flick, Don Gotterbarn, Keith Miller, Kate Vazansky, and Marty J. Wolf. 2017.
Listening to professional voices: draft 2 of the ACM code of ethics and professional
conduct. Commun. ACM 60, 5 (April 2017), 105-111. DOI: https://doi.org/10.1145/3072528
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
59. Related Work
NIST 800-53 Rev 5 and others, NIST Cloud Security, NIST RMF
Building, Auto Automation ISO 29481, 16739, 12006
https://www.buildingsmart.org/about/what-is-openbim/ifc-introduction
Uptane
Ethics and Societal Considerations ISO 26000, IEEE P70nn
DevOps Security IEEE P2675
Microsegmentation and NFV IEEE P1915.1
Safety orientation
Infrastructure as code
E.g., security tooling is code, playbooks are code
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
60. This deck is released under
Creative Commons
Attribution-Share Alike.
Portions of the work summarized was developed by multiple contributors through the NIST open
public working group framework under the leadership of Wo Chang, but this document represents
my views alone. https://bigdatawg.nist.gov | govNISTBig Databig data securityBig Data SecPriv
V2
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
61. Background: NIST Big Data PWG
Other insights from the NIST Big Data Public Working Group
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
62. What’s Different about Big Data
(OLD NEWS)
Multiple security schemes, attack vectors, countermeasures
May have streamed data frameworks + data at rest
Sensor Sensibility
Unintended uses and deanonymization
Often multi-organizational (most standards built for single-org adoption)
Problems of scale and complexity, veracity, content, provenance, jurisdiction
Data and code shared across organizations
Big data power wielded by smaller organizations with weak governance, training, regs
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
63. Fluff
Security and privacy are affected by all dimensions:
Volume
Velocity
Variety
Veracity (Provenance)
Volatility
Cloud
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
64. Less Fluffy
Big Data partly side effect of SDLC shifts
Agile
API-First
Microservices / Containerization
Deprecated but not forgotten: Components, Composable Services
SDN, 5G
Left Shift (DevOps)
DevSecOps
Model portability: CrispDM (IBM SPSS link), OMG DOL (Distributed Ontology, Model & Spec Language, link)
IoT (Distributed Computing c. 1970-present)
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
65. Key Trends
Cloud (centralization, scale, code-sharing)
IoT, especially health & safety related
Mobility and pervasive human-computer interactions (Alexa, etc.)
Data Center automation (scripting -> DevOps code, “left-shift”)
Trust and Federation (related: Blockchain)
Domain automation (E.g., smart buildings, autonomous vehicles, FIBO)
ABAC more than RBAC
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
66. Use Cases
Network Protection
Systems Health & Management (AWS metrics, billing, performance)
Education
Cargo Shipping
Aviation (safety)
UAV, UGV regulation
Regulated Government Privacy (FERPA, HIPAA, COPPA, GDPR, PCI etc.)
Healthcare Consent Models
HL7 FHIR Security and Privacy link
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
67. Liaison
NIST (mostly 1:1 contacts, catalog of cited SPs and standards)
IEEE P2675 Security for DevOps
IEEE P1915.1 NFV and SDN Security, 5G (1:1 via AT&T)
IEEE P7000-P7010 (S&P in robotics: algorithms, student data, safety & resilience, etc.)
ISO 20546 20547 Big Data
IEEE Product Safety Engineering Society
IEEE Reliability Engineering
IEEE Society for Social Implications of Technology
HL7 FHIR Security Audit WG
Cloud Native SAFE Computing (Kubernetes-centric)
Academic cryptography experts
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
68. Value Chain – Reference Model
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
69. ACM Computing Classification
Security & Privacy Topics
Database and storage security
Data anonymization and sanitation
Management and querying of encrypted data
Information accountability and usage control
Database activity monitoring
Software and application security
Software security engineering
Web application security
Social network security and privacy
Domain-specific security and privacy architectures
Software reverse engineering
Human and societal aspects of security and privacy
Economics of security and privacy
Social aspects of security and privacy
Privacy protections
Usability in security and privacy
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
70. Conceptual Taxonomy
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
Security
and Privacy
Conceptual
Taxonomy
Data
Confidentiality
Provenance
System Health
Public Policy,
Social, and Cross-
Organizational
Topics
71. Operational Taxonomy
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
Security
and Privacy
Operational
Taxonomy
Device and
Application
Registration
Identity and
Access
Management
Data
Governance
Infrastructure
Management
Risk and
Accountability
72. NBD SP Security & Privacy Safety:
Conformance Levels
General approach: ISO 17021, 17067, 17023 Conformity Assessment
Sets forth suggested levels of conformance:
Safety Level 1, 2 & 3
Self-administered
Mechanics at Level 3
Automated use of domain models for Security Operations
Security and privacy risks driven to IDE
Continuous Test (left- & right-shift of code)
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
73. Value of Security Ontologies
(Obrst, Chase, & Markeloff, 2012) Note that systematic use of ontologies could enable information
security tools to process standardized information streams from third parties, using methods such as
the Security Content Automation Protocol (SCAP). This model could enable automated reasoning to
address potential breaches closer to real time, or which have indirect effects on networks or
applications which require a mixture of human and machine cognition.
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
74. Privacy and Security Fabric
“Fabric” notion adopted by several organizations
Fabric to cover multiple layers, facets, technologies
Dissolving distinction between security and privacy
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
75. Snips from NBDPWG V2 Appendix A
Best practices for ABAC
Integration of legacy RBAC with ABAC
Derivation of ABAC from other model formats
Kubernetes walkthrough
Container and Microservice ABAC
Log analysis for Splunk Security Operations / Application design patterns
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
76. Appendix A
There is more . . . Refer to Appendix A in the full document. The preceding
slides were an excerpt.
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
87. Cloud Native Foundation
Safe Access For Everyone (SAFE)
https://github.com/cn-security/safe
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1
88. This deck is released under
Creative Commons
Attribution-Share Alike.
Portions of the work summarized was developed by multiple contributors through the NIST open
public working group framework under the leadership of Wo Chang, but this document represents
my views alone. https://bigdatawg.nist.gov | govNISTBig Databig data securityBig Data SecPriv
V2
Mark Underwood @knowlengr | Synchrony | Views my own | dark@computer.org | v1.1