Confidential 1 21 July 2014
Defining Security Standards – Challenges, Technologies & Solutions
Dr. Walter Fumy
Chairman JTC 1/SC 27 IT Security Techniques
Chief Scientist, Bundesdruckerei GmbH, Germany
Abu Dhabi: Defining Standards 2014-11-19
Abu Dhabi: Defining Standards 2 19 November 2014
Basic Human Needs are evolving
Ø Physiological Needs: Air, Water, Food, Shelter
Ø Safety, Security
Ø Social Needs: Friends, Family
Major Trends
Ø Identity management for individuals, objects and processes
Ø Mobility, Industry 4.0, Cloud, Big/Smart Data, Social Data
Ø Networks, Identities, Automation, Communications
Ø Need for security & privacy technologies
Trends & Digital Identities
Digital Identity and the trends surrounding it:
Ø Internet of Things (IoT): Object IDs, Industry 4.0, M2M Communication, Material Trust
Ø Simplicity: Secure but Simple, User Experience, Work Life Balance
Ø Data Sensitivity: Privacy, Anonymity / Pseudonymity, Control & Trust
Ø Big Data & Cloud Computing: Software as a service (SAAS), Data Privacy, Data Confidentiality
Ø Mobility: BYOD, High Security Access, Full ID | Governance, Material Trust
Ø Cybercrime: Phishing, Pharming, ID Theft
Simplicity – The 15 most used passwords in 2013 vs. 2012
j%7K&yPx$ can be difficult to remember

2013          2012
123456        password
password      123456
12345678      12345678
qwerty        abc123
abc123        qwerty
123456789     monkey
111111        letmein
1234567       dragon
iloveyou      111111
adobe123      baseball
123123        iloveyou
admin         trustno1
1234567890    1234567
letmein       sunshine
photoshop     master
source: splashdata.com
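The defensive counterpart to the two lists above is a deny-list check at password-set time. The following Python is an added example, not code from the presentation or from SplashData; it screens a candidate against the slide's 2013 and 2012 top-15 lists and also catches the trivial variants users reach for when forced to "add a number" (case changes, leet-speak substitutions, a trailing run of digits or symbols). The minimum-length rule in check_password() is an assumed local policy, not something the slide states.

```python
"""Common-password deny-list check.

Added example for this slide; not code from the presentation or from
SplashData.  A candidate password is compared, in several normalised forms,
against the two top-15 lists shown on the slide (source: splashdata.com).
"""

import re

# The slide's 2013 and 2012 top-15 lists (splashdata.com).
TOP_2013 = [
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "1234567", "iloveyou", "adobe123", "123123", "admin",
    "1234567890", "letmein", "photoshop",
]
TOP_2012 = [
    "password", "123456", "12345678", "abc123", "qwerty", "monkey",
    "letmein", "dragon", "111111", "baseball", "iloveyou", "trustno1",
    "1234567", "sunshine", "master",
]

# Every deny-list entry is stored lower-cased; membership tests are O(1).
DENY_LIST = frozenset(p.lower() for p in TOP_2013 + TOP_2012)

# Substitutions that turn "p@ssw0rd" back into "password".
_UNLEET = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t",
})

# A trailing run of digits or punctuation ("password1!", "qwerty2014").
_TRAILING = re.compile(r"[0-9!@#$%^&*.\-_]+$")


def _variants(pw: str) -> set[str]:
    """Return the normalised forms under which a password is compared."""
    low = pw.lower()
    stripped = _TRAILING.sub("", low) or low   # keep all-digit passwords intact
    return {low, low.translate(_UNLEET), stripped, stripped.translate(_UNLEET)}


def is_common_password(pw: str) -> bool:
    """True if the password, or a trivial variant of it, is on the deny list."""
    return any(v in DENY_LIST for v in _variants(pw))


def check_password(pw: str, min_length: int = 8) -> tuple[bool, str]:
    """Deny-list first, then the assumed minimum-length policy (not from the slide)."""
    if is_common_password(pw):
        return False, "too common"
    if len(pw) < min_length:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, including the slide's own hard-to-remember example.
    for candidate in ["123456", "Password1", "p@ssw0rd", "letmein!!",
                      "Qwerty2014", "j%7K&yPx$"]:
        print(f"{candidate!r:14} -> {check_password(candidate)}")
```

In production the two short lists would be replaced by a large breached-password corpus, but the normalisation step is the part worth keeping: an exact-match check alone accepts "Password1" while rejecting "password", which teaches users nothing except to append a digit.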
Simplicity
"To keep your customers, keep it simple" (Harvard Business Review, 2012)
Password Practice*
Ø 30% of adult users maintain 10 or more unique passwords
Ø 8% maintain 21 or more
Ø 81% of users do not use a unique password for each website
Ø 33% use the same password for each website
Ø 48% use a few different passwords
Ø 51% dislike the prospect of remembering another username or password
Ø 37% have to ask for assistance on their username or password for at least one website per month
*) source: passwordresearch.com
Mobility & Financial Services are Reshaping the Biometrics Marketplace
Ø Biometric authentication such as fingerprint, face and voice recognition integrated in mobile devices (e.g. smartphones, tablets)
Ø Biometric authentication in smartphones expected to transition from “early adopter phase” to “early maturity phase”
Ø Some Japanese banks are adopting vein pattern recognition for customer authentication
Ø Barclays plans to adopt finger vein recognition
Ø MasterCard and Zwipe have recently announced a contactless payment card with an integrated fingerprint sensor that needs no battery
Biometrics Standardization
source: Fernando Podio, SC 37 Chairman
Biometrics Standardization within ISO/IEC JTC 1
source: Fernando Podio, SC 37 Chairman
Security and Privacy Topic Areas
Ø Information security management system (ISMS) requirements, methods and processes
Ø Accreditation, certification and auditing requirements and methods for management systems
Ø Cryptographic and security mechanisms and technologies
Ø Security evaluation, testing, processes, methods and specification (products, devices and systems of products)
Ø Economics of information security and privacy
Ø Information security and privacy governance
Ø Privacy controls and identity management methods (including application specific, e.g. cloud), techniques, frameworks, biometric information protection, biometric authentication
Ø Security controls (including application and sector specific, e.g. Cloud, Telecoms, Energy, Finance), codes of practice, frameworks
Ø Security services (including application and sector specific, e.g. Cloud), IT network security, 3rd party services, IDS, incident management, cyber security, application security, disaster recovery, forensics
Working groups: WG 1, WG 2, WG 3, WG 4, WG 5
SC 27/WG 1 ISMS Family of Standards
Ø IS 27000 ISMS Overview and vocabulary
Ø IS 27001 ISMS Requirements
Ø IS 27002 Code of practice
Supporting Guidelines
Ø IS 27003 ISMS Implementation guidance
Ø IS 27004 Information security management measurement
Ø IS 27005 Information security risk management
Accreditation Requirements and Auditing Guidelines
Ø IS 27006 Accreditation requirements
Ø IS 27007 ISMS Auditing guidelines
Ø TR 27008 ISMS Guide for auditors on ISMS controls
Sector Specific Requirements and Guidelines
Ø IS 27011 / ITU-T X.1051 Telecom sector ISMS guidelines based on 27002
Ø IS 27010 ISMS for inter-sector communications
Ø TR 27015 ISMS guidelines for financial services
Ø CD 27009 Use and application of 27001 for sector-specific 3rd party certifications
Ø TR 27019 Energy industry ISMS guidelines based on 27002
Ø CD 27017 Code of practice for cloud computing services based on 27002
SC 27/WG 4 Security Controls and Services
Unknown or emerging security issues
Ø ICT Readiness for business continuity (IS 27031)
Ø Cybersecurity (IS 27032)
Known security issues
Ø Network security (27033-x, six parts)
Ø Application security (27034-x, six parts)
Ø Security info-objects for access control (TR 15816)
Ø Security for supplier relationships (DIS 27036)
Ø Storage security (CD 27040)
Ø TTP Services security (TR 14516; 15945)
Ø Time stamping services (TR 29149)
Security breaches and compromises
Ø Information security incident management (IS 27035)
Ø ICT Disaster recovery services (IS 24762)
Ø Identification, collection and/or acquisition, and preservation of digital evidence (IS 27037)
SC 27/WG 3 Security Evaluation Criteria
Ø IT Security Evaluation Criteria (CC) (IS 15408)
Ø Evaluation Methodology (CEM) (IS 18045)
Ø PP/ST Guide (TR 15446)
Ø Protection Profile Registration Procedures (IS 15292)
Ø A Framework for IT Security Assurance (TR 15443)
Ø Security Assessment of Operational Systems (TR 19791)
Ø Security Evaluation of Biometrics (IS 19792)
Ø SSE-CMM (IS 21827)
Ø Test Requirements for Cryptographic Modules (IS 24759)
Ø Security Requirements for Cryptographic Modules (IS 19790)
Ø Verification of Cryptographic Protocols (IS 29128)
Ø Vulnerability Disclosure (IS 29147)
SC 27/WG 2 Cryptography and Security Mechanisms
Topic areas: Cryptographic Protocols, Message Authentication, Digital Signatures, Encryption & Modes of Operation, Parameter Generation
Ø Entity Authentication (IS 9798)
Ø Key Management (IS 11770)
Ø Encryption (IS 18033)
Ø Modes of Operation (IS 10116)
Ø Hash Functions (IS 10118)
Ø Message Authentication Codes (IS 9797)
Ø Signatures giving Message Recovery (IS 9796)
Ø Non-Repudiation (IS 13888)
Ø Signatures with Appendix (IS 14888)
Ø Check Character Systems (IS 7064)
Ø ECC Techniques (IS 15946)
Ø Lightweight Crypto (IS 29192)
Ø Time Stamping Services (IS 18014)
Ø Random Bit Generation (IS 18031)
Ø Prime Number Generation (IS 18032)
Ø Authenticated Encryption (IS 19772)
Ø Biometric Template Protection (IS 24745)
SC 27/WG 5 Identity Management & Privacy Technologies
WG 5 addresses security aspects of identity management, biometrics and the protection of personal data, including
Frameworks & Architectures
Ø A framework for identity management (IS/DIS/CD 24760)
Ø Privacy framework (IS 29100)
Ø Privacy architecture framework (IS 29101)
Ø Entity authentication assurance framework (IS 29115 / ITU-T X.eaa)
Ø Privacy impact assessment – Methodology (WD 29134)
Ø A framework for access management (CD 29146)
Protection Concepts
Ø Biometric information protection (IS 24745)
Ø Requirements for partially anonymous, partially unlinkable authentication (IS 29191)
Ø Identity proofing (CD 29003)
Guidance on Context and Assessment
Ø Authentication context for biometrics (IS 24761)
Ø Privacy capability assessment framework (PRF 29190)
ISO/IEC 29115:2013 Entity Authentication Assurance
ISO/IEC 29115 provides a framework for managing entity authentication assurance in a given context. In particular, it specifies
Ø four levels of entity authentication assurance (LoA 1 to 4)
Ø criteria and guidelines for achieving each of the four levels

Level              | Description                            | Objective                                                                | Control
LoA 1 – low        | Little or no confidence in asserted ID | ID is unique within a context                                            | Self-asserted
LoA 2 – medium     | Some confidence in asserted ID         | ID is unique within context and entity exists objectively                | Proof of ID through use of ID information from authoritative source
LoA 3 – high       | High confidence in asserted ID         | ID is unique within context, entity exists objectively, and ID is verified | Proof of ID through use of ID information from authoritative source + verification
LoA 4 – very high  | Very high confidence in asserted ID    | ID is unique within context, entity exists objectively, and ID is verified | Proof of ID through use of ID information from multiple authoritative sources + verification + entity witnessed in-person*
*) applies to human entities only
Conclusions
Ø Personal authentication transactions are predicted to increase from millions to billions … and perhaps trillions*
Ø Secure digital IDs and their efficient management are essential
Ø Required technologies are largely available
Ø Challenges include
Ø Users need to become more security-aware ⇔ security needs to become more user-friendly
Ø Security & privacy needs to be built-in rather than bolt-on
Ø Prepare for the future but do not reinvent the wheel
*) Source: Acuity Market Research, Nov 2013