Academic Perspective
Some Security Activities at University College Cork

Simon Foley
Department of Computer Science,
University College Cork, Ireland
www.cs.ucc.ie/~s.foley
Overview of Computer Security Activities

Advance foundational results in security by considering the application of security in practice.

Research
  • Security policy models and mechanisms
  • Federated and distributed systems security
  • Security risk management and governance

Teaching
  • Computer security (undergraduate)
  • Network security & Mobile systems security (postgraduate)
  • Final year BSc and taught MSc projects in Security.

User Centered Security

Security Policy Requirements Elicitation

Policy elicitation is often driven by technical concerns:
  • Technical policies are designed by technical people.
  • They are based on the system artifacts with which users interact: groups, roles, transactions, etc.

Elicitation should also consider the needs of individuals and their relationships:
  • Balance individuals' requirements [e.g., Multilateral Security].
  • Include human issues.

How can we address this?
Trust Management Policy Elicitation

Use qualitative analysis methods from the social sciences to elicit a trust management policy for photograph sharing:
  • Explore user experience through semi-structured interviews.
  • Qualitative analysis of the interviews elicits the policy requirements.
  • Model the result in a Bayesian Network.

User requirements are more complex than basic access controls.

[S.N. Foley, V.M. Rooney. Qualitative Analysis for Trust Management. International Security Protocols Workshop, Cambridge, 2009. Springer LNCS.]
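The slide says the elicited requirements are modelled in a Bayesian network. What follows is an added illustration, not the paper's model: a small network for a photograph-sharing decision, with exact inference by enumeration in plain Python. The variables (relationship, photograph sensitivity, whether the recipient is trusted, whether to share), their states and every probability table are invented for this example; the paper derives its own from interview data. The point it makes is the slide's last line: the sharing decision is graded by relationship and sensitivity rather than a yes/no entry in an access-control list, and the same model can be queried in the other direction, e.g. what a user's decision to share with an acquaintance says about how much they trust that person.

```python
from itertools import product

# Hypothetical network for a photo-sharing decision. Variables, states and probabilities
# are invented for this example. Each entry: variable -> (parents, CPT keyed by parent values).
NETWORK = {
    "relationship": ((), {(): {"close": 0.3, "acquaintance": 0.7}}),
    "sensitivity":  ((), {(): {"low": 0.6, "high": 0.4}}),
    "trusted": (("relationship",), {
        ("close",):        {"yes": 0.9, "no": 0.1},
        ("acquaintance",): {"yes": 0.4, "no": 0.6},
    }),
    "share": (("trusted", "sensitivity"), {
        ("yes", "low"):  {"yes": 0.95, "no": 0.05},
        ("yes", "high"): {"yes": 0.60, "no": 0.40},
        ("no", "low"):   {"yes": 0.30, "no": 0.70},
        ("no", "high"):  {"yes": 0.02, "no": 0.98},
    }),
}


def states(var):
    """The values a variable can take, read off its conditional probability table."""
    _, cpt = NETWORK[var]
    return list(next(iter(cpt.values())))


def joint(assignment):
    """P(assignment) for a full assignment of every variable, via the chain rule."""
    p = 1.0
    for var, (parents, cpt) in NETWORK.items():
        p *= cpt[tuple(assignment[q] for q in parents)][assignment[var]]
    return p


def query(var, evidence):
    """Exact inference by enumeration: P(var | evidence) as {state: probability}.
    Hidden variables are summed out; the result is normalised over the states of `var`."""
    hidden = [v for v in NETWORK if v != var and v not in evidence]
    unnormalised = {}
    for state in states(var):
        total = 0.0
        for combo in product(*(states(h) for h in hidden)):
            total += joint({**evidence, var: state, **dict(zip(hidden, combo))})
        unnormalised[state] = total
    z = sum(unnormalised.values())
    return {s: p / z for s, p in unnormalised.items()}


def share_decision(relationship, sensitivity, threshold=0.5):
    """Policy decision: share when the posterior probability that sharing is acceptable
    clears the threshold. The threshold itself is a policy parameter a user could set."""
    posterior = query("share", {"relationship": relationship, "sensitivity": sensitivity})
    return posterior["yes"] >= threshold


if __name__ == "__main__":
    for rel in ("close", "acquaintance"):
        for sens in ("low", "high"):
            print(rel, sens, query("share", {"relationship": rel, "sensitivity": sens}))
    # Diagnostic direction: the user shared with an acquaintance; how likely is it that
    # they regard that acquaintance as trusted?
    print(query("trusted", {"share": "yes", "relationship": "acquaintance"}))
```

Enumeration is exponential in the number of hidden variables, which is fine for a policy elicited from a handful of interview themes; a model with dozens of variables would need variable elimination or sampling instead.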

Business Centered Security

Managing Security

Siloed security is driven by technical concerns:
  • Technical mechanisms are designed by technical people.
  • They are based on the system artifacts: groups, roles, transactions, etc.

Security should instead be aligned with business strategy:
  • Secure critical business processes, not just technologies.
  • Security threats are inevitable; the risk needs to be managed.
Security Risk Management

Use Enterprise Risk Management (ERM) to manage the (operational) risks related to security:
  • security mechanisms are controls that mitigate known risks to meeting the objectives of a business process,
  • tests audit the efficacy of the risk mitigation.

Security as an ongoing process:
  • measure, prioritize, mitigate,
  • security risk metrics and aggregation.

[S.N. Foley. Security Risk Management using Internal Controls. Proceedings of the ACM Workshop on Information Security Governance (held at ACM CCS), 2009;
S.N. Foley, H.B. Moss. A Risk-Metric Framework for Enterprise Risk Management. IBM Journal of Research and Development, to appear 2010.]
Risk Management of Network Access Controls

Security controls should be compliant with best practice. For example:
  • 1.2.1.a Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data. [PCI-DSS]

Semantic configuration models facilitate automated reasoning:
  • Analysis of an n-tier network for shadowing, redundancy, etc.
  • Encode catalogues of best practice [PCI-DSS, NIST SP 800-41, NIST SP 800-44, RFC 3330, RFC 1918].
  • Autonomic configuration based on catalogue search.

[W.M. Fitzgerald, S.N. Foley, M. O'Foghlu. Network Access Control Interoperation using Semantic Web Techniques. Proceedings of the 6th International Workshop on Security in Information Systems (WOSIS 2008), June 2008;
S.N. Foley, W.M. Fitzgerald. An Approach to Autonomic Security Policy Configuration using Semantic Threat Graphs. IFIP WG 11.3 Working Conference on Data and Applications Security, 2009. Springer LNCS 5645.]
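The two analyses the slide names, rule anomalies (shadowing, redundancy) and checking a configuration against a best-practice catalogue, can be shown on a plain rule list without the Semantic Web machinery of the cited papers. The block below is an added example and not the papers' tooling: it models a first-match firewall ruleset, reports rules that can never change the firewall's decision, and then applies two catalogue entries written for this example, an RFC 1918 anti-spoofing entry (private source addresses must be denied on the Internet-facing interface before any permit can match them) and a PCI DSS 1.2.1 entry (every permit into the cardholder data environment must be one of the documented necessary flows). The ruleset, the interface names `outside` and `dmz`, the cardholder zone 10.10.0.0/16 and the necessary-flow list are all constructed; the addresses are documentation and private ranges, not a real network.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "permit" or "deny"
    iface: str           # interface the rule is bound to, e.g. "outside", "dmz"
    proto: str           # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    ports: tuple         # inclusive destination port range; (0, 65535) means any


def R(name, action, iface, proto, src, dst, ports=(0, 65535)):
    return Rule(name, action, iface, proto, ip_network(src), ip_network(dst), ports)


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (outer.iface == inner.iface and outer.proto in ("any", inner.proto)
            and inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)
            and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1])


def overlaps(a, b):
    """True if some packet is matched by both rules."""
    return (a.iface == b.iface and ("any" in (a.proto, b.proto) or a.proto == b.proto)
            and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def analyse(rules):
    """First-match semantics: report rules that never change the firewall's decision."""
    findings = []
    for j, r in enumerate(rules):
        earlier = next((e for e in rules[:j] if covers(e, r)), None)
        if earlier is not None:
            # Every packet r could match is already decided by `earlier`.
            kind = "redundant" if earlier.action == r.action else "shadowed"
            findings.append((kind, r.name, earlier.name))
            continue
        for k in range(j + 1, len(rules)):
            later = rules[k]
            if (later.action == r.action and covers(later, r) and not covers(r, later)
                    and not any(m.action != r.action and overlaps(m, r) for m in rules[j + 1:k])):
                # Deleting r hands its packets to `later`, which decides them the same way.
                findings.append(("redundant", r.name, later.name))
                break
    return findings


ANY = ip_network("0.0.0.0/0")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_catalogue(rules, cde, necessary_flows):
    """Two catalogue entries encoded as checks (the encoding is this example's, not a standard's)."""
    findings = []
    # Anti-spoofing: the first "outside" rule a private source can match must be a blanket deny.
    for private in RFC1918:
        first = next((r for r in rules if r.iface == "outside" and r.src.overlaps(private)), None)
        blanket_deny = (first is not None and first.action == "deny" and first.proto == "any"
                        and private.subnet_of(first.src) and first.dst == ANY
                        and first.ports == (0, 65535))
        if not blanket_deny:
            findings.append(("spoofable-private-source", str(private), first.name if first else None))
    # PCI DSS 1.2.1: a permit into the cardholder zone must be covered by a documented flow.
    for r in rules:
        if (r.action == "permit" and r.dst.overlaps(cde)
                and not any(covers(flow, r) for flow in necessary_flows)):
            findings.append(("pci-dss-1.2.1-unnecessary-cde-flow", r.name))
    return findings


# Constructed example. The cardholder data environment (CDE) sits behind the dmz interface.
CDE = ip_network("10.10.0.0/16")
NECESSARY_FLOWS = [R("web-to-db", "permit", "dmz", "tcp", "10.20.1.0/24", "10.10.0.5/32", (5432, 5432))]
RULES = [
    R("a1", "deny",   "outside", "any", "10.0.0.0/8",      "0.0.0.0/0"),
    R("a2", "deny",   "outside", "any", "172.16.0.0/12",   "0.0.0.0/0"),   # 192.168/16 forgotten
    R("r1", "permit", "outside", "tcp", "0.0.0.0/0",       "203.0.113.10/32", (443, 443)),
    R("r2", "deny",   "outside", "any", "0.0.0.0/0",       "10.10.0.0/16"),
    R("r3", "permit", "outside", "tcp", "0.0.0.0/0",       "203.0.113.10/32", (443, 443)),
    R("r4", "permit", "outside", "tcp", "198.51.100.0/24", "10.10.0.0/16", (1433, 1433)),
    R("r5", "permit", "dmz",     "tcp", "10.20.1.0/24",    "10.10.0.5/32", (5432, 5432)),
    R("r6", "permit", "dmz",     "tcp", "10.20.0.0/16",    "10.10.0.0/16"),
]

if __name__ == "__main__":
    for finding in analyse(RULES) + check_catalogue(RULES, CDE, NECESSARY_FLOWS):
        print(finding)
```

Rule r4 is reported twice, as shadowed by r2 and as an unnecessary CDE flow; the anomaly finding alone would have an administrator delete it as dead, while the catalogue finding records why it must not be reinstated if r2 is ever relaxed. That is the difference between a syntactic ruleset check and one that carries the intent of the best practice.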

Federated Security

Security Policy

Centralized policy, closed system:
  • Centralized authority, controlled by an administrator.
  • Principle of no privilege.
  • The opportunity to subvert the administrator is usually small.

Decentralized policy, open system:
  • Decentralized authority across multiple stakeholders.
  • Principle of flexible privilege.
  • Opportunity to subvert stakeholders' intentions?
Secure Coalitions

Federation as a coalition of principals/federations:
  • coalition policy governs actions,
  • coalition formation is governed by the participants,
  • policy is decentralized/distributed across a PKI,
  • principle of governed flexible privilege.

In the absence of a centralized authority, the actions of a malicious principal/coalition should not be able to circumvent the policy.

[S.N. Foley, H. Zhou. Authorisation Subterfuge by Delegation in Decentralised Networks. Proceedings of the International Security Protocols Workshop, Cambridge, UK, 2005. Springer LNCS;
H. Zhou, S.N. Foley. A Framework for Establishing Decentralized Secure Coalitions. IEEE Computer Security Foundations Workshop, 2006.]
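The requirement above, that a malicious principal cannot circumvent policy even though no central authority exists, is what a delegation-chain check enforces locally at whoever guards the resource. The block below is an added example and not the framework of the cited papers: a simplified authorisation-certificate chain in the style of SPKI/SDSI delegation, where each link must be issued by the previous link's subject, the issuer must hold a delegation right, and a link may pass on only a subset of what its issuer holds. Signature verification of each certificate by the PKI layer is assumed to have already succeeded and is not modelled, so the checks shown are exactly the ones that remain once every signature is good: a correctly signed certificate from a participant who tries to grant more than they hold still fails. The principal names, the resource name and the permission names are invented.

```python
from dataclasses import dataclass
from typing import FrozenSet, Sequence


@dataclass(frozen=True)
class Cert:
    """Authorisation certificate: `issuer` grants `subject` the `perms` on `resource`.
    Its signature is assumed to have been checked by the PKI layer before it reaches us."""
    issuer: str
    subject: str
    resource: str
    perms: FrozenSet[str]
    delegate: bool      # may `subject` pass (a subset of) `perms` on to others?
    expires: int        # Unix time after which the certificate is void


class ChainError(Exception):
    pass


def reduce_chain(chain: Sequence[Cert], owner: str, now: int) -> FrozenSet[str]:
    """Return the permissions the final subject of `chain` holds on the resource.
    The only trust root is the resource owner; no central policy server is consulted."""
    if not chain:
        raise ChainError("empty chain")
    if chain[0].issuer != owner:
        raise ChainError(f"chain does not start at the resource owner {owner!r}")
    held = chain[0].perms
    for i, cert in enumerate(chain):
        if cert.expires <= now:
            raise ChainError(f"certificate {i} has expired")
        if cert.resource != chain[0].resource:
            raise ChainError(f"certificate {i} names a different resource")
        if i > 0:
            prev = chain[i - 1]
            if cert.issuer != prev.subject:
                raise ChainError(f"certificate {i} issued by {cert.issuer!r}, not by {prev.subject!r}")
            if not prev.delegate:
                raise ChainError(f"{prev.subject!r} holds no delegation right")
            if not cert.perms <= held:
                raise ChainError(f"{cert.issuer!r} grants {sorted(cert.perms - held)} it does not hold")
        held = cert.perms      # authority can only shrink along the chain
    return held


def authorise(chain, owner, requester, resource, action, now) -> bool:
    """Local decision for `requester` asking to perform `action` on `resource`."""
    try:
        perms = reduce_chain(chain, owner, now)
    except ChainError:
        return False
    return chain[-1].subject == requester and chain[0].resource == resource and action in perms


# Constructed scenario: Org-A owns a repository and federates access through Alice.
OWNER, RESOURCE, NOW, LATER = "Org-A", "repo:project-x", 1_700_000_000, 1_800_000_000
ALL = frozenset({"read", "write", "admin"})
c_alice = Cert(OWNER, "Alice", RESOURCE, ALL, True, LATER)
c_bob   = Cert("Alice", "Bob", RESOURCE, frozenset({"read", "write"}), True, LATER)
c_carol = Cert("Bob", "Carol", RESOURCE, frozenset({"read"}), False, LATER)
GOOD_CHAIN = [c_alice, c_bob, c_carol]

# Malicious variants. Each certificate is well-formed and, by assumption, validly signed
# by its issuer; the chain logic alone has to reject them.
ESCALATION_CHAIN  = [c_alice, c_bob, Cert("Bob", "Carol", RESOURCE, ALL, False, LATER)]
NO_DELEGATE_CHAIN = GOOD_CHAIN + [Cert("Carol", "Dave", RESOURCE, frozenset({"read"}), False, LATER)]
SELF_ISSUED_CHAIN = [Cert("Mallory", "Mallory", RESOURCE, ALL, True, LATER)]
STALE_CHAIN       = [c_alice, Cert("Alice", "Bob", RESOURCE, frozenset({"read"}), False, NOW - 1)]

if __name__ == "__main__":
    print("Carol holds:", sorted(reduce_chain(GOOD_CHAIN, OWNER, NOW)))
    for label, chain, who, act in [("escalation", ESCALATION_CHAIN, "Carol", "admin"),
                                   ("no-delegate", NO_DELEGATE_CHAIN, "Dave", "read"),
                                   ("self-issued", SELF_ISSUED_CHAIN, "Mallory", "admin"),
                                   ("stale", STALE_CHAIN, "Bob", "read")]:
        print(label, authorise(chain, OWNER, who, RESOURCE, act, NOW))
```

The subset test on each link is the whole of the "governed flexible privilege" idea in miniature: any participant may delegate, but the verifier recomputes the chain from the owner's certificate outward, so no participant, and no coalition of participants downstream of one, can manufacture authority the owner never issued. What the check does not defend against on its own is ambiguity in what a permission name means to different issuers, which is the subterfuge problem the first cited paper studies.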

Weitere ähnliche Inhalte

Was ist angesagt?

Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesJack Nichelson
 
The Role of Information Security Policy
The Role of Information Security PolicyThe Role of Information Security Policy
The Role of Information Security PolicyRobot Mode
 
Information Security By Design
Information Security By DesignInformation Security By Design
Information Security By DesignNalneesh Gaur
 
E5 rothke - deployment strategies for effective encryption
E5   rothke - deployment strategies for effective encryptionE5   rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryptionBen Rothke
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security BlueprintZefren Edior
 
مشروع الامن السيبراني
مشروع الامن السيبرانيمشروع الامن السيبراني
مشروع الامن السيبرانيmeshalalmrwani
 
Information Security : Is it an Art or a Science
Information Security : Is it an Art or a ScienceInformation Security : Is it an Art or a Science
Information Security : Is it an Art or a SciencePankaj Rane
 
Why Traditional Security has Failed
Why Traditional Security has Failed Why Traditional Security has Failed
Why Traditional Security has Failed Steven_Jackson
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...UBM_Design_Central
 
Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)MetroStar
 
Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013Tuan Phan
 
Information security principles
Information security principlesInformation security principles
Information security principlesDan Morrill
 
Continuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk ScoringContinuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk ScoringQ1 Labs
 
An information security governance framework
An information security governance frameworkAn information security governance framework
An information security governance frameworkAnne ndolo
 
RMF Training, Risk Management Framework Implementation
RMF Training, Risk Management Framework ImplementationRMF Training, Risk Management Framework Implementation
RMF Training, Risk Management Framework ImplementationBryan Len
 
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdfControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdfsulu98
 

Was ist angesagt? (20)

Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your Vulnerabilities
 
The Role of Information Security Policy
The Role of Information Security PolicyThe Role of Information Security Policy
The Role of Information Security Policy
 
Information Security By Design
Information Security By DesignInformation Security By Design
Information Security By Design
 
E5 rothke - deployment strategies for effective encryption
E5   rothke - deployment strategies for effective encryptionE5   rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryption
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
 
Stu r35 b
Stu r35 bStu r35 b
Stu r35 b
 
مشروع الامن السيبراني
مشروع الامن السيبرانيمشروع الامن السيبراني
مشروع الامن السيبراني
 
Information Security : Is it an Art or a Science
Information Security : Is it an Art or a ScienceInformation Security : Is it an Art or a Science
Information Security : Is it an Art or a Science
 
iCode Security Architecture Framework
iCode Security Architecture FrameworkiCode Security Architecture Framework
iCode Security Architecture Framework
 
Why Traditional Security has Failed
Why Traditional Security has Failed Why Traditional Security has Failed
Why Traditional Security has Failed
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
 
Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)Guide to Risk Management Framework (RMF)
Guide to Risk Management Framework (RMF)
 
Lesson 1 - Introduction
Lesson 1 - Introduction Lesson 1 - Introduction
Lesson 1 - Introduction
 
002.itsecurity bcp v1
002.itsecurity bcp v1002.itsecurity bcp v1
002.itsecurity bcp v1
 
Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013Key Points of FISMA Reforms of 2013
Key Points of FISMA Reforms of 2013
 
Information security principles
Information security principlesInformation security principles
Information security principles
 
Continuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk ScoringContinuous Monitoring and Real Time Risk Scoring
Continuous Monitoring and Real Time Risk Scoring
 
An information security governance framework
An information security governance frameworkAn information security governance framework
An information security governance framework
 
RMF Training, Risk Management Framework Implementation
RMF Training, Risk Management Framework ImplementationRMF Training, Risk Management Framework Implementation
RMF Training, Risk Management Framework Implementation
 
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdfControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
ControlsforProtectingCriticalInformationInfrastructurefromCyberattacks (1).pdf
 

Andere mochten auch

Mini project 1
Mini project 1Mini project 1
Mini project 1tasevski
 
Poweerrr1
Poweerrr1Poweerrr1
Poweerrr1Nodet
 
Bebidas azucaras
Bebidas azucarasBebidas azucaras
Bebidas azucarasCERN
 
User Manuel
User ManuelUser Manuel
User Manueltasevski
 

Andere mochten auch (6)

Twitter
TwitterTwitter
Twitter
 
Mini project 1
Mini project 1Mini project 1
Mini project 1
 
Poweerrr1
Poweerrr1Poweerrr1
Poweerrr1
 
Bebidas azucaras
Bebidas azucarasBebidas azucaras
Bebidas azucaras
 
Digifinal
DigifinalDigifinal
Digifinal
 
User Manuel
User ManuelUser Manuel
User Manuel
 

Ähnlich wie Simon Foley

2006 issa journal-organizingand-managingforsuccess
2006 issa journal-organizingand-managingforsuccess2006 issa journal-organizingand-managingforsuccess
2006 issa journal-organizingand-managingforsuccessasundaram1
 
Whitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcingWhitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcingRaghuraman Ramamurthy
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
SEMINAR ghajkakqkqkvnnkamsmAJAY PPT.pptx
SEMINAR ghajkakqkqkvnnkamsmAJAY PPT.pptxSEMINAR ghajkakqkqkvnnkamsmAJAY PPT.pptx
SEMINAR ghajkakqkqkvnnkamsmAJAY PPT.pptxprasanna212623
 
IDBI Intech - Information security consulting
IDBI Intech - Information security consultingIDBI Intech - Information security consulting
IDBI Intech - Information security consultingIDBI Intech
 
Cisco Yıllık Güvenlik Raporu 2015
Cisco Yıllık Güvenlik Raporu 2015Cisco Yıllık Güvenlik Raporu 2015
Cisco Yıllık Güvenlik Raporu 2015Marketing Türkiye
 
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...EC-Council
 
report on Mobile security
report on Mobile securityreport on Mobile security
report on Mobile securityJAYANT RAJURKAR
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet SecurityAna Meskovska
 
Strategically moving towards a secure hybrid it
Strategically moving towards a secure hybrid itStrategically moving towards a secure hybrid it
Strategically moving towards a secure hybrid itAvancercorp
 
The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...United Security Providers AG
 
Micro-Segmentation for Data Centers - Without Using Internal Firewalls
Micro-Segmentation for Data Centers - Without Using Internal FirewallsMicro-Segmentation for Data Centers - Without Using Internal Firewalls
Micro-Segmentation for Data Centers - Without Using Internal FirewallsColorTokens Inc
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsPECB
 
Cyber security framework
Cyber security frameworkCyber security framework
Cyber security frameworkYann Lecourt
 
From checkboxes to frameworks
From checkboxes to frameworksFrom checkboxes to frameworks
From checkboxes to frameworksVincent Bellamy
 
113505 6969-ijecs-ijens
113505 6969-ijecs-ijens113505 6969-ijecs-ijens
113505 6969-ijecs-ijensgeekmodeboy
 

Ähnlich wie Simon Foley (20)

2006 issa journal-organizingand-managingforsuccess
2006 issa journal-organizingand-managingforsuccess2006 issa journal-organizingand-managingforsuccess
2006 issa journal-organizingand-managingforsuccess
 
Whitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcingWhitepaper - Data Security while outsourcing
Whitepaper - Data Security while outsourcing
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
SEMINAR ghajkakqkqkvnnkamsmAJAY PPT.pptx
SEMINAR ghajkakqkqkvnnkamsmAJAY PPT.pptxSEMINAR ghajkakqkqkvnnkamsmAJAY PPT.pptx
SEMINAR ghajkakqkqkvnnkamsmAJAY PPT.pptx
 
IDBI Intech - Information security consulting
IDBI Intech - Information security consultingIDBI Intech - Information security consulting
IDBI Intech - Information security consulting
 
Ccie security 01
Ccie security 01Ccie security 01
Ccie security 01
 
Cisco Yıllık Güvenlik Raporu 2015
Cisco Yıllık Güvenlik Raporu 2015Cisco Yıllık Güvenlik Raporu 2015
Cisco Yıllık Güvenlik Raporu 2015
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-Fundamentals
 
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
 
Why physical security just isn’t enough, Sending the heavies into virtualized...
Why physical security just isn’t enough, Sending the heavies into virtualized...Why physical security just isn’t enough, Sending the heavies into virtualized...
Why physical security just isn’t enough, Sending the heavies into virtualized...
 
Rogers eBook Security
Rogers eBook SecurityRogers eBook Security
Rogers eBook Security
 
report on Mobile security
report on Mobile securityreport on Mobile security
report on Mobile security
 
2 Security And Internet Security
2 Security And Internet Security2 Security And Internet Security
2 Security And Internet Security
 
Strategically moving towards a secure hybrid it
Strategically moving towards a secure hybrid itStrategically moving towards a secure hybrid it
Strategically moving towards a secure hybrid it
 
The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...
 
Micro-Segmentation for Data Centers - Without Using Internal Firewalls
Micro-Segmentation for Data Centers - Without Using Internal FirewallsMicro-Segmentation for Data Centers - Without Using Internal Firewalls
Micro-Segmentation for Data Centers - Without Using Internal Firewalls
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO Standards
 
Cyber security framework
Cyber security frameworkCyber security framework
Cyber security framework
 
From checkboxes to frameworks
From checkboxes to frameworksFrom checkboxes to frameworks
From checkboxes to frameworks
 
113505 6969-ijecs-ijens
113505 6969-ijecs-ijens113505 6969-ijecs-ijens
113505 6969-ijecs-ijens
 

Kürzlich hochgeladen

Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 

Kürzlich hochgeladen (20)

Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 

Simon Foley

Trust Management Policy Elicitation

Use qualitative analysis methods from social sciences to elicit trust management policy for photograph sharing.

  ¢ Explore user-experience through semi-structured interviews.

  ¢ Qualitative analysis elicits policy requirements.

  ¢ Model the result in a Bayesian Network.

User requirements more complex than basic access controls.

[S.N. Foley, V.M. Rooney. Qualitative Analysis for Trust Management. International Security Protocols Workshop, Cambridge, 2009. Springer LNCS.]

6 / 15

Business Centered Security

7 / 15

Managing Security

Siloed security driven by technical concerns.

  ¢ Technical mechanisms designed by technical people.

  ¢ Based on the system artifacts: groups, roles, transactions, etc.

Should align security with business strategy.

  ¢ Secure critical business processes, not just technologies.

  ¢ Security threats are inevitable, need to manage the risk.

8 / 15
Security Risk Management

Use Enterprise Risk Management (ERM) to manage (operational) risks related to security:

  ¢ security mechanisms as controls that mitigate known risks in meeting objectives of business process,

  ¢ tests that audit efficacy of risk mitigation.

Security as an ongoing process:

  ¢ measure, prioritize, mitigate,

  ¢ security risk metrics and aggregation.

[S.N. Foley. Security Risk Management using Internal Controls, Proceedings of ACM Workshop on Information Security Governance (held at ACM-CCS), 2009; S.N. Foley, H.B. Moss. A Risk-Metric Framework for Enterprise Risk Management, IBM Journal of Research and Development, to appear 2010.]

10 / 15
Risk Management of Network Access Controls

Security controls should be compliant with best practice.

  ¢ 1.2.1.a Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data. [PCI-DSS]

Semantic configuration models facilitate automated reasoning:

  ¢ Analysis of n-tier network for shadowing, redundancy, etc.

  ¢ Encode catalogues of best practice [PCI-DSS, NIST-800-41, NIST-800-44, RFC-3330, RFC-1918].

  ¢ Autonomic configuration based on catalogue search.

[W.M. Fitzgerald, S.N. Foley, M. O'Foghlu. Network Access Control Interoperation using Semantic Web Techniques, In Proceedings of 6th International Workshop on Security in Information Systems (WOSIS 2008), June 2008; S.N. Foley and W.M. Fitzgerald. An Approach to Autonomic Security Policy Configuration using Semantic Threat Graphs. IFIP WG 11.3 Working Conference on Data and Applications Security 2009. Springer LNCS 5645.]

11 / 15
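The shadowing and redundancy analysis mentioned above, as an added example that is not code from the talk or from the cited papers: it checks an ordered, first-match firewall ruleset for rules that can never fire. The `Rule` format, the function names and the sample DMZ/cardholder-data ruleset are constructed for illustration.

```python
"""Shadowing / redundancy check for an ordered, first-match firewall ruleset.
Added example, not code from the talk or the cited papers; the rule format,
the helper names and the sample ruleset below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: str             # source CIDR
    dst: str             # destination CIDR
    dports: tuple        # inclusive (low, high) destination port range

    def covers(self, other):
        """True when every packet matched by `other` is also matched by self."""
        return ((self.proto == "any" or self.proto == other.proto)
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.dports[0] <= other.dports[0] <= other.dports[1] <= self.dports[1])


def find_anomalies(rules):
    """Return (rule_index, kind, covering_index) for each rule that can never fire.

    'shadowed':  an earlier rule with a different action matches all its packets.
    'redundant': an earlier rule with the same action matches all its packets.
    Only single-rule subsumption is checked, not coverage by a union of rules."""
    findings = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if rules[j].covers(rule):
                kind = "redundant" if rules[j].action == rule.action else "shadowed"
                findings.append((i, kind, j))
                break  # the first covering rule decides; later ones never see the packet
    return findings


# Constructed ruleset: a DMZ (10.1.1.0/24) in front of a cardholder data
# environment (10.1.2.0/24) whose database host is 10.1.2.5.
RULES = [
    Rule("allow", "tcp", "10.1.1.0/24", "10.1.2.0/24", (443, 443)),     # intended app traffic
    Rule("allow", "any", "10.1.1.0/24", "10.1.2.0/24", (0, 65535)),     # over-broad allow
    Rule("deny", "tcp", "10.1.1.0/24", "10.1.2.5/32", (22, 22)),        # meant to block SSH to the DB
    Rule("deny", "any", "0.0.0.0/0", "10.1.2.0/24", (0, 65535)),        # default deny into the CDE
    Rule("allow", "tcp", "10.1.1.10/32", "10.1.2.5/32", (1433, 1433)),  # DB access from one host
]

if __name__ == "__main__":
    for idx, kind, by in find_anomalies(RULES):
        print(f"rule {idx} is {kind} by rule {by}: {RULES[idx]}")
```

Rule 2 is shadowed by the broad allow in rule 1, so the intended SSH block never takes effect and traffic into the cardholder data environment is not limited to what is necessary, which is exactly the 1.2.1.a condition an automated check against the ruleset can flag before an audit does.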
Federated Security

12 / 15

Security Policy

Centralized policy, closed system.

  ¢ Centralized authority, controlled by administrator.

  ¢ Principle of no privilege.

  ¢ Opportunity to subvert administrator usually small.

Decentralized policy, open system.

  ¢ Decentralized authority across multiple stakeholders.

  ¢ Principle of flexible privilege.

  ¢ Opportunity to subvert stakeholder intentions?

13 / 15
Secure Coalitions

Federation as coalition of principals/federations.

  ¢ coalition policy governs actions,

  ¢ coalition formation governed by participants,

  ¢ policy decentralized/distributed across PKI,

  ¢ principle of governed flexible privilege.

In the absence of a centralized authority, the actions of a malicious principal/coalition should not be able to circumvent policy.

[S.N. Foley and H. Zhou. Authorisation Subterfuge by Delegation in Decentralised Networks, In Proceedings of International Security Protocols Workshop, Cambridge UK, 2005. Springer Verlag LNCS; H. Zhou and S.N. Foley. A Framework for Establishing Decentralized Secure Coalitions. IEEE Computer Security Foundations, 2006.]

15 / 15