1. Academic Perspective
Some Security Activities at University College Cork
Simon Foley
Department of Computer Science,
University College Cork, Ireland
www.cs.ucc.ie/~s.foley
2. Overview of Computer Security Activities
Advance foundational results in security by considering the application of security in practice.
User Centered Security
Business Centered Security
Federated Security
Research
• Security policy models and mechanisms
• Federated and distributed systems security
• Security risk management and governance
Teaching
• Computer security (undergraduate)
• Network security & Mobile systems security (postgraduate)
• Final year BSc and taught MSc projects in Security.
4. Security Policy Requirements Elicitation
Policy elicitation often driven by technical concerns.
• Technical policies designed by technical people.
• Based on the system artifacts with which users interact: groups, roles, transactions, etc.
Should consider needs of individuals and their relationships.
• Balance individuals’ requirements [e.g., Multilateral Security].
• Include human issues.
How can we address this?
5.
6. Trust Management Policy Elicitation
Use qualitative analysis methods from social sciences to elicit trust management policy for photograph sharing.
• Explore user-experience through semi-structured interviews.
• Qualitative analysis elicits policy requirements.
• Model the result in a Bayesian Network.
User requirements more complex than basic access controls.
[S.N. Foley, V.M. Rooney. Qualitative Analysis for Trust Management. International Security Protocols Workshop, Cambridge, 2009. Springer LNCS.]
8. Managing Security
Siloed security driven by technical concerns.
• Technical mechanisms designed by technical people.
• Based on the system artifacts: groups, roles, transactions, etc.
Should align security with business strategy.
• Secure critical business processes, not just technologies.
• Security threats are inevitable, need to manage the risk.
9.
10. Security Risk Management
Use Enterprise Risk Management (ERM) to manage (operational) risks related to security:
• security mechanisms as controls that mitigate known risks in meeting objectives of business process,
• tests that audit efficacy of risk mitigation.
Security as an ongoing process:
• measure, prioritize, mitigate,
• security risk metrics and aggregation.
[S.N. Foley. Security Risk Management using Internal Controls, Proceedings of ACM Workshop on Information Security Governance (held at ACM-CCS), 2009;
S.N. Foley, H.B. Moss. A Risk-Metric Framework for Enterprise Risk Management, IBM Journal of Research and Development, to appear 2010.]
11. Risk Management of Network Access Controls
Security controls should be compliant with best practice.
• 1.2.1.a Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data. [PCI-DSS]
Semantic configuration models facilitate automated reasoning:
• Analysis of n-tier network for shadowing, redundancy, etc.
• Encode catalogues of best practice [PCI-DSS, NIST-800-41, NIST-800-44, RFC-3330, RFC-1918].
• Autonomic configuration based on catalogue search.
[W.M. Fitzgerald, S.N. Foley, M O’Foghlu. Network Access Control Interoperation using Semantic Web Techniques, In
Proceedings of 6th International Workshop on Security in Information Systems, (WOSIS 2008), June 2008;
S.N. Foley and W.M. Fitzgerald. An Approach to Autonomic Security Policy Configuration using Semantic Threat
Graphs. IFIP WG 11.3 Working Conference on Data and Applications Security 2009. Springer LNCS 5645.]
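The shadowing, redundancy and best-practice checks named on this slide, sketched over a first-match rule list. This is an added example, not the semantic-web models of the cited papers: the `Rule` type, the `covers` and `analyse` functions, the rule set, and the encoding of an RFC 1918 check as a catalogue entry are assumptions constructed for illustration, and coverage is tested against one earlier rule at a time rather than a union of rules.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    ports: range  # destination ports

def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.ports.start <= b.ports.start and b.ports.stop <= a.ports.stop)

def analyse(rules):
    """Analyse a first-match rule list; returns (kind, rule, cause) findings."""
    findings = []
    for i, rule in enumerate(rules):
        earlier = rules[:i]
        # Shadowed / redundant: an earlier rule already matches everything.
        hit = next((e for e in earlier if covers(e, rule)), None)
        if hit is not None:
            kind = "redundant" if hit.action == rule.action else "shadowed"
            findings.append((kind, rule.name, hit.name))
            continue
        # Constructed catalogue entry: no allow rule admits an RFC 1918 source.
        if rule.action != "allow":
            continue
        src = ip_network(rule.src)
        for block in filter(src.overlaps, RFC1918):
            part = block if block.subnet_of(src) else src
            probe = replace(rule, src=str(part))
            if not any(e.action == "deny" and covers(e, probe) for e in earlier):
                findings.append(("rfc1918-source", rule.name, str(block)))
    return findings

# Constructed external-interface rule set (documentation address ranges).
ANY = range(0, 65536)
RULES = [
    Rule("deny-10", "deny", "10.0.0.0/8", "0.0.0.0/0", ANY),
    Rule("allow-web", "allow", "0.0.0.0/0", "203.0.113.10/32", range(443, 444)),
    Rule("allow-partner", "allow", "198.51.100.0/24", "203.0.113.10/32", range(443, 444)),
    Rule("allow-legacy", "allow", "10.1.0.0/16", "203.0.113.10/32", range(80, 81)),
]
```

Calling `analyse(RULES)` reports the two private blocks still admitted by `allow-web`, the redundant `allow-partner` rule and the shadowed `allow-legacy` rule; placing deny rules for the remaining private blocks ahead of `allow-web` clears the catalogue findings.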
13. Security Policy
Centralized policy, closed system.
• Centralized authority, controlled by administrator.
• Principle of no privilege.
• Opportunity to subvert administrator usually small.
Decentralized policy, open system.
• Decentralized authority across multiple stakeholders.
• Principle of flexible privilege.
• Opportunity to subvert stakeholder intentions?
14.
15. Secure Coalitions
Federation as coalition of principals/federations.
• coalition policy governs actions,
• coalition formation governed by participants,
• policy decentralized/distributed across PKI,
• principle of governed flexible privilege.
In the absence of a centralized authority, the actions of a malicious principal/coalition should not be able to circumvent policy.
[S.N. Foley and H. Zhou. Authorisation Subterfuge by Delegation in Decentralised Networks. In Proceedings of International Security Protocols Workshop, Cambridge UK 2005. Springer Verlag LNCS;
H. Zhou and S.N. Foley. A Framework for Establishing Decentralized Secure Coalitions. IEEE Computer Security Foundations, 2006.]