Academic Perspective
Some Security Activities at University College Cork

     Simon Foley
     Department of Computer Science,
     University College Cork, Ireland
     www.cs.ucc.ie/~s.foley

Overview of Computer Security Activities

User Centered Security
Business Centered Security
Federated Security

Advance foundational results in security by considering the application of security in practice.

Research

  • Security policy models and mechanisms
  • Federated and distributed systems security
  • Security risk management and governance

Teaching

  • Computer security (undergraduate)
  • Network security & Mobile systems security (postgraduate)
  • Final year BSc and taught MSc projects in Security.


User Centered Security

Security Policy Requirements Elicitation

Policy elicitation often driven by technical concerns.

  • Technical policies designed by technical people.
  • Based on the system artifacts with which users interact: groups, roles, transactions, etc.

Should consider needs of individuals and their relationships.

  • Balance individuals’ requirements [e.g., Multilateral Security].
  • Include human issues.

How can we address this?

Trust Management Policy Elicitation

Use qualitative analysis methods from social sciences to elicit trust management policy for photograph sharing.

  • Explore user-experience through semi-structured interviews.
  • Qualitative analysis elicits policy requirements.
  • Model the result in a Bayesian Network.

User requirements more complex than basic access controls.

[S.N. Foley, V.M. Rooney. Qualitative Analysis for Trust Management. International Security Protocols Workshop, Cambridge, 2009. Springer LNCS.]


Business Centered Security

Managing Security

Siloed security driven by technical concerns.

  • Technical mechanisms designed by technical people.
  • Based on the system artifacts: groups, roles, transactions, etc.

Should align security with business strategy.

  • Secure critical business processes, not just technologies.
  • Security threats are inevitable, need to manage the risk.

Security Risk Management

Use Enterprise Risk Management (ERM) to manage (operational) risks related to security:

  • security mechanisms as controls that mitigate known risks in meeting objectives of business process,
  • tests that audit efficacy of risk mitigation.

Security as an ongoing process:

  • measure, prioritize, mitigate,
  • security risk metrics and aggregation.

[S.N. Foley. Security Risk Management using Internal Controls, Proceedings of ACM Workshop on Information Security Governance (held at ACM-CCS), 2009;
S.N. Foley, H.B. Moss. A Risk-Metric Framework for Enterprise Risk Management, IBM Journal of Research and Development, to appear 2010.]

Risk Management of Network Access Controls

Security controls should be compliant with best practice.

  • 1.2.1.a Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data. [PCI-DSS]

Semantic configuration models facilitate automated reasoning:

  • Analysis of n-tier network for shadowing, redundancy, etc.
  • Encode catalogues of best practice [PCI-DSS, NIST-800-41, NIST-800-44, RFC-3330, RFC-1918].
  • Autonomic configuration based on catalogue search.

[W.M. Fitzgerald, S.N. Foley, M O’Foghlu. Network Access Control Interoperation using Semantic Web Techniques, In Proceedings of 6th International Workshop on Security in Information Systems, (WOSIS 2008), June 2008;
S.N. Foley and W.M. Fitzgerald. An Approach to Autonomic Security Policy Configuration using Semantic Threat Graphs. IFIP WG 11.3 Working Conference on Data and Applications Security 2009. Springer LNCS 5645.]
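
Added example (not from the slides or the cited papers): a plain-Python stand-in for the automated reasoning this slide describes, checking a first-match rule list for shadowed and redundant rules and against one catalogue entry (no RFC 1918 sources accepted on the Internet-facing interface). The rule names, interfaces, addresses and the simplified anomaly definitions are assumptions made for illustration; the cited work uses semantic-web models rather than code like this.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_network

# RFC 1918 private address blocks (one entry of a best-practice catalogue).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY_PORT = (0, 65535)
ANY_ADDR = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    name: str
    iface: str      # ingress interface, or "any"
    src: str        # source CIDR
    dst: str        # destination CIDR
    ports: tuple    # inclusive destination port range (lo, hi)
    action: str     # "accept" or "drop"

def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return (a.iface in ("any", b.iface)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])

def find_anomalies(rules):
    """Return (kind, dead_rule, earlier_rule) for rules that can never fire.

    Simplified definitions (assumption): a later rule fully covered by an
    earlier one is "shadowed" if the actions differ, "redundant" if equal.
    """
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                found.append((kind, later.name, earlier.name))
                break  # the first covering rule decides under first-match
    return found

def rfc1918_violations(rules, external_iface):
    """Accept rules that admit RFC 1918 sources on the external interface."""
    found = []
    for j, rule in enumerate(rules):
        if rule.action != "accept" or rule.iface not in ("any", external_iface):
            continue
        net = ip_network(rule.src)
        for block in RFC1918:
            if not net.overlaps(block):
                continue
            # Overlapping CIDR blocks nest, so the intersection is the smaller.
            private = net if net.subnet_of(block) else block
            probe = replace(rule, iface=external_iface, src=str(private))
            dropped = any(e.action == "drop" and covers(e, probe)
                          for e in rules[:j])
            if not dropped:
                found.append((rule.name, str(block)))
    return found

# Constructed sample: eth0 faces the Internet, eth1 the application tier.
WEB = "203.0.113.10/32"
RULES = [
    Rule("r1", "eth0", "10.0.0.0/8", ANY_ADDR, ANY_PORT, "drop"),
    Rule("r2", "eth0", ANY_ADDR, WEB, (443, 443), "accept"),
    Rule("r3", "eth0", "198.51.100.0/24", WEB, (443, 443), "accept"),
    Rule("r4", "eth0", "192.0.2.0/24", WEB, (443, 443), "drop"),
    Rule("r5", "eth1", "10.1.0.0/16", "10.2.0.5/32", (5432, 5432), "accept"),
]

if __name__ == "__main__":
    for finding in find_anomalies(RULES):
        print(finding)
    for finding in rfc1918_violations(RULES, "eth0"):
        print("RFC 1918 source accepted:", finding)
```

In the sample, r4 shows why shadowing matters for risk: the administrator intended to block 192.0.2.0/24, but r2 accepts that traffic first, so the control exists on paper without mitigating anything.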


Federated Security

Security Policy

Centralized policy, closed system.

  • Centralized authority, controlled by administrator.
  • Principle of no privilege.
  • Opportunity to subvert administrator usually small.

Decentralized policy, open system.

  • Decentralized authority across multiple stakeholders.
  • Principle of flexible privilege.
  • Opportunity to subvert stakeholder intentions?

Secure Coalitions

Federation as coalition of principals/federations.

  • coalition policy governs actions,
  • coalition formation governed by participants,
  • policy decentralized/distributed across PKI,
  • principle of governed flexible privilege.

In the absence of a centralized authority, the actions of a malicious principal/coalition should not be able to circumvent policy.

[S.N. Foley and H. Zhou, Authorisation Subterfuge by Delegation in Decentralised Networks. In Proceedings of International Security Protocols Workshop, Cambridge UK 2005. Springer Verlag LNCS;
H. Zhou and S.N. Foley, A Framework for Establishing Decentralized Secure Coalitions. IEEE Computer Security Foundations, 2006.]
