IST 2006 – 22/11/2006
Aljosa PasicAtos Origin
Security, Dependability and Trust in Service Infrastructures
IST 2006, 22/11/2006 - 2
Index
Service Oriented World
Where is the problem?
Examples
Security dimensions in Service Oriented World
ESFORS and NESSI
Research topics
Conclusion
IST 2006, 22/11/2006 - 3
Service Oriented World
Applications will need to utilise shared and co-owned services out of different domains of control that require to obey separate
security policies and ask for diverse security and dependability qualities
IST 2006, 22/11/2006 - 4
Coming problems
For industry: Demand for Secure software is much higher than available security expertise
For research/technology: New complex scenarios (e.g. ambient intelligence) introduce security issues not addressed by conventional engineering processes
For market consultants: Security properties difficult to measure and it is also difficult to evaluate their “compositional effects”
For users: Security segmentation and market definitions are blurring: “service infrastructure” covers network infrastructure, perimeter, desktop, server and application security
For auditors and lawyers: Who is accountable and liable for what? For society: Trust becomes a “key enabler” for service provision
and use For everyone: How much should we spend on security?
IST 2006, 22/11/2006 - 5
Example: Secure “Crossroads”
Hi, I am a software Hi, I am a software serviceservice
Hi, I am a really Hi, I am a really naughty naughty crossroadcrossroad
Cross - Platform , Cross - device , Cross - domain , Cross - ProtocolCross - Platform , Cross - device , Cross - domain , Cross - Protocol ……
IST 2006, 22/11/2006 - 6
Example: Secure “Crossroads”
Platform A, Credentials BPlatform A, Credentials B…… Device A, Protocol B Device A, Protocol B ……, ,
Pla
tform
B,
Pla
tform
B,
Cre
den
tials
AC
red
en
tials
A…… D
om
ain
C, p
olic
y C
Dom
ain
C, p
olic
y C
S2M
security
S2M
securityDyn
amic
Dyn
amic
A
dapt
atio
n
Ada
ptat
ion
““Factor 5“ Access and Factor 5“ Access and identityidentity
Shared understandingShared understanding
IST 2006, 22/11/2006 - 7
Security Dimensions in Service Infrastructures
Secure Services
Securing Services
Security as a service
IST 2006, 22/11/2006 - 8
ESFORS and NESSI WG TSD
NESSI
SC SB
NWG TSD
ESFORS
European Security Forum for Web Services, ESFORS
European Technology Platform: Networked European Software & service Initiative , NESSI
IST 2006, 22/11/2006 - 9
Objectives
Address the security and dependability requirements, challenges and priorities of emerging service oriented software applications
Bridge two communities: the software engineering (services, GRID) community and the security community
Support the NESSI vision and respond to security challenges
Address long-term research on trust, security and dependability in software and services
IST 2006, 22/11/2006 - 10
NESSI TSD in SRA Vol3.
1. Widespread and large-scale deployment of Privacy Enhancing Technologies (PETs)
2. Strong identity management
3. Security mechanisms for service
4. Trust & dependability management and assurance
5. Trusted certification tools for services
6. Openness as a foundation for systems security
7. Holistic Management of Trust
8. Engineering security throughout the whole lifecycle of Service oriented systems
9. Security of the human-computer interface
______________________________________
10. Inherently Stable and Safe Architectures (together with SOI NWG)
IST 2006, 22/11/2006 - 11
Current activity within research topic groups
1. Security mechanisms for services
2. Trust and dependability1. Trust analysis, management and monitoring
2. Dependability assessment and monitoring
3. Security and Dependability engineering
4. Dependable architectures
5. Identity considerations
6. Multidisciplinary and integrated approach to TSD
7. Security of the human-computer interface
8. Privacy considerations
9. Certification, auditing and assurance
10. Openness as a foundation for systems security
IST 2006, 22/11/2006 - 12
Mapping challenges, scenarios and research topics
Scenario Scenario AA
Scenario Scenario BB
Scenario Scenario CC
Decrease
Gap …
More sec. knowledge More Trusted components
More trusted relations
Handle
complexity
Dynamic & ad-hoc Cross-x Context dependent
Decision Making User involvement
Perception and psychology
Economics of security
Social mechanisms
IST 2006, 22/11/2006 - 13
Conclusions
It is not “business as usual”: we need many stakeholders in order to deal with trust, security and dependability in service oriented software applications
We have the responsibility to build secure software & services that MATCH people´s expectations and notions of trust (and also “trust just a little bit”).
Long-term research on trust, security and dependability in software and services should address components, mechanisms and processes, not all of them have technical nature
A large group of interested parties already started with the discussions within NESSI WG
Join us for the networking session 23/11, room 207 at 11:00
IST 2006, 22/11/2006 - 14
Contact for more information
Aljosa Pasic
Trust, Dependability and Security cannot be
“bolted on”, it should be “woven in”.