Deploying information security management for proper data life-cycle #appsecapac2014

OWASP Japan

March 19, 2014

Transcript

  1. Deploying information security management for proper data life-cycle
     Prof. Dr. Suguru Yamaguchi, Graduate School of Information Science, Nara Institute of Science and Technology, Japan.
  2. Overview
     • Global business
     • Data centric services
     • Information processing architecture and its security management
     • What we should do.
  3. Global Businesses
     • "Business Anywhere"
     • Optimization of business operation globally
     • High mobility of investments, enterprise resources, financial assets, information processing, and human resources.
     • Knowledge based economy
  4. Supply Chain Management (SCM), today
     [Diagram: suppliers, stock management, factories, logistics and customers connected through an ICT platform, which carries production optimization, financial management, and integrated business management & ERP.]
  5. Roles of Information Systems
     • Information storage & repository
     • Process reuse with economic efficiency
     • Handling "money"
     • Parallel processes to manage many devices
     • "Business Enabler"
       – Implement their business model on information systems.
     • Because information systems now manage all the business processes in any enterprise.
       – Direct improvement in economic efficiency through integration and interconnection of the systems.
       – New style of "value creation"
  6. Business Globalization
     • 1980's: Manufacturing industries made global supply chains. Automakers use "SCM".
     • 1990's: Financial services and Foreign Direct Investment. Global Banking System.
     • 2000's: Various services over the Internet. E-commerce for end consumers, a.k.a. "Cloud".
     • 2010's: Knowledge (Intelligence) from "Big Data".
  7. Business Globalization (continued)
     The same timeline as slide 6, annotated with the labels Goods, Money, Expertise, Data.
  8. Data life-cycle
     • Any data is in this life-cycle from its creation to discarding. Each process requires its specific security management.
     • We need risk assessment and threat analysis for each phase in this life-cycle.
     [Diagram: the life-cycle phases, each labelled with the control it needs: access control; encryption, access control, backup; right to do; dedicated software; right to do; rating.]
  9. Data centric service example – Smart House
     • Optimization of the use of electricity at home among the energy feed, solar power generation, storage in an EV, and use in the home, using HEMS (Home Energy Management System) and smart meters.
     • A mixture of management systems, running on an Internet platform, for net-enabled home appliances including HEMS.
  10. Example – Protection of home network
     • Protection of the data is the key.
       – Of course, system protection is important, and data transferred over the home network is the subject of security management of home networks.
       – Data is shared and used for management.
     • Various systems involved
       – Many non-PC devices
       – Various protocol standardizations
         • Echonet for HEMS (IS)
         • IoT & M2M (BBF etc.)
         • ITU-T, ISO/IEC, etc.
     • Security functions are vital, but still in the forest…
  11. M2M Architecture
     [Diagram, left to right: nodes (sensors, camera, mobile system, RFID, home appliances) → M2M gateway → M2M backbone over the Internet or some other network → application tier (database, application server, M2M application, client application).]
  12. Security management Anywhere
     • Any place where data is traveling needs security management. The idea of the "data life-cycle" gives many hints for designing the systems.
     • System protection is not the best fit for data protection. In many cases, specific data protection schemes are required.
     • Risk is diversified, and malicious activity is only part of it. Human errors and non-intentional troubles are the major portion of security incidents.
     • No security, no service.
  13. What we should do (1)
     • Set a data protection scheme
       – Encryption on transfer, storing, and use.
         • Key management
         • Decryption code has to be implemented smartly.
         • https is not enough in some cases.
       – Storage protection and backups
         • File
         • Database
         • File system
       – Good processing model
  14. What should we do (2)
     • Security in the backyard (back-end)
       – Bastion host
       – Strong server implementation
       – Protection of data in the backyard server.
         • Main storage for data
         • Is the clear pipe model good enough?
       – Sometimes we need end-point authentication.
         • Is PKI powerful enough?
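Slides 13 and 14 make one point from two sides: https is a "clear pipe" that protects bytes only between two TLS endpoints, so a TLS-terminating load balancer, a proxy log, or the back-end storage tier still sees plaintext unless the data itself is encrypted on transfer, storage and use, with the keys managed separately from the servers that hold the data. The Python below is an added example, not code from the talk or from any product it mentions. It shows the envelope pattern a practitioner would reach for: a fresh data-encryption key (DEK) per record, wrapped under a key-encryption key (KEK) that only the key-management side holds, with the record id bound into the authentication tag so a ciphertext cannot be moved to another record. All names (`client_encrypt_record`, `backend_decrypt_record`, the `patient/42` record id) are assumptions for illustration, and the cipher is a stdlib-only stand-in (HMAC-SHA256 in counter mode plus encrypt-then-MAC) chosen so the block runs without third-party packages; in production use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305.

```python
"""Application-layer (end-to-end) record encryption with envelope keys.

Added example, not code from the talk. The construction is deliberately
stdlib-only so it runs anywhere: a counter-mode stream cipher whose keystream
is HMAC-SHA256(key, nonce || counter), with an encrypt-then-MAC tag over
AAD || nonce || ciphertext under an independent key. That is a sound
PRF-in-CTR-plus-MAC design, but it is here for illustration; in production
use a vetted AEAD (AES-GCM, ChaCha20-Poly1305) from a real crypto library.
"""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(master: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one secret (HKDF-style expand).
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag. The tag binds aad, so a blob cannot be
    replayed in a different context (e.g. under another record id)."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before decrypting; raise on any change."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext, nonce or AAD modified")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def client_encrypt_record(kek: bytes, record_id: str, record: bytes) -> dict:
    """Client side: a fresh data-encryption key (DEK) per record, wrapped under the
    key-encryption key (KEK) that only the key-management side holds. Only the
    ciphertext and the wrapped DEK ever leave the client, so a TLS-terminating
    load balancer, a proxy log, or the storage tier sees no plaintext."""
    dek = secrets.token_bytes(32)
    ctx = record_id.encode()                      # bound as AAD: ties blobs to this id
    return {"id": record_id,
            "ct": seal(dek, record, aad=ctx),
            "wrapped_dek": seal(kek, dek, aad=ctx)}


def backend_decrypt_record(kek: bytes, stored: dict) -> bytes:
    """Trusted back-end (behind the bastion, with KEK access): unwrap, then open."""
    ctx = stored["id"].encode()
    dek = unseal(kek, stored["wrapped_dek"], aad=ctx)
    return unseal(dek, stored["ct"], aad=ctx)


def tamper_detected(kek: bytes, stored: dict) -> bool:
    """True if the record is rejected (bit flip, or ciphertext moved to another id)."""
    try:
        backend_decrypt_record(kek, stored)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    kek = secrets.token_bytes(32)                     # held by the key-management side only
    rec = client_encrypt_record(kek, "patient/42", b"blood type O+")
    print(backend_decrypt_record(kek, rec))          # b'blood type O+'
    flipped = dict(rec, ct=rec["ct"][:-1] + bytes([rec["ct"][-1] ^ 1]))
    moved = dict(rec, id="patient/43")
    print(tamper_detected(kek, flipped), tamper_detected(kek, moved))  # True True
```

This does not replace TLS or end-point authentication: the pipe still protects the request path and metadata, and the KEK has to live on the key-management side behind the bastion, never on the front-end servers, or the envelope buys nothing.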
  15. Scalable, Sustainable and Resilient Management
     [Chart: overhead of management (vertical axis) against the number of components in the information system to be managed (horizontal axis). Curves: "ideal"; "acceptable?", e.g. logarithmic growth (written O(n)=log on the slide); and a "course of collapse". The initial cost is the vertical intercept.]
  16. What we should do (3)
     • Scalability is quite important for service systems.
       – Scaling up to a million users is now easy to do, but it's so tough on security management.
       – Monitoring & analysis are the bottleneck of that process. We need good performance there. But how?
       – Distributed management system.
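Slides 15 and 16 ask for management overhead that grows far slower than the number of components, and name monitoring and analysis as the bottleneck to be solved by distributed management. The Python below is an added example, not code from the talk, of what that looks like in practice: each node parses its own auth log, keeps a fixed-size Count-Min sketch of failed logins per source IP plus the small set of sources that crossed a local threshold, and ships only that summary; the collector merges the sketches elementwise (they are mergeable by construction) and scores the union of candidates against a global threshold, so a source that spreads its attempts across many nodes is still caught. Per-node memory and upstream traffic are bounded by the sketch size plus the candidate set, independent of event volume. The trade-off a practitioner should know: a source that stays below the local threshold on every node is never nominated, even though the merged sketch still holds its count. The log lines, host names and addresses are constructed for the example, and `node_summarize`, `central_merge` and the thresholds are assumptions.

```python
"""Distributed security monitoring with bounded per-node state.

Added example, not code from the talk. Each node keeps a Count-Min sketch of
failed logins per source IP plus a small candidate set and ships only that
summary; the collector merges sketches and scores candidates globally.
The log lines below are constructed.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Set, Tuple

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")


class CountMin:
    """Count-Min sketch: depth rows of width counters; estimate never underestimates."""

    def __init__(self, width: int = 256, depth: int = 4) -> None:
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def _col(self, key: str, row: int) -> int:
        h = hashlib.sha256(f"{row}:{key}".encode()).digest()   # one hash per row
        return int.from_bytes(h[:8], "big") % self.width

    def add(self, key: str, n: int = 1) -> None:
        for r in range(self.depth):
            self.table[r][self._col(key, r)] += n

    def estimate(self, key: str) -> int:
        # Collisions can only inflate a row, so the minimum across rows is tightest.
        return min(self.table[r][self._col(key, r)] for r in range(self.depth))

    def merge(self, other: "CountMin") -> None:
        if (self.width, self.depth) != (other.width, other.depth):
            raise ValueError("sketch shapes differ")
        for r in range(self.depth):
            for c in range(self.width):
                self.table[r][c] += other.table[r][c]


def node_summarize(log_lines: Iterable[str], local_threshold: int,
                   width: int = 256, depth: int = 4) -> Tuple[CountMin, Set[str]]:
    """Runs on each node: returns the sketch and the locally suspicious sources."""
    sketch = CountMin(width, depth)
    candidates: Set[str] = set()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if not m:
            continue                      # successful logins and other noise are dropped
        ip = m.group(1)
        sketch.add(ip)
        if sketch.estimate(ip) >= local_threshold:
            candidates.add(ip)
    return sketch, candidates


def central_merge(summaries: List[Tuple[CountMin, Set[str]]],
                  global_threshold: int) -> Dict[str, int]:
    """Runs on the collector: merge all sketches, then score the union of candidates."""
    if not summaries:
        return {}
    merged = CountMin(summaries[0][0].width, summaries[0][0].depth)
    candidates: Set[str] = set()
    for sketch, local_candidates in summaries:
        merged.merge(sketch)
        candidates |= local_candidates
    return {ip: merged.estimate(ip) for ip in sorted(candidates)
            if merged.estimate(ip) >= global_threshold}


# Constructed sample logs for two nodes; 203.0.113.7 spreads 3 failures over each.
NODE_A_LOG = [
    "Mar 19 09:00:01 web-a sshd[2211]: Failed password for root from 203.0.113.7 port 40122 ssh2",
    "Mar 19 09:00:02 web-a sshd[2211]: Failed password for root from 203.0.113.7 port 40123 ssh2",
    "Mar 19 09:00:03 web-a sshd[2213]: Accepted publickey for deploy from 198.51.100.9 port 5010 ssh2",
    "Mar 19 09:00:04 web-a sshd[2214]: Failed password for invalid user admin from 198.51.100.9 port 5011 ssh2",
    "Mar 19 09:00:05 web-a sshd[2215]: Failed password for root from 203.0.113.7 port 40124 ssh2",
]
NODE_B_LOG = [
    "Mar 19 09:00:01 web-b sshd[3301]: Failed password for root from 203.0.113.7 port 40201 ssh2",
    "Mar 19 09:00:02 web-b sshd[3302]: Failed password for invalid user oracle from 192.0.2.5 port 6001 ssh2",
    "Mar 19 09:00:03 web-b sshd[3303]: Failed password for root from 203.0.113.7 port 40202 ssh2",
    "Mar 19 09:00:04 web-b sshd[3304]: Failed password for invalid user oracle from 192.0.2.5 port 6002 ssh2",
    "Mar 19 09:00:05 web-b sshd[3305]: Failed password for root from 203.0.113.7 port 40203 ssh2",
]


def demo() -> Dict[str, int]:
    summaries = [node_summarize(NODE_A_LOG, local_threshold=2),
                 node_summarize(NODE_B_LOG, local_threshold=2)]
    return central_merge(summaries, global_threshold=5)


if __name__ == "__main__":
    print(demo())  # {'203.0.113.7': 6}
```

In the sample, 192.0.2.5 is nominated by node B (two failures) but stays under the global threshold, while 203.0.113.7 is only three failures on each node yet scores six once merged; the collector never received a single raw log line.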
  17. IT Business Platform
     [Diagram: a loop of Operation → Observation → Analysis → Recomposition → Intelligence.]
     • Collation with other factors
     • Business Intelligence & Big Data
     • Analysis of attack schemes.
     • More value for the IR process
     • Using them for simulation.
  18. Summary
     • More data protection in service systems.
       – Mainly on backyard servers.
       – Clear pipe (https) only is not enough.
       – Data is a valuable component for both users and attackers.
     • Recent advanced schemes should be employed.
       – Encryption on data processing.
       – In any phase of the data life-cycle.
     • Scalability is highly required for systems.
       – The million-user level is tough for security management.
       – Distributed management