Bridging the Policy Gap in Trust Evidence
Project Overview
Hanover, NH
March 31, 2011
Table of Contents
• Project Overview
  – Context
  – Goal
  – Scope
  – Expected Results
• Project Plan
  – Work packages
  – Time Frame
• Engagement with Business Communities
  – Approach
  – Interview Guide
  – Benefit for Participants
• Acknowledgement
• Contact Information
Project Overview: Context
• 60 percent of all companies perceive an increased risk level due to new developments such as social networking, cloud computing, and personal devices in the enterprise.1
• Enterprises must prove trust to regulators, external business partners, and themselves.
• Trust in data, networks, and clients is to a large extent an organizational and behavioral concept – and not so much a technical one.
1) Ernst & Young: Borderless security. Ernst & Young’s 2010 Global Information Security Survey. EYGM Limited, 2010.
Project Overview: Goal
Understand the security and trust properties companies want to have in their systems
Understand how companies communicate these properties to the systems (if possible at all) and how companies then verify that the systems have the properties
Project Overview: Scope
[Diagram: Human and System side by side. The Human holds a mental model of the system's trust-relevant behavior; the System exhibits its actual trust-relevant behavior; the open question is whether the two are equivalent. Two kinds of trust evidence connect them: Policy, which the Human produces and the System enforces, and Attestation, which the System produces and from which the Human draws conclusions. Regions of the diagram are labelled "Project Scope" and "Scope Today".]
Don‘t think of what is easy for the machine to do. Instead, let policy engineering be driven from what business users require and perceive.
Project Overview: Expected Results
• Analysis of requirements and constraints of business communities for policy engineering and trust evidence
• Assessment of current practice (e.g. SELinux) and experimental approaches (e.g. Trust Distribution Diagrams) against the requirements
• Example user studies
Project Plan: Work Packages
WP 1: Business & Organizational Needs
• Identify communities of real-world stakeholders:
  – Chief information security officers
  – Business analysts
  – Business process experts
  – Information security architects
• Identify use cases
• Conduct expert interviews, gather data
• Prepare mini case studies
WP 2: Trust Evidence Languages
• Identify sample languages for trust evidence
• Current practice:
  – SELinux hooks
  – TCG attestation
• Experimental approaches:
  – Property-based attestation and semantic remote attestation
  – DTrace-based characterizations of run-time behavior
  – Trust distribution diagram (TDD)
WP 3: Assessment of Effectiveness
• Study effectiveness of these languages for these communities to talk about these trust properties
• Identify future directions of research
Legend: Focus of this presentation.
Project Plan: Time Frame
[Gantt chart spanning Q1/2011 to Q4/2011 with one row per work package: WP 1: Business and Organizational Needs; WP 2: Trust Evidence Languages; WP 3: Assessment of Effectiveness. Interview-related tasks shown on the chart: Design interview guide; Prepare interviews; Conduct interviews; Document results.]
Engagement with Business Communities: Approach
Overall Methodology
• Qualitative research
• Mini-case studies based on expert interviews (telephone)
• Interview guideline (10 pages) as a baseline
• No publication of any information without prior approval
Target Group
• 8 to 10 multinational enterprises from different industries
• 2 to 3 roles per company:
  – Chief Information Security Officer (CISO)
  – Information Security Architect/Responsible
  – Information Security Technology Expert
Engagement Process
• Step 1 (Interviews):
  – 1 interview (approx. 1 to 2 hours) with CISO
  – 1 to 2 interviews (approx. 1 to 2 hours) with further roles
• Step 2 (Protocols):
  – Transcription of interview recordings
  – Creation of protocols and submission for approval to interviewees
• Step 3 (Final documentation):
  – Creation and submission for approval to CISO
Effort of Participation
• 4 to 12 hours (depending on number of interviewees)
Engagement with Business Communities: Interview Structure
[Diagram of the interview guide's sections:]
• Strategic and Environmental Context
• Organizing Information Security Management
• Information Systems Perspective
• Information Technology and Sources of Trust Evidence
• Trust Evidence Scenarios
Engagement with Business Communities: Benefits for Participants
Reflection of own approach within the peer group
Reflection of own approach against external perspective
Access to leading edge research knowledge
Results will be made available to all participants in Q3/2011
Acknowledgement
This project is supported by a research grant from Intel Corporation.
Contacts
Computer Science Department at Dartmouth College
Sean W. Smith
Sergey Bratus
Tuck School of Business at Dartmouth College, Center for Digital Strategies
M. Eric Johnson
Boris Otto
Tel.: +1 603 646 8991