Citizen centric digital and mobile-identity, personal data ecosystems and the internet of things:...
Date posted: 21-Oct-2014
CITIZEN CENTRIC DIGITAL AND MOBILE-IDENTITY, PERSONAL DATA ECOSYSTEMS AND THE INTERNET OF THINGS: ASSESSING THE NATURE OF OPERATIONAL SECURITY ISSUES
Dr Rachel O’Connell, RSA Conference 2013, Europe
WHO AM I?
PhD: Online criminal activity: implications for investigative strategies
Chief Security Officer, Bebo; VP, AOL
Research Consultant
Oxford Internet Institute: Effective Age Verification Techniques: Lessons to be Learnt from the Online Gambling Industry
Ctrl-Shift, a market analyst and consulting firm: the changing personal data landscape
Member of OIX and the GSMA’s UK Assured legal working group
Advisor to commercial organisations on both the policy requirements and business opportunities associated with digital and mobile ID
Co-founder of GroovyFuture.com
Diagram: Internet of Things, E-commerce, Data driven economy, Digital ID, Mobile ID, PDETS
NASCENT INTEROPERABLE ECOSYSTEMS:
DATA DRIVEN ECONOMY
CISCO’S PREDICTIONS: IoT
DATA GENERATED BY IoT
ELECTRONIC AND MOBILE ID
NSTIC
STORK
IdAP
GSMA Mobile ID
Proposed regulation
PERSONAL INTERNET OF THINGS
• Multi-tenancy cloud based personal data stores
• Targeted attacks
• Cryptolocker virus
PATH TO ROI
Gigya's series 'Path to ROI', focuses on the different technologies and tools that businesses can leverage to generate valuable ROI from their marketing efforts
IoT TRUSTED CREDENTIALS
Education
Assert trusted credentials (LoA)
Recognise trusted intermediaries (accreditation)
Quantified self - Databetes
Convenience, security
Active participants
IoT SECURITY AND TRUST
Infosec properties of the IoT are often hidden in pervasive systems and small devices manufactured by a large number of vendors.
uTRUSTit enables system manufacturers and system integrators to express the underlying security concepts to users in a comprehensible way, allowing them to make valid judgments on the trustworthiness of such systems.
How security conscious is the average user of IoT devices?
Data mining
End-to-end security telemetry – automated scripts, correlating data points from multiple machines across multiple sectors
M2M VISION
MARKET EVOLUTION FOR TELCO IN M2M
PDETS TRUST FRAMEWORKS
Forging new social contracts
The Respect Trust Framework is designed to give individuals control over the sharing of their personal data on the Internet.
Mydex, the personal data store and trusted identity provider, has also had its “Mydex Trust Framework” listed by the Open Identity Exchange.
Connect.me has had its Trust Model and Business Model for Personal Data listed by OIX.
The Personal Network: A New Trust Model and Business Model for Personal Data
Access to data that companies make available and authoritative personal data sources – university exam results
Penetration testing, SIEM, ISO 27001
GOVERNANCE AS A SOFTWARE SERVICE
ID³ believes governance principles should be expressed as software, which is then able to evolve to incorporate advances in technology and to support changing market and societal requirements.
Using these tools, people will be able to ensure the privacy of their personal information, leverage the power of networked data, and create new forms of online coordination, exchange and self-governance.
Forge new “social contracts” and participate in new types of legal and regulatory systems for managing organizations, markets and their social and civic lives. These systems will conform both to international legal standards and to the specific social norms and priorities of their members.
LEGAL FRAMEWORK
European Network and Information Security Agency (ENISA): comprehensive duties and responsibilities, motivated inter alia by the protection of critical infrastructures
CERTs (Computer Emergency Response Teams)
Directive and working paper
Proposal for a Directive of the EU Parliament and of the Council concerning measures to ensure a high level of network and information security across the Union
Cyber-security Strategy of the European Union: An open, Safe and Secure Cyberspace
INCREASE IN NUMBER OF THREATS VECTORS
Structured and unstructured data
Information security management systems – threat intelligence
Security Information and Event Management (SIEM) -
Access management – lessons from enterprise solution providers
Data access, control, leakage, revocation, audits,
Social engineering
Scale of attacks
Complex crypto based attacks, e.g. Flame
Vulnerabilities of inter-operable trust frameworks
LoAs associated with different ecosystems
NEW APPROACHES Existing solutions – each ecosystem is an island
Security incident and management systems – usually utilised in a single system (SIEM)
Stephen Trilling, Symantec, keynote speaker: Massive cloud based security - SIEM on steroids – apps that run on security telemetry data
New era of operational security
New attacks – automatically looking for anomalous behaviours
Forensic graph for Attack ID
Security system with a world view – looks across ecosystems, industries and geographies …
Proportionate, self-fulfilling prophecies, balance
Security in critical infrastructures – Future pre-condition for operating license?
POINTS FOR DISCUSSION
Will the convergence between e-identity, Mobile ID and personal data ecosystems in concert with the Internet of Things, foster new and diverse commercial opportunities, whilst pushing legal, security, policy and regulatory debates into new terrain?
From a security perspective, what are the nature, scale and extent of the threat vectors we can expect to be associated with these nascent ecosystems that are evolving at different rates?
Ubiquitous connectedness opens up pathways for attacks; however, a siloed approach to development and oversight creates a perception issue. How can this best be addressed?
Operational Security Assurance?
POINTS FOR DISCUSSION
Where should concerns lie – unsecured M2M or citizen centric facing, or interactions between these ecosystems?
Scale: Destructive attacks, cybercrimes, erosion of privacy, trust
Will the operation of the IoT in concert with e.g. critical infrastructure necessitate new sets of international rules that address cyber security threats and govern cyber warfare?
What can the security community do to address these issues?