TRANSCRIPT
Emerging issues on public information management and information security
November 2011
Prof. Bae, Kyoung Yul
Sangmyung University
Introduction
• Data & Information & Knowledge
– Data: Raw, non-summarized and unanalyzed facts and figures
– Information: Data that have been converted into a meaningful and useful context for the receiver
– Knowledge: Human understanding of a subject matter that has been acquired through proper study and experience
Introduction
• What is Digital?
– Generates, stores, and processes data in terms of two states: positive and non-positive.
– A digital system uses discrete (discontinuous) values, usually but not always symbolized numerically (hence "digital"), to represent information for input, processing, transmission and storage.
– Digital technology is primarily used with new physical communications media; before it, electronic transmission was limited to analog technology, which conveys data as electronic signals of varying frequency or amplitude added to carrier waves of a given frequency.
Introduction
• What is Digital? Digital Immigrants compared with Digital Natives
– How they handle information: Digital Immigrants slowly and in a controlled way, from limited channels; Digital Natives quickly, from multiple sources
– How they view information: Digital Immigrants text before pictures, sounds and video; Digital Natives pictures, sounds and video before text
– How they process information: Digital Immigrants sequentially, linearly and logically; Digital Natives by random access to hyperlinked multimedia information
Introduction
• Why Digital? (diagram: digitalization and convergence)
– Digitalization: voice, data, audio, video and text (e.g. 가나다라, A B C D) are all represented as bits (0101101001011···)
– Convergence of IT, services and networks: Internet, wireless, broadcast, satellite, DMB/DMC
– Devices (computer, telecommunication, appliance, digital home media center) and contents (entertainment, information, education, MP3/MPEG) converge
Digital Convergence
• Digital Convergence (diagram)
– Convergence of IT services, computing, networking and information devices, driven by:
– Broadband: high data processing power, real-time information processing
– Ubiquity: anytime, anyplace, any device, any platform; mobility, accessibility, seamlessness
– Intelligence: artificial intelligence, context-awareness services
Digital Convergence
• What is ICT?
– ICT, a driver of the socioeconomic "mega trend", leads to fundamental changes in the national social system
– A key to responding to future uncertainties and crises
– (diagram) ICT technology applied across employment, energy, environment, welfare, education and industry; future themes include design of the 4th space, real-time analysis and control, active information security, communication through the senses (body media), interfaces detecting all 5 senses, nano robots and u-Life
Digital Convergence
• The application of ICT in interactions between
– Government and Citizens
– Government and Businesses
– Government and Employees
– Government and Government
– Stages of e-government maturity: Publish (information available online); Interact (two-way communication); Transact (transactions handled online); Integrate (process, system and organisational integration); Transform (entirely new services delivered cross-agency through a centralized enterprise portal)
Digital Convergence
• Use of ICT in Governance
– Constraints: inadequate access to ICT; public awareness about ICTs; lack of an integrated approach; lack of a regulatory/legal framework; absence of processes and systems
– Recommendations: create a one-stop government portal; prioritization of services; improve ICT access by citizens; emphasize a Bangla interface for citizen services; training and leadership from the government; awareness for the use of Open Source; a payment gateway
Information Security
• Security
– Freedom from risk or danger; safety.
– Freedom from doubt, anxiety, or fear; confidence.
– Something that gives or assures safety, as:
• A group or department of private guards: Call building security if a visitor acts suspicious.
• Measures adopted by a government to prevent espionage, sabotage, or attack.
• Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.
• …etc.
Information Security
• Security Trend (timeline diagram, 1950 to 2000 and beyond)
– Role of information systems: from national security and calculation use, to efficient work style and competitiveness, to e-commerce and economic infrastructure, to lifelines for society, economy and daily life
– System types: exclusive systems; big, host types; C/S types; PC and Internet; mobile and ubiquitous
– Users: government; banking, transportation and energy sectors; large enterprises; small/medium enterprises; personal use
– Direction of IT security: protection of military data; reliability of systems; availability for critical infrastructure; availability for IT systems in corporations; network security for e-commerce; security for e-government; a safe/reliable society
Information Security
• Security Paradigm
– Technical Control
• S/W security
• Access control, information security
• Technical hacking
– Physical Control
• H/W security
• Physical intrusion
– Managing Control
• Human security
• Leakage (effluence) of information
Information Security
• Technical Control
– Fundamental Defense
• IPS (Intrusion Prevention System)
• Secure Operating System
• Multilevel Security
– Data security
• Data Encryption
• DRM
• Watermarking
Information Security
• Physical Control
– Lock, DVR, guard
• Physical Security Systems
– Biometrics
– Bio Smartcard
Information Security
• Security for Network Communications (threat, the security service that counters it, and the question it answers)
– Interception; Confidentiality; Is it private?
– Modification; Integrity; Has it been altered?
– Forgery; Authentication; Who am I dealing with?
– Claim ("Not SENT!"); Non-Repudiation; Who sent/received it?
– Denial of Service; Availability; I wish to access!
– Unauthorised access; Access Control; Do you have the privilege?
Information Security
• Long Term Digital Signature
– To treat electronic documents the same as paper documents, the same specific retention period is required (for example, 10 years).
PKI
• Security for Network Communications (diagram of an online service's sections and their threats)
– Sections: subscriber section (user), communication network section (Internet; exclusive line, wired or wireless), web server section (behind firewall and IPS), application server section (AP server), intranet/user section (internal staff, DB server holding customer information)
– Threats shown along the path: data interception, malware execution, data bugging, data alteration, data processing error, inadequate access control and authorization, inadequate authentication, inadequate security settings, inadequate patch management
PKI
• PKI
– Breach of personal profile and credit card information at transaction
– Breach of personal profile in a shared computer
– Cyber stealing
– Hacking on cyber securities & bank accounts / stock price manipulation
– ID and password stealing
– Need of strong security protection with PKI technology
Information Security
• PKI Structure
– A system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction.
– Threats, security services and solutions (diagram): data leakage is countered by confidentiality (encryption); data forgery by integrity (digital signature); unauthorized users by authenticity (digital signature); repudiation by non-repudiation (digital signature)
– Components (diagram): a Root CA; Certificate Authorities (CA) responsible for operation management, CRL management and certificate management; Registration Authorities (RA) handling certificate registration, issue, revocation and renewal; end entities such as corporations, servers and individuals (S/MIME); all built on public key cryptography
Information Security
• PKI Functions
– When PKI techniques are applied in each business unit, the security functions (authentication, integrity, confidentiality, non-repudiation) are applied as follows (problem; matched security method; protection technology):
– Difficult to verify the user; authentication of identity; digital signature technology (user authentication)
– Easy to forge or modify contents; guarantee integrity; digital signature technology (message authentication)
– Repudiation of transactions; non-repudiation; digital signature technology (message authentication)
– Breach of information; confidentiality; encryption technology
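As an added worked example (not from the slides), the PKI roles and security services above in toy Python: an accredited CA under a root issues a subscriber certificate, the subscriber signs a document, and the verifier checks integrity, the chain up to the root, the CRL, and, for the long-term retention point on the Long Term Digital Signature slide, validity as of the signing time rather than today. Textbook RSA over SHA-256 with fixed Mersenne-prime keys and JSON certificates are assumptions chosen for a self-contained demo, not real PKI formats or a real key generation method.

```python
import hashlib
import json

def keygen(p, q, e=65537):              # returns ((n, e), (n, d))
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))  # py3.8+

def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(data: bytes, priv) -> int:     # private operation on the hash
    return pow(_digest(data), priv[1], priv[0])
def verify(data: bytes, sig: int, pub) -> bool:   # integrity + origin
    return pow(sig, pub[1], pub[0]) == _digest(data)

def _tbs_bytes(cert) -> bytes:          # canonical to-be-signed encoding
    return json.dumps({k: v for k, v in cert.items() if k != "sig"},
                      sort_keys=True).encode()

def make_cert(subject, pub, issuer, issuer_priv, not_after):
    """The issuing CA signs the holder's public key; not_after is a year."""
    tbs = {"subject": subject, "issuer": issuer, "n": pub[0], "e": pub[1],
           "not_after": not_after}
    return {**tbs, "sig": sign(_tbs_bytes(tbs), issuer_priv)}

def validate_chain(chain, root_pub, crl, at):
    """chain = [end entity, its CA, ...] below a trusted root. 'at' is the year
    the document was signed (from a trusted timestamp), not the current year."""
    issuer_pub = root_pub
    for cert in reversed(chain):
        if cert["subject"] in crl or at > cert["not_after"]:
            return False                # revoked (CRL), or expired at that time
        if not verify(_tbs_bytes(cert), cert["sig"], issuer_pub):
            return False                # link not signed by the expected issuer
        issuer_pub = (cert["n"], cert["e"])
    return True

def demo():
    # Constructed toy keys from Mersenne primes: public knowledge, so NO real
    # security; they only make the arithmetic real and keep SHA-256(m) < n.
    root_pub, root_priv = keygen((1 << 127) - 1, (1 << 521) - 1)
    ca_pub, ca_priv = keygen((1 << 89) - 1, (1 << 607) - 1)
    sub_pub, sub_priv = keygen((1 << 107) - 1, (1 << 1279) - 1)
    chain = [make_cert("subscriber", sub_pub, "Accredited CA", ca_priv, 2014),
             make_cert("Accredited CA", ca_pub, "National Root CA", root_priv, 2030)]
    petition = b"constructed sample: online petition form"   # signed in 2011
    sig = sign(petition, sub_priv)
    return {"petition_ok": verify(petition, sig, sub_pub),
            "tampered": verify(petition + b"!", sig, sub_pub),
            "chain_2011": validate_chain(chain, root_pub, set(), at=2011),
            "revoked": validate_chain(chain, root_pub, {"subscriber"}, at=2011),
            "chain_2021": validate_chain(chain, root_pub, set(), at=2021)}
```

The last two results show why long-term retention needs more than the bare signature: the same chain that validates as of 2011 fails in 2021 once the subscriber certificate has expired, so the verifier must keep a trusted record of the signing time and the then-current revocation data.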
PKI
• Government PKI & National PKI (diagram)
– Two roots with mutual recognition: the National Root CA (KISA) and the Government Root CA (GCMA)
– Under each root, accredited CAs perform certificate issuance and management
– Subscribers and e-Government service providers obtain their certificates from the accredited CAs
PKI
• PKI in e-Government Applications
– Petition Service: identify oneself online by certificates
– Taxation (National Tax Agency): access with certificates
– Regional Administration (service for counties): access with certificates
– Personnel Management inside Government: all employees inside Government
– Digital Signature & Seal: distribute certificates; develop and enhance systems adopting certificates
– e-Supply (G2B): online bidding with certificate
– 4 Major Insurances data exchange (labor, medical care, pension, industrial disaster): Internet access with certificate
– National Financing Information System: based on Internet banking, etc.
– Education Administration System: teachers can access with certificate
– Electronic document system: interoperable with other systems adopting certificates
– Enhance computerization: sharing national resource information
– All of the above rest on the Public Key Infrastructure (PKI Center)
PKI
• PKI Services
– Public Services
• Housing subscription deposit system, education, medical information, e-bidding ('06)
• Housing subscription, the year-end tax adjustment, NEIS, National Health Insurance, etc.
PKI
• PKI Services
– Mobile Banking
• Mobile banking service with certificate ('07~)
• Transferring a certificate from PC to mobile phone
• Generating an electronic signature in the mobile phone
PKI
• PKI in Korea
– Establishing a reliable u-Authentication System
– Extending the authentication means to biometrics and OTP combined with PKI certificates
– Extending the authentication object to devices
– Developing new PKI business models
PKI
• General PKI Issues
– PKI technologies have matured
• However, there is a lack of killer applications
– Long term signature retention is necessary
• Stable standards are needed for signature verification capability over a long term period
– PKI supports high assurance security
• Many applications will reside on web services
– Trusted validation authority
• Outsource the validation service from the client