IST 2006 – 22/11/2006 Aljosa Pasic Atos Origin Security, Dependability and Trust in Service Infrastructures


Post on 12-Jan-2016


IST 2006 – 22/11/2006

Aljosa Pasic, Atos Origin

Security, Dependability and Trust in Service Infrastructures


Index

Service Oriented World

Where is the problem?

Examples

Security dimensions in Service Oriented World

ESFORS and NESSI

Research topics

Conclusion


Service Oriented World

Applications will need to use shared and co-owned services from different domains of control, which must obey separate security policies and call for diverse security and dependability qualities


Coming problems

For industry: Demand for secure software is much higher than the available security expertise

For research/technology: New complex scenarios (e.g. ambient intelligence) introduce security issues not addressed by conventional engineering processes

For market consultants: Security properties are difficult to measure, and it is also difficult to evaluate their “compositional effects”

For users: Security segmentation and market definitions are blurring: “service infrastructure” covers network infrastructure, perimeter, desktop, server and application security

For auditors and lawyers: Who is accountable and liable for what?

For society: Trust becomes a “key enabler” for service provision and use

For everyone: How much should we spend on security?


Example: Secure “Crossroads”

Hi, I am a software service

Hi, I am a really naughty crossroad

Cross-Platform, Cross-device, Cross-domain, Cross-Protocol…


Example: Secure “Crossroads”

Platform A, Credentials B…

Device A, Protocol B…

Platform B, Credentials A…

Domain C, policy C

S2M security

Dynamic Adaptation

“Factor 5” Access and identity

Shared understanding


Security Dimensions in Service Infrastructures

Secure Services

Securing Services

Security as a service


ESFORS and NESSI WG TSD

NESSI

SC SB

NWG TSD

ESFORS

European Security Forum for Web Services, ESFORS

European Technology Platform: Networked European Software & service Initiative, NESSI


Objectives

Address the security and dependability requirements, challenges and priorities of emerging service oriented software applications

Bridge two communities: the software engineering (services, GRID) community and the security community

Support the NESSI vision and respond to security challenges

Address long-term research on trust, security and dependability in software and services


NESSI TSD in SRA Vol3.

1. Widespread and large-scale deployment of Privacy Enhancing Technologies (PETs)

2. Strong identity management

3. Security mechanisms for services

4. Trust & dependability management and assurance

5. Trusted certification tools for services

6. Openness as a foundation for systems security

7. Holistic Management of Trust

8. Engineering security throughout the whole lifecycle of Service oriented systems

9. Security of the human-computer interface

______________________________________

10. Inherently Stable and Safe Architectures (together with SOI NWG)


Current activity within research topic groups

1. Security mechanisms for services

2. Trust and dependability

   1. Trust analysis, management and monitoring

   2. Dependability assessment and monitoring

3. Security and Dependability engineering

4. Dependable architectures

5. Identity considerations

6. Multidisciplinary and integrated approach to TSD

7. Security of the human-computer interface

8. Privacy considerations

9. Certification, auditing and assurance

10. Openness as a foundation for systems security


Mapping challenges, scenarios and research topics

Scenario A

Scenario B

Scenario C

Decrease Gap …

More sec. knowledge

More Trusted components

More trusted relations

Handle complexity

Dynamic & ad-hoc

Cross-x

Context dependent

Decision Making

User involvement

Perception and psychology

Economics of security

Social mechanisms


Conclusions

It is not “business as usual”: we need many stakeholders in order to deal with trust, security and dependability in service oriented software applications

We have the responsibility to build secure software & services that MATCH people's expectations and notions of trust (and also “trust just a little bit”).

Long-term research on trust, security and dependability in software and services should address components, mechanisms and processes, not all of which are technical in nature

A large group of interested parties has already started discussions within the NESSI WG

Join us for the networking session 23/11, room 207 at 11:00


Contact for more information

Aljosa Pasic

[email protected]

Trust, Dependability and Security cannot be “bolted on”; they should be “woven in”.