The Future of Identity, Security and Privacy
Bart Preneel
imec-COSIC KU Leuven
COSIC
Trend 1: IoT makes IT more intrusive
Intrusive
unavOidable
sTealthy
IoT security risks
• Low cost
• Large attack surface
• Hard to update
• Market for lemons
• Tragedy of the commons
• No regulation
IoT: security vs. endpoint spending [Gartner, Apr 2016]

| Year | Security (billion $) | Endpoints (trillion $) |
|------|----------------------|------------------------|
| 2014 | 0.23 | 0.94 |
| 2015 | 0.28 | 1.2 |
| 2016 | 0.35 | 1.4 |
| 2020 | 0.55 | 3 |
Trend 2: Big Data and Data Analytics for Security
Richard Stallman: the cloud is someone else’s computer
Big Data for Security
• If you have no visibility of your systems, how can you secure them?
• Prevention is hopeless: if you detect all incidents, you can stop the bad guys in a cost-effective way (read: you can reduce investments in prevention)
• By applying analytics to incident data sets, we can learn how the bad guys behave and detect them even faster next time around
Trend 3: Big Data means ever bigger breaches
World’s Biggest Data Breaches
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks
Privacy is a security property
Thinking of Big Data in terms of pollution
A metaphor
« Who knew in 1984…
Trend 4: Big Data for mass surveillance
… that this world would be big Brother … »
… and the Zombies would be paying customers? »
https://www.authcom.com/going-crazy-for-apples-iphone-6/
http://phys.org/news196665821.html
http://www.rjgeib.com
http://stocks.org/wp-content/uploads/2014/09/iphone-6-wait-660x336.png
NSA calls the iPhone users public 'zombies' who pay for their own surveillance
It’s the metadata, stupid
industry
users government
Mass Surveillance
panopticon [Jeremy Bentham, 1791]
• discrimination
• fear
• conformism - stifles dissent
• oppression and abuse
Trend 5: Big Data for Identity
Identity: common law versus the rest
• 100+ countries with compulsory national ID cards
• 15 countries with optional national ID cards
• 9 countries without national ID cards
but only a few have no national register (including 5 Eyes)
but those still have registers for social security, driving licenses, …
Contracts: US versus Belgium
Belgium
• Still insists on paper copies
US
• Acceptable to sneak in nasty clauses in the middle of an 80-page contract
• But a scan of a signature is fine
Identity Management: back to 2002
[Figure: the identity of Alice and her partial identities. Parties and contexts shown: MasterCard, Diners Club, Government, Telecommunication, Leisure, Boyfriend Bob, Travel, Shopping, Work, Payment, Health Care. Attributes shown: Health Status, Credit Rating, Interests, Age, Driving Licence, Tax Status, Name, Birthday, Birthplace, Good-Conduct Certificate, Insurance, Phone Number, Blood Group, Foreign Languages, Income, Diary, Address, Cellphone Number, Likes & Dislikes. Legend: Identity of Alice; Partial Identity of Alice.]
Conflicting views
Ideal world
• User centric
• Privacy: prove properties of attributes using anonymous credentials
• GDPR: “privacy by design”
Real world
• A few large players trace us everywhere on the web and in apps
• Sophisticated privacy settings but real control is unclear
• Major source of advertising income
• Trends: price discrimination, recommendations, banking services
EU focus: entity/data authentication
EU and e-signature
Electronic Signatures Directive 1999/93/EC
• no regulation of CAs (DigiNotar!)
• define e-signature, AES, QES
eIDAS Regulation EU 910/2014
• legal framework for mutual recognition by governments
• allows for cloud signing
• 3 levels of security
• crossborder
• electronic seals (legal entities/corporates)
• trust mark for trust services
Divergent implementations
Technology neutral??
Sometimes way too strict
15cm of standards
Does not allow cloud signing
eIDAS: cloud-based trust services
eIDAS
• ‘electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control’.
Directive 1999/93/EC
• ‘electronic signature creation data that the signatory can use under his sole control’.
eIDAS: cloud-based trust services
Not secure enough: WYSIWYS
• steal key
• signing Trojan
eIDAS: cloud-based trust services
WYSIWYS?
eIDAS: cloud-based trust services
Threat actor
WYSIWYS?
KISS
Google signs a statement: “user with Gmail account ‘Bart Preneel’ agrees to contract X” (just need 1 key)
Data/entity authentication requires a secure computer
Is this what the industry calls trusted computing?
Behavioural biometrics for entity authentication
• How you hold phone
• Gait
• Voice (text-dependent and text-independent)
• Keystroke dynamics
• Handwritten signature
• ...

• Easy to use and less intrusive
• Mix of characteristics of individual and device
• Variable-size data streams
• Learning system
• What if person is distressed?
• FAR/FRR worse than for physiological
Google Trust API
Identity management choices
secure local information vs. the surveillance approach
Architecture is politics [Mitch Kapor ’93]
Avoid single point of trust that becomes single point of failure
Secure computing
Trusted by the user
From Big Data to Small Local Data
Data stays with users
From Big Data to Encrypted Data
Encrypted data
Local encryption with low multiplication depth
Can still compute on the data with somewhat Fully Homomorphic Encryption
Open (Source) Solutions
Effective governance
Transparency for service providers
EU Free and Open Source Software Auditing
Control technology to take control of our lives
Industrial policy
European sovereignty and values
Bart Preneel, imec-COSIC KU Leuven
ADDRESS: Kasteelpark Arenberg 10, 3000 Leuven
WEBSITE: homes.esat.kuleuven.be/~preneel/
EMAIL:
TWITTER: @CosicBe
TELEPHONE: +32 16 321148
ECRYPT CSA
http://www.ecrypt.eu.org
Credits
Napoleon: By Jacques-Louis David - zQEbF0AA9NhCXQ at Google Cultural Institute, Public Domain, https://commons.wikimedia.org/w/index.php?curid=22174172
Trustmark: By https://ec.europa.eu/info/legal-notice_en#copyright-notice - https://ec.europa.eu/commission/commissioners/2014-2019/ansip/blog/electronic-identification-and-trust-services-convenience-and-confidence-online-world_en/, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=58283751