CITIZEN CENTRIC DIGITAL AND MOBILE-IDENTITY, PERSONAL DATA ECOSYSTEMS AND THE INTERNET OF THINGS: ASSESSING THE NATURE OF OPERATIONAL SECURITY ISSUES Dr Rachel O’Connell RSA Conference 2013, Europe


Oct 21, 2014

Transcript
Page 1: Citizen centric digital and mobile-identity, personal data ecosystems and the internet of things: Assessing the nature of operational security issues

CITIZEN CENTRIC DIGITAL AND MOBILE-IDENTITY, PERSONAL DATA ECOSYSTEMS AND THE INTERNET OF THINGS: ASSESSING THE NATURE OF OPERATIONAL SECURITY ISSUES

Dr Rachel O’Connell

RSA Conference 2013, Europe

Page 2

WHO AM I?

PhD: online criminal activity and its implications for investigative strategies

Chief Security Officer Bebo, VP AOL

Research Consultant

Oxford Internet Institute: Effective Age Verification Techniques: Lessons to be Learnt from the Online Gambling Industry

Ctrl-Shift, a market analyst and consultancy: the changing personal data landscape.

Member of OIX and the GSMA’s UK Assured legal working group

Advisor to commercial organisations on both the policy requirements and business opportunities associated with digital and mobile ID

Co-founder of GroovyFuture.com.

Page 3

NASCENT INTEROPERABLE ECOSYSTEMS:

Internet of Things

E-commerce

Data-driven economy

Digital ID

Mobile ID

PDETS

Page 4

DATA DRIVEN ECONOMY

Page 5

CISCO’S PREDICTIONS: IoT

Page 6

DATA GENERATED BY IoT

Page 7

ELECTRONIC AND MOBILE ID

NSTIC

STORK

IdAP

GSMA Mobile ID

Proposed regulation

Page 8

PERSONAL INTERNET OF THINGS

• Multi-tenancy, cloud-based personal data stores

• Targeted attacks

• Cryptolocker virus

Page 9

PATH TO ROI

Gigya's series 'Path to ROI' focuses on the different technologies and tools that businesses can leverage to generate valuable ROI from their marketing efforts.

Page 10

IoT TRUSTED CREDENTIALS

Education

Assert trusted credentials (LoA)

Recognise trusted intermediaries (accreditation)

Quantified self - Databetes

Convenience, security

Active participants

Page 11

IoT SECURITY AND TRUST

Infosec properties of the IoT are often hidden in pervasive systems and small devices manufactured by a large number of vendors.

uTRUSTit enables system manufacturers and system integrators to express the underlying security concepts to users in a comprehensible way, allowing them to make valid judgments on the trustworthiness of such systems.

How security conscious is the average user of IoT devices?

Data mining

End-to-end security telemetry – automated scripts correlating data points from multiple machines across multiple sectors

Page 12

M2M VISION

Page 13

MARKET EVOLUTION FOR TELCO IN M2M

Page 14

PDETS TRUST FRAMEWORKS

Forging new social contracts

The Respect Trust Framework is designed to give individuals control over the sharing of their personal data on the Internet.

Mydex, the personal data store and trusted identity provider, has also had its “Mydex Trust Framework” listed by the Open Identity Exchange.

Connect.me has had its Trust Model and Business Model for Personal Data listed by OIX:

The Personal Network: A New Trust Model and Business Model for Personal Data

Access to data that companies make available and authoritative personal data sources – university exam results

Penetration testing, SIEM, ISO 27001

Page 15

GOVERNANCE AS A SOFTWARE SERVICE

ID³ believes governance principles should be expressed as software that is then able to evolve to incorporate advances in technology and to support changing market and societal requirements.

Using these tools, people will be able to ensure the privacy of their personal information, leverage the power of networked data, and create new forms of online coordination, exchange and self-governance.

Forge new “social contracts” and participate in new types of legal and regulatory systems for managing organizations, markets and their social and civic lives. These systems will conform both to international legal standards and to the specific social norms and priorities of their members.

Page 16

LEGAL FRAMEWORK

European Network and Information Security Agency (ENISA): comprehensive duties and responsibilities, which are inter alia motivated by the protection of critical infrastructures

CERTs (Computer Emergency Response Teams)

Directive and working paper

Proposal for a Directive of the EU Parliament and of the Council concerning measures to ensure a high level of network and information security across the Union

Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace

Page 17

INCREASE IN NUMBER OF THREAT VECTORS

Structured and unstructured data

Information security management systems – threat intelligence

Security Information and Event Management (SIEM)

Access management – lessons from enterprise solution providers

Data access, control, leakage, revocation, audits

Social engineering

Scale of attacks

Complex crypto-based attacks, e.g. Flame

Vulnerabilities of inter-operable trust frameworks

LoAs associated with different ecosystems

Page 18

NEW APPROACHES

Existing solutions – each ecosystem is an island

Security information and event management (SIEM) systems – usually utilised within a single system

Stephen Trilling, Symantec, keynote speaker: massive cloud-based security – SIEM on steroids – apps that run on security telemetry data

New era of operational security

New attacks – automatically looking for anomalous behaviours

Forensic graph for Attack ID

Security system with a world view – looks across ecosystems, industries and geographies …

Proportionate, self-fulfilling prophecies, balance

Security in critical infrastructures – Future pre-condition for operating license?

Page 19

POINTS FOR DISCUSSION

Will the convergence between e-identity, Mobile ID and personal data ecosystems, in concert with the Internet of Things, foster new and diverse commercial opportunities, whilst pushing legal, security, policy and regulatory debates into new terrain?

From a security perspective, what are the nature, scale and extent of the threat vectors we can expect to be associated with these nascent ecosystems that are evolving at different rates?

Ubiquitous connectedness opens up pathways for attacks; however, a siloed approach to development and oversight creates a perception issue. How can this best be addressed?

Operational Security Assurance?

Page 20

POINTS FOR DISCUSSION

Where should concerns lie – unsecured M2M, citizen-centric facing systems, or the interactions between these ecosystems?

Scale: Destructive attacks, cybercrimes, erosion of privacy, trust

Will the operation of the IoT in concert with e.g. critical infrastructure necessitate new sets of international rules that address cyber security threats and govern cyber warfare?

What can the security community do to address these issues?

Page 21

Thank you

Rachel O’Connell

[email protected]

Twitter: @racheloconnell