Page 1: Defining Security Standards (definingstandards.com/wp-content/uploads/2014/11/...)

Confidential 1 21 July 2014

Defining Security Standards – Challenges, Technologies & Solutions

Dr. Walter Fumy

Chairman JTC 1/SC 27 IT Security Techniques

Chief Scientist, Bundesdruckerei GmbH, Germany

Abu Dhabi: Defining Standards 2014-11-19

Page 2

Abu Dhabi: Defining Standards 2 19 November 2014

Basic Human Needs are evolving (figure)

• Safety, Security
• Social Needs: Friends, Family
• Physiological Needs: Air, Water, Food, Shelter

Page 3

Major Trends (figure)

Trends: Mobility, Industry 4.0, Cloud, Big/Smart Data, Social
Themes: Data, Networks, Identities, Automation, Communications

Identity management for individuals, objects and processes
Need for security & privacy technologies

Page 4

Trends & Digital Identities (figure)

Trends: Digital Identity; Big Data & Cloud Computing; Data Sensitivity; Cybercrime; Internet of Things (IoT); Mobility; Simplicity

Associated keywords:
• Object IDs, Industry 4.0, M2M Communication, Material Trust
• Secure but Simple, User Experience, Work Life Balance
• Privacy, Anonymity / Pseudonymity, Control & Trust
• Software as a service (SaaS), Data Privacy, Data Confidentiality
• BYOD, High Security Access, Full ID | Governance, Material Trust
• Phishing, Pharming, ID Theft

Page 5

Simplicity – The 15 most used passwords in 2013 vs. 2012

Rank  2013        2012
 1    123456      password
 2    password    123456
 3    12345678    12345678
 4    qwerty      abc123
 5    abc123      qwerty
 6    123456789   monkey
 7    111111      letmein
 8    1234567     dragon
 9    iloveyou    111111
10    adobe123    baseball
11    123123      iloveyou
12    admin       trustno1
13    1234567890  1234567
14    letmein     sunshine
15    photoshop   master

source: splashdata.com

Callout on the slide: "j%7K&yPx$ can be difficult to remember"

Page 6

Simplicity

"To keep your customers, keep it simple" (Harvard Business Review, 2012)

Page 7

Password Practice*

• 30% of adult users maintain 10 or more unique passwords
• 8% maintain 21 or more
• 81% of users do not use a unique password for each website
• 33% use the same password for each website
• 48% use a few different passwords
• 51% dislike the prospect of remembering another username or password
• 37% have to ask for assistance on their username or password for at least one website per month

*) source: passwordresearch.com

Page 8

Biometrics to replace Passwords?

Page 9

Mobility & Financial Services are Reshaping the Biometrics Marketplace

• Biometric authentication such as fingerprint, face and voice recognition integrated in mobile devices (e.g. smartphones, tablets)
• Biometric authentication in smartphones is expected to transition from the "early adopter phase" to the "early maturity phase"
• Some Japanese banks are adopting vein pattern recognition for customer authentication
• Barclays plans to adopt finger vein recognition
• MasterCard and Zwipe have recently announced a contactless payment card featuring an integrated fingerprint sensor that needs no battery

Page 10

Biometrics Standardization (figure; source: Fernando Podio, SC 37 Chairman)

Page 11

Biometrics Standardization within ISO/IEC JTC 1 (figure; source: Fernando Podio, SC 37 Chairman)

Page 12

Security and Privacy Topic Areas

• Information security management system (ISMS) requirements, methods and processes
• Accreditation, certification and auditing requirements and methods for Management Systems
• Cryptographic and security mechanisms and technologies
• Security Evaluation, Testing, Processes, Methods and Specification (products, devices and system of products)
• Economics of information security and privacy
• Information security and privacy governance
• Privacy controls and identity management methods (including application specific e.g. cloud), techniques, frameworks, biometric information protection, biometric authentication
• Security controls (including application and sector specific e.g. Cloud, Telecoms, Energy, Finance), codes of practice, frameworks
• Security services (including application and sector specific e.g. Cloud), IT network security, 3rd party services, IDS, incident management, cyber security, application security, disaster recovery, forensics

The figure assigns these topic areas to the SC 27 working groups WG 1, WG 2, WG 3, WG 4 and WG 5.

Page 13

SC 27/WG 1 ISMS Family of Standards

Core standards
• IS 27000 ISMS Overview and vocabulary
• IS 27001 ISMS Requirements
• IS 27002 Code of practice

Supporting Guidelines
• IS 27003 ISMS Implementation guidance
• IS 27004 Information security management measurement
• IS 27005 Information security risk management

Accreditation Requirements and Auditing Guidelines
• IS 27006 Accreditation requirements
• IS 27007 ISMS Auditing guidelines
• TR 27008 ISMS Guide for auditors on ISMS controls

Sector Specific Requirements and Guidelines
• CD 27009 Use and application of 27001 for sector-specific 3rd party certifications
• IS 27010 ISMS for inter-sector communications
• IS 27011 / ITU-T X.1051 Telecom sector ISMS guidelines based on 27002
• TR 27015 ISMS guidelines for financial services
• CD 27017 Code of practice for cloud computing services based on 27002
• TR 27019 Energy industry ISMS guidelines based on 27002

Page 14

SC 27/WG 4 Security Controls and Services

The figure arranges these along an axis from unknown or emerging security issues, through known security issues, to security breaches and compromises.

• ICT Readiness for business continuity (IS 27031)
• Cybersecurity (IS 27032)
• Network security (27033-x, six parts)
• Application security (27034-x, six parts)
• Security info-objects for access control (TR 15816)
• Security for supplier relationships (DIS 27036)
• Storage security (CD 27040)
• TTP Services security (TR 14516; 15945)
• Time stamping services (TR 29149)
• Information security incident management (IS 27035)
• ICT Disaster recovery services (IS 24762)
• Identification, collection and/or acquisition, and preservation of digital evidence (IS 37037)

Page 15

SC 27/WG 3 Security Evaluation Criteria

• IT Security Evaluation Criteria (CC) (IS 15408)
• Evaluation Methodology (CEM) (IS 18045)
• PP/ST Guide (TR 15446)
• Protection Profile Registration Procedures (IS 15292)
• A Framework for IT Security Assurance (TR 15443)
• Security Assessment of Operational Systems (TR 19791)
• Security Evaluation of Biometrics (IS 19792)
• SSE-CMM (IS 21827)
• Security Requirements for Cryptographic Modules (IS 19790)
• Test Requirements for Cryptographic Modules (IS 24759)
• Verification of Cryptographic Protocols (IS 29128)
• Vulnerability Disclosure (IS 29147)

Page 16

SC 27/WG 2 Cryptography and Security Mechanisms

Areas: Cryptographic Protocols; Message Authentication; Digital Signatures; Encryption & Modes of Operation; Parameter Generation

• Entity Authentication (IS 9798)
• Key Mgt (IS 11770)
• Encryption (IS 18033)
• Modes of Operation (IS 10116)
• Hash Functions (IS 10118)
• Message Authentication Codes (IS 9797)
• Signatures giving Msg Recovery (IS 9796)
• Non-Repudiation (IS 13888)
• Signatures with Appendix (IS 14888)
• Check Character Systems (IS 7064)
• ECC Techniques (IS 15946)
• Lightweight Crypto (IS 29192)
• Time Stamping Services (IS 18014)
• Random Bit Generation (IS 18031)
• Prime Number Generation (IS 18032)
• Authenticated Encryption (IS 19772)
• Biometric Template Protection (IS 24745)

Page 17

SC 27/WG 5 Identity Management & Privacy Technologies

WG 5 addresses security aspects of identity management, biometrics and the protection of personal data, including

Frameworks & Architectures
• A framework for identity management (IS/DIS/CD 24760)
• Privacy framework (IS 29100)
• Privacy architecture framework (IS 29101)
• Entity authentication assurance framework (IS 29115 / ITU-T X.eaa)
• Privacy impact assessment – Methodology (WD 29134)
• A framework for access management (CD 29146)

Protection Concepts
• Biometric information protection (IS 24745)
• Requirements for partially anonymous, partially unlinkable authentication (IS 29191)
• Identity proofing (CD 29003)

Guidance on Context and Assessment
• Authentication context for biometrics (IS 24761)
• Privacy capability assessment framework (PRF 29190)

Page 18

ISO/IEC 29115:2013 Entity Authentication Assurance

ISO/IEC 29115 provides a framework for managing entity authentication assurance in a given context. In particular, it specifies

• four levels of entity authentication assurance (LoA 1 to 4)
• criteria and guidelines for achieving each of the four levels

Level | Description | Objective | Control
LoA 1 – low | Little or no confidence in asserted ID | ID is unique within a context | Self-asserted
LoA 2 – medium | Some confidence in asserted ID | ID is unique within context and entity exists objectively | Proof of ID through use of ID information from authoritative source
LoA 3 – high | High confidence in asserted ID | ID is unique within context, entity exists objectively, and ID is verified | Proof of ID through use of ID information from authoritative source + verification
LoA 4 – very high | Very high confidence in asserted ID | ID is unique within context, entity exists objectively, and ID is verified | Proof of ID through use of ID information from multiple authoritative sources + verification + entity witnessed in-person*

*) applies to human entities only

Page 19

Challenge (figure): Security – Simplicity – Privacy

Page 20

Conclusions

• Personal authentication transactions are predicted to increase from millions to billions … and perhaps trillions*
• Secure digital IDs and their efficient management are essential
• Required technologies are largely available
• Challenges include
  • Users need to become more security-aware ⇔ security needs to become more user-friendly
  • Security & privacy need to be built-in rather than bolted on
  • Prepare for the future but do not reinvent the wheel

*) Source: Acuity Market Research, Nov 2013

Page 21

Thank you very much for your kind attention