Citizen centric digital and mobile-identity, personal data ecosystems and the internet of things: Assessing the nature of operational security issues
1. CITIZEN CENTRIC DIGITAL AND MOBILE-IDENTITY, PERSONAL DATA ECOSYSTEMS AND THE INTERNET OF THINGS: ASSESSING THE NATURE OF OPERATIONAL SECURITY ISSUES
Dr Rachel O’Connell
RSA Conference 2013, Europe
2. WHO AM I?
PhD online criminal activity: implications for investigative strategies
Chief Security Officer Bebo, VP AOL
Research Consultant
Oxford Internet Institute:
Effective Age Verification Techniques: Lessons to be Learnt from the Online Gambling Industry
Ctrl_Shift: a market analyst and consulting firm focused on the changing personal data landscape.
Member of OIX and the GSMA’s UK Assured legal working group
Advisor to commercial organisations on both the policy requirements and business opportunities associated with digital and mobile ID
Co-founder of GroovyFuture.com.
7. ELECTRONIC AND MOBILE ID
NSTIC
STORK
IdAP
GSMA Mobile ID
Proposed regulation
8. PERSONAL INTERNET OF THINGS
• Multi-tenancy cloud-based personal data stores
• Targeted attacks
• Cryptolocker virus
9. PATH TO ROI
Gigya's series 'Path to ROI' focuses on the different technologies and tools that businesses can leverage to generate valuable ROI from their marketing efforts
11. IoT SECURITY AND TRUST
Infosec properties of the IoT are often hidden in pervasive systems and small devices manufactured by a large number of vendors.
uTRUSTit enables system manufacturers and system integrators to express the underlying security concepts to users in a comprehensible way, allowing them to make valid judgments on the trustworthiness of such systems.
How security conscious is the average user of IoT devices?
Data mining
End-to-end security telemetry – automated scripts, correlating data points from multiple machines across multiple sectors
14. PDETS TRUST FRAMEWORKS
Forging new social contracts
The Respect Trust Framework is designed to give individuals control over the sharing of their personal data on the Internet.
Mydex, the personal data store and trusted identity provider, has also had its “Mydex Trust Framework” listed by the Open Identity Exchange.
Connect.Me has had its Trust Model and Business Model for Personal Data listed by OIX: The Personal Network: A New Trust Model and Business Model for Personal Data
Access to data that companies make available and authoritative personal data sources – university exam results
Penetration testing, SIEM, ISO 27001
15. GOVERNANCE AS A SOFTWARE SERVICE
ID³ believes governance principles should be expressed as software that is then able to evolve to incorporate advances in technology and to support changing market and societal requirements.
Using these tools, people will be able to ensure the privacy of their personal information, leverage the power of networked data, and create new forms of online coordination, exchange and self-governance.
Forge new “social contracts” and participate in new types of legal and regulatory systems for managing organizations, markets and their social and civic lives. These systems will conform to both international legal standards and to the specific social norms and priorities of their members.
16. LEGAL FRAMEWORK
European Network and Information Security Agency (ENISA): comprehensive duties and responsibilities, which are inter alia motivated by the protection of critical infrastructures
CERTs (Computer Emergency Response Teams)
Directive and working paper
Proposal for a Directive of the EU Parliament and of the Council concerning measures to ensure a high level of network and information security across the Union
Cyber-security Strategy of the European Union: An Open, Safe and Secure Cyberspace
17. INCREASE IN NUMBER OF THREAT VECTORS
Structured and unstructured data
Information security management systems – threat intelligence
Security Information and Event Management (SIEM)
Access management – lessons from enterprise solution providers
Data access, control, leakage, revocation, audits
Social engineering
Scale of attacks
Complex crypto-based attacks, e.g. Flame
Vulnerabilities of inter-operable trust frameworks
LoAs (levels of assurance) associated with different ecosystems
18. NEW APPROACHES
Existing solutions – each ecosystem is an island
Security information and event management (SIEM) systems – usually utilised within a single system
Stephen Trilling, Symantec, keynote speaker: massive cloud-based security – SIEM on steroids – apps that run on security telemetry data
New era of operational security
New attacks – automatically looking for anomalous behaviours
Forensic graph for Attack ID
Security system with a world view – looks across ecosystems, industries and geographies …
Proportionate, self-fulfilling prophecies, balance
Security in critical infrastructures – future pre-condition for an operating license?
19. POINTS FOR DISCUSSION
Will the convergence between e-identity, Mobile ID and personal data ecosystems, in concert with the Internet of Things, foster new and diverse commercial opportunities, whilst pushing legal, security, policy and regulatory debates into new terrain?
From a security perspective, what are the nature, scale and extent of the threat vectors we can expect to be associated with these nascent ecosystems that are evolving at different rates?
Ubiquitous connectedness opens up pathways for attacks; however, a siloed approach to development and oversight creates a perception issue. How can this best be addressed?
Operational Security Assurance?
20. POINTS FOR DISCUSSION
Where should concerns lie – unsecured M2M, citizen-centric user-facing systems, or the interactions between these ecosystems?
Scale: destructive attacks, cybercrimes, erosion of privacy, trust
Will the operation of the IoT in concert with e.g. critical infrastructure necessitate new sets of international rules that address cyber security threats and govern cyber warfare?
What can the security community do to address these issues?
More things are connecting to the Internet than people — over 12.5 billion devices in 2010 alone. Cisco’s Internet Business Solutions Group (IBSG) predicts some 25 billion devices will be connected by 2015, and 50 billion by 2020. How will having lots of things connected change everything?
Trust is central to the operation of a data driven economy. In order to both provide and benefit from digital services, companies, public administrations and consumers need to distinguish between trusted and non-trusted counterparts online; they also need to be recognised as trusted parties themselves. At an operational level, trust frameworks can reduce the need to negotiate a multitude of individual commercial contracts.