Trust and Cybersecurity in Europe

Amardeo Sarma
sarma@neclab.eu
General Manager at NEC Laboratories Europe
Chairman of Trust in Digital Life (TDL)
An interdependent Triangle
© NEC Corporation / TDL - Trust and Cybersecurity in Europe 2 4 June 2013
[Figure: a triangle with Trust, Cybersecurity and Privacy at its corners, each depending on the other two]
Background of Situation in Europe
• The 27 member states of the European Union all have their own
  legislation: the result is that products and services can often only
  be sold in one or a few states.
• But the EU also offers common legislation: this allows laws to be
  harmonized and can potentially enable larger markets.
• There are also very different views in the EU countries on social
  issues and in particular on security, so they often want to keep
  their independence.
• EU Regulations are binding on all member states.
• EU Directives are given a national "flavour" when transposed.

[Figure: the EU legislative process. The Commission supplies the input
material for legislation; the Council and Parliament take the decision
that results in legislation.]
A short note on TDL
• TDL was founded in 2009 by Microsoft, Gemalto, Philips and Nokia
  as an industry-driven consortium with the ambition to accelerate
  the adoption of trustworthy ICT.
• TDL consists of a steadily growing mix of more than 25 members
  representing industry, knowledge institutes, universities and
  consumer organisations.
• TDL is recognized by the European Commission in the Cyber
  Security Strategy (2013) as an independent public-private platform.
• Since April 2013, TDL is a non-profit registered society.
From the TDL* Strategic Research Agenda
• Governments need to provide the legal basis to ensure the rights of
  their citizens in the digital world, while providing an attractive
  environment for business. European values related to trust and
  privacy are differentiators that enable business.
• Legislators should create a level playing field that safeguards
  core values of the rule of law, and provide for effective remedies
  in case of breaches.
• This is an opportunity to focus on solutions that differentiate on
  security, privacy and trust as enablers to enter business in areas
  where take-up has been reluctant; this is particularly valid for
  European business.
* TDL: Trust in Digital Life - http://www.trustindigitallife.eu/
The European Commission: Importance of Trust
• Commissioner Neelie Kroes
  - Importance of trust, especially in the Cloud context
  - A single seamless space for the digital market requires a
    secure Internet and legal predictability
• Reiteration that the Cloud requires trust
  - Trust recognized as the greatest challenge for migration to
    the Cloud
  - Privacy also remains an issue of core relevance: this is an
    area for differentiation in Europe
• European ecosystem
  - Need to make a profitable environment for large and small
    companies in the Cloud
What is Trust
• The trustor is willing to rely on the actions of a trustee.
• The trustor has no (direct) control over the trustee's actions.
• The trustor is usually uncertain about what the trustee will do.
• The trustor needs to develop and evaluate expectations:
  - Will the trustee behave as desired?
  - Can the trustor come to harm?
  - Loss or misuse of assets?

[Figure: the trustor forms expectations about the trustee's behaviour]
Joint Communication: The EU Cybersecurity Strategy
An Open, Safe and Secure Cyberspace
• For cyberspace to remain open and free, the same norms,
  principles and values that the EU upholds offline should also
  apply online.
• Fundamental rights, democracy and the rule of law need to be
  protected in cyberspace.
• Our freedom and prosperity increasingly depend on a robust and
  innovative Internet.
Actions proposed by the European Commission
• Parliament and Council: adopt the proposal for a Directive on a
  common high level of Network and Information Security (NIS)
  across the Union [..] take-up of risk management practices and
  information sharing.
• Industry: invest in a high level of cybersecurity and develop best
  practices and information sharing [..] ensuring a strong and
  effective protection of assets and individuals, in particular
  through public-private partnerships like EP3R and Trust in Digital
  Life (TDL).
The European Commission on Cybercrime
• Ensure swift transposition and implementation of the
  cybercrime-related directives.
• Urge those Member States that have not yet ratified the Council of
  Europe's Budapest Convention on cybercrime to ratify and implement
  its provisions as early as possible.
• Support the recently launched European Cybercrime Centre (EC3) as
  the European focal point in the fight against cybercrime.
The European Commission: Cybersecurity resources
• Launch in 2013 a public-private platform on NIS solutions to
  develop incentives for the adoption of secure ICT solutions and
  the take-up of good cybersecurity performance to be applied to
  ICT products used in Europe.
• Industry should adopt security standards and ensure that software
  and hardware are equipped with stronger, embedded and
  user-friendly security features.
• Develop industry-led standards for companies' performance on
  cybersecurity and improve the information available to the public.
Data Protection and Privacy
• Data protection and privacy have for a while been high on the social
  agenda, with a lot of pressure groups pushing for more privacy
  - Stronger in some countries, e.g. Germany, Austria, Switzerland and
    the Scandinavian countries
  - Big difference with the USA (and recently China), leading to several
    conflicts, e.g. on providing passenger data
• Article 16(1) of the Treaty on the Functioning of the European Union
  (TFEU), as introduced by the Lisbon Treaty, establishes the principle
  that everyone has the right to the protection of personal data
  concerning him or her.
• Moreover, with Article 16(2) TFEU, the Lisbon Treaty introduced a
  specific legal basis for the adoption of rules on the protection of
  personal data.
• Article 8 of the Charter of Fundamental Rights of the EU enshrines
  protection of personal data as a fundamental right.
Ensuring high NIS across the Union
• Several options were evaluated:
  1) Business as usual, banking on voluntary action by Member States
  2) Regulation: Member States are obliged to comply
  3) Mixed approach
• The level of achieved security and the economic and social impact
  were compared
• Clear recommendation for the second approach: regulation
• Option 1 does not allow for a level playing field across Europe
• Quote: "The current situation in the EU, reflecting the purely
  voluntary approach followed so far, does not provide sufficient
  protection against NIS incidents and risks across the EU. Existing
  NIS capabilities and mechanisms are simply insufficient to keep
  pace with the fast-changing landscape of threats and to ensure a
  common high level of protection in all the Member States."
Backdrop: Legislation Changes due in Europe
• Data protection: new EU Regulation due
  - No national interpretations: all EU countries obliged
  - Mandatory data protection, privacy-by-design prescribed
  - Stricter rules on data security: breaches to be notified within 24h
  - Obligations to implement technical and organizational measures
• Cybersecurity: EU Cybersecurity Directive proposed
  - Obligation to implement appropriate technical and organizational
    measures and to undergo security audits
  - All sorts of market operators will be expected to comply, e.g. social
    networks, Cloud computing services, energy suppliers
  - EU Member States required to lay down rules on sanctions
• Cloud computing: EU Strategy on Standards and Certification
  - Pan-European certification schemes by 2014
  - Address data protection, especially data portability, and focus on
    increased transparency of cloud service providers' security practices
Service Scenario Today
[Figure: two parties each place their assets in the CLOUD; on each side the question is "Trust?"]
The Cloud changes our relationships
[Figure: the spectrum of operating models, from left to right: In-house
(own operation), In-house (outsourced operation), Off-site operation,
Hosted & managed services, Cloud]
• Real or apparent loss of control
• Need to rely on what the other is going to do
• To the right the "other" gets more anonymous
• The providers become more like the users themselves, and are often interchangeable
What citizens and users ask
• How good are the services?
• Are they dependable?
• What about the reputation of the provider?
• Will they continue to exist?
• Is my data safe and available?
• Do providers follow best practices?
• What if something goes wrong?
End-to-end Trust: the Ends
[Figure: the two ends of end-to-end trust, User / Device and Enterprise, with the CLOUD in between]
The security and privacy component of Trust
• User / Device
  - New threats with smaller devices
    · Loss of device and thus data
    · Malicious apps stealing data
    · Social attacks more likely
  - Possible solutions:
    · Ensure linkage of user and device: shut off on separation or user change
    · Create secure containers in the device
    · New, easier authentication schemes, e.g. using biometrics
    · Critical: combine technical and "social" security / protection
• Cloud / Data Centers
  - Ensure security, data protection, availability and performance
    · Lack of trust is a show stopper for business
    · The test: will large corporations use cloud services run by others?
[Figure labels: loss of control; loss of the device itself]
Enabling Trust in the Cloud
• Option 1: Brand, tradition and inheritance of trust
  - Large companies with known brands are often trusted
  - In the Cloud: inherit or establish a "Chain of Trust"
• Option 2: Recommendations of experts, friends and family
  - This also happens in real life: what do you think of offering x ...
  - Some services use this already (Amazon & Co.)

The Cloud needs all options: a useful trust framework must combine
several options of how trust is associated with entities.
Various Trust Frameworks emerging
[Figure: a trust framework connects Users, ID and Attribute Providers and
the Relying Party; it rests on Rules and Regulations and on Trust
Frameworks (brand, reputation, ...)]
TDL addresses how to bridge the gap
[Figure: Trust paradigm shift, from "Trust = Burden" to "Trust = Benefit",
measured as the net user value for trustworthy ICT; the impact of
transparent incidents = number times effect]
• Who is going to pay for trust?
• Will trustworthy services survive?
TDL: Pilots and test beds will be critical: Sprints!
[Figure: the TDL test bed. "Certified" ethical hackers, technology
providers of trustworthy solutions, user groups and application domains
feed the test bed; provision, feedback and the rules that apply flow
between them. The ICT expert community supplies the enabling
infrastructure (Internet, telecom, web server, SMS server), trustworthy
platforms and the integration of infrastructure and content.]
TDL Use Cases on Claim-based Authentication
Architecture for complex Identity infrastructures
[Figure: the four combinations of identity provider and relying party]
• Public sector as Identity Provider, Public sector as Relying Party
• Private sector as Identity Provider, Public sector as Relying Party
• Public sector as Identity Provider, Private sector as Relying Party
• Private sector as Identity Provider, Private sector as Relying Party
Architecture for complex Identity infrastructures: Six design principles
1. Composable architecture
2. Open for technology and standards evolution
3. Attributes remain with the source of the data
4. User consent
5. Privacy
6. Correctness and accountability
Use case E-health service: Claim-based authentication
[Figure: SPRINT 1 (green), technical set-up of the e-Health service.
Traditional Healthcare Service Provider: EHR, HCP front end, patients
front end, healthcare professionals. eHealth Service Provider: activity
repository, personal devices interface. Health Service Provider
(e.g. coach): health SP user front end, health SP front end. Patient/User.
Trust framework architecture: the Id provider performs identity proofing
through its logon page and generates a token; the token goes to the
user, who presents it to the relying party, which checks it against the
relying party policy.]
Relying party:
Id provider:
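The exchange sketched in the e-health use case (identity proofing and token generation at the Id provider, a token presented by the user, a relying party that checks it against its own policy), written out as an added Python example that also exercises design principles 3 and 4 from the architecture slide (attributes remain with the source, user consent). This is not code from the slides or from the TDL sprint. Everything concrete is an assumption made for the example: the token is a JSON claim set signed with HMAC-SHA256 under a key shared between the Id provider and the relying party, the stored credential is checked with PBKDF2, and the claim names (sub, role, age_over_18), the policy layout and the sample users and keys are constructed.

```python
# Added example: a minimal claims-based authentication exchange in the shape of the
# TDL e-health use case.  Assumed, not from the slides: HMAC-SHA256 over a JSON
# claim set, a key shared by Id provider and relying party, PBKDF2 credentials.
import base64, hashlib, hmac, json, time
from datetime import date

def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TokenRejected(Exception):
    """Relying-party verdict: signature, audience, lifetime or policy check failed."""

class IdentityProvider:
    """Identity proofing plus token generation (the "Id provider" box in the use case)."""
    def __init__(self, name: str, signing_key: bytes, users: dict):
        self.name, self.key, self.users = name, signing_key, users

    def logon(self, username, password, audience, consented_claims, now=None):
        user = self.users.get(username)
        # Identity proofing: constant-time comparison of the PBKDF2 hashes.
        if user is None or not hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw"]):
            raise PermissionError("logon failed")
        now = int(time.time() if now is None else now)
        # Principle 3 (attributes remain with the source): release a derived yes/no
        # claim, never the date of birth it is computed from.
        b, t = date.fromisoformat(user["dob"]), date.fromtimestamp(now)
        age = t.year - b.year - ((t.month, t.day) < (b.month, b.day))
        available = {"sub": username, "role": user["role"], "age_over_18": age >= 18}
        # Principle 4 (user consent): release only the claims the user agreed to.
        claims = {k: v for k, v in available.items() if k in consented_claims}
        claims.update(iss=self.name, aud=audience, iat=now, exp=now + 300)
        body = _b64u(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
        return body + "." + _b64u(hmac.new(self.key, body.encode(), hashlib.sha256).digest())

class RelyingParty:
    """Checks a presented token against the trusted issuers and its own policy."""
    def __init__(self, name: str, trusted_issuers: dict, policy: dict):
        self.name, self.trusted_issuers, self.policy = name, trusted_issuers, policy

    def verify(self, token: str, now=None) -> dict:
        now = int(time.time() if now is None else now)
        try:
            body, sig = token.split(".")
            claims, raw_sig = json.loads(_b64u_decode(body)), _b64u_decode(sig)
            # "iss" only selects the key; the signature check below covers the whole
            # body, so a forged issuer name cannot point at a key the attacker controls.
            key = self.trusted_issuers[claims["iss"]]
        except (ValueError, KeyError, TypeError, AttributeError) as exc:
            raise TokenRejected("malformed token or unknown issuer") from exc
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, raw_sig):
            raise TokenRejected("bad signature")
        if claims.get("aud") != self.name:
            raise TokenRejected("token issued for another relying party")
        iat, exp = claims.get("iat"), claims.get("exp")
        if not (isinstance(iat, int) and isinstance(exp, int) and iat <= now < exp):
            raise TokenRejected("token expired or not yet valid")
        # Relying-party policy: required claims and the values it accepts.
        for name, allowed in self.policy.items():
            if name not in claims:
                raise TokenRejected(f"policy requires claim {name!r}")
            if not isinstance(claims[name], (str, int)) or claims[name] not in allowed:
                raise TokenRejected(f"claim {name!r}={claims[name]!r} not allowed")
        return claims

# Constructed sample data: not real users, credentials or keys.
USERS = {
    "alice": {"salt": b"s1", "pw": _pw_hash("correct horse", b"s1"), "role": "patient", "dob": "1990-01-01"},
    "bob": {"salt": b"s2", "pw": _pw_hash("hunter2", b"s2"), "role": "patient", "dob": "2000-01-01"},
}
KEY = b"constructed key shared by Id provider and relying party"
COACH_POLICY = {"role": {"patient"}, "age_over_18": {True}}

def outcome(rp: RelyingParty, token: str, now: int) -> str:
    try:
        rp.verify(token, now)
        return "accepted"
    except TokenRejected as exc:
        return str(exc)

def demo(now: int = 1_370_304_000) -> dict:
    """Runs the exchange at a fixed instant (4 June 2013 UTC) so the results repeat."""
    idp = IdentityProvider("gov-idp", KEY, USERS)
    coach = RelyingParty("health-coach", {"gov-idp": KEY}, COACH_POLICY)
    full = {"sub", "role", "age_over_18"}
    alice = idp.logon("alice", "correct horse", "health-coach", full, now)
    body, sig = alice.split(".")  # forgery: rewrite a claim but keep the old signature
    forged = dict(json.loads(_b64u_decode(body)), role="admin")
    tampered = _b64u(json.dumps(forged, sort_keys=True, separators=(",", ":")).encode()) + "." + sig
    return {
        "alice": outcome(coach, alice, now),
        "alice_no_consent": outcome(coach, idp.logon("alice", "correct horse", "health-coach", {"sub"}, now), now),
        "bob_under_18": outcome(coach, idp.logon("bob", "hunter2", "health-coach", full, now), now),
        "wrong_audience": outcome(coach, idp.logon("alice", "correct horse", "other-rp", full, now), now),
        "tampered": outcome(coach, tampered, now),
        "expired": outcome(coach, alice, now + 600),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:17} {verdict}")
```

The relying party's checks run in the order a practitioner should keep: issuer known to the trust framework, signature, audience, lifetime, and only then the relying party's own policy. In a deployed framework the Id provider would sign with an asymmetric key (SAML assertions or RS256 JWTs) so that no relying party holds the means to mint tokens; the shared HMAC key here is a simplification for a stand-alone example.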







Conclusion
• Trust, security and privacy are interdependent and sometimes in conflict
• In Europe, there is a strong focus on privacy and data protection
• A major European goal is to promote business by removing trust
  barriers in the digital world
• TDL is working on improving trust in the digital world and liaising
  with the European Commission
• Central in this context are the so-called sprints that enable quick
  interoperability tests based on the TDL e-Authentication architecture
