Data of critical services is currently migrating to the cloud. Software Defined Data Centers (SDDC) will become viable in the near future as numerous new services will emerge into the cloud for industry, government and citizens. Big data will be used for creating new services for end users, and therefore the partnerships between cloud service providers and security solution providers will become more common.
Cyber Trust program studied state-of-the-art security technologies and methods for cloud applications and services. The virtualisation of security measurements and security focused cloud service design aims at taking a step further towards cyber security as a service (CSaaS). By utilizing validated and vendor neutral security artefacts from security concept and component development, developers can piggyback solutions in the design of secure application services in more scalable manner.
Different services and products are increasingly reliant on IT, both directly, e.g., online banking and entertainment, and indirectly, for example health services and air traffic control. These services and products process or contain information that is sensitive in terms of information security, privacy or both.
The ultimate goal was to provide secure and cost efficient cloud security model where privacy, identity and resiliency issues were considered. Purpose was to utilize static security ensuring protection against known threats and also enable dynamic security for bringing adaptive mechanisms to provide added resiliency against yet unknown threats. This objective was achieved by analysing potential security threats, by developing solutions for effective resiliency for complete Cloud service systems and developing solutions for rapid recovery of cyber attack situation.
The trade offs between security, privacy, convenience and cost for end users were analyzed. Also situational awareness understanding, analysis technologies, and visualization means were developed to achieve required level of understanding from current security status of given operational environment. New methods and technologies for identity management, access control and management were created.
Proof of Concept for Secure and Resilient Cloud Based Services
The main objective was to enhance security and reliability of application production services so that customers can be confident to have their business critical applications to be hosted and managed by IT service providers. This requires correct and timely situation awareness information for the various stakeholders and laboratory environment to test and simulate the solutions.
New kinds of cloud services that are produced to end users via complex business ecosystem will emerge in the future. Consequently, it is an extreme challenge to protect the private data of individuals in these complex ecosystems with various service interdependencies. For instance, data with varying protection requirements may be composed in one service, which in turn violates requirements set in the data origin. This will require new kind of features for cloud services such as Business Support System (BSS).
Due to this trend of rapid increase in usage of cloud services in all sectors, comprehensive business operations management as well as novel security techniques, and management of security in cloud service environment are needed. The novel techniques include application continuity and availability management, governance model management, security policy management, identity and access management, and situational awareness, including forensic.
The outcomes of the Cybert Trust program were trusted and secure service frameworks, and technologies, processes and component implementations to support both the public sector and private companies with business critical applications. Moreover, a generic model and practices for secured application management – applicable in public and private sector organizations in Finland – were created.
Cyber Trust program developed comprehensive security model for all types of cloud based services to ensure confidentiality, integrity and end-users’ privacy even in complex and interdependent cloud services. The purpose was that the security solution for the cloud service environment is a service itself. Various cloud service scenarios for industry, government and private citizens were analyzed from cyber security view point. Common security related nominators as well as individual service case related security requirements were analyzed.
The current practices and utilization of all needed components for secure and resilient cloud services were analyzed together with potential security threats relevant for cloud services. Special attention was put to privacy and data protection, i.e., how to protect user and users’ data in the processing phase (not only in storage).
Research efforts combined with cross-company expertise provided fertile ground for new security enhancing approaches, innovations and breakthroughs in providing trustworthy ICT and situation-awareness services. Moreover, the program closely collaborated with the SAICS project (Situation Awareness in Information and Cyber Security) in order to share information with other companies and research parties working in the field. SAICS collaboration made it possible to find customers for the developed situation-awareness solutions from the industry.
There is big and growing market especially for healthcare, public sector and financial institutions, and great demand for secured “Internet-able” critical infrastructure ICT services. Sufficient security is required in service provision, and each vertical has dedicated security requirements and provision practices. Moreover, and not depending on the vertical domain, the security position of the target systems and running applications must be communicated to the relevant stakeholders with relevant accuracy.
Common Flexible Certificates
Part of the work of this research theme was to create common certificates as a guideline for the commercial projects so that the platform and services fulfill the requirements and are also scalable. The major difference compared to traditional practices is that guidelines are agile and transparent. Guidelines are thus flexible but they fulfill the criteria. Also ITIL (Information Technology Infrastructure Library) standard evaluation and analysis on security perspective was done.
There was a strong need to do research around common high level security standards. KATAKRI 2015, ISO 27001, and VAHTI 2 were chosen for research program. KATAKRI is the Finnish authorities’ auditing tool, which authority can use in assessing the target organization’s ability to protect classified information. KATAKRI can be used as an auditing tool when assessing a company’s security arrangements in the facility security clearance and in evaluations of the security of the authorities’ information systems. It can also be used to help companies, organisations and the authorities in other security work and in development of it. VAHTI, the Government Information Security Management Board, provides information security instructions that are one of the most comprehensive set of information security instructions in the world.
New guidelines were issued and new certificates were implemented. Companies participating in this research theme made experiments on access management and user rights in cloud service environment. Security analysis and evaluation on KATAKRI 3 cloud environment were made. KATAKRI 3 level data center is the strongest certification level currently being certified. Security and quality standards also worked well as a platform for system and best practice development.
Evaluating the business model, operations and security controls toward these standard´s requirements were in central part of whole research. Netox for example achieved the goals and finished their new head quarter construction which gave the company the possibility to certificate whole business against the KATAKRI and VAHTI standards as well.
Proof of concept trials were made on new secure features on cloud based IoT services. Some of them were applied to production use and are currently tested in actual services. Proof of concept design and implementation of IoT Cloud Service was implemented so that these can safely exploit off-the-shelf legacy alarm systems. The first proof-of-concept implementation was installed and experimented in the laboratory hosted by MPY.
One focus of Softera was to study BSS system associated with the use of mobile use cases mapping. Softera did experiment with web based services, which enables transactions for third-party devices and services. BSS system was able to generate customer contracts. Work orders were made, and after the installation system started charging automatically. Softera conducted NFC payment analysis and proof of concept application: BSS integration to the payment terminal that enables nearby NFC payment.
Softera started SIEM software evaluation and testing (eg. Alienvault Ossim). SIEM software would be possible at present to expand the use of IDS software (Intrusion Detection System).
In the first stage the testing was done confidentially through a VPN tunnel between the premised provided by VTT and target system. Therefore a remote connection to a computer with required test tools within the target system perimeter was needed. The tester’s computer must contain tools and virtual OS’s installed by the testers and also remote desktop and file transfer services are required,
Customer account for using Softera services is needed in the second stage. It is assumed that the customer account will enable the testers to make an encrypted connection to the target system in order to enable confidentiality of the testing. It is also assumed that the customer account will enable the testers to install necessary test tools within the system, operate the test tools and transfer file between VTT premises and the test system.
Privacy of Digital Personal Identities
Digital personal identity defines a person in the digital world, in the context of an online service or a software application, and represents the person in a digital product or service. People increasingly create multiple digital personal identities for the digital services and products they are using. A growing concern among people is the privacy and security of these digital identities against digital wrongdoers, ranging from identity theft for financial benefit to online bullying or stalking, to tracking the digital and physical behavior of people.
In this business case, F-Secure‘s aim was at essential improvements in understanding of the notion of privacy in the context of digital personal identities. F-Secure also planned to develop and validate solutions to enhance the capabilities for individuals and business users to access and use their preferred digital products and services in a trustworthy way, and ensure that their personal information stays private. As we are moving towards a more privacy-conscious era in online services, service providers who can communicate to their prospective users that their services will handle the users’ data in privacy, will have competitive advantage over less-private competitors. The studies will be extended to the area of public safety and use cases in governmental / state organizations with their special requirements and priorities.
Activities around credentials management software included analysis of security-related functionality of the product and studies of actual customer needs and preferences and ways of communicating the product features to the customers. The primary collaborators were Aalto University, University of Jyväskylä, and Tampere University of Technology.
Security in Cloud Services
The research by VTT enabled security-by-design approach in cloud service platform development and supported planning of secure service provision. There is increasing demand for cloud services. Companies are moving from dedicated server rooms to IaaS and private and public cloud services, for flexibility and economic reasons. Resiliency and security are expected of these services, often running business-critical systems and managing data with confidentiality requirements. Beside business criticality, the tightening governmental regulation and globally harshening security environment are posing new security requirements for these services. Jointly with the companies, VTT developed approaches to answer this call, to enable homemade data-centre services that are globally competitive and contending for best ROI in dedicated sectors (such as storage and management of personal private data, health data and classified data).
For the construction of novel cloud services, various security and safety aspects were studied and analysed, attributing to effective security controls, measurable system situation, and well-managed security of the service, and targeting to known security, with case-specific emphasis on the resiliency and security aspects set by the anticipated customers (e.g. via security regulations of the business vertical, or standards commonly applied in the business domain). The research covered cybersecurity risk analysis, information and network security measurement and security indicators, security and safety standards, novel authentication methods, and practical precautions and effective security controls in connected systems managing fleets of mobile and IoT devices.
- Security Risk Visualization with Semantic Risk Model
- A Tool for Security Measuring and Probe Management
- Secure, Usable and Privacy-Friendly User Authentication from Keystroke Dynamics
- Improving the Sphinx Mix Network
- A Study on the State of Practice in Security Situational Awareness
- Towards Security Metrics-Supported IP Traceback
- Recipient Privacy in Online Social Networks
- Evaluation of User Authentication Methods in the Gadget-Free World
Contributors of this research theme: F-Secure, Netox, MPY, Softera, VTT, Aalto University, University of Jyväskylä, Tampere University of Technology, Contrasec, Nixu, Silverskin