New Digital Security Models
National IT & Telecom Agency, Ministry of Science, Technology and Innovation, Denmark
Abstract

Due to the extensive digitalisation of the public sector, as well as the private sector, the challenge of providing security and protecting privacy in IT-solutions is increasing. The traditional perception of IT-security is to protect systems by surrounding them with massive walls, e.g. perimeter security or the walled-fortress metaphor. This perception is, however, outdated. It is necessary to integrate security and privacy into the design of the solution (preventive action) as opposed to perceiving it as an addition (curative action) to the developed business solution. At the same time there is a need to include interoperability in the model because security requirements change over time and because many parallel solutions need to work together to foster competition and innovation.

The traditional perception of security is challenged by e.g. cloud computing: with data no longer being located within the organisation or in the data centre of a classic outsourcing company, physical control of data is no longer sufficient as a means to provide against misconduct. Through cloud computing, public authorities can benefit enormously in terms of flexibility and cost savings in IT-operations. But before this can be utilized in all aspects, a series of questions on handling of sensitive data in cloud-based solutions must be addressed. For example, in many areas it is uncertain how existing laws and regulations concerning protection of information privacy are to be interpreted and used in cloud solutions. This is partly because there is no precedent in the area and partly because the existing laws and regulations were formulated prior to cloud computing and, therefore, do not take the special circumstances within this area into account. Handling of user consent with traditional models is often complicated and not well-suited to express rights or ensure they are respected; in cloud solutions the problem is even worse.

The idea that data is located in a particular server room in the basement is challenged when data is moved around in large server centrals throughout the world and when data and applications are shared between many different organisations when using virtualisation (multi-tenancy). Security models which to a higher degree can prevent inappropriate use of data are needed. Thus, it is necessary to supplement and develop the existing security models with new ones more capable of facing today's challenges, both in terms of known types of solutions and open to new types of solutions. This discussion paper provides an initial recommendation for how to create such a further development.

The discussion paper is inspired by two workshops held by the Danish National IT- and Telecom Agency (NITA) in the autumn of 2010 with a number of interested parties. Stephan J. Engberg from Priway facilitated the workshops, presented a number of visions and concepts (including Security by Design) and formulated the workshop cases the participants were to work with. For more information, reference is made to [PRIW]. The main focus of the debate at the two workshops was how to design digital security models compliant with modern requirements. The discussions produced a variety of interesting thoughts and ideas, which form the basis for this publication.

The discussion paper first presents the background and motivates the need for new security models. Then a suggestion for a new security model is described. The description is concluded by an outline of perspectives and a discussion of challenges. Lastly, the central terminology is defined.

http://is.gd/fsgFxL
