[liberationtech] New Digital Security Models

Yosem Companys companys at stanford.edu
Wed Dec 25 07:19:30 PST 2013


New Digital Security Models
National IT & Telecom Agency
Ministry of Science Technology and Innovation
Denmark

Abstract

Due to the extensive digitalisation of the public sector, as well as
the private sector, the challenge of providing security and protecting
privacy in IT-solutions is increasing. The traditional perception of
IT-security is to protect systems by surrounding them by massive walls,
e.g. perimeter security or the walled-fortress metaphor. This
perception is, however, out-dated. It is necessary to integrate
security and privacy into the design of the solution (preventive
action) as opposed to perceiving it as an addition
(curative action) to the developed business solution. At the same time
there is a need to include interoperability in the model because
security requirements change over time and because many parallel
solutions need to work together to foster competition and innovation.
The traditional perception of security is challenged by e.g. cloud
computing: with data no longer being located within the organisation or
in the data centre of a classic outsourcing company, physical control
of data is no longer sufficient as a means to provide against
misconduct. Through cloud computing, public authorities can benefit
enormously in terms of flexibility and cost savings in IT-operations.
But before this can be utilized in all aspects, a series of questions
on handling of sensitive data in cloud-based solutions
must be addressed. For example, in many areas it is uncertain how
existing laws and regulations concerning protection of information
privacy are to be interpreted and used in cloud solutions. This is
partly because there is no precedent in the area and partly because
the existing laws and regulations have been formulated prior to cloud
computing and, therefore, do not take the special circumstances within
this area into account. Handling of user consent with traditional
models is often complicated and not well-suited to express rights or
ensure they are respected; in cloud solutions the problem is even
worse. The idea that data is located in a particular server room in
the basement is challenged when data is moved around in large server
centrals throughout the world and when data and applications are
shared between many different organisations when using virtualisation
(multi-tenancy). Security models which to a higher degree can prevent
inappropriate use of data are needed. Thus, it is necessary to
supplement and develop the existing security models by new ones more
capable of facing today's challenges both in terms of known types of
solutions, but also open to new types of solutions. This discussion
paper provides an initial recommendation for how to create such a
further development.

The discussion paper is inspired by two workshops held by the Danish
National IT- and Telecom Agency (NITA) in the autumn of 2010 with a
number of interested parties. Stephan J. Engberg from Priway
facilitated the workshops and presented a number of visions and
concepts (including Security by Design) and formulated those workshop
cases the participants were to work with. For more information
reference is made to [PRIW]. The main focus of the debate at the two
workshops was how to design digital security models compliant with
modern requirements. The discussions produced a variety of interesting
thoughts and ideas, which form the basis for this publication. The
discussion paper first presents the background and motivates the need
for new security models. Then a suggestion for a new security model is
described. The description is concluded by an outline of perspectives
and a discussion of challenges. Lastly, the central terminology is
defined.

http://is.gd/fsgFxL


