
1 Data Security and Privacy in Academic Computing
Terry Benzel, Deputy Director, Internet and Networked Systems Division, Information Sciences Institute
John Heidemann, Senior Project Leader, Internet and Networked Systems; Research Professor, Computer Science Department, USC

2 Data Security
Data Security:
– Confidentiality
– Integrity
– Availability
Academic research needs focus on integrity and availability
Tension between open access and security
2 Academic Computing 05-04-15

3 Data Security
Strive for balance between control and openness
Implement controls for integrity
Strong tracking and audit
Requirements for availability
Research in cyber security requires safe experimental environments

4 Data Privacy
Academic environment needs are more focused on sharing data than restricting it
Ongoing work at ISI with collaborators at Colorado State, Los Alamos National Labs
Defined Privacy Principles for Sharing

5 Privacy Principles for Sharing
Developed as part of work on Retro-Future Project:
“Privacy Principles for Sharing Cyber Security Data”, to appear at IEEE Int’l Workshop on Privacy Engineering, May 2015
Calvin Ardi (1), Xun Fan (1), Gina Fisk (2), Mike Fisk (2), John Heidemann (1), Abdul Qadeer (1), Christos Papadopoulos (3), Neale Pickett (2), Darshan Washimkar (3), Han Zhang (3), Liang Zhu (1)
(1) USC/Information Sciences Institute
(2) Los Alamos National Laboratory
(3) Colorado State University

6 Data Sharing Systems
sharing data is easy
sharing data properly is human-intensive
sharing data properly and correctly is hard
our goal: build a data sharing system
this paper: its design principles

7 Privacy Principles
for organizations that collect and share data, what are the responsibilities and liabilities?
need principled risk and privacy management
three principles
1. least disclosure
2. qualitative evaluation
3. forward progress

8 1. Least Disclosure
“how do we start sharing?”
grant the minimum amount of data required
…while still sharing!
– ex: use netflow or packet headers, not full data
asking and answering reveals info (both)

9 1. Least Disclosure
“how do we start sharing?”
grant the minimum amount of data required
…while still sharing!
– ex: use netflow or packet headers, not full data
asking and answering reveals info (both)
– corollary (1 of 3 in LD): trade-off between what the question and the answer reveal
  “which IPs queried host.example.com?”: answer tells more
  “did 10.10.1.2 query host.example.com?”: question tells more
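The question/answer trade-off on this slide, worked through on a small DNS query log. This is an added example, not code from the presentation or the Retro-Future project; the log records, the field names and the functions least_disclosure_view() and ask() are assumptions made for illustration.

```python
# Constructed DNS query log; every address and name here is invented sample data.
LOG = [
    {"src": "10.10.1.2", "qname": "host.example.com", "ts": 1000, "payload": b"raw-1"},
    {"src": "10.10.1.7", "qname": "host.example.com", "ts": 1004, "payload": b"raw-2"},
    {"src": "10.10.3.9", "qname": "host.example.com", "ts": 1010, "payload": b"raw-3"},
    {"src": "10.10.1.2", "qname": "other.example.net", "ts": 1011, "payload": b"raw-4"},
    {"src": "10.10.1.7", "qname": "host.example.com", "ts": 1020, "payload": b"raw-5"},
]

HEADER_FIELDS = ("src", "qname", "ts")  # assumed flow-style subset


def least_disclosure_view(records):
    """Share header-level fields only; full payloads never leave the archive."""
    return [{k: r[k] for k in HEADER_FIELDS} for r in records]


def ask(shared, qname, src=None, audit=None):
    """Answer one query and report what each side disclosed to the other.

    src=None  -> "which IPs queried qname?"
    src given -> "did src query qname?"
    """
    hits = sorted({r["src"] for r in shared if r["qname"] == qname})
    if src is None:
        question = [qname]       # asker reveals only the name of interest
        answer = hits            # holder reveals every matching client
    else:
        question = [qname, src]  # asker reveals which client it suspects
        answer = [src in hits]   # holder reveals a single yes/no
    if audit is not None:        # record every query for later review
        audit.append({"qname": qname, "src": src, "items": len(answer)})
    return {"question_reveals": question, "answer_reveals": answer}


if __name__ == "__main__":
    shared, audit = least_disclosure_view(LOG), []
    for src in (None, "10.10.1.2"):
        print(ask(shared, "host.example.com", src=src, audit=audit))
    print(audit)
```

The enumeration form costs the data holder three client addresses and the asker only a name; the membership form costs the holder one bit and the asker the address it is interested in.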

10 2. Qualitative Evaluation
“anonymize PII and we’re done, right?”
– no: anonymization often allows reidentification, ex: AOL and Netflix
instead: sharing must always evaluate costs vs. benefits
– is it legal? ethical?
– would it promote progress?
– decision is subjective: qualitative evaluation
corollary (1 of 2 in QE): technical means alone are not sufficient

11 3. Forward Progress
“this is too troublesome–let’s share nothing!”
controlled sharing data needed to push forward security and research
– organizations control their own disclosure
– utilize legal, ethical, and technical frameworks

12 Applying the Principles
principles provide the foundation
applications of principles illustrate practicalities
– policy and trust relationships
  having an organizational sharing policy
  minimal requisite fidelity
  least privilege
– data management
  data confinement
  securing the data archive
  anonymization and aging
– query management
  moderating queries
  “poker queries” that disclose minimum information
  controlled disclosure: responding carefully

13 Benefits of a Data Sharing System
enables effective and efficient data sharing
– understand and recover from attacks
– develop and research prevention techniques
reduces risk of data exposure and disclosure
– better understanding of liabilities and responsibilities
– justifies the sharing of data for cyber-security applications
automation and auditing

14 Challenges to Wide-spread Adoption
is this enough to convince organizations to share?
– same principles apply for sharing internally
how do we work in a multi-org, multi-policy world?
– one policy for all won’t work
– organizations fine tune risk management based on relationships
others are building data sharing systems for security information
– interoperability requires care (ex: with ontologies like VERIS, STIX)

15 Conclusions
Academic research often involves tradeoffs
Careful balance to meet goals
– Open
– Easily Shared
– Experimental research
Maintain high degree of data integrity and ethical approaches to sharing

