La ricerca europea sulla sicurezza in grande azienda ICT Italiana

Transcription

1 La ricerca europea sulla sicurezza in grande azienda ICT Italiana Seconda Giornata della Sicurezza Informatica in Sardegna Auditorium Parco Tecnologico di Pula 5 Novembre 2008 Domenico Presenza (domenico.presenza@eng.it) Laboratorio Ricerca e Sviluppo Area Ingegneria della Sicurezza Via S.Martino della Battaglia 56, Roma 06 November

2 The Group: offering System and Business Integration Outsourcing Consulting Solutions for each vertical market 06 November

3 Strength a strong 27-year leadership on the IT services market complete, flexible and clienttailored offering territorial coverage continuously striving for exellence in research and innovation 06 November

4 Group Companies 06 November

5 Market Segments A network of technological and business skills for each vertical market: Finance Central P.A. Local P.A. Defence Healthcare Industry, Services & Tlc Utilities Security 06 November

6 Security Identity and Access management Management of the lifecycle of digital certificates Cryptography Digital signature Web-based applications integration Client/server applications integration 06 November

7 Security 06 November

8 Business Lines Software Solutions 8% Outsourcing 34% System Integration and Consulting 58% 06 November

9 Market Segments Telco 12% Public Administration 31% Industry 27% Finance 30% 06 November

10 Strategy 06 November

11 internally Growth continoulsly striving for innovation and technological excellence externally through new business opportunities and strategic acquisitions 06 November

12 Excellence Factors TECHNOLOGICAL KNOW-HOW PROCESS COMPETENCES Research & Innovation OPERATION MANAGEMENT 06 November

13 Research & Innovation 06 November

14 Research & Innovation 200 highly skilled staff 7% of revenues invested yearly in research 25 awarded projects A network of more than 50 international partners 06 November

15 Service Engineering New Media Grid Computing Security Engineering Intelligent Systems Business Processes Research Areas 06 November

16 The European Software and Service Pltform Engineering together with 12 major European IT players is the promoter and coordinator of NESSI (Networked European Software and Services Initiative), the first European technological platform for software and services. Engineering plays an active role in NESSI s top management: Paolo Pandozy Board member Dario Avallone Chairman Steering Committee Stefano De Panfilis Manager of Working Group for the Strategic Research Agenda Today: the network has 200 members and received a 200 million contribution from the EU 06 November

17 Open Source as a business opportunity The first Java enterprise-wide framework developed in Italy download designed for Public Administration authorities and large-size enterprises released with OS license and equipped with supporting services The first free Business Intelligence platform developed by Italian researcher and players download designed for Public Administration authorities and large-size enterprises released with OS license and equipped with supporting services 06 November

18 Security Engineering Research Area 06 November

19 Security Engineering [Anderson, 2001] Security Engineering is about building systems to remain dependable in the face of malice, error or mischance Security Engineering focuses on Tools, Processes, Methods needed to: Design, test and implement complete systems Adapt existing systems as their environments evolve 06 November

20 Enterprise Security All organizational actions required to ensure freedom from danger and risk and precautions taken to guard against crime, attack, sabotage, espionage, accidents, and failures. 06 November

21 Engineering beliefs about Security Perfect security and dependability is not achievable or not economical. Unattended systems are neither secure nor dependable. Security and Dependability assurance is a ever-running (control) process: Attackers always create new threats Weakness strongly depend on context 06 November

22 Production/protection tension Organisations have to manage the tension generated by the need to achive somehow contrasting business and protection goals. 06 November

23 Resilient Security Resilience is the ability of systems to prevent and adapt to changing conditions in order to maintain control over a system property [Leveson et al. 2005] Focus on Security and Safety properties 06 November

24 Socio-technical perspective Nowdays security and dependability of systems largely depends on adaptivity provided by human components ( Liveware ) Flexibility provided by Liveware is often unpaired by current technology Any tentative to improve security and dependability cannot ignore Liveware 06 November

25 Unattended systems Protection Infrastructure S C 06 November

26 Avoid Flatland approach Business space Business Organisation ICT plane 06 November

27 Security as a collaborative effort In service provisioning settings assurance of a desired level of Security & Dependability depends also on the proper cooperative behaviour of responders. 06 November

28 Site A Workers Intranet A S&D Manager Site C Site B Public Network Intranet C Intranet B Customers/Users 06 November

29 Current Research Projects SERENITY MASTER DEWS 06 November

30 SERENITY Project System Engineering for Security and Dependability Integrated Project 15 organization from 9 contries 36 months 13,1 Milion Euro (Funding 7.8 Milion Euro) 06 November

31 SERENITY Main Assumptions Security and Dependability knowledge can be coded (made explicit) through Security & Dependability Patterns (S&D Patterns); S&D Patterns can be integrated by means of Integration Schemes; S&D Patterns can be monitored and, to some extent, enforced at run-time. 06 November

32 Holistic approach S&D Pattern/IS Net Pattern B&O Pattern Wf Pattern 06 November

33 ENGI aims to: ENG objectives in SERENITY investigate how the concept of S&D Patterns could be extended to describe patterns comprising Hardware, Software (processes) and Humans ( Liveware ) make prototypes of tools supporting S&D Patterns in socio-technical networks (SERENE) 06 November

34 SERENITY and ATM case study SERENITY and Air Traffic Management (ATM) can offer each other: ATM to SERENITY: the challenge to be able to describe S&D Patterns including Liveware; SERENITY to ATM: solutions (S&D Patterns and tools) to reuse S&D knowledge to implement future ATM systems. 06 November

35 MASTER Project Managing Assurance, Security and Trust for Services Integrated Project (FP7) 36 Months (1 February 2008) 14 organisations from 9 Countries 15 M Euro (funding 9,3 M Euro) 06 November

36 The Objective MASTER aims at providing methodologies and infrastructures that: facilitate to monitor, enforce, and audit quantifiable metrics on the security of a business process, provide manageable assurance of the security levels, trust levels and regulatory compliance of highly dynamic service- oriented architecture in centralized, distributed (multi-domain), and outsourcing contexts. 06 November

37 MASTER Objective 1 MASTER provides organisations with tools (conceptual and software) to manage the tension between business and protection goals. 06 November

38 MASTER Objective 2 MASTER provides auditors with tools (conceptual and software) to asses whether an organisation is able to retain control over its own performance. IT Auditor 06 November

39 MASTER: The approach Key components of MASTER are the following concepts: Key Assurance Indicator (KAI) is a measurable indicator negotiated by a client and a contractor to show that the client s business assurance goals are addressed e.g. the attacks or breaches that affect the clients assets. Key Security Indicator (KSI) measures technical security features used by contractors to achieve a high level of security, e.g. presence and quality of protection and regulatory models. 06 November

40 DEWS Project Distant Early Warning System STREP (FP6) 36 Months (1 February 2007) 22 organisations from 11 Contries Environment 6,4 M Euro (funding 4 M Euro) 06 November

41 The challange In the context of management of natural disaster there is an urgent need for much better and more efficient early warning system aimed to: shorten the time from detection and assessment of the hazard to taking action; improve and facilitate coordination and communication between competent authorities/sectors; provide a more efficient and earlier warning of the public at risk in natural disaster. 06 November