Consideration for Information Security Issues in Geospatial Information Services of Local Governments
Makoto Hanashima
Institute for Areal Studies, Foundation (IAS), Tokyo
Institute of Information Security (IISEC), Yokohama
May 26, 2006
Slide 2
Makoto Hanashima, IISEC
Outline of Presentation
Background of Research
Governmental Guideline for Distribution of Geospatial Data
The Framework of Baseline Security for GIS in Local Government
Threat Analysis for Geospatial Information Service
Outline of Baseline Safeguard for Geospatial Information Service
Conclusion
Slide 3
Introduction
GIS is changing its concept and expanding its capability.
Geospatial Information Service: the term GIS has been shifting to mean Geospatial Information Service.
Geographic Information System + Web Service Technology + Interoperability
Interoperability and Web service technology are becoming key technologies for GIS.
While user convenience and the quality of service improve greatly, the likelihood that many information security issues will arise also increases.
Slide 4
GIS in Japanese Local Governments
Recent GIS-related actions of the Japanese government:
Jan. 1995: Hanshin-Awaji (Kobe) Earthquake
Sep. 1995: GIS relevant-ministries liaison conference
Feb. 2002: GIS Action Program 2002-2005
May 2003: The Guideline for Distribution of Governmental Geographic Information
Jun. 2004: Q&A for The Guideline
GIS introduced:
Prefecture level: 100%
City, Town level: 40%
(based on The Annual Survey of GIS in Local Government 2004 by NSDIPA, the National Spatial Data Infrastructure Promoting Association)
Slide 5
Governmental Guideline
The Guideline for Distribution of Governmental Geographic Information, 2003
This guideline is the de facto guideline for geospatial information services provided by public institutions in Japan.
When a local government considers distributing geospatial information, this guideline serves as the source of its security policy.
The security policy requirements that can be read from this guideline are as follows.
Slide 6
Security Requirements for GIS in Local Government
1. Protection of geospatial information regarding privacy
2. Ensuring confidentiality of undisclosed geospatial information
3. Ensuring integrity and authenticity of geospatial information
4. Management of the access privileges to geospatial information
5. Prevention of violation of the copyright of geospatial information
6. Maintenance of the accountability of the local government for geospatial information
7. Ensuring availability of the geospatial information service
Slide 7
Problem
How does a local government implement the security policy in its own GIS?
No system guideline
No IT security specialist
No time, a pile of work
Interoperability problems will arise: when geospatial information services interoperate, differences in security level between the services require complicated processing during service.
Redundant investments will continue across many local governments.
Slide 8
Framework for IT Security
One solution: introduce a standard framework for IT security.
ISO/IEC TR 13335 Guidelines for the Management of IT Security (GMITS)
GMITS provides a systematic framework for IT security management.
Slide 9
Framework of IT Security for GIS
[Diagram: framework of ISO/IEC TR 13335 GMITS; labels recovered from the figure]
Information Security Policy of Local Government
Related Statute / Governmental Guideline
High Level Risk Analysis
Detailed Risk Analysis / Baseline Approach
Selection of Safeguard
IT Security Policy for IT System
IT Security Requirement
Slide 10
Two Approaches for IT Security
Two approaches to specify IT security requirements:
An approach based on Detailed Risk Analysis
An approach based on Baseline Safeguard (Baseline Approach)
Slide 11
Two Approaches for IT Security
An approach based on Detailed Risk Analysis
A detailed risk analysis evaluates risk from a detailed estimation of the information assets, the threats to them, and the vulnerabilities of the IT system.
This approach makes it possible to select safeguards optimized for the target IT system.
This approach needs advanced technical knowledge and great effort, so it is costly.
Slide 12
Two Approaches for IT Security
An approach based on Baseline Safeguard (Baseline Approach)
The baseline approach selects safeguards (baseline safeguards) so that the minimum security level (baseline security) decided for each type of IT system is satisfied.
Because this approach can be implemented with minimal time and effort for risk analysis and for selection of safeguards, its cost benefit is far better for systems that do not need a high security level.
This approach depends on the adequacy of the baseline security.
Slide 13
Baseline Security for GIS
If the information security requirements peculiar to Geospatial Information Service become clear, a guideline that includes these requirements in the Baseline Security can be proposed.
This approach may prevent the following problems:
When geospatial information services interoperate, differences in security level between the services require complicated processing during service.
Redundant investments will continue in many local governments on security countermeasures that may not be very effective.
A risk peculiar to geospatial information service may remain undiscussed.
Slide 14
Framework of IT Security for GIS
[Diagram: framework of ISO/IEC TR 13335 GMITS with the domain of this research marked; labels recovered from the figure]
Information Security Policy of Local Government
Related Statute / Governmental Guideline
High Level Risk Analysis
Detailed Risk Analysis / Baseline Approach
Selection of Safeguard
IT Security Policy for IT System
IT Security Requirement
Domain of Research:
Geospatial Information Data (Public Property)
Geospatial Information Service (SYSTEM)
IT Asset Evaluation
Threat Analysis
Baseline Security for Geospatial Information Service
Slide 15
Process of Baseline Approach
(Flow diagram for selection of safeguards, from GMITS Part 4: Selection of Safeguards)
Basic Assessments:
  Identification of the Type of IT System
  Identification of Physical/Environmental Conditions
  Assessment of Existing/Planned Safeguards
Simple or More Advanced Baseline Approach
Baseline Approach: Selection of Safeguards According to the Type of IT System
  Generally Applicable Safeguards
  IT System Specific Safeguards
Selection of Safeguards According to Security Concerns and Threats
  Assessment of Security Concerns
  Safeguards for Confidentiality
  Safeguards for Integrity
  Safeguards for Availability
  Safeguards for Accountability, Authenticity and Reliability
Slide 16
Concept of Threat Analysis - 1
Threat:
  Typical Threat: enumerated by the "List of Possible Threat Types" in GMITS.
  Specific Threat: not enumerated by the list. Specific Threats in GIS.
Slide 17
Concept of Threat Analysis - 2
[Diagram: coverage of Typical Threat and Specific Threat within the Whole Threat]
Slide 18
Specific Threat for GIS
Ts-01: Tampering and forgery of data
Ts-02: Illegal copy and distribution of data
Ts-03: Attack by unauthorized service
Ts-04: Attack to Web application
Ts-05: Arrogation of an author or a source
Ts-06: Setting error of access privilege
Ts-07: Exposure of confidential information by connected referencability
Ts-08: Data error
Ts-09: Tampering and deletion of audit log
Ts-10: Failure of interoperability of system
Slide 19
Safeguards for Specific Threat of GIS - 1
Possible safeguards for Ts-01 (Tampering and forgery of data):
Access control to geospatial data
Authentication of the geospatial data based on digital signature (PKI should be applied)
Tamper-proof data generation
Slide 20
Safeguards for Specific Threat of GIS - 2
Possible safeguards for Ts-02 (Illegal copy and distribution of data):
Authentication of the geospatial data based on digital signature
Authentication of the data provider by digital signature
Use of digital watermarking
Slide 21
Safeguards for Specific Threat of GIS - 3
Possible safeguards for Ts-03 (Attack by unauthorized service):
Two-way authentication by security frameworks of Web Services
Two-way authentication at the application level
Reinforcement of detection capabilities against unauthorized services
Slide 22
Safeguards for Specific Threat of GIS - 4
Possible safeguards for Ts-04 (Attack to Web application):
Reinforcement of robustness of the Web application
Reinforcement of the attack detection method
Using a rich client, e.g. Flex, Curl
Slide 23
Safeguards for Specific Threat of GIS - 5
Possible safeguards for Ts-05 (Arrogation of an author or a source):
Authentication by digital signature of an author or a source
Authentication function for Data Clearinghouse Service
Some DRM protocol may be applied
Reinforcement of the attack detection method
Use of digital watermarking
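As an added example (not part of the presentation), the Python below shows how one signature over a GeoJSON feature serves both Ts-01 (tampering and forgery of data) and Ts-05 (arrogation of an author or source): the canonical serialization binds the geometry and the declared `source` property together, so moving a point or substituting the author both break verification, while harmless re-serialization (different key order, whitespace) does not. It uses an HMAC-SHA256 tag from the standard library as a stand-in for the PKI digital signature the slides call for; a deployment would replace `hmac` with a public-key signature verified against the provider's certificate. The feature, key, source name and function names are constructed for this example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict

# Constructed sample: a GeoJSON Feature published by a fictional city GIS office.
SAMPLE_FEATURE: Dict[str, Any] = {
    "type": "Feature",
    "geometry": {"type": "Point", "coordinates": [139.76543, 35.68123]},
    "properties": {
        "name": "Evacuation shelter 12 (constructed)",
        "source": "City GIS Office (constructed)",
        "updated": "2006-05-26",
    },
}

# Constructed shared key. A PKI deployment would sign with a private key and
# publish the matching certificate; HMAC is only a stand-in here.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"


def canonical_bytes(obj: Dict[str, Any]) -> bytes:
    """Deterministic serialization: sorted keys, no whitespace, so that a downstream
    web service re-emitting the feature in another key order does not break verification."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def _protected_payload(feature: Dict[str, Any]) -> Dict[str, Any]:
    # Everything except the signature member itself is covered: geometry AND properties,
    # including the 'source' claim, so a forged author (Ts-05) fails like moved coordinates (Ts-01).
    return {k: v for k, v in feature.items() if k != "signature"}


def sign_feature(feature: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Return a deep copy of the feature carrying a tag over its canonical form."""
    tag = hmac.new(key, canonical_bytes(_protected_payload(feature)), hashlib.sha256).hexdigest()
    signed = json.loads(json.dumps(feature))  # deep copy, leaves the caller's object untouched
    signed["signature"] = {"alg": "HMAC-SHA256 (stand-in for PKI signature)", "value": tag}
    return signed


def verify_feature(signed: Dict[str, Any], key: bytes) -> bool:
    """True only if the tag matches the current geometry, properties and source."""
    sig = signed.get("signature")
    if not isinstance(sig, dict) or not isinstance(sig.get("value"), str):
        return False  # unsigned or malformed: treat as untrusted
    expected = hmac.new(key, canonical_bytes(_protected_payload(signed)), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["value"])


def with_moved_point(signed: Dict[str, Any], delta_deg: float = 0.001) -> Dict[str, Any]:
    """Simulated Ts-01: someone shifts the shelter location after signing."""
    altered = json.loads(json.dumps(signed))
    altered["geometry"]["coordinates"][0] += delta_deg
    return altered


def with_forged_source(signed: Dict[str, Any], claimed_source: str) -> Dict[str, Any]:
    """Simulated Ts-05: someone re-labels the data as coming from another author."""
    altered = json.loads(json.dumps(signed))
    altered["properties"]["source"] = claimed_source
    return altered


if __name__ == "__main__":
    signed = sign_feature(SAMPLE_FEATURE, SAMPLE_KEY)
    print("as published:  ", verify_feature(signed, SAMPLE_KEY))
    print("point moved:   ", verify_feature(with_moved_point(signed), SAMPLE_KEY))
    print("source forged: ", verify_feature(with_forged_source(signed, "Someone else"), SAMPLE_KEY))
```

The canonicalization step is the part that matters for interoperable services: without it, a WFS or clearinghouse that re-serializes features would invalidate every signature even though nothing changed.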
Slide 24
Safeguards for Specific Threat of GIS - 6
Possible safeguards for Ts-06 (Setting error of access privilege):
Application of an access-control model, e.g. RBAC
Use of an access-control framework, e.g. XACML
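As an added example (not from the presentation), the Python below applies an RBAC model with a role hierarchy to a constructed catalogue of local-government map layers, and adds the check that Ts-06 is really about: an audit that compares each role's effective permissions (including those inherited from parent roles) against the classification ceiling the layer metadata allows, so a mis-set grant on a privacy layer is flagged before it goes live. Layer names, roles, classifications and function names are all constructed for the example.

```python
import copy
from typing import Dict, List, Set, Tuple

# Constructed layer catalogue: classification taken from each layer's metadata.
# "privacy" relates to requirement 1 on slide 6, "undisclosed" to requirement 2.
LAYERS: Dict[str, str] = {
    "base_map": "public",
    "evacuation_shelters": "public",
    "cadastral_parcels": "undisclosed",
    "welfare_recipients": "privacy",
}

# Constructed role hierarchy: a role inherits every permission of its parents.
ROLE_PARENTS: Dict[str, List[str]] = {
    "citizen": [],
    "staff": ["citizen"],
    "welfare_officer": ["staff"],
    "gis_admin": ["staff"],
}

# Highest classification each role may read at all; this is the policy the audit enforces.
READ_CEILING: Dict[str, Set[str]] = {
    "citizen": {"public"},
    "staff": {"public", "undisclosed"},
    "welfare_officer": {"public", "undisclosed", "privacy"},
    "gis_admin": {"public", "undisclosed"},
}

Permission = Tuple[str, str]  # (layer, action), action in {"read", "write"}

# Constructed, correctly configured permission assignment.
GOOD_ASSIGNMENTS: Dict[str, Set[Permission]] = {
    "citizen": {("base_map", "read"), ("evacuation_shelters", "read")},
    "staff": {("cadastral_parcels", "read")},
    "welfare_officer": {("welfare_recipients", "read"), ("welfare_recipients", "write")},
    "gis_admin": {("base_map", "write"), ("evacuation_shelters", "write"), ("cadastral_parcels", "write")},
}

# Constructed setting error (Ts-06): the privacy layer was granted to the public role.
BAD_ASSIGNMENTS: Dict[str, Set[Permission]] = copy.deepcopy(GOOD_ASSIGNMENTS)
BAD_ASSIGNMENTS["citizen"].add(("welfare_recipients", "read"))


def effective_roles(role: str) -> Set[str]:
    """The role itself plus all ancestors in the hierarchy."""
    seen: Set[str] = set()
    stack = [role]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(ROLE_PARENTS.get(current, []))
    return seen


def effective_permissions(role: str, assignments: Dict[str, Set[Permission]]) -> Set[Permission]:
    perms: Set[Permission] = set()
    for r in effective_roles(role):
        perms |= assignments.get(r, set())
    return perms


def is_permitted(role: str, layer: str, action: str, assignments: Dict[str, Set[Permission]]) -> bool:
    """Deny by default: unknown roles or layers get nothing."""
    if role not in ROLE_PARENTS or layer not in LAYERS:
        return False
    return (layer, action) in effective_permissions(role, assignments)


def audit_assignments(assignments: Dict[str, Set[Permission]]) -> List[str]:
    """Flag every effective grant that exceeds a role's classification ceiling.
    Inherited grants are included, which is how one wrong line fans out to several roles."""
    findings: List[str] = []
    for role in ROLE_PARENTS:
        for layer, action in sorted(effective_permissions(role, assignments)):
            classification = LAYERS.get(layer)
            if classification is None:
                findings.append(f"{role}: grant on unknown layer '{layer}'")
            elif classification not in READ_CEILING[role]:
                findings.append(f"{role}: may {action} '{layer}' ({classification}), "
                                f"above its ceiling {sorted(READ_CEILING[role])}")
    return findings


if __name__ == "__main__":
    for name, table in (("good", GOOD_ASSIGNMENTS), ("bad", BAD_ASSIGNMENTS)):
        print(name, audit_assignments(table) or "no findings")
```

Run the audit as a deployment gate on the permission table (or on the XACML policy compiled from it); the constructed misconfiguration produces three findings rather than one, because `staff` and `gis_admin` inherit the citizen grant.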
Slide 25
Safeguards for Specific Threat of GIS - 7
Possible safeguards for Ts-07 (Exposure of confidential information by connected referencability):
Distinction of connected referencability based on metadata
Protection by limitation of the resolution of geospatial data
Slide 26
Safeguards for Specific Threat of GIS - 8
Possible safeguards for Ts-08 (Data error):
Early notification of data error information
Audit of the update log of data
Slide 27
Safeguards for Specific Threat of GIS - 9
Possible safeguards for Ts-09 (Tampering and deletion of audit log):
Reinforcement of robustness of the logging system
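As an added example (not from the presentation), the Python below shows one way to make an update log of geospatial data robust against Ts-09: each entry carries the hash of its predecessor, so modifying or deleting an entry makes the chain inconsistent at a known position. It also serves the "audit of the update log" safeguard for Ts-08, since the same verification can be run before the log is trusted as evidence. The caveat worth seeing is that a chain alone cannot detect removal of the newest entries, so the head hash must be anchored somewhere the log server cannot rewrite. The log records, user names and class/function names are constructed for the example.

```python
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # predecessor of the first entry


def _entry_hash(prev_hash: str, index: int, record: Dict[str, Any]) -> str:
    """Hash covers position, predecessor and the record, all canonically serialized."""
    material = json.dumps({"prev": prev_hash, "index": index, "record": record},
                          sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


class ChainedAuditLog:
    """Append-only update log where every entry commits to the one before it."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def append(self, record: Dict[str, Any]) -> Dict[str, Any]:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        index = len(self.entries)
        entry = {"index": index, "prev": prev, "record": record,
                 "hash": _entry_hash(prev, index, record)}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the newest entry; export this to a separate system as the anchor."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if intact, else (False, index of the first bad position).
        With expected_head, truncation of the tail is reported at position len(entries)."""
        prev = GENESIS_HASH
        for position, entry in enumerate(self.entries):
            if (entry["index"] != position
                    or entry["prev"] != prev
                    or entry["hash"] != _entry_hash(prev, position, entry["record"])):
                return False, position
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)  # entries removed from the end
        return True, None


def build_sample_log() -> ChainedAuditLog:
    """Constructed update events for a geospatial layer."""
    log = ChainedAuditLog()
    log.append({"user": "staff01", "layer": "cadastral_parcels", "op": "update", "feature": "P-0001"})
    log.append({"user": "staff02", "layer": "base_map", "op": "insert", "feature": "B-0100"})
    log.append({"user": "admin01", "layer": "cadastral_parcels", "op": "delete", "feature": "P-0007"})
    log.append({"user": "staff01", "layer": "evacuation_shelters", "op": "update", "feature": "S-0012"})
    return log


def tampered_copy(log: ChainedAuditLog, position: int, user: str) -> ChainedAuditLog:
    """Simulated Ts-09: someone rewrites who performed an update."""
    altered = copy.deepcopy(log)
    altered.entries[position]["record"]["user"] = user
    return altered


def deleted_copy(log: ChainedAuditLog, position: int) -> ChainedAuditLog:
    """Simulated Ts-09: someone removes an entry from the stored log."""
    altered = copy.deepcopy(log)
    del altered.entries[position]
    return altered


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log.head()
    print("intact:", log.verify(anchor))
    print("rewritten user:", tampered_copy(log, 1, "nobody").verify(anchor))
    print("middle entry removed:", deleted_copy(log, 2).verify(anchor))
    print("last entry removed, no anchor:", deleted_copy(log, 3).verify())
    print("last entry removed, with anchor:", deleted_copy(log, 3).verify(anchor))
```

The head hash is what turns the chain into evidence: written to a write-once medium or a second system on a schedule, it lets an auditor prove that nothing was dropped from the end since the last anchor.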
Slide 28
Safeguards for Specific Threat of GIS - 10
Possible safeguards for Ts-10 (Failure of interoperability of system):
Implementation of the error-tracking function of a Web Service
Slide 29
Summary of Safeguards
Safeguards can be implemented by:
Web Service Security
Secure data transfer protocol
Access control method
Some technologies for safeguards still need discussion:
Robustness of Web applications
Traceability of Web service components
Digital signature and authentication protocol for OGC's open architecture
Slide 30
Conclusion
A Baseline Security Guideline is required for Geospatial Information Service in Japanese local governments.
"Specific Threats" to the Geospatial Information Service of local governments have been considered.
The safeguards against the Specific Threats have been discussed.
A number of safeguards need further technical discussion.
Continuous research is required to build up baseline security for the Geospatial Information Service of local governments.
Slide 31
Thank you
Please send your comments: [email protected]
References
[1] Downs, R. & Lenhardt, C.: Privacy and Confidentiality Issues with Spatial Data, IASSIST 2003
[2] Taylor, K. & Murty, J.: Implementing Role Based Access Control for Federated Information Systems on the Web, Australasian Information Security Workshop 2003 (AISW2003)
[3] Belussi, A., et al.: An Authorization Model for Geographical Maps, in Proc. GIS04, Nov. 12-13, 2004
[4] Joshi, J., et al.: Digital Government Security Infrastructure Design Challenges, IEEE Computer, 2001
[5] ISO/IEC TR 13335 Guideline for the Management of IT Security, JIS Handbook 2005
[6] ISO/IEC 15408 Evaluation Criteria for IT Security, JIS Handbook 2005
[7] OGC: OpenGIS Web Services Architecture Description, Open Geospatial Consortium Inc., 2005