  • Slide 1
  • Consideration for Information Security Issues in Geospatial Information Services of Local Governments. Makoto Hanashima, Institute for Areal Studies, Foundation (IAS), Tokyo; Institute of Information Security (IISEC), Yokohama. May 26, 2006
  • Slide 2
  • Makoto Hanashima, IISEC. Outline of Presentation
    - Background of Research
    - Governmental Guideline for Distribution of Geospatial Data
    - The Framework of Baseline Security for GIS in Local Government
    - Threat Analysis for Geospatial Information Service
    - Outline of Baseline Safeguard for Geospatial Information Service
    - Conclusion
  • Slide 3
  • Introduction
    - GIS is changing its concept and expanding its capability: the term GIS is shifting from "Geographic Information System" to "Geospatial Information Service".
    - Geospatial Information Service = Geographic Information System + Web Service Technology + Interoperability.
    - Interoperability and Web service technology are becoming the key technologies for GIS.
    - While user convenience and quality of service improve greatly, the likelihood that many information security issues will arise increases as well.
  • Slide 4
  • GIS in Japanese Local Governments
    - Recent GIS-related actions of the Japanese government:
      Jan. 1995: Hanshin-Awaji (Kobe) Earthquake
      Sep. 1995: GIS relevant-ministries liaison conference
      Feb. 2002: GIS Action Program 2002-2005
      May 2003: The Guideline for Distribution of Governmental Geographic Information
      Jun. 2004: Q&A for the Guideline
    - GIS introduced: prefecture level 100%; city and town level 40% (The Annual Survey of GIS in Local Government 2004, by NSDIPA: National Spatial Data Infrastructure Promoting Association).
  • Slide 5
  • Governmental Guideline
    - The Guideline for Distribution of Governmental Geographic Information (2003) is the de facto guideline for geospatial information services provided by public institutions in Japan.
    - When a local government considers distributing geospatial information, this guideline serves as the source of its security policy.
    - The security-policy requirements that can be read from this guideline are as follows.
  • Slide 6
  • Security Requirements for GIS in Local Government
    1. Protection of geospatial information regarding privacy
    2. Ensuring confidentiality of undisclosed geospatial information
    3. Ensuring integrity and authenticity of geospatial information
    4. Management of access privileges to geospatial information
    5. Prevention of copyright violation of geospatial information
    6. Maintenance of the local government's accountability for geospatial information
    7. Ensuring availability of the geospatial information service
  • Slide 7
  • Problem: how does a local government implement the security policy in its own GIS?
    - No system guideline
    - No IT security specialist
    - No time; a pile of other work
    - Interoperability problems will arise: when geospatial information services interoperate, complicated processing is needed to reconcile differences in security level between the services.
    - Redundant investment will continue across many local governments.
  • Slide 8
  • Framework for IT Security
    - One solution: introduce a standard framework for IT security.
    - ISO/IEC TR 13335, Guidelines for the Management of IT Security (GMITS), provides a systematic framework for IT security management.
  • Slide 9
  • Framework of IT Security for GIS (diagram; the framework of ISO/IEC TR 13335 GMITS). Elements shown: Information Security Policy of Local Government; Related Statute; Governmental Guideline; High Level Risk Analysis; Detailed Risk Analysis; Baseline Approach; Selection of Safeguard; IT Security Policy for IT System; IT Security Requirement.
  • Slide 10
  • Two Approaches for IT Security: two approaches to specifying IT security requirements
    - An approach based on Detailed Risk Analysis
    - An approach based on Baseline Safeguard (Baseline Approach)
  • Slide 11
  • Two Approaches for IT Security: the approach based on Detailed Risk Analysis
    - A detailed risk analysis evaluates risk from a detailed valuation of the information assets, an evaluation of the threats to them, and an evaluation of the vulnerabilities of the IT system.
    - This approach makes it possible to select safeguards optimized for the target IT system.
    - It needs advanced technical knowledge and a great deal of effort, so it is costly.
  • Slide 12
  • Two Approaches for IT Security: the approach based on Baseline Safeguard (Baseline Approach)
    - The baseline approach selects safeguards (baseline safeguards) so that the minimum security level (baseline security) decided for each type of IT system is satisfied.
    - Because it can be carried out with minimal time and effort for risk analysis and for the selection of safeguards, its cost-benefit is far better for systems that do not need a high security level.
    - The approach depends on the adequacy of the baseline security.
  • Slide 13
  • Baseline Security for GIS
    - If the information security requirements peculiar to Geospatial Information Service become clear, a guideline that includes these requirements in the baseline security can be proposed.
    - This approach may prevent the following problems:
      When geospatial information services interoperate, complicated processing is needed to reconcile differences in security level between the services.
      Redundant investment will continue in many local governments on security countermeasures that may not be very effective.
      A risk peculiar to geospatial information service may remain undiscussed.
  • Slide 14
  • Framework of IT Security for GIS (diagram; the GMITS framework of slide 9 with the domain of this research added). Elements shown in addition to those of the ISO/IEC TR 13335 GMITS framework: Geospatial Information Data (Public Property); Geospatial Information Service (System); IT Asset Evaluation; Threat Analysis; Baseline Security for Geospatial Information Service; Domain of Research.
  • Slide 15
  • Process of Baseline Approach (flow diagram for selection of safeguards, from GMITS Part 4: Selection of Safeguards)
    - Basic assessments: identification of the type of IT system; identification of physical/environmental conditions; assessment of existing/planned safeguards.
    - Simple or more advanced baseline approach.
    - Baseline approach, selection of safeguards according to the type of IT system: generally applicable safeguards; IT-system-specific safeguards.
    - Selection of safeguards according to security concerns and threats: assessment of security concerns; safeguards for confidentiality; safeguards for integrity; safeguards for availability; safeguards for accountability, authenticity and reliability.
  • Slide 16
  • Concept of Threat Analysis - 1
    - Typical threat: enumerated by the "List of Possible Threat Types" in GMITS.
    - Specific threat: not enumerated by that list. The specific threats in GIS are the subject of this research.
  • Slide 17
  • Concept of Threat Analysis - 2 (diagram): coverage of typical threats and specific threats. The whole set of threats is covered by the typical threats together with the specific threats.
  • Slide 18
  • Specific Threats for GIS
    - Ts-01: Tampering and forgery of data
    - Ts-02: Illegal copying and distribution of data
    - Ts-03: Attack by an unauthorized service
    - Ts-04: Attack on a Web application
    - Ts-05: Impersonation of an author or a source
    - Ts-06: Misconfiguration of access privileges
    - Ts-07: Exposure of confidential information through linkage of connected references (connected referencability)
    - Ts-08: Data error
    - Ts-09: Tampering with and deletion of audit logs
    - Ts-10: Failure of system interoperability
  • Slide 19
  • Safeguards for Specific Threat of GIS-1: possible safeguards for Ts-01 (Tampering and forgery of data)
    - Access control to geospatial data
    - Authentication of the geospatial data based on digital signature; PKI should be applied
    - Tamper-proof data generation
  • Slide 20
  • Safeguards for Specific Threat of GIS-2: possible safeguards for Ts-02 (Illegal copying and distribution of data)
    - Authentication of the geospatial data based on digital signature
    - Authentication of the data provider by digital signature
    - Use of digital watermarking
  • Slide 21
  • Safeguards for Specific Threat of GIS-3: possible safeguards for Ts-03 (Attack by an unauthorized service)
    - Two-way authentication using the security frameworks for Web Services
    - Two-way authentication at the application level
    - Reinforcement of detection capabilities against unauthorized services
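As an added illustration of the application-level two-way authentication listed above (example code written for this page, not from the slides or from any Web Services security specification): a challenge-response handshake in Python between a client service and a data-providing service over a pre-shared key. The service names `map-portal` and `wfs-parks`, the `Peer` class, the message layout and the pairwise-key provisioning are assumptions of the example. Each side proves possession of the key by MACing the peer's fresh nonce; both identities and a direction label are bound into the MAC so that a reply cannot be replayed or reflected back, and a service that does not hold the key fails in either role.

```python
"""Application-level mutual authentication between two geospatial services.
Added example (not from the slides); the service names, message format and
the pre-shared-key provisioning are assumptions.  In deployment this would
sit inside a TLS session or be replaced by WS-Security / mutual TLS."""
import hashlib
import hmac
import secrets


def mac(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        data = part.encode("utf-8")
        h.update(len(data).to_bytes(2, "big"))
        h.update(data)
    return h.hexdigest()


class Peer:
    """One service.  Holds only its own name and the pairwise key it was provisioned with."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.state = name, key, {}

    def hello(self, peer: str) -> dict:
        # Message 1 (initiator -> responder): identities and a fresh nonce.
        self.state = {"peer": peer, "n_i": secrets.token_hex(16)}
        return {"from": self.name, "to": peer, "nonce": self.state["n_i"]}

    def reply(self, msg: dict) -> dict:
        # Message 2 (responder -> initiator): own nonce plus a proof over both nonces.
        n_r = secrets.token_hex(16)
        self.state = {"peer": msg["from"], "n_i": msg["nonce"], "n_r": n_r}
        proof = mac(self.key, "responder", self.name, msg["from"], msg["nonce"], n_r)
        return {"from": self.name, "to": msg["from"], "nonce": n_r, "proof": proof}

    def confirm(self, msg: dict):
        # Initiator checks the responder's proof; on success sends its own (message 3).
        peer, n_i = self.state["peer"], self.state["n_i"]
        expected = mac(self.key, "responder", peer, self.name, n_i, msg["nonce"])
        if not hmac.compare_digest(expected, msg["proof"]):
            return None  # the responder is not the service it claims to be
        proof = mac(self.key, "initiator", self.name, peer, n_i, msg["nonce"])
        return {"from": self.name, "to": peer, "proof": proof}

    def accept(self, msg) -> bool:
        # Responder checks message 3 before serving any data.
        if msg is None:
            return False
        s = self.state
        expected = mac(self.key, "initiator", s["peer"], self.name, s["n_i"], s["n_r"])
        return hmac.compare_digest(expected, msg["proof"])


def handshake(initiator: Peer, responder: Peer) -> dict:
    """Run the three messages and report what each side concluded."""
    m1 = initiator.hello(responder.name)
    m2 = responder.reply(m1)
    m3 = initiator.confirm(m2)
    return {"initiator_ok": m3 is not None, "responder_ok": responder.accept(m3)}


def demo() -> dict:
    # Constructed scenario: a map portal and a parks WFS share one pairwise key.
    key = secrets.token_bytes(32)
    portal, wfs = Peer("map-portal", key), Peer("wfs-parks", key)
    # Unauthorized services that claim the same names but were never provisioned.
    rogue_wfs = Peer("wfs-parks", secrets.token_bytes(32))
    rogue_portal = Peer("map-portal", secrets.token_bytes(32))
    return {
        "genuine": handshake(portal, wfs),
        "rogue_responder": handshake(portal, rogue_wfs),
        "rogue_initiator": handshake(rogue_portal, wfs),
    }
```

The responder only hands over data after `accept` returns true, and the initiator only trusts the reply after `confirm` succeeds, which is what makes the authentication two-way; a single shared password sent in a header would authenticate one direction at best.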
  • Slide 22
  • Safeguards for Specific Threat of GIS-4: possible safeguards for Ts-04 (Attack on a Web application)
    - Reinforcement of the robustness of the Web application
    - Reinforcement of attack detection methods
    - Use of a rich client, e.g. Flex, Curl
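The first safeguard above, "robustness of the Web application", is concrete enough to show. The following Python is an added example written for this page, not code from the slides: a minimal "features within a bounding box" lookup, as a WMS/WFS-style endpoint would offer, in an injectable form beside a hardened one. The table layout, the sample rows, the `BBOX=minx,miny,maxx,maxy` parameter syntax and the use of sqlite3 are assumptions of the example.

```python
"""A bounding-box feature query: injectable version beside a hardened one.
Added example (not from the slides); the table layout, the BBOX syntax
and the sample rows are assumptions."""
import re
import sqlite3

# Exactly four signed decimal numbers separated by commas; nothing else.
BBOX_RE = re.compile(r"^(-?\d+(?:\.\d+)?),(-?\d+(?:\.\d+)?),(-?\d+(?:\.\d+)?),(-?\d+(?:\.\d+)?)$")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a public parks layer and one undisclosed record."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE features(id TEXT, layer TEXT, lon REAL, lat REAL, public INTEGER)")
    con.executemany("INSERT INTO features VALUES (?, ?, ?, ?, ?)", [
        ("park-001", "parks", 139.69, 35.69, 1),
        ("park-002", "parks", 139.70, 35.68, 1),
        ("well-007", "water_intake", 139.71, 35.67, 0),  # confidential: must never be returned
    ])
    return con


def query_vulnerable(con: sqlite3.Connection, bbox: str) -> list:
    """The weak form: request text is pasted into SQL.  A value such as
    '139.6,35.6,139.8,35.7 OR 1=1' turns the final predicate into
    '... AND lat BETWEEN 35.6 AND 35.7 OR 1=1', which disables the public=1 filter."""
    minx, miny, maxx, maxy = bbox.split(",", 3)
    sql = ("SELECT id FROM features WHERE public = 1"
           " AND lon BETWEEN " + minx + " AND " + maxx
           + " AND lat BETWEEN " + miny + " AND " + maxy)
    return [row[0] for row in con.execute(sql)]


def parse_bbox(bbox: str) -> tuple:
    """Strict parser: shape, numeric range and ordering are all checked.
    Raises ValueError, which the HTTP layer should map to a 400 response."""
    m = BBOX_RE.match(bbox)
    if not m:
        raise ValueError("BBOX must be minx,miny,maxx,maxy")
    minx, miny, maxx, maxy = (float(v) for v in m.groups())
    if not (-180.0 <= minx < maxx <= 180.0 and -90.0 <= miny < maxy <= 90.0):
        raise ValueError("BBOX out of range or reversed")
    return minx, miny, maxx, maxy


def query_hardened(con: sqlite3.Connection, bbox: str) -> list:
    """The robust form: validated numbers are bound as parameters, never interpolated."""
    minx, miny, maxx, maxy = parse_bbox(bbox)
    rows = con.execute(
        "SELECT id FROM features WHERE public = 1"
        " AND lon BETWEEN ? AND ? AND lat BETWEEN ? AND ?",
        (minx, maxx, miny, maxy),
    )
    return [row[0] for row in rows]


def demo() -> dict:
    con = make_db()
    honest = "139.6,35.6,139.8,35.7"
    malicious = "139.6,35.6,139.8,35.7 OR 1=1"
    result = {
        "vulnerable_honest": query_vulnerable(con, honest),
        "vulnerable_attack": query_vulnerable(con, malicious),  # leaks well-007
        "hardened_honest": query_hardened(con, honest),
    }
    try:
        result["hardened_attack"] = query_hardened(con, malicious)
    except ValueError as err:
        result["hardened_attack"] = "rejected: " + str(err)
    return result
```

The two defences are independent: the regular expression rejects anything that is not a bounding box, and parameter binding means that even a value which slipped past validation would be compared as a number, not executed as SQL. Keeping both is what "robustness" means here; attack detection (the second safeguard on the slide) can then be built on the rejected requests.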
  • Slide 23
  • Safeguards for Specific Threat of GIS-5: possible safeguards for Ts-05 (Impersonation of an author or a source)
    - Authentication of the author or source by digital signature
    - Authentication function for the Data Clearinghouse Service
    - Some DRM protocol may be applied
    - Reinforcement of attack detection methods
    - Use of digital watermarking
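The digital-signature safeguard appears both here for Ts-05 and on the Ts-01 slide (authentication of the data itself, with PKI). One worked example serves both, written for this page and not taken from the slides: a data provider signs a GeoJSON-like feature set over a canonical serialisation, with the author identity inside the signed part, and a consumer verifies against a table of trusted public keys. Assumptions of the example: the Python `cryptography` package with Ed25519, the envelope layout, the provider name `city-gis-office` and the sample features; the trusted-key table stands in for certificates issued by a local-government PKI.

```python
"""Signed geospatial data with a bound author identity.
Added example (not from the slides); the `cryptography` package, the
envelope layout, the provider name and the sample features are
assumptions.  The trusted-key table stands in for a PKI."""
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import ed25519

# Constructed sample data: two features of a fictional "parks" layer (GeoJSON-like).
SAMPLE_FEATURES = {
    "type": "FeatureCollection",
    "features": [
        {"type": "Feature", "properties": {"id": "park-001", "name": "Central Park"},
         "geometry": {"type": "Point", "coordinates": [139.6917, 35.6895]}},
        {"type": "Feature", "properties": {"id": "park-002", "name": "River Park"},
         "geometry": {"type": "Point", "coordinates": [139.7000, 35.6800]}},
    ],
}


def canonical_bytes(doc: dict) -> bytes:
    """Deterministic serialisation (sorted keys, no whitespace): a re-serialised
    copy of the same content verifies, any changed coordinate or attribute does not."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def sign_dataset(doc: dict, author_id: str, private_key: ed25519.Ed25519PrivateKey) -> dict:
    """Sign author identity and data together (Ts-05): the author field cannot be
    swapped for another provider's name without invalidating the signature."""
    signed_part = {"author": author_id, "data": doc}
    signature = private_key.sign(canonical_bytes(signed_part))
    return {"signed": signed_part, "signature": signature.hex()}


def verify_dataset(envelope: dict, trusted_keys: dict) -> tuple:
    """Return (ok, reason).  `trusted_keys` maps author id -> Ed25519 public key.
    An author not in the table is rejected before any signature check, so signing
    with an arbitrary key under a made-up name gains nothing."""
    signed_part = envelope["signed"]
    public_key = trusted_keys.get(signed_part.get("author"))
    if public_key is None:
        return False, "untrusted author"
    try:
        public_key.verify(bytes.fromhex(envelope["signature"]), canonical_bytes(signed_part))
    except (InvalidSignature, ValueError):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    provider_key = ed25519.Ed25519PrivateKey.generate()
    trusted = {"city-gis-office": provider_key.public_key()}
    envelope = sign_dataset(SAMPLE_FEATURES, "city-gis-office", provider_key)

    # Ts-01, tampering: shift one park's longitude by about a metre after signing.
    tampered = json.loads(json.dumps(envelope))
    tampered["signed"]["data"]["features"][0]["geometry"]["coordinates"][0] += 0.00001

    # Ts-05, forgery: an outsider signs the data with their own key but claims the city's name.
    forged = sign_dataset(SAMPLE_FEATURES, "city-gis-office", ed25519.Ed25519PrivateKey.generate())

    # Ts-05, unknown source: a validly signed set from a provider the consumer does not trust.
    unknown = sign_dataset(SAMPLE_FEATURES, "someone-else", ed25519.Ed25519PrivateKey.generate())

    return {
        "original": verify_dataset(envelope, trusted),
        "tampered": verify_dataset(tampered, trusted),
        "forged": verify_dataset(forged, trusted),
        "unknown_author": verify_dataset(unknown, trusted),
    }
```

The canonicalisation step is the part most often got wrong in practice: if the consumer re-serialises the data with a different key order or float formatting before hashing, genuine data fails to verify and operators learn to ignore the check. Pinning the byte form (or distributing the exact signed bytes) avoids that.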
  • Slide 24
  • Safeguards for Specific Threat of GIS-6: possible safeguards for Ts-06 (Misconfiguration of access privileges)
    - Application of an access-control model, e.g. RBAC
    - Use of an access-control framework, e.g. XACML
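As an added example for the RBAC safeguard (written for this page; not code from the slides, and not an XACML implementation): a small role-based model for map layers in Python, with a role hierarchy, a default-deny decision function in the Permit/Deny style of an XACML policy decision point, and an audit that catches the "setting error" the threat describes, namely a confidential layer reachable by a public-facing role. The roles, layers, users and the classification metadata are assumptions of the example.

```python
"""RBAC for geospatial layers with a misconfiguration audit.
Added example (not from the slides); roles, layers, users and the layer
classification metadata are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    layer: str
    action: str  # "read", "download" or "write"


# Constructed policy for a fictional city GIS: the rule set an XACML policy
# file would hold, evaluated here by a plain Python function.
ROLE_PERMISSIONS = {
    "anonymous": {Permission("parks", "read")},
    "citizen": {Permission("parks", "download")},
    "city_staff": {Permission("parks", "write"), Permission("water_intake", "read")},
    "water_admin": {Permission("water_intake", "write")},
}
# Senior roles inherit the permissions of junior roles (role hierarchy).
ROLE_PARENTS = {"citizen": {"anonymous"}, "city_staff": {"citizen"}, "water_admin": {"city_staff"}}
USER_ROLES = {"alice": {"city_staff"}, "bob": {"citizen"}, "guest": {"anonymous"}}
# Layer metadata drives the audit: confidential layers must never reach public roles.
LAYER_METADATA = {"parks": {"classification": "public"},
                  "water_intake": {"classification": "confidential"}}
PUBLIC_ROLES = {"anonymous", "citizen"}


def effective_roles(roles, parents=ROLE_PARENTS) -> set:
    """Transitive closure over the role hierarchy."""
    seen, todo = set(), list(roles)
    while todo:
        role = todo.pop()
        if role in seen:
            continue
        seen.add(role)
        todo.extend(parents.get(role, ()))
    return seen


def decide(user: str, layer: str, action: str,
           role_permissions=ROLE_PERMISSIONS, user_roles=USER_ROLES) -> str:
    """Permit if any effective role grants the permission, otherwise Deny.
    Unknown users get the anonymous role; nothing is permitted by default."""
    roles = effective_roles(user_roles.get(user, {"anonymous"}))
    wanted = Permission(layer, action)
    return "Permit" if any(wanted in role_permissions.get(r, ()) for r in roles) else "Deny"


def audit(role_permissions=ROLE_PERMISSIONS, parents=ROLE_PARENTS, metadata=LAYER_METADATA) -> list:
    """Flag privilege-setting errors: any public-facing role, directly or through
    inheritance, that can reach a layer whose metadata says confidential."""
    findings = []
    for role in PUBLIC_ROLES:
        for r in effective_roles({role}, parents):
            for perm in role_permissions.get(r, ()):
                if metadata.get(perm.layer, {}).get("classification") == "confidential":
                    findings.append(f"{role} can {perm.action} confidential layer {perm.layer} (via {r})")
    return sorted(findings)


def demo() -> dict:
    decisions = {
        "alice_write_parks": decide("alice", "parks", "write"),
        "bob_read_water": decide("bob", "water_intake", "read"),
        "guest_read_parks": decide("guest", "parks", "read"),
        "unknown_user_download": decide("mallory", "parks", "download"),
    }
    # A setting error: an operator grants the citizen role read access to the confidential layer.
    bad = {role: set(perms) for role, perms in ROLE_PERMISSIONS.items()}
    bad["citizen"].add(Permission("water_intake", "read"))
    return {
        "decisions": decisions,
        "audit_good": audit(),
        "audit_bad": audit(role_permissions=bad),
        "bob_after_error": decide("bob", "water_intake", "read", role_permissions=bad),
    }
```

The audit is the part that addresses Ts-06 directly: the decision function will faithfully permit whatever the policy says, so the policy itself has to be checked against the layer metadata every time it changes, not only when it is first written.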
  • Slide 25
  • Safeguards for Specific Threat of GIS-7: possible safeguards for Ts-07 (Exposure of confidential information through connected referencability)
    - Identification of connected referencability (linkable references) based on metadata
    - Protection by limiting the resolution of the geospatial data
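Both safeguards above can be shown together. The following Python is an added example written for this page, not from the slides: layer metadata carries a sensitivity class, the class fixes a minimum publishable cell size, and point coordinates of a restricted layer are snapped to that grid before release. The linkage check then demonstrates the exposure: records that sit exactly on entries of a public building register are joinable by coordinate before generalisation and not after. The layer names, the sample points, the 500 m cell and the reference latitude used for a uniform grid are assumptions of the example.

```python
"""Resolution limiting driven by layer metadata, with a linkage check.
Added example (not from the slides); layer names, sample points, the cell
size per class and the reference latitude are assumptions."""
import math

# Constructed metadata policy: minimum publishable cell size in metres per
# sensitivity class.  None means the layer is undisclosed and never released.
RESOLUTION_BY_CLASS = {"public": 0, "restricted": 500, "confidential": None}
LAYER_METADATA = {
    "building_register": {"classification": "public"},
    "support_cases": {"classification": "restricted"},
    "water_intake": {"classification": "confidential"},
}
REFERENCE_LAT = 35.0  # assumed latitude band of the layers; gives one uniform grid

# Constructed features: every support case sits exactly on a registered building.
BUILDINGS = [
    {"id": "b-1", "lon": 139.6917, "lat": 35.6895},
    {"id": "b-2", "lon": 139.7030, "lat": 35.6580},
    {"id": "b-3", "lon": 139.7450, "lat": 35.6210},
]
SUPPORT_CASES = [{"id": f"case-{i}", "lon": b["lon"], "lat": b["lat"]}
                 for i, b in enumerate(BUILDINGS, 1)]


def snap(lon: float, lat: float, cell_m: float, ref_lat: float = REFERENCE_LAT) -> tuple:
    """Move a WGS84 point to the centre of its cell_m-sized grid cell.
    cell_m == 0 means full resolution (public data) and returns the point unchanged."""
    if cell_m == 0:
        return lon, lat
    metres_per_deg_lat = 111_320.0
    dlat = cell_m / metres_per_deg_lat
    dlon = cell_m / (metres_per_deg_lat * math.cos(math.radians(ref_lat)))
    return (round((math.floor(lon / dlon) + 0.5) * dlon, 6),
            round((math.floor(lat / dlat) + 0.5) * dlat, 6))


def release(layer: str, features: list, metadata=LAYER_METADATA) -> list:
    """Apply the layer's resolution limit before anything leaves the service."""
    cell = RESOLUTION_BY_CLASS[metadata[layer]["classification"]]
    if cell is None:
        return []  # undisclosed layer: nothing is published at any resolution
    out = []
    for f in features:
        lon, lat = snap(f["lon"], f["lat"], cell)
        out.append({"id": f["id"], "lon": lon, "lat": lat})
    return out


def linkable(records_a: list, records_b: list) -> int:
    """Count records of A whose exact coordinate also occurs in B: the join an
    outsider would use to connect a sensitive record to a named building."""
    keys_b = {(r["lon"], r["lat"]) for r in records_b}
    return sum((r["lon"], r["lat"]) in keys_b for r in records_a)


def demo() -> dict:
    buildings = release("building_register", BUILDINGS)
    raw_cases = [dict(c) for c in SUPPORT_CASES]  # what would leak without the safeguard
    cases = release("support_cases", SUPPORT_CASES)
    return {
        "linkable_before": linkable(raw_cases, buildings),
        "linkable_after": linkable(cases, buildings),
        "released_cases": cases,
        "confidential_released": release("water_intake", [{"id": "w-1", "lon": 139.71, "lat": 35.67}]),
    }
```

Snapping to a grid rather than rounding decimals keeps the generalisation uniform in metres, and the cell size is a property of the metadata, so the decision of how coarse a layer may be published is made once by the data owner rather than per request.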
  • Slide 26
  • Safeguards for Specific Threat of GIS-8: possible safeguards for Ts-08 (Data error)
    - Early notification of data error information
    - Audit of the data update log
  • Slide 27
  • Safeguards for Specific Threat of GIS-9: possible safeguards for Ts-09 (Tampering with and deletion of audit logs)
    - Reinforcement of the robustness of the logging system
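The update-log audit of the previous slide (Ts-08) and the robust logging system of this one (Ts-09) share a single example here, written for this page and not taken from the slides: a hash-chained audit log in Python in which every entry commits to the previous one, plus a periodically exported anchor (the latest hash, kept on a separate write-once store). Verification then detects a modified entry, a silently deleted entry, and truncation of the tail, the last of which a bare chain cannot see. The record layout of the update events and the anchor mechanism are assumptions of the example.

```python
"""Tamper-evident audit log for data updates.
Added example (not from the slides); the event record layout and the
off-host anchor are assumptions."""
import hashlib
import json

GENESIS = "0" * 64


def canonical(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def chain_hash(prev: str, seq: int, record: dict) -> str:
    """Hash binds the previous hash, the position and the record content."""
    h = hashlib.sha256()
    h.update(prev.encode("ascii"))
    h.update(str(seq).encode("ascii"))
    h.update(canonical(record))
    return h.hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "prev": prev, "record": record, "hash": chain_hash(prev, seq, record)}
        self.entries.append(entry)
        return entry["hash"]

    def anchor(self) -> str:
        """Latest hash; exported to a write-once store the logging host cannot alter."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: list, anchor: str = None) -> tuple:
    """Return (ok, reason).  With an anchor, truncation of the tail is detected too."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return False, f"sequence gap at {i}"
        if e["prev"] != prev:
            return False, f"broken link at {i}"
        if e["hash"] != chain_hash(prev, i, e["record"]):
            return False, f"modified entry {i}"
        prev = e["hash"]
    if anchor is not None and prev != anchor:
        return False, "tail does not match anchor"
    return True, "ok"


def demo() -> dict:
    log = AuditLog()
    # Constructed update events on a "parks" layer; before/after values make the
    # log usable for the Ts-08 audit of erroneous edits as well.
    log.append({"actor": "alice", "op": "update", "layer": "parks", "id": "park-001",
                "before": [139.6917, 35.6895], "after": [139.6920, 35.6895]})
    log.append({"actor": "alice", "op": "delete", "layer": "parks", "id": "park-009"})
    log.append({"actor": "bob", "op": "insert", "layer": "parks", "id": "park-010",
                "after": [139.7100, 35.6700]})
    anchor = log.anchor()

    def copy() -> list:
        return json.loads(json.dumps(log.entries))

    modified = copy()
    modified[0]["record"]["actor"] = "mallory"          # rewrite who did it
    deleted = copy()
    del deleted[1]                                       # remove the delete event...
    for i, e in enumerate(deleted):
        e["seq"] = i                                     # ...and renumber to hide the gap
    truncated = copy()[:-1]                              # drop the newest entry only

    return {
        "intact": verify_chain(log.entries, anchor),
        "modified": verify_chain(modified, anchor),
        "deleted": verify_chain(deleted, anchor),
        "truncated": verify_chain(truncated, anchor),
        "truncated_without_anchor": verify_chain(truncated),
    }
```

The last result is the point of the anchor: cutting entries off the end leaves a perfectly valid chain, so a log that is only self-verifying does not protect against the most convenient form of deletion. In deployment the anchor is what gets shipped to a separate host, printed, or signed, not the whole log.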
  • Slide 28
  • Safeguards for Specific Threat of GIS-10: possible safeguards for Ts-10 (Failure of system interoperability)
    - Implementation of an error-tracking function for the Web Service
  • Slide 29
  • Summary of Safeguards
    - Safeguards can be implemented by: Web Service Security; secure data transfer protocols; access control methods.
    - Some technologies for safeguards still need discussion: robustness of Web applications; traceability of Web service components; digital signature and authentication protocols for OGC's open architecture.
  • Slide 30
  • Conclusion
    - A Baseline Security Guideline is required for Geospatial Information Services in Japanese local governments.
    - "Specific threats" to the geospatial information services of local governments have been considered.
    - Safeguards against the specific threats have been discussed.
    - A number of safeguards need further technical discussion.
    - Continuous research is required to build up baseline security for the geospatial information services of local governments.
  • Slide 31
  • Thank you. Please send your comments to: [email protected]
  • References
    [1] Downs, R. & Lenhardt, C.: Privacy and Confidentiality Issues with Spatial Data, IASSIST 2003
    [2] Taylor, K. & Murty, J.: Implementing Role Based Access Control for Federated Information Systems on the Web, Australasian Information Security Workshop 2003 (AISW2003)
    [3] Belussi, A., et al.: An Authorization Model for Geographical Maps, In Proc. GIS04, Nov. 12-13, 2004
    [4] Joshi, J., et al.: Digital Government Security Infrastructure Design Challenges, IEEE Computer, 2001
    [5] ISO/IEC TR 13335 Guidelines for the Management of IT Security, JIS Handbook 2005
    [6] ISO/IEC 15408 Evaluation Criteria for IT Security, JIS Handbook 2005
    [7] OGC: OpenGIS Web Services Architecture Description, Open Geospatial Consortium Inc., 2005