Emerging issues on public information management and information security

November 2011

Prof. Bae, Kyoung Yul

Sangmyung University

Source: unpan1.un.org/intradoc/groups/public/documents/ungc/unpan048046.pdf

Contents

01 Introduction

02 Digital Convergence

03 Information Security

04 PKI

05 Conclusion

01 Introduction

Introduction

• Data & Information & Knowledge

– Data: Raw, non-summarized and unanalyzed facts and figures

– Information: Data that have been converted into a meaningful and useful context for the receiver

– Knowledge: Human understanding of a subject matter that has been acquired through proper study and experience

Introduction

• What is Digital?

– Generates, stores, and processes data in terms of two states: positive and non-positive.

– A digital system uses discrete (discontinuous) values, usually but not always symbolized numerically (hence called "digital"), to represent information for input, processing, transmission and storage.

– Digital technology is primarily used with new physical communications media. Electronic transmission was previously limited to analog technology, which conveys data as electronic signals of varying frequency or amplitude that are added to carrier waves of a given frequency.

Introduction

• What is Digital?

– Digital Immigrants vs. Digital Natives

How they handle information: Digital Immigrants slowly and controlled, from limited channels; Digital Natives quickly, from multiple sources.

How they view information: Digital Immigrants text before pictures, sounds and video; Digital Natives pictures, sounds and video before text.

How they process information: Digital Immigrants sequentially, linearly and logically; Digital Natives by random access to hyperlinked multimedia information.

Introduction

• Why Digital?

[Figure: Digitalization and convergence of IT, services and networks. Voice, data, audio, video and text (가나다라 A B C D → 0101101001011···) carried over the Internet, wireless, broadcast and satellite networks (DMB, DMC); computer, telecommunication and appliance devices; information, education and entertainment contents; digital home media center, MP3, MPEG]

02 Digital Convergence

Digital Convergence

• Digital Convergence

[Figure: Convergence of IT service, computing, networking and information devices, built on broadband (high data processing power, real-time information processing), ubiquity (anytime, anyplace, any device, any platform; mobility, accessibility, seamless) and intelligence (artificial intelligence, context awareness service)]

Digital Convergence

• What is ICT?

– ICT, a driver of the socioeconomic “mega trend”, leads to fundamental changes in the national society system

– A key to responding to future uncertainties and crises

[Figure: ICT technology applied to employment, energy, environment, welfare, education and industry: design of the 4th space, real-time analysis and control, active information security, communication through senses (body media, interface detecting all 5 senses), nano robot, u-Life]

Digital Convergence

• The application of ICT in interactions between

– Government and Citizens

– Government and Businesses

– Government and Employees

– Government and Government

Publish → Interact → Transact → Integrate → Transform

– Publish: Information available online

– Interact: Two-way communication

– Transact: Transaction handled online

– Integrate: Process, system and organisational integration

– Transform: Entirely new services delivered cross-agency through a centralized enterprise portal

Digital Convergence

• Use of ICT in Governance

– Constraints and Recommendations

Constraints:

• Inadequate access to ICT

• Public awareness about ICTs

• Lack of integrated approach

• Lack of regulatory/legal framework

• Absence of processes and systems

Recommendations:

• Create one-stop government portal

• Prioritization of services

• Improve ICT access by citizens

• Emphasize Bangla interface for citizen services

• Need training and leadership from the government

• Awareness for the use of Open Source

• Payment gateway

Digital Convergence

• Requirements for E-Government

03 Information Security

Information Security

• Security

– Freedom from risk or danger; safety.

– Freedom from doubt, anxiety, or fear; confidence.

– Something that gives or assures safety, as:

• A group or department of private guards: Call building security if a visitor acts suspicious.

• Measures adopted by a government to prevent espionage, sabotage, or attack.

• Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.

• …etc.

Information Security

• Data & Network Security?

Information Security

• Security Trend

[Figure: Security trend from 1950 to 2000 and beyond. Role of information systems: national security and calculation use (exclusive systems), efficient work style and competitiveness (big host types, C/S types), e-commerce and economic infrastructure (PC, Internet), lifelines for society, economy and daily life (mobile & ubiquitous). Users: government; banking, transportation and energy sectors; large enterprises; small/medium enterprises; personal use. Direction of IT security: protection of military data, reliability of systems, availability for critical infrastructure, availability for IT systems in corporations, network security for e-commerce, security for e-government, safe/reliable society]

Information Security

• Information Security Scope

Information Security

• Security Paradigm

– Technical Control

• S/W security

• Access control, Information Security

• Technical Hacking

– Physical Control

• H/W security

• Physical Intrusion

– Managing Control

• Human security

• Leakage (effluence) of information

Information Security

• Technical Control

– Fundamental Defense

• IPS (Intrusion Prevention System)

• Secure Operating System

• Multilevel Security

– Data security

• Data Encryption

• DRM

• Watermarking

Information Security

• Physical Control

– Lock, DVR, guard

• Physical Security Systems

– Biometrics

– Bio Smartcard

Information Security

• Managing Security

Information Security

• Security for Network Communications

– Interception → Confidentiality: Is it private?

– Modification → Integrity: Has it been altered?

– Forgery → Authentication: Who am I dealing with?

– Claim ("Not SENT!") → Non-Repudiation: Who sent/received it?

– Denial of Service → Availability: I wish to access!!

– Unauthorised access → Access Control: Do you have the privilege?

Information Security

• DRM

Information Security

• Long Term Digital Signature

• To treat electronic documents the same as paper documents, the same specific retention period is required (for example 10 years).

04 PKI

PKI

• Security for Network Communications

[Figure: Threats across the sections of an online service. Subscriber section (user); communication network section (Internet, exclusive line, wired or wireless); web server section (firewall, IPS, web server); application server section (AP server); intranet/user section (internal staff, DB server holding customer information, organization). Threats shown: data interception, data bugging, data alteration, data processing error, malware execution, inadequate access control and authorization, inadequate authentication, inadequate security settings, inadequate patch management]

PKI

• On the Internet, Nobody knows you’re a dog

PKI

• PKI

– Breach of personal profile and credit card information at transaction

– Breach of personal profile in shared computer

– Cyber stealing

– Hacking on cyber securities & bank account / Stock price manipulation

– ID and password stealing

Need of Strong Security Protection With PKI technology

PKI

• PKI Solution

Information Security

• PKI Structure

– A system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction.

Threat → Security Service → Solution

– Data Leakage → Confidentiality → Encryption

– Data Forgery → Integrity → Digital Signature

– Unauthorized User → Authenticity → Digital Signature

– Repudiation → Non-repudiation → Digital Signature

[Figure: Public key cryptography infrastructure. The Root-CA sits above the Certificate Authority (CA), which performs certificate management (issue, revoke, renew), CRL management and operation management; the Registration Authority (RA) handles registration; subscribers are corporations, servers, S/MIME users and individuals]

Information Security

• PKI Functions

– When PKI techniques are applied in each business unit, the security functions (Authentication, Integrity, Confidentiality, Non-repudiation) are applied as follows

Problem → Matched security method → Protection Technology

– Difficult to verify user → Authentication of identity → Digital Signature Technology (User authentication)

– Easy to make forgery or modification on contents → Guarantee Integrity → Digital Signature Technology (Message authentication)

– Repudiate transactions → Non-repudiation → Digital Signature Technology (Message authentication)

– Breach information → Confidentiality → Encryption Technology (Message authentication)

PKI

• Government PKI & National PKI

[Figure: Two hierarchies with mutual recognition between the National Root CA (KISA) and the Government Root CA (GCMA). Under each root, accredited CAs perform certification issuance and management for subscribers (national PKI) and for e-Government service providers (government PKI)]

PKI

• PKI in e-Government Applications

[Figure: e-Government applications built on the Public Key Infrastructure (PKI Center)]

– Petition Service: Identify oneself online by certificates

– Taxation (National Tax Agency): Access with certificates

– Regional Administration (service for counties): Access with certificates

– Personal Management inside Government: All employees inside Government

– Digital Signature & Seal: Distribute certificates; develop and enhance systems adopting certificates

– E-Supply (G2B): Online bidding with certificate

– 4 Major Insurances data exchange (Labor, Medical care, Pension, Industrial disaster): Internet access with certificate

– National Financing Information System: Based on Internet banking, etc.

– Education Administration System: Teachers can access with cert.

– Electronic document system: Interoperable with other systems adopting certificates

– Enhance computerization: Sharing national resource information

PKI

• PKI Services

– Public Services

• Housing subscription deposit system, Education, Medical information, e-bidding ('06)

• Housing subscription, the year-end tax adjustment, NEIS, National Health Insurance, etc.

PKI

• PKI Services

– Mobile Banking

• Mobile banking service with certificate ('07~)

• Transferring a certificate from PC to mobile phone

• Generating electronic signature in mobile phone

PKI

• PKI in Korea

– Establishing a reliable u-Authentication System

– Extending the authentication means to Biometrics and OTP with PKI certificate

– Extending the authentication object to devices

– Developing new PKI business model

PKI

• General PKI Issues

– PKI technologies have matured

• However, there is a lack of killer applications

– Long term signature retention is necessary

• Stable standards are needed for signature verification capability over a long term period

– PKI supports high assurance security

• Many applications will reside on web services

– Trusted validation authority

• Outsource the validation service from the client
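The two-level hierarchy on the Government PKI & National PKI slide (root CA, accredited CA, subscriber) and the long-term verification concern raised on the Long Term Digital Signature slide and under General PKI Issues, as an added example that is not part of the presentation, using Go's standard crypto/x509 package. It builds two independent trust domains and checks how a subscriber certificate validates against each root and at different points in time. Assumptions: the CA names are illustrative, and mutual recognition is modelled simply as a verifier trusting both roots rather than by real cross-certification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for cn signed by parent (self-signed when parent is nil); example helper.
func issue(cn string, isCA bool, valid time.Duration, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(valid),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA { // a CA certificate must also be allowed to sign certificates and CRLs
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil { // no issuer given: this is a self-signed root CA
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Hierarchy is one trust domain from the slide: root CA, accredited CA, subscriber.
type Hierarchy struct{ Root, CA, Subscriber *x509.Certificate }

// NewHierarchy issues a 10-year root, a 5-year accredited CA and a 1-year subscriber certificate.
func NewHierarchy(rootCN, caCN, subCN string) Hierarchy {
	root, rootKey := issue(rootCN, true, 10*365*24*time.Hour, nil, nil)
	ca, caKey := issue(caCN, true, 5*365*24*time.Hour, root, rootKey)
	sub, _ := issue(subCN, false, 365*24*time.Hour, ca, caKey)
	return Hierarchy{root, ca, sub}
}

// ChainsTo reports whether the subscriber chains to one of the trusted roots when validated at time at.
func (h Hierarchy) ChainsTo(at time.Time, trusted ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range trusted {
		roots.AddCert(r)
	}
	inters.AddCert(h.CA) // the accredited CA is supplied as an untrusted intermediate
	_, err := h.Subscriber.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```

Validation at a time after the subscriber certificate has expired fails even though the signature bytes are unchanged, which is why a signature that must stay verifiable for ten years needs a trusted timestamp and archived validation data rather than a fresh path validation alone.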

05 Conclusion

Conclusion

• Integrated Computing

Thank You

“Do not squander time; for that’s the stuff life is made of.”

- Benjamin Franklin