Digital Marketplaces Unleashed
The PEI Service maintains a comprehensive database of available IT security products. This enables customers to easily identify up‐to‐date products for protecting their systems and services against security threats.
2. The PEI Testbed
The PEI team hosts various servers for simulating a corporate network infrastructure. The PEI testbed enables system administrators to quickly provide the setup for testing several security products in real world scenarios.
3. The PEI Production Line
This is the core of the PEI service: The PEI production line defines several modules for analyzing and testing security products with respect to various objectives. Most of the tests are performed after the product has been successfully integrated into the PEI testbed. For example, scalability of the product is tested; to this end, load tests are being performed in order to analyze whether the product is applicable in mid‐ to large‐scale environments.
In the following, these components are discussed more in depth.
79.3.2 The PEI Landscape of Security Products
The PEI service aims to provide a comprehensive and up‐to‐date database of security products. Products are classified and categorized according to their intended purpose. Companies and users can benefit from this database by easily accessing information about how they can protect their networks against recent security threats. The PEI landscape provides the tools for monitoring the market of security solutions and guides the user to novel and/or alternative products for specific purposes. For example, a company or user observing recent attack attempts can refer to the landscape to quickly identify suitable products for protecting against these threats.
For this purpose, the PEI team first developed and proposed a unique taxonomy that allows security products to be clearly classified into various categories. Subsequently, the categories are merged with the possible threats which they will prevent.
This taxonomy is based on technical guidelines presented by the BSI⁶ (the German Federal Office for Information Security) and others.
79.3.3 The PEI Testbed
The PEI testbed is a cloud‐based network infrastructure (private cloud) that enables testers to quickly install security products. The testbed simulates a company network with all the services that are commonly installed in those environments (e. g. several client systems, e‐mail services, databases, etc.). Testers can quickly integrate new products and perform several tests, e. g. functional testing, load testing, and penetration testing. Also, the compatibility of the product with other components of the testbed can be analyzed.
79.3.4 The PEI Production Line
In general, multiple IT security products can be investigated and analyzed simultaneously. For this to work, each product is placed on a virtual “production line” and runs through various “production steps”. As, in general, multiple products need to be investigated, several production lines are installed and run in parallel.
This is depicted in Fig. 79.1: Here, a production line is shown (denoted as “Production Line 1”). This production line provides several modules (e. g. the virtual “production steps”). Each module requires some input (e. g., information, results from another module, technical prerequisites etc.) and provides some technical or non‐technical output (e. g. analysis results, documentation, measurement results, etc.). Each module of a production line can be initiated as soon as the required input is available. This enables the PEI team to not only parallelize progress by working simultaneously on multiple, independent production lines; beyond this, work distribution is optimized by enabling the team to work efficiently on several modules that are part of the same production line.
Fig. 79.1 Product Evaluation and Integration – Production Line
In the following, the particular modules of a production line are discussed, including their respective dependencies/requirements and the provided outcome. It is worth noting that, although most production lines of the PEI service look very similar to the production line depicted here, some product‐related adaptations and extensions might be beneficial to the analysis of some products.
In general, the modules of a production line are as follows:
1. Evaluation of trustworthiness
To this end, the credibility of the product's origin (i. e. the vendor of the product or the organization behind the product) is evaluated and rated based on internal criteria. Furthermore, the trustworthiness of the product itself is evaluated. This is done by deeply analyzing the background of the product and screening security databases for known open issues and previous vulnerabilities. Also, the responsiveness of the vendor is considered an important factor; it is measured how fast and how extensively the vendor reacted in order to cope with open issues in the past.
2. Feature Analysis
In this step, relevant product features are identified and selected. In particular, vendor‐provided information is considered as an input for this module.
3. Classification and Integration into Product Landscape
The previously selected features are weighted based on their importance and the product is integrated into the product landscape. Therefore, the product features are classified with respect to various categories of the landscape.
4. Specification of Test Cases
In this step, (technical) test cases are being defined as a pre‐requirement for further, technical analysis of the product. Despite the fact that this module discusses rather technical details of the PEI evaluation service, this does indeed involve some important management decisions: This module defines both the breadth and depth of all subsequent tests that will be performed for the respective product.
As part of this module, prerequisites are identified that are needed in order to perform further testing, including, but not limited to, the following:
Which features of the product should be tested, to what depth, and how?
How should load testing be performed? Which parts of the products should be analyzed with respect to various load settings?
What should be the focus of the penetration testing to be performed?
5. Setup and Integration into the testbed
In this step, the product to be tested is integrated into the PEI testbed installation. The product is linked to several other services of the testbed; e. g., when installing an antivirus product, e‐mail servers are configured in such a way that all incoming/outgoing e‐mails are inspected before delivery.
The output of this module is twofold: first, it provides the installation of the product itself, which is a prerequisite for the load testing and penetration testing steps. Second, expert knowledge is derived from the installation process itself. Any difficulties that come with the integration of the product itself are documented, and all the odds and ends that need to be considered by the system administrator are mentioned.
6. Load Testing
This is a highly technical module: here, the product is tested with respect to different load settings, i. e., various load patterns are simulated inside the testbed installation and the performance of the product is examined. During these tests, CPU and memory usage are constantly being monitored in order to derive evidence whether the product is able to cope with various load settings.
7. Penetration Testing
This module analyzes certain security aspects of the product. Here, several penetration testing steps are being performed. Depending on the characteristics of the product, various standards are being considered by the PEI team (as an example, the recommendations of the OWASP Application Security Verification Standard are built into several test cases).
8. Evaluation Report
This is the overall outcome of all test modules of a production line. All findings and insights made during the testing period are collected, scored, and documented.
In the foregoing section the three key components of the PEI Service were presented. It focused on the details of the PEI Landscape product taxonomy, the technical aspects of the PEI testbed and the different steps of the PEI product evaluation.
79.4 Conclusion, Portability, and Outlook
Indeed, cyber sovereignty is something desired by CISOs, SOC Managers and CIOs alike. The advisory board of DCSO has selected the PEI service to be among the top three services to be developed primarily.
The presented PEI service shows a way to profit from the idea of sovereignty in the cyber world without the limitations of national boundaries. To achieve sovereignty by knowledge, the national concept is abandoned in favor of a closed community group of users building a service that leverages the power of modern testing facilities with the combined knowledge and references of major business players and their expert teams.
The PEI service is available not only to DAX/MDAX companies or members of the DCSO advisory board but is made available in general to industrial users. To best share the efforts in costs for this service, the service is offered as a subscription.
The presented concept of community building for problems too big for a single player can be transferred to other areas as well. It is important to respect the needed prerequisites as stated in Sect. 79.1 and to facilitate the usability by a service company. If needed, this service company must be designed and founded just for that purpose. It is imperative to keep this company/service provider neutral and objective as far as vendors and security providers are concerned.
Coming back to the problem of finding suitable and effective security products and services, the PEI service does not only have the position of a testing service. In contrast to, e. g., state owned testing services the PEI service has the obligation to steer providers and give feedback to producers. Problems found in a product or service must be eradicated. Missing components must be named and roughly defined in order to give providers a chance to build better products and services to ensure the ongoing security of its customers, i. e. the community.
In addition to that the PEI service will play the role of a facilitator and promoter of new ideas and technology companies. It lies in the interest of the community to give new players a chance and foster start‐up companies to develop new ideas against attacks and vulnerabilities. Only through the constant evolution of security products and services can the race against attackers be followed.
Acknowledgements
The authors like to thank Dr. Ralf Schneider (CIO of Allianz) and Rainer Göttmann (CEO of metafinanz) for giving us the opportunity of working in this great project. Furthermore, we like to thank Mrs. Nina Schläger for the tedious proof‐reading work of our article.
Further Reading
1. Open Web Application Security Project: Application Security Verification Standard 3.0, h. O. (no date).
Footnotes
1. Spot check of 4 major DAX companies in 2015 (financial, health care, automotive, and chemical industries).
2. See e. g. “IT Security made in Germany” initiative from 2012.
3. DCSO – www.dcso.de – established by Allianz SE, BASF SE, Bayer AG and Volkswagen AG in November 2015.
4. CSSA: founded in November 2014 by seven major German companies as an alliance for jointly facing cyber security challenges in a proactive, fast and effective manner as an association (Cyber Security Sharing and Analytics e. V.) in Berlin.
5. ESMT Berlin was founded in 2015 by leading global companies and institutions to support society on its secure way in the digital era.
6. As a basis for the taxonomy various technical guidelines of the BSI such as BSI TR‐03108 or BSI TR‐03103 were used.
© Springer-Verlag GmbH Germany 2018
Claudia Linnhoff-Popien, Ralf Schneider and Michael Zaddach (eds.), Digital Marketplaces Unleashed, https://doi.org/10.1007/978-3-662-49275-8_80
80. Smart Authentication, Identification and Digital Signatures as Foundation for the Next Generation of Eco Systems
Markus Hertlein (1), Pascal Manaras (1) and Norbert Pohlmann (2)
(1) XignSys GmbH, Gelsenkirchen, Germany
(2) Institute for Internet-Security, Gelsenkirchen, Germany
Markus Hertlein (Corresponding author)
Email: hertlein@xignsys.com
Pascal Manaras
Email: manaras@xignsys.com
Norbert Pohlmann
Email: pohlmann@internet-sicherheit.de
80.1 Introduction
Twenty years ago, only a few people would have thought that the rise of the Internet would affect our lifestyles in such a fundamental way as is the case today. The handling of transactions, the opening of a bank account and even shopping are only the beginning of internet‐based applications. Taken as a whole, the services provided are becoming increasingly sensitive with regard to their users’ data, which is part of the users’ digital identities and thus needs to be stored in a secure manner. Access to and use of a digital identity need to be restricted to the user it represents. To check whether a user is who he claims to be and whether he is allowed to use a certain digital identity, different service providers use different forms of user authentication. On the one hand, this authentication chaos leads to many different trust levels of the provided digital identities. On the other hand, the user has to manage all these different authentication forms (see Fig. 80.1). The effect is that the usability and the security of the system are limited.
Fig. 80.1 Overview of the different authentication forms
80.1.1 Trust Is Everything
Passwords & The Hack of TV Monde
The most prevalent form of authentication is the combination of a username and a corresponding password. This form is considered insecure and long‐winded [2]. To counteract these problems, XignSys developed a concept for a modern authentication and digital signature system called XignQR that doesn’t rely on passwords, but on strong cryptography. Relying on a challenge‐response mechanism and backed by a PKI [3], XignQR eliminates the need for passwords completely. As passwords are the most prevalent form of authentication today, they have to be very secure to prevent fraud or identity theft. Secure passwords have certain properties, such as a minimal length or special characters that must be contained, that add to the complexity of using passwords. As a result, the password will be written down or stored in an insecure manner by most users.
The consequences of handling passwords that way were demonstrated by the hack of TV Monde, a French TV broadcaster. The passwords needed for authentication were written down on a piece of paper that was visible during a live news broadcast and were subsequently exploited by hackers.
Validity of Data
Since more and more commercial Internet services emerge, a service provider needs to have confidence in the data that is provided by its users. Therefore he must ensure that the data provided is valid, to prevent identity fraud and to protect its business. In this context XignQR offers two very trustworthy identification mechanisms that rely on the new German identity card. Besides being able to electronically read the information stored on the id card, XignQR supports a new mechanism called VideoIdent, with which the user is identified via a video chat application while presenting the id card and certain built in security features.
Several service providers depend on the personal data of users in order to deliver their services accordingly. Besides that, most users are registered with more than one of them (e. g. EBay and Amazon). That means, that their data is spread over all services they registered with. With XignQR the spread of personal user data can be reduced.
The whole system is designed to store and deliver information of different kinds in many different formats. Relying on standard technologies and protocols, the system can be integrated into a variety of services. Using the XignQR system the user has total control over the flow of his personal data, as he can also prevent the transmission of his data to the service provider.
80.1.2 Achieving Trust in the User’s Identity
Besides user identification, authentication is a main task for using a digital identity. The XignQR system uses the user’s personalized smartphone as a personal authentication device (PAD) and a QR Code for the identification of a service provider (e. g. Website, Terminal, Shop System, …). The authentication process can be described as:
1. Scan QR Code
2. Check the required and optional attributes
3. Confirm the process.
Due to the use of the QR Code, the XignQR System can be used everywhere a QR Code can be displayed or printed. Using a smartphone as the PAD results in two main benefits: On the one hand, a personal digital identity could be used in a variety of use cases, from the login at webpages at home or at work to the authentication at terminals in urban areas. On the other hand, it is possible to provide a very secure solution that is still easy to use.
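The scan, check and confirm flow described above can be pictured as a signed challenge-response. The following sketch is an added example, not XignQR's code or protocol: the QR payload format, the function names, the 60-second challenge lifetime and the Ed25519 demo keys are all assumptions made for illustration.

```javascript
// Added illustration of a signed challenge-response; not XignQR's protocol.
const nodeCrypto = require('crypto');

const CHALLENGE_TTL_MS = 60_000;   // assumed challenge lifetime
const pending = new Map();         // nonce -> { spId, expires }

// Service provider: create the challenge that is rendered as a QR code.
function issueChallenge(spId, now = Date.now()) {
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  pending.set(nonce, { spId, expires: now + CHALLENGE_TTL_MS });
  return JSON.stringify({ spId, nonce });   // constructed QR payload format
}

// The signed bytes bind the response to one service provider and one nonce.
function signedBytes(spId, nonce) {
  return Buffer.from(`auth-v1|${spId}|${nonce}`, 'utf8');
}

// Smartphone (PAD): scan, let the user check and confirm, then sign.
function respond(qrPayload, privateKey, userConfirms) {
  const { spId, nonce } = JSON.parse(qrPayload);
  if (!userConfirms(spId)) return null;     // user declined: nothing is signed
  const sig = nodeCrypto.sign(null, signedBytes(spId, nonce), privateKey);
  return { nonce, signature: sig.toString('base64') };
}

// Service provider: verify with the public key registered for the user.
function verifyResponse(spId, response, publicKey, now = Date.now()) {
  const entry = pending.get(response.nonce);
  if (!entry) return 'unknown-or-replayed';
  pending.delete(response.nonce);           // single use, even on failure
  if (entry.spId !== spId) return 'wrong-service';
  if (now > entry.expires) return 'expired';
  const ok = nodeCrypto.verify(null, signedBytes(spId, response.nonce),
    publicKey, Buffer.from(response.signature, 'base64'));
  return ok ? 'ok' : 'bad-signature';
}

// Constructed demo keys; with a PKI the public key comes from a certificate.
function demoKeys() {
  return nodeCrypto.generateKeyPairSync('ed25519');
}
```

No secret shared with the service provider is ever typed or transmitted; a captured response cannot be reused because each nonce is accepted once and only within its lifetime.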