ISSEC 2013 Book of Abstracts (Sept. 2013) | Page 7

Tuesday 17 September, 2013 11:40 – 12:20
Beyond Access Control – How data usage control can effectively protect business Assets Michael Eisenbarth Department Head, Information Systems Quality Assurance Fraunhofer IESE In modern IT applications and services, large amounts of business-critical and personalized data are processed and exchanged continuously. This may even happen unintentionally or unnoticed. It is therefore of crucial importance to both companies and individual users to be able to control the usage (including the dissemination) of sensitive or secret data in order to prevent any misuse right from the start. The lack of suitable security measures in this area can lead to identity theft, disclosure of secret official documents, or loss of reputation due to the violation of customer privacy. Data usage control, an extension of classic access control, offers an effective and flexible approach for this situation. It allows specifying and enforcing usage policies for regulating the usage of data after initial access was granted, controlling the dissemination and usage of your data. Data usage control extends established access control and digital right management solutions and can offer an added value in the area of data security, thus addressing many of the daily data privacy and business challenges of organizations. This includes the establishment of security policies of any degree of granularity that also cover time-related and frequency-based aspects. Granularity can range from strict separation of domains to protective mechanisms regulating the usage of concrete data. This allows guaranteeing comprehensive protection of data; at the same time, more rigorous security measures can be established for selected secret data. In this context, our research specifically focuses at the following attack models: ? Unintentional passing or usage of sensitive data. ? Conscious misuse in the sense of data sharing or usage by attackers without administrator rights. Current applied research and implementations in the area of data usage control have successfully illustrated the security gained by employing data usage control in an organization: ? When mobile devices are integrated into everyday business, it should be possible to use them for both business and private use, but personal and business data should not be mixed or disseminated inadvertently. ? Connecting various services in a company context is standard practice in business contexts today. Data usage control ensures that data do not inadvertently cross system boundaries let alone company borders. ? A continuing trend in the interconnection of services is cloud computing. In cloud environments, data usage control also offers a proven way to maintain control over the dissemination and usage of your data. ? Novel types of business models lead to increased interconnections between businesses and services. Data usage control offers efficient protective mechanisms for maintaining cross-company control over secret data in such a heterogeneous and confusing landscape. This talk will introduce the Fraunhofer IESE IND²UCE (Integrated Distributed Data Usage Control Enforcement) framework to the audience. The presentation will include a short introduction to all components that are necessary to assure comprehensive data usage control in organizations and summarize the current state of the art in this research area. The framework is based on common standards such as XACML, and its component-based structure allows achieving custom-tailored security for any usage area. Depending on the

7
©ISSEC2013