Trustworthy system operations
Being able to trust that systems are operating correctly is of utmost importance for system operations. How systems are deemed trustworthy or not is a multifaceted and complex topic, with factors such as security, privacy, reliability, transparency, and assurance, to name a few. There is a growing awareness of the important role security plays in network services. Recent public revelations show that there are plenty of advanced threats to computer systems, all of which risk reducing the use of network services through the erosion of trust. For an operator of network services, measures to increase security, and ultimately to build trust, can be divided into two parts: preventive and detective measures. Examples of preventive measures are firewalls, Intrusion Prevention Systems (IPSs), and proactively performed security assessments. Examples of detective measures are Intrusion Detection Systems (IDSs), Security Event Management and Security Information and Event Management systems (SEM/SIEM), and reactive security assessments, such as forensic analysis.
What often ties preventive and detective technical measures together is event logging. While, for example, firewalls and IPSs prevent attacks by blocking unwanted network traffic, they also provide a means of detection simply by the fact that they have blocked traffic matching a potential attack according to their configuration. Detective technical measures, upon detection, generate events to be analysed and potentially acted upon. An administrator configures technical security measures to prevent unwanted actions and detect unwanted events. Over time, these measures generate events that are transferred, stored, and later analysed using, for example, a SIEM.
We wish to address four problems: configuration of technical security measures, collection and transfer of event data, storage of events, and transparency towards third parties. Third parties that have an interest in transparency of data processing may include for instance regulators, auditors, service providers that have outsourced confidential or personal data to the cloud, or individuals whose personal data are processed (who have transparency rights according to privacy laws).
The configuration of technical security measures can be both complex and error prone. Overly large rule sets can have a negative impact on performance, and misconfiguration, for instance a rule that is never reached because an earlier and broader rule matches first, can pose a security threat in and of itself. We aim to address these issues by advancing KAU's state-of-the-art work in the area of usable access control rule sets, to make the configuration of different kinds of technical measures, such as firewalls or IDSs, easier and more efficient for administrators.
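As an added illustration of why rule-set configuration is error prone (example code written for this page, not KAU's tooling; the rule syntax and the sample rule set are constructed for the example): under first-match semantics, a rule that is fully covered by an earlier rule can never fire. When the two rules carry different actions, the administrator believes a deny is enforced while the earlier, broader allow swallows the traffic first; when the actions are the same, the later rule is dead weight that only slows lookups.

```python
"""Shadowed-rule check for a first-match access control rule set.

Added example (not KAU's tooling): under first-match semantics a rule that is
fully covered by an earlier rule can never fire. Such rules bloat the rule set,
hurting lookup performance, and when the actions differ they are a security
misconfiguration: the administrator believes a DENY is enforced while an earlier,
broader ALLOW swallows the traffic first. The rule syntax below is hypothetical.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport_lo: int
    dport_hi: int

    def covers(self, other: "Rule") -> bool:
        """True when every packet matched by `other` is also matched by self."""
        proto_ok = self.proto == "any" or self.proto == other.proto
        return (proto_ok
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.dport_lo <= other.dport_lo
                and other.dport_hi <= self.dport_hi)


def parse_rule(line: str) -> Rule:
    """Parse the hypothetical form 'allow tcp 10.0.0.0/8 -> 192.0.2.0/24 ports 80-443'."""
    action, proto, src, arrow, dst, keyword, port_range = line.split()
    if arrow != "->" or keyword != "ports":
        raise ValueError(f"malformed rule: {line!r}")
    lo, _, hi = port_range.partition("-")
    return Rule(action, proto, IPv4Network(src), IPv4Network(dst), int(lo), int(hi or lo))


def find_shadowed(rules):
    """Report every rule fully covered by some earlier rule (first-match order).

    Returns (shadowed_index, shadowing_index, kind): "conflict" when the actions
    differ (the dangerous case), "redundant" when they are the same.
    """
    findings = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if rules[j].covers(rule):
                kind = "redundant" if rules[j].action == rule.action else "conflict"
                findings.append((i, j, kind))
                break
    return findings


# Constructed sample rule set: rule 1 is shadowed by rule 0 (a conflict: the SSH
# deny is never enforced), rule 3 is an exact duplicate of rule 2.
RULES = [parse_rule(line) for line in """
allow any 10.0.0.0/8 -> 192.0.2.0/24 ports 1-65535
deny tcp 10.1.0.0/16 -> 192.0.2.10/32 ports 22
allow tcp 0.0.0.0/0 -> 192.0.2.0/24 ports 443
allow tcp 0.0.0.0/0 -> 192.0.2.0/24 ports 443
""".splitlines() if line.strip()]

if __name__ == "__main__":
    for i, j, kind in find_shadowed(RULES):
        print(f"rule {i} is {kind}: fully covered by rule {j}")
```

The check is deliberately pairwise: a rule can also be shadowed by the union of several earlier rules (two /25 allows together covering a /24 deny), which this code does not catch. A complete analysis needs set or interval arithmetic over all five match fields, which is exactly why hand-maintained rule sets drift into the state described above.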
The collection of events is critical for intrusion detection, forensic analysis, and system recovery, but also for network management. For effective incident investigations and network monitoring, adequate event data from appropriate sources are needed. However, too much generated event data may consume large amounts of system resources, including network bandwidth, disk space, memory, and processing capacity, and thus adversely affect a system's performance. Collection, modelling, and transfer of event data will be addressed in order to advance the work in.
How events are stored is closely related to how, and whether, stored events can be used to increase transparency towards third parties. KAU plans to advance its state-of-the-art research work in this setting to provide cryptographic protection of events in storage while enabling specific events to be shared with third parties, resulting in increased transparency, which ultimately increases trust.
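One established way to obtain both properties, protected storage and disclosure of individual events, is given here as an added example and is not KAU's scheme: a forward-secure, hash-chained audit log in the style of Schneier and Kelsey. Each event is encrypted under its own key derived from an authentication key that is hashed forward and erased after every append, so a host compromised later cannot read or silently rewrite earlier events; an auditor holding the initial key can verify the entire chain and can release a single event's key to a third party. The event lines are constructed, and the HMAC-SHA256 counter-mode keystream stands in for a real authenticated cipher so that the code runs on the standard library alone.

```python
"""Forward-secure, tamper-evident event store with per-event disclosure.

Added example, not KAU's scheme: a secure audit log in the style of Schneier
and Kelsey. Each event is encrypted under a key derived from an authentication
key A_j that is hashed forward and erased after every append, so a later host
compromise cannot decrypt or silently rewrite earlier events. A hash chain over
the ciphertexts plus a per-entry MAC lets an auditor holding A_0 verify the
whole log, and a single event can be shared with a third party by releasing
only that event's key. The HMAC-SHA256 counter-mode keystream keeps the example
inside the standard library; a production system would use AES-GCM or similar.
"""
import hashlib
import hmac
import os

ZERO = b"\x00" * 32   # Y_0, the chain's starting value


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) with an HMAC-derived keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


class SecureLog:
    """Logger side: holds only the current A_j, never the past keys."""

    def __init__(self, initial_auth_key: bytes):
        self._auth = initial_auth_key
        self._chain = ZERO
        self.entries = []   # list of (ciphertext, chain_hash Y_j, tag Z_j)

    def append(self, event: bytes) -> None:
        event_key = _h(b"enc", self._auth)            # K_j, dropped after use
        ct = _keystream_xor(event_key, event)
        self._chain = _h(self._chain, ct)             # Y_j = H(Y_{j-1} || C_j)
        tag = hmac.new(self._auth, self._chain, hashlib.sha256).digest()
        self.entries.append((ct, self._chain, tag))
        self._auth = _h(b"inc", self._auth)           # A_{j+1}; A_j is gone


def derive_event_key(initial_auth_key: bytes, index: int) -> bytes:
    """Auditor side: re-derive K_index from A_0; the logger itself cannot."""
    auth = initial_auth_key
    for _ in range(index):
        auth = _h(b"inc", auth)
    return _h(b"enc", auth)


def verify_log(initial_auth_key: bytes, entries) -> bool:
    """Auditor side: recompute chain and MACs; any edit or reordering fails."""
    auth, chain = initial_auth_key, ZERO
    for ct, stored_chain, tag in entries:
        chain = _h(chain, ct)
        expected = hmac.new(auth, chain, hashlib.sha256).digest()
        if chain != stored_chain or not hmac.compare_digest(expected, tag):
            return False
        auth = _h(b"inc", auth)
    return True


def disclose(initial_auth_key: bytes, entries, index: int):
    """Auditor side: package one event for a third party without the other keys."""
    prev_chain = entries[index - 1][1] if index > 0 else ZERO
    return (derive_event_key(initial_auth_key, index),
            entries[index][0], prev_chain, entries[index][1])


def open_disclosed(package) -> bytes:
    """Third-party side: confirm the ciphertext sits at the published chain position, then decrypt."""
    key, ct, prev_chain, chain = package
    if _h(prev_chain, ct) != chain:
        raise ValueError("ciphertext does not match the published chain position")
    return _keystream_xor(key, ct)


# Constructed sample events, not from any real system.
EVENTS = [
    b"2024-05-01T10:00:01Z fw deny tcp 198.51.100.7:51514 -> 192.0.2.10:22",
    b"2024-05-01T10:00:05Z ids alert signature=ssh-bruteforce src=198.51.100.7",
    b"2024-05-01T10:01:00Z app login user=alice result=ok",
]

if __name__ == "__main__":
    a0 = os.urandom(32)                 # shared out of band with the auditor
    log = SecureLog(a0)
    for event in EVENTS:
        log.append(event)
    print("log verifies:", verify_log(a0, log.entries))
    print("disclosed event 1:", open_disclosed(disclose(a0, log.entries, 1)).decode())
```

The chain values Y_j reveal nothing about the plaintexts, so they can be published, and the third party checks that the disclosed ciphertext really occupies the claimed position before trusting its contents; the third party must still obtain those chain values from a source it trusts, such as an auditor-signed digest. Two caveats a practitioner would want stated: the chain alone does not detect truncation (deleting the newest entries leaves a log that still verifies), so the auditor has to know the expected length or require a signed closing entry, and forward security only covers events appended before the compromise, not those written afterwards by an attacker who now holds the current key.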