Large and Complex Systems Security Issues and Perspectives

1
Large and Complex Systems Security Issues and
Perspectives
Huang, Ming-Yuh Boeing Phantom
Works ming-yuh.huang_at_boeing.com (425) 865-2490
2
Business Drivers

• New Definition - Business Model
• Complex system-of-systems
• e-Commerce tight business integration
• Regulatory requirements
• Increasing threats
• Total cost of ownership
• New Definition - Technology
• Distributed but integrated infrastructure
• Pervasive computing
• Remote access (xDSL), encryption (VPN, ExtraNet)
• Bandwidth Knowledge availability
• DEN, DEE

3
(No Transcript)
4
(No Transcript)
5
(No Transcript)
6
(No Transcript)
7
(No Transcript)
8
(No Transcript)
9
Example Command and Control
10
Dependable High-Performance Information Sharing
PKI
RBAC
Transformation Fusion Correlation
11
Coalition Warfare
12
Example Secure Zoning
PKI
13
Strong Authentication(Smart Card/Token X.509
Biometric Authentication)
Contact/Contactless Flexible Smart Card,
USB Token Devices
14
Strong Authentication Authorization
Trust Model, RBAC Policy-Based Data/Web Server
User Authentication
X.509
Computing Infrastructure PKI, LDAP, VPN RBAC
X.509
X.509
X.509
X.509
X.509
15
Policies (Axioms)

• Mechanical engineers who are US citizens have
  access to privileged information.
• Interns have no access to any information.
• Supervisors have access to secret information.
• Any one with access to secret information has
  access to both privileged and confidential
  information.
• Technicians have access to privileged information
  only if they have clearance.

16
Policy FormalizationComplexity/Correctness/Comple
teness

• ("x) ("y) (M(x) Ù C(x) Ù P(y) Þ A (x,y))
• ("x) ("y) (I(x) Ù (P(y) Ú ?(y) Ú S(y)) Þ ØA
  (x,y))
• ("x) ("y) (S(x) Ù S(y) Þ A (x,y))
• ("x) ("y) ("z) (S(y) Ù A (x,y) Þ (P(z) Ú ?(z)) Þ
  A (x,z))
• ("x) ("y) (T(x) Ù P(y) Ù A (x,y) Þ Cl(x)

17
System-of-Systems Enterprise
18
Example Message Backbone Data Dependency
Relation
Inbound R-Proxy
Outbound Proxy
A/V
Relay Hub
A/V
PSS
A/V
19
Service Provisioning Relation
Inbound R-Proxy
Outbound Proxy
DNS
DNS
DNS
A/V
Relay Hub
A/V
PSS
A/V
20
Application Hosting Relation
Inbound R-Proxy
Outbound Proxy
DNS
DNS
DNS
A/V
Relay Hub
A/V
PSS
A/V
21
Connectivity Relation
Inbound R-Proxy
Outbound Proxy
DNS
DNS
DNS
A/V
Relay Hub
A/V
PSS
A/V
22
Multi-level Element Relations
Business Process
Service
Application
Resource
23
Issues / Opportunities

• Strong Authentication/Authorization framework
  (human, hw, sw)
• Distributed Bio/Crypto with RBAC
• Policy formalization management
• Comsec layer intelligent routing QoS
• System component dependency modeling, pro-active
  monitoring, and intelligent inference
• Adaptive ID/fault detection

24
Perspectives

• Example IBM-Zurich/Boeing/AFWIC,
  IBM-Haifa/Boeing, Hitachi/Boeing
• Professional relationship
• Mutual benefits
• Business
• Technology
• Support framework
• Business
• RD funding
• Opportunities