Today, IT security is something that you and I don’t really understand – in spite of the fact that the levels of virus and hacker attacks have never been greater. Anti-virus software and firewalls are the traditional means of protection. However, these methods fall short when data systems are more complex and distributed across many servers.
Even software developers aren't experts in this field. In an industry experiencing tough competition and rapid change, security doesn’t always get high priority. Data systems are often made secure only in the aftermath of an attack by installing add-ons to existing software.
This is both expensive and inefficient.
As a result, the EU has launched several major projects addressing the issue of secure ICT infrastructure. Norwegian researchers from SINTEF ICT are taking part in five of these projects.
Adapting in the face of attacks
”Our objective is to devise more robust and operationally-secure IT services – whether you are booking concert tickets or submitting your tax returns”, says SINTEF researcher Per Håkon Meland.
”We want to enable services to adapt in the face of attacks”, he says. “Users won’t have to close a program and start up again when they get a message saying that ‘the service is unavailable at the moment’”, says Meland.
”The software will be monitored as it runs, and it will be possible to replace any weak components – preferably before an attack starts”, he says.
Researchers compare the principle with a car which has to get from A to B. A tyre bursts on the way, but we don’t want to stop. We want to change the tyre while the car is still going.
Who can we trust?
What is it about an IT service that earns, or undermines, the trust of the end user? How can users put their trust in software (such as an app) offered by company A, B or C?
Traditionally, a product’s security has been verified using a stamp and certification. This is an expensive and resource-demanding method. Product developers can also increase security levels by involving the end user. However, frequent questions about approvals and updates can irritate users.
”Many of us just click on ‘yes’ every time a question appears on the screen without giving any thought to its content”, says Meland.
ICT researchers are also studying how the reputation of, or rumours linked to, the security of a given data service can be assessed based on its past record and current trends. For example, it is possible to find out how many security gaps have been discovered, what negative impact the attacks have had, and how long it took carry out repairs.
Many are already familiar with similar online reputational mechanisms such as eBay and Google PageRank, where users participate both by influencing reputations, and by being influenced by reputation assessments made by others. Anyone selling anything gets a reputation, and we usually choose our product from the company with the best reputation.
The researchers’ idea is that an approach such as online reputation can also be used to market effective IT security. ”In the projects we are working with we will be able to offer tests of software components online”, says Meland.
Per Håkon Meland extends his analogy of the car – which is made up of many components from a variety of different suppliers.
”When a bumper is damaged, we replace it”, he says. ”A data service is put together in the same way – a composite of sub-services delivered by a number of different suppliers. The aim here too is to be able to replace a weaker component as quickly and inexpensively as possible.
But here we face an additional challenge”, explains Meland. “In contrast to cars, data systems are in a constant state of change, and new means of attack are always cropping up”, he says.
From the bottom up
The IT researchers want secure components to be designed from the bottom up, and for them to remain secure even if their operational environment and users change over time.
”We are turning the traditional development sequence on its head”, says Meland. ”We are working with security from the very start – using new design methods, and effective tools and development approaches.
For example, a data system must be assembled in such a way that it is possible to replace a weak component quickly and inexpensively", says Meland. ”The new systems with be able to notify the user when a security breach is discovered in a component by means of an alarm service built into the component itself”, he says.
Researchers at SINTEF are in no doubt that this current boost in the field of IT security will lead to results.
”Our aim is to be one step ahead of the hackers”, says Meland. ”We will succeed by making sure that we design effective tools which generate benefits both for the end user and those who rely on selling complex data services for a living”, he says.
BY ÅSE DRAGLAND
IT security is a hot issue getting high priority within the EU. SINTEF ICT has been working with this problem for many years and is currently participating in five active projects as part of the EU’s 7th Framework Program.
Aniketos (2010-2014). Budget EUR 14 million. SINTEF is heading the project and is currently defining its technical focus and designing pilot services.
The other projects are called Nessos, Secure Change, A4Cloud and Optet. (http://www.aniketos.eu/; http://www.nessos-project.eu/; http://www.securechange.eu/)