Information Security

Coverage of Security Issues
Pascal Jacques
ESTAT B0 Local Informatics Security Officer
Eurostat
The Context
Regulation (EC) No 223/2009 of the European Parliament and of the Council
• (preamble) The confidential information which the national and Community statistical authorities collect for the production of European statistics should be protected, in order to gain and maintain the confidence of the parties responsible for providing that information. The confidentiality of data should satisfy the same principles in all the Member States.
• (preamble) For that purpose, it is necessary to establish common principles and guidelines ensuring the confidentiality of data used for the production of European statistics and the access to those confidential data with due account for technical developments and the requirements of users in a democratic society.
• The NSIs and other national authorities and the Commission (Eurostat) shall take all necessary measures to ensure the harmonisation of principles and guidelines as regards the physical and logical protection of confidential data.

Commission Decision of 17 September 2012 on Eurostat (2012/504/EU)
• The Director-General of Eurostat shall, in addition, take all necessary measures to protect data whose disclosure would cause prejudice to Union interests, or to the interests of the Member State to which they relate.
Challenges
• 4 strategic directions of implementation of the vision

Network
• Secure connection of large databases (secured data warehouse architecture)
• Transfer/access of confidential information between ESS partners
• Secure data formats and protocols
• Networks integration

Information Stores
• More and more exchange of microdata sets for data linking
• Combination of confidential/non-confidential/administrative datasets. Security/confidentiality of the output?

Modular Production
• Towards more exchange of SW. Ensure shared SW is secure (certification?)

Optimal Collaboration
• Secured access to datasets/rules for validation
• Procedures for collaboration/accesses/sharing/user management
• AAA protocol: Authentication/Authorisation/Auditing. Traceability/Privacy/Monitoring/Reporting

Need to increase IT security in order to build trust between ESS partners
The Threats
• 2012 Data Breach Investigations Report (DBIR): 855 incidents, 174 million compromised records in 2011.
• Security incidents are capable of rendering critical government functions unavailable for several days (e.g. the cyber-attacks against Estonia in 2007), which severely affected not only the provisioning of online services such as e-government and e-banking within the country, but also prevented citizens from accessing online services across borders.
• Businesses and other organisations can be seriously affected if the networks and information systems underpinning their industrial processes are compromised. In 2009, 16 % of enterprises in the EU-27 had experienced some kind of NIS (Network and Information Security) incident (http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=isoc_cisce_ic&lang=en).
[Timeline figure, 2007-2012: Estonia; Monster.com; Lithuania; Georgia; cable cuts in the Mediterranean; Google; Stuxnet (origin 2007); Verisign; EU Emission Trading System (EU ETS), €30M / $175M; French Government; EC and EEAS; Sony; DigiNotar; Flamer]
• 10% probability of a major CII breakdown in the next 10 years, with a potential global economic cost of over $250B (Source: WEF)
• Global cybercrime: $388B/year
12-13 Jun 2012
The Request
• Creation of a new working group "ESS Security and Secure exchange of data" (E4SWG)
• Further discuss its mandate
• Agree on and comment on/contribute to the list of proposed actions
Role of the Working Group
• Get to know each other and our specificities better
• Exchange information and best practices on:
  • Security measures used in MS for data protection, running the data centre, access to microdata for research purposes
  • Projects/programmes linked to information security
  • IT architecture in MS, to better understand the MS's capacity to join a future shared secured data warehouse
• Agree on common rules, procedures, guidelines and standards for secure communication (e.g. emails) and data storage, exchange and transfer
• Agree on the security level of shared applications, shared services and shared processes
Related projects
• ESSnet projects
  • data warehouse
  • decentralised access
  • EGR
• ESS-VIP projects
  • SICON
  • Data Validation
  • CENSUS Hub
  • SIMSTAT
  • Data Warehouse
• VIP projects
  • NAPS
  • Data Warehouse
  • SIMSTAT
  • EBR
  • ICT
• FP7 projects
  • Data Without Boundaries
  • DASISH, ENGAGE, EUDAT
Proposed Actions
• Ask the opinion of the ITDG on the creation of the WG
• Organise an "Enterprise Architecture Security Workshop" on 13-14/12/2012 to discuss the mandate further
• Discuss the possibility and opportunity of using existing and under-development infrastructure for the exchange of secure messages, such as CCN/CCN 2 or sTesta/sTesta II
• Visits to some NSIs to understand their infrastructure
• Set up a shared secured repository of information on security aspects, people, roles, procedures, best practices and documentation of infrastructures in MS
State of Security 2012 (McAfee/Evalueserve)