Blog-Kollektion

Further development of OpenSecurity

Michela Vignoli — 2014-11-28T09:30:00Z

The consortium plans to bring OpenSecurity as a product to the market. In addition the consortium plans to develop the prototype further on a European level by involving international experts, research institutes, and companies. In an EU-project the consortium hopes to extend the current network and to bring the subject matter closer to Big Data. The aim is to strengthen Europe’s competence in security related areas and to create a Europe-wide unified standard. In this manner, public authorities and institutions managing sensitive private data should be able to secure maximum protection.

The project partners AIT Austrian Institute of Technology GmbH and X-Net Services GmbH will pursue OpenSecurity in terms of cooperation and bring it to the market as a product. To this end the prototype will be adapted to the needs of the stakeholders (i.e. public institutions and commercial large scale enterprises).

Thanks to the complementary strengths of the project partners AIT Austrian Institute of Technology GmbH and X-Net Services GmbH, further development of OpenSecurity in terms of a cooperation model is an ideal basis for the success of the Open Source based solution.

X-Net Services GmbH has high level expertise in the implementation of large projects and especially in First and Second Level Support, which plays a major role in such projects. X-Net Services GmbH is in direct contact with customers ensuring a smooth cooperation and system maintenance. If required, X-Net Services GmbH can also adapt and newly implement OpenSecurity solutions within their sphere of competence.
AIT Austrian Institute of Technology GmbH acts as integrator with good contacts to industry and a solid reputation. Due to its large number of highly qualified developers, AIT Austrian Institute of Technology GmbH can acquire and promote large projects, and adapt OpenSecurity to the customers’ needs.

OpenSecurity: The Open Source Solution for Increasing Your Organisation's IT-Security

Michela Vignoli — 2014-11-28T09:24:05Z

Protection of personal and sensitive data finally came to the centre of attention when numerous internal and secret documents attesting the extent of surveillance practices by the United States National Security Agency (NSA) as well as the rest of the worldwide data espionage community were published. OpenSecurity offers its stakeholders not only a tool to impede data transfer, but at the same time builds a barrier for employees, which prevents them from sharing data deliberately and protects them from sharing data unintentionally and unknowingly (e.g. by means of malware infected USB-sticks, malware, insecure internet usage, or loss or theft of insecure media).

OpenSecurity points out that not all personal data and its interconnections should be freely accessible. Sensitive data as well as inferences from that data related to individuals and their preferences, characteristics, etc. must be safeguarded.

Both the results of the survey and the interviews, which have been conducted with IT-experts from the Linz City Administration and the Austrian Federal Ministry of Internal Affairs in the context of OpenSecurity, suggest distinctly that security aspects of IT-infrastructure in the public sector have gained momentum during the last years. We can assume that the situation is very similar in other public authorities and agencies – provided that those are of a similar size. In addition to the federal agencies (e.g. ministries, courts) and the state institutions (e.g. federal governments, regional courts, and state police departments), the regional administrative authorities and magistrates of bigger cities can be considered as potential prospects as well. Moreover OpenSecurity can be employed in public institutions like universities, museums or libraries. OpenSecurity can be adapted to the needs of larger NGOs/NPOs or commercial enterprises as well.

The software solution has the potential to expand to at least the German-speaking market. To introduce OpenSecurity to the international market the consortium plans to pursue the project on an EU level. The aim is to create a unified EU-standard for the public area as well as for offices and authorities.

Some features of OpenSecurity, which have an impact on the development of its potential, relate to its Open Source based approach.

Market situation: OpenSecurity is a valuable alternative to other currently available IT-security solutions, e.g. safe-browsing solutions like Bitbox (Sirrix), SurfCanister (Quick Heal Technologies), or Sandboxie (Sandboxie Holdings).
Implementation: OpenSecurity makes an unobtrusive integration into existing infrastructures possible. Smooth transfer and migration of single use cases on a large scale is possible during on-going operations. The administrative effort for migrating to OpenSecurity, or for a first installation of the Open Source solution is not more laborious than the change to a similar proprietary product.
Economical benefits: The software is available Open Source and can be downloaded for free from the website. The public sector can profit from savings mainly related to no licensing fees and low costs for further development. OpenSecurity can be fully integrated with existing IT-structures independently from the operating system, and can be adapted to existing usability and accustomed workflows. This means that for training only low or no costs can be expected.

Data, Information and System Security

Michela Vignoli — 2014-11-28T09:10:00Z

Information and Communication Technologies are being increasingly used in almost all social and economic areas. This has led to extensive changes during the last decades, e.g. in terms of optimising production processes or establishing new distribution models. The thereby created diverse and more flexible configuration possibilities are paralleled by a loss of control and security. That is why numerous security solutions have been developed to support this sector. The aim of IT-security is to protect organisations and humans from harm through failure, manipulations or abuse, which notably occurs in case of information- and data loss.


Image by www.perspecsys.com License: CC-BY-SA

In a nutshell, IT-security is about safe interaction with information and data. Risks and threats for IT systems always rise at the level of information or at transition points and interfaces where information is transformed from one form into another. An example is user authentication by password entry. A professional IT-security management must ensure protection of IT systems and information during their whole lifecycle, from data creation to editing, transfer, and storage, and finally to deletion.

The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik - BSI) in Germany lists five different threat categories in their baseline security manual. In general all ofthese threats can be attributed to a missing or inadequate IT-security concept. This comprises in particular IT-infrastructure security (e.g. server, network, computer, and mobile devices), building security, data security, computer virus protection, communication security (e.g. telephone, fax, e-mail, and internet), and contingency plans.

To minimise the risks, IT-security requires a comprehensive analysis of the organisation’s IT-structures and IT-systems. In addition to the exact definition of the devices and resources to be included (e.g. IT-systems, IT-infrastructure, processes) risk analysis is a key feature in order to establish the IT-security concept as substantial part of a risk management process. Such an IT-security concept must describe responses to potential risks and has to meet other requirements, in particular performance targets and quality or architecture requirements.

Reliable Open Source Solutions for Organisations

Michela Vignoli — 2014-11-28T08:56:51Z

Open Source Software (OSS) is an established alternative to commercial software in many application areas. There are many reasons for applying OSS in public institutions, in particular due to their cost-effective integration into existing IT-systems. The liberty to further develop the software gives public institutions the possibility to remain more independent, as they can adapt the employed OSS either by themselves or commission external developers to do so. In a study by the Fraunhofer Institute for Labour-Economy and Organisation (Fraunhofer Institut für Arbeitswirtschaft und Organisation) published in 2006, both cutting license costs and achieving independence from software producers were listed as main goals for public institutions in Germany. More arguments for employing OSS, in addition to economic aspects, are better access to open standards and requests for higher data protection and IT-security.

During the last years a number of public institutions in European cities and communities have successfully integrated Open Source Software in their IT landscape. Renowned examples are Munich (LiMux with Ubuntu Linux, KDE, OpenOffice, Gimp), Leipzig (OpenOffice), Schwäbisch Hall (SUSE Linux, KDE and OpenOffice) or Treuchtlingen (Linux, KDE, Gimp, Scribus, and Inkscape).

OpenSecurity 1.0 released

Michela Vignoli — 2014-11-28T08:55:00Z

OpenSecurity Version 1.0, released as Beta Software, fulfils a majority of the requirements defined within the scope of the project. Still open requirements have been addressed and are available as concepts, which can be implemented through specific extensions to the OpenSecurity framework. Thus an optimal adaptation to individual customers’ needs and infrastructure is possible. Link to Download

The Secure USB and Secure Web Browsing features have been integrated with an existing Windows-interface and with Windows user workflows. Data import and -export occur via the Windows Explorer. The Secure Browser opens as a window on the desktop and persists user bookmarks. In both mechanisms the user does not need to deal directly with the SecureVirtualMachine. If necessary the OpenSecurity user is being guided through any required steps by tray-notifications and dialogues.

OpenSecurity was tested under normal office conditions by the stakeholder IKT Linz. Additional requirements on the existing infrastructure could be modularly and flexibly implemented.

Secure USB

The current version of OpenSecurity allows data import from both unencrypted and encrypted USB-sticks. Imported data is automatically (and potentially centrally, if so configured) virus- and malware scanned. If a potential virus or malware is detected by the system, access to the data is denied. Potential viruses/rootkits that automatically activate upon access, can – if they are able to run on a Linux-system at all – only harm the used disposable SecureVirtualMachine, and not the user workstation.

It is also possible to export data to a USB-stick. In this case the user is requested to initialise the stick with an encrypted container. This way OpenSecurity prevents data loss by prohibiting export to devices other than encrypted USB-sticks.

In addition, it is possible for all data transactions to be recorded on a central logging- or monitoring server. In this way, potential data losses can be tracked.

Secure Web Browsing

By clicking the desktop- or tray-icon, the user can start the Secure Browser. In OpenSecurity Version 1.0 the open browser Chromium is being used. The browser is executed within a SecurityVirtualMachine, which is graphically integrated with the Windows-interface. It opens as a standard browser window in the usual desktop environment.

Also in this case a virus or malware attack originating from the browser can only affect the SecurityVirtualMachine and cannot contaminate the user workstation. Data from the browsing session can only be transferred via similar mechanisms and security measures as in the USB data import/export feature.

Preview: OpenSecurity at the D.A.CH 2014 Conference

Michela Vignoli — 2014-08-06T13:35:00Z

OpenSecurity protects users against potentially harmful internet resources and malware on USB removable storage devices as well as the unintentional disclosure of confidential information. With OpenSecurity each computer of an organisation is prevented from exchanging data in an uncontrolled manner. By means of virtualisation the system is extended with separate isolated subsystems – e.g. for safe internet-browsing, or accessing data on removable storage devices.

Figure 1: Secure Web Browsing

Figure 2: Secure USB

As a result, even if a virus is not detected by antivirus software the malware remains enclosed within OpenSecurity‘s isolated virtual machines, and due to the short lifecycles of the orchestrated disposable virtual machines, any malware is quickly disposed of. These features are important for public administration in particular, as these organisations often manage private citizen data. OpenSecurity users profit from the possibility to work safely with resources from unsafe networks within their institutional environment. OpenSecurity is an open source solution, which allows a smooth transfer and migration of single use cases on a large scale during business. Any application in standard subsystems can be transferred and run independently of the operating system – and therefore safely.

Link to the D.A.CH. Security Conference

Webinar presenting OpenSecurity

Michela Vignoli — 2014-08-06T14:30:00Z

The webinar details how the project OpenSecurity provides a solution for protecting employees from disclosing critical or sensitive data. OpenSecurity helps in cases of loss or theft of removable storage devices (e.g. USB-sticks), and against virus, Trojan or similar attacks on computers or notebooks. This is achieved by configuring each computer of an organisation with OpenSecurity software tools to prevent it from exchanging data in an uncontrolled manner.

Through the webinar (in German) you will learn about OpenSecurity’s security concept and gain an overview of current research approaches and the implemented solution.

This webinar is being organised by IT-NET Austria. IT-NET Austria is a coalition of independent companies with expert status in their fields.

http://www.it-net-austria.at

Presentation at the OPEN COMMONS_CONGRESS 2014

Michela Vignoli — 2014-08-01T11:30:00Z

For the third time, OPEN COMMONS_LINZ has organised a congress around current Open Commons topics. Nikolaus Dürk, CEO of X-Net Services, presented the OpenSecurity project in a talk (in German) with the title "OpenSecurity: an Open Source Security System for Sensitive, Citizen-Related Data in Public Administration".

The presentation (in German) can be downloaded here:

.odp
.ppt
.pdf

OPEN COMMONS_LINZ is an initiative of the city of Linz, which is committed to support and promote Open Commons (digital common properties). Its aim is to grow comprehension for Open Commons among the citizens, and to promote open, free, and transparent structures in the region of Linz. Fair use of cultural assets, conscious and self-determined handling with openness and closeness are central topics.

More information of the OPEN COMMONS_Congress 2014 (in German)

Social-scientific accompanying research

Michela Vignoli — 2014-05-06T09:30:00Z

In the context of OpenSecurity, accompanying research is being carried out from a social science perspective. The aim is to analyse contextual aspects of IT-security, usability, privacy, and user acceptance.

For this purpose the consortium member LIquA, the Institute for Qualitative Analyses in Linz, has conducted an online survey with one of the project stakeholders, the City Administration of Linz, in May and June 2013. An online questionnaire with 41 questions was sent to a statistical population of 1.385 users. The questionnaire covered six topics: personal details, using IT within the city administration, private use of IT, importance of IT-security and IT-security behaviour, and IT-security versus usability, as well as attitude towards the introduction of new IT-security measures. An initial analysis has already shown that IT-security is very important for the surveyed employees (with a response rate of 32%).

Detailed analyses regarding password handling, usage of data encryption, or concern for data corruption delivered further interesting insights. The results have also delivered timely additional input for the design of OpenSecurity services. In order to consolidate the results, additional qualitative interviews have been conducted with individual IT managers within the City Administration of Linz and at two other public stakeholders.

Currently the team is working on a third level of analysis by going through a number of studies, papers, and experience reports from the domain of IT-Security and Usability. As a next step the team will issue a potential-analysis from a social science perspective, in which the potential opportunties and risks for the implementation of an OpenSecurity-based solution at stakeholder institutions will be elaborated.

Malware and Threat Protection in OpenSecurity

Michela Vignoli — 2014-05-06T09:30:00Z

OpenSecurity defines a process that allows users to communicate with non-institutional networks by means of cryptography and virtualised isolation, as well as malware and threat classification.

IKARUS Security Software GmbH is a member of the OpenSecurity team and is primarily responsible for classification of data. For this IKARUS employs its own proprietary key technology for malware and threat detection. In addition to classification technologies OpenSecurity also employs IKARUS server applications developed for the scalable and highly performant server area.

OpenSecurity is a system with very modular design, which convinces by isolation and encapsulation. In addition to these design aspects it is a project goal to use primarily Open Source products to reduce integration costs. While IKARUS cannot license their products with an open license, they do support the integration of IKARUS software products with Open Source environments.

IKARUS sustains OpenSecurity with their technologies and know-how gained in more than 25 years’ experience in the sector. Due to the defined communication process OpenSecurity is complementary to conventional IKARUS products and adds the existing portfolio. IKARUS sees following benefits for institutions employing OpenSecurity:

1. Less effort due to centrally administrated scanning of devices;

2. Safe interaction with the internet without fear of being infected;

3. Minimal use of resources by client devices;

4. Low integration costs due to the Open Source approach.

OpenSecurity: Open Source Security Solutions Protecting Employees and Data in Public Institutions

Michela Vignoli — 2014-05-06T09:30:00Z

The OpenSecurity project was inspired in part by the Qubes OS approach to Security by Isolation. Qubes OS achieves a maximum degree of isolation between applications by instantiating these as virtual machine instances on top of the XEN bare-metal hypervisor. In addition, Qubes OS provides secure channels for file sharing, clipboard data exchange, and the user interface.

However, many public bodies in Austria have historically chosen Windows as their end-user environment, and due to path dependence, are highly constrained against moving away from this standard. As a result, it is required that the OpenSecurity project support deployment to Microsoft Windows clients (specifically, MS Windows 7 64-bit is our reference architecture).

It is clear that this is a suboptimal solution in terms of security; indeed, the shortcomings of Windows in this respect have already been analysed. However, given the prevalence of Windows, this solution will have a bigger potential impact on the public sector. And while the resulting implementation of security by isolation will not be perfectly secure, it will nonetheless offer greatly enhanced security that is also compatible with institutional IT rollout and management processes.

During the coming months, our services will be installed in a limited production environment of two public administration stakeholders. These users will be able to provide feedback directly through the OpenSecurity service, and will also participate in an evaluation workshop and online survey. This feedback will allow us to further refine the service in terms of stability and usability.

Image source: Wikipedia License: CC-BY-SA

Research interests of BMLVS in the project

Michela Vignoli — 2014-01-30T15:20:00Z

The Command Support Center (FüUZ) is a central service organisation of the Austrian Armed Forces (ÖBH). It provides the Federal Ministry of Defence and Sports (BMLVS) and the Austrian Armed Forces interoperable, safe, and innovative army command support and IT services, both for the use in Austria and abroad, as well as for administration activities.

One cannot imagine the daily office routine without a performant internet connection or communication via email. Avoiding unintentional transfer of classified information through these communication channels is a big concern.

The usage of external data storage and mobile devices (laptops, smartphones, etc.) implies the risk of bringing classified information into circulation in case of loss or theft of the devices. This risk can only be reduced by data loss prevention mechanisms (DLP), as well as by encoding the classified information. Next to DLP and in the context of using internet and email the implementation of efficient malware protection mechanisms is an essential component of safe IT systems and information.

The Command Support Center wants to contribute to the OpenSecurity project because DLP and protective measures against malware play an important role in the context of infrastructure. The security solutions developed in the project could be partially or wholly implemented in future IT systems.

Technical aspects of the OpenSecurity Project

Michela Vignoli — 2014-01-30T15:20:00Z

After collecting and evaluating different techniques and approaches to Security by Isolation, the OpenSecurity team focused on designing a concrete solution for two different user scenarios that were prioritised by the project stakeholders: the transfer of data to and from mass storage devices and secure Internet browsing.

The work so far has resulted in a set of isolated core components interacting together to orchestrate dedicated virtual machines. The OpenSecurity components created in this process share well-defined open interfaces: RESTful API, CIFS and SSH. These protocols cleanly separate the different components of the OpenSecurity solution space, thus allowing the upgrade or even the complete exchange of these components without disrupting the concept and benefit of the whole system.

The central component of the OpenSecurity design is the OpenSecurity Management daemon, which starts and stops disposable virtual machines. These machines are instantiated templates which are created from the dedicated OpenSecurity Linux distribution derived from Debian 7.2. Other components take care of user interaction, device driver overlays, and embedding access from and to the virtual machines with respect to the current user session.

The team presented a live proof-of-concept in December, which demonstrated independent Virtual Box machines handling USB mass storage device actions like virus scanning and/or encryption, as well as a tight integration of an Internet Browsing application run inside a virtual machine but shown natively on a Windows 7 user session.

The on-going implementation work is now directed towards making the system stable, performant and flexible. Though the software components written in this context are rather small and the interfaces are all widely known and understood, the complexity stems from the fact that messages often do cross operating system boundaries with impact at very low level system functionalities. This situation plus the special characteristics and divergences of partly closed-source operating systems behaviours - even if coined "standard" - makes this a demanding and sophisticated endeavour.

Finally installation challenges must also be addressed in order to support both simple single-user one-click download setup-files as well as a full blown rollout on to thousands machines directed by a central IT department. As the OpenSecurity integration also relies on a range of well-developed and open source third-party software, version management is yet another complex task of its own to be tackled next.

OpenSecurity: Open Source Security Solutions Protecting Employees and Data in Public Institutions

Michela Vignoli — 2014-01-30T15:20:00Z

Every organization must protect their cyber-infrastructure from threats – external or internal. In particular, public agencies that administer private citizen data (e.g. criminal and medical records or residency registers), or who manage national security information have a duty to protect this sensitive information. Whether arising from mistakes, external attacks, social engineering, or malicious intent, human beings will always be a weak link in the IT security chain. There is often an insufficient level of awareness of security risks, which leads to users being targeted by a variety of external threats. A second prevalent problem is that of lost devices (smartphones, tablet-PCs, USB-sticks, laptops etc.).

OpenSecurity should prevent the loss and (un)intentional misuse of sensitive, citizen-related data held by public bodies. The aim of our research is to achieve a higher level of data security and availability, while reducing effort in deployment management and maintenance. To this end, the feasibility and possible implementation of a centralized security layer will be examined based on the principles of security by isolation, virus detection, and encryption. This layer will control, verify, and encrypt any and all communication that takes place on client devices. OpenSecurity will be provided under a license that allows both public verification and customization within heterogeneous ICT-system landscapes.

OpenSecurity is a two-year project, running until October 2014, funded by the Austrian FFG KIRAS security program. The primary stakeholders in the project are the Austrian Ministry of Defence (BMLVS) and the IKT Linz. These stakeholders have provided use cases and requirements for the project and will test and validate the project results. The AIT Austrian Institute of Technology GmbH is the primary research partner, supporting the industrial partners X-NET Services GmbH and IKARUS Security Software GmbH. Under the technical coordination of X-NET, this team is carrying out the technical implementation of the OpenSecurity solutions. The Linz Institute for Qualitative Analysis (LIquA) rounds off the consortium by providing an analysis of the impact of OpenSecurity in the context of employee data protection and privacy.

Weiterführung des Projekts OpenSecurity

Michela Vignoli — 2014-11-28T09:30:00Z

Neben der Marktüberführung des Prototypen zu einem Produkt wird die Weiterführung von OpenSecurity auf europäischer Ebene unter Hinzunahme internationaler Experten, Forschungseinrichtungen und Unternehmen angestrebt. Eine Erweiterung des Netzwerks sowie eine Heranführung der Thematik an Big Data soll in einem EU-Projekt die Kompetenz Europas in sicherheitsrelevanten Bereichen verstärken und zu einem europaweit einheitlichen Standard führen. Auf diese Weise sollen öffentliche Einrichtungen und Institutionen, die sensible bürgerbezogene Daten verwalten, den höchstmöglichen Schutz erfahren.

OpenSecurity wird von den Projektpartnern AIT Austrian Institute of Technology GmbH und X-Net Services GmbH in Form einer Kooperation weitergeführt und als Produkt in den Markt eingeführt. Dazu wird der entwickelte Prototyp als Produkt an die Erfordernisse der Bedarfsträger (v.a. öffentliche Institutionen und kommerzielle Großunternehmen) angepasst.

Die Weiterführung von OpenSecurity in einem Kooperationsmodell ist aufgrund der unterschiedlichen, sich ergänzenden, Stärken der beiden Projektpartner AIT Austrian Institute of Technology GmbH und X-Net Services GmbH als ideale Voraussetzung für den Erfolg der entwickelten Open Source basierten Lösung zu sehen.

X-Net Services GmbH hat hohe Expertise in der Umsetzung von Großprojekten sowie vor allem in First und Second Level Support, der in solchen Projekten eine große Rolle spielt. Als direkter Ansprechpartner für Kunden sorgt X-Net Services GmbH für den reibungslosen Ablauf in der Zusammenarbeit mit den Kunden sowie für die Wartung des Systems und führt zudem Anpassungen und Adaptionen – sowie Neu-Implementierungen, die sich im Kompetenzbereich von X-Net Services GmbH befinden – der Lösung OpenSecurity nach Bedarf durch.
AIT Austrian Institute of Technology GmbH tritt als Integrator mit guten Kontakten in die Wirtschaft sowie einer hohen Reputation auf. Durch die Vielzahl an hochqualifizierten Entwicklern kann AIT Austrian Institute of Technology GmbH große Projekte akquirieren und vorantreiben sowie OpenSecurity an die Bedürfnisse der Kunden anpassen.