The National IT- and Telecom Agency in Denmark has launched a discussion paper on New Digital Security Models. The discussion paper presents the background and motivates the need for new security models.
Because the nature of the Internet is changing and the perimeter as a security concept is seriously challenged, traditional security models must evolve to meet future requirements. This discussion paper describes how security models can meet these challenges by adopting the following principles:
- Provide security for all parties in a transaction (including users).
- De-couple user data from users' physical identity.
- Utilize attribute-based credentials and transaction isolation.
- Move from an identification-oriented paradigm towards a validation-oriented paradigm.
If these principles are built into the design of applications, it will in many cases be possible to use cloud computing without significant risks, even when sensitive data are involved. If the application and its data are compromised, the data will not be linkable to physical persons but only to virtual identities. Data will only have meaning for local transactions and therefore cannot be connected to other data. The consequences of a data compromise are thereby confined to the local context. It is worth noting that these advantages are attained without dependence on the cloud supplier.
1. Are the new security models in fact better?
- Is there a need for further developing digital security models in the direction sketched in this paper?
- Are the security models described in this paper secure and flexible enough?
2. How do we get to the new model – what challenges are there?
- What practical challenges are there in introducing new security models?
- What attitudes need to change in order to adopt the new security models?
3. Where is it possible to implement the new model easily?
- Can any of the principles presented in this paper be implemented on a smaller scale?
- In what areas will it be relevant to use the new security models?
- How are applications designed so that they are prepared for the new security models?
4. What do the new security models require from the users?
- The new security models may in some cases require that the users (or rather the users' clients) administer a number of keys and credentials for different services. Are the requirements for the users' competencies too high for them to interact with the application and make choices?
- The new models also require that the users actively decide on what information the user wants to provide the different services with. Is this something the average user will find interesting?
5. What solutions do you imagine?
We hope that you will participate in the debate below.
For further information please contact Morten Jørsum: firstname.lastname@example.org