Federated authentication using the Cloud (Cloud Aura)

Al Abdulwahid, Abdulwahid Abdullah

January 2017

Individuals, businesses and governments undertake an ever-growing range of activities online and via various Internet-enabled digital devices. Unfortunately, these activities, services, information and devices are the targets of cybercrimes. Verifying the user legitimacy to use/access a digital device or service has become of the utmost importance. Authentication is the frontline countermeasure of ensuring only the authorised user is granted access; however, it has historically suffered from a range of issues related to the security and usability of the approaches. Traditionally deployed in a point-of-entry mode (although a number of implementations also provide for re-authentication), the intrusive nature of the control is a significant inhibitor. Thus, it is apparent that a more innovative, convenient and secure user authentication solution is vital. This thesis reviews the authentication methods along with the current use of authentication technologies, aiming at developing a current state-of-the-art and identifying the open problems to be tackled and available solutions to be adopted. It also investigates whether these authentication technologies have the capability to fill the gap between the need for high security whilst maximising user satisfaction. This is followed by a comprehensive literature survey and critical analysis of the existing research domain on continuous and transparent multibiometric authentication. It is evident that most of the undertaken studies and proposed solutions thus far endure one or more shortcomings; for instance, an inability to balance the trade-off between security and usability, confinement to specific devices, lack or negligence of evaluating users’ acceptance and privacy measures, and insufficiency or absence of real tested datasets. It concludes that providing users with adequate protection and convenience requires innovative robust authentication mechanisms to be utilised in a universal manner. Accordingly, it is paramount to have a high level of performance, scalability, and interoperability amongst existing and future systems, services and devices. A survey of 302 digital device users was undertaken and reveals that despite the widespread interest in more security, there is a quite low number of respondents using or maintaining the available security measures. However, it is apparent that users do not avoid applying the concept of authentication security but avoid the inconvenience of its current common techniques (biometrics are having growing practical interest). The respondents’ perceptions towards Trusted Third-Party (TTP) enable utilising biometrics for a novel authentication solution managed by a TTP working on multiple devices to access multiple services. However, it must be developed and implemented considerately. A series of experimental feasibility analysis studies disclose that even though prior Transparent Authentication Systems (TAS) models performed relatively well in practice on real live user data, an enhanced model utilising multibiometric fusion outweighs them in terms of the security and transparency of the system within a device. It is also empirically established that a centralised federated authentication approach using the Cloud would help towards constructing a better user profile encompassing multibiometrics and soft biometric information from their multiple devices and thus improving the security and convenience of the technique beyond those of unimodal, the Non-Intrusive and Continuous Authentication (NICA), and the Weighted Majority Voting Fusion (WMVF) and what a single device can do by itself. Furthermore, it reduces the intrusive authentication requests by 62%-74% (of the total assumed intrusive requests without operating this model) in the worst cases. As such, the thesis proposes a novel authentication architecture, which is capable of operating in a transparent, continuous and convenient manner whilst functioning across a range of digital devices – bearing in mind it is desirable to work on differing hardware configurations, operating systems, processing capabilities and network connectivity but they are yet to be validated. The approach, entitled Cloud Aura, can achieve high levels of transparency thereby being less dependent on secret-knowledge or any other intrusive login and leveraging the available devices capabilities without requiring any external sensors. Cloud Aura incorporates a variety of biometrics from different types, i.e. physiological, behavioural, and soft biometrics and deploys an on-going identity confidence level based upon them, which is subsequently reflected on the user privileges and mapped to the risk level associated to them, resulting in relevant reaction(s). While in use, it functions with minimal processing overhead thereby reducing the time required for the authentication decision. Ultimately, a functional proof of concept prototype is developed showing that Cloud Aura is feasible and would have the provisions of effective security and user convenience.

005.8

Návrh zavedení bezpečnostních opatření v souladu s ISMS pro obchodní společnost / Design of security countermeasures implementation in accordance with ISMS for business company

Dočekal, Petr

January 2018

The master’s thesis focuses on area of security countermeasures in accordance with information security management system. Presents basic theoretical background of information and cyber security and describes a current state in the company. The thesis’s output is the design of security countermeasures implementation which contribute to information security in the company.

Zákon o kybernetické bezpečnosti a jeho dopady na povinné subjekty / The Cyber Security Act and its impacts on obliged entities

Draganov, Vojtěch

January 2016

The thesis looks into the act No. 181/2014 Coll. Cyber Security Act (hereinafter referred to as "CSA") and its impact on obliged entities with focus on the regional authorities of the Czech Republic. The thesis starts with introduction into the issue of the CSA and cybersecurity from the point of view of the state, subsequently it refocuses on the level of regulated organizations. The main pillar and contribution of the thesis is the CSA analysis with the aim to identify impact of the CSA in the obliged entities. Based on this analysis author designed the questionnaire survey of the CSA impact on the regional authorities. The survey relates to information security management system, kinds of burden stemmed from the CSA implementation, willingness to use funding from the European Regional Development Fund (ERDF) to implement the CSA, a possibility to outsource the cybersecurity and also opinions of the county council staff about the CSA. The survey shows that in spite of a pressure on standardization stemming from legal framework, county councils differs significantly in regard to information security management systems. On the other hand, respondents agreed on positive impact of the CSA on improvement of information and the cyber security although the CSA brings significant financial and organizational load to the organization. The survey also shows that some regional authorities only start to implement cybersecurity currently. The cybersecurity evolves in the researched organization quite dynamically and it would be beneficial to repeat the impact analyses again, after first wave of the CSA implementation will be finished.

Kyberbezpečnost v průmyslu / Cybersecurity in the engineering industry

Jemelíková, Kristýna

January 2021

The master’s thesis deals with the management of cyber security in a manufacturing company. The theoretical part contains concepts and knowledge of cyber security and discusses the current requirements of legislation and standards of the ISO/IEC 27000 series. In practical part are proposed measures to increase cyber security and information security based on the theoretical background and analysis of current state in the selected company.

Informační bezpečnost jako jeden z ukazatelů hodnocení výkonnosti v energetické společnosti / Information security as one of the performance indicators in energy company

Kubík, Lukáš

January 2017

Master thesis is concerned with assessing the state of information security and its use as an indicator of corporate performance in energy company. Chapter analysis of the problem and current situation presents findings on the state of information security and implementation stage of ISMS. The practical part is focused on risk analysis and assessment the maturity level of processes, which are submitted as the basis for the proposed security measures and recommendations. There are also designed metrics to measure level of information security.

GAP analýza systému řízení bezpečnosti informací / GAP analysis of information security management system

Konečný, Martin

January 2019

The master’s thesis focuses on GAP analysis of information security management system. The thesis consists of theoretical, analytical and practical part. The first part discusses the theoretical background of the issue of information and cyber security. The analytical part describes the current condition of the researched company. The thesis’s output is the draft of risk register and draft of security countermeasures implementation. The draft targets on countermeasures leading to increase information security in company.

Bezpečnostní rizika podle standardu ISO 27001 / Security risks according to ISO 27001

Doubková, Veronika

January 2020

This diploma thesis deals with the management of security information, according to ISO/IEC 27005 and it is implementation in the Verinice software environment. The risk information management process is applied to a critical infrastructure, that is connected to a optical fiber network. The work focuses on incidents aimed at threatening data from optical threats and active network elements in transmission systems. The result of the work is defined as a risk file in the .VNA format containing identified risks, for which appropriate measures are implemented in connection with the requirements of ISO/IEC 27001, for the protection of critical infrastructures and transmitted data in the transmission system.

Porovnání výuky informační a kybernetické bezpečnosti v České republice a Jižní Koreji s návrhy na zlepšení / Comparison of education information and cybernetic security in Czech republic and South Korea with suggestions for improvement

Šisler, Marcel

January 2020

This diploma thesis deals with a suggestions to improve the current state of education information and cyber security in the Czech Republic. These suggestions are from a comparison of education at the Brno University of Technology - Faculty of Business and Hallym University in South Korea. Another part is the analysis of trends in the field of cyber attacks and comparison of this area between the Czech Republic and South Korea.

Cyberpandemin: Att vaccinera sjukvården mot digitala hot / The cyber pandemic:Vaccinating healthcare against digital threats

Hermansson, Sandra, Jönsson, Wilma

January 2024

Digitaliseringens framväxt har utvecklat digitala arbetsmiljöer inom verksamheter där informationsteknologi tillämpas för att förbättra medarbetarnas produktivitet. Användningen av digital teknologi har ökat säkerhetsbehovet, med ett större fokus på cyber- och informationssäkerhet för att skydda mot digitala hot. Syftet med studien är att undersöka hur en offentlig verksamhet främjar IT-säkerhetsmedvetenhet i en digital arbetsmiljö, med fokus på hur en region inom hälso- och sjukvården arbetar med cyber- och informationssäkerhet. Forskningen grundar sig på en kvalitativ fallstudie där intervjuer har genomförts med medarbetare på säkerhetsavdelningen samt från sjukvården i den utvalda regionen. Resultatet visar att regionens arbete med att främja säkerhetsmedvetenhet i den digitala arbetsmiljön i flera avseenden anses vara bristfällig. Således belyser studien att en säkerhetsmedvetenhet kan främjas genom olika perspektiv såsom en tydlig kommunikation från verksamhetsledningen ut i organisationen samt att medarbetaren beaktar cyber- och informationssäkerhet som en del av det givna ansvarsområdet, oavsett arbetsuppgifter. Det är även väsentligt att anpassa den digitala arbetsmiljön där tekniken samspelar med människan. Ett förslag har utvecklats till regionen för att främja säkerhetsmedvetenhet och upprätthålla funktionsförmågan i en tidspressad arbetsmiljö, samtidigt som säkerheten prioriteras. / The rise of digitalization has developed digital work environments within organizations where information technology is applied to enhance employee productivity. The use of digital technology has increased security needs, with a greater focus on cyber and information security to protect against digital threats. This study aims to investigate how a public organization promotes IT security awareness in a digital work environment, focusing on a healthcare sector region's cyber and information security practices. The research, based on a qualitative case study where interviews have been conducted with employees of the security department and healthcare workers, indicates that the region's efforts to promote security awareness in the digital work environment are deficient in several respects. Thus, the study highlights that security awareness can be enhanced through various perspectives, such as clear communication from management throughout the organization and employees considering cyber and information security as part of their responsibilities, regardless of their work tasks. It is also essential to adapt the digital work environment where technology interacts with human elements. A proposal has been developed for the region to foster security awareness and maintain functionality in a time-sensitive work environment while prioritizing security.

Cyber and Information Security

IT Security Awareness

Digital work environment

Public Sector

Healthcare

Socio-technical perspective.

Cyber- och informationssäkerhet

IT-säkerhetsmedvetenhet

Digital arbetsmiljö

Offentlig verksamhet

Hälso- och sjukvården

Sociotekniskt perspektiv.

Information Systems