IBM Journal of Research and Development

Issue 1 • Date Jan.-Feb. 2014

Cybersecurity for a Smarter Planet
Given the accelerating integration of technology into people's lives, the term cybersecurity has taken on a new meaning. No longer limited to national security or even IT security interests, modern cybersecurity protects all of us by ensuring the security and privacy of the Smarter Planet. This issue of the IBM Journal emphasizes new solutions, applications, services, analytics, software, and hardware technologies that form the building blocks for fostering both cybersecurity and cyberprivacy.

  • [Front cover]

    Page(s): C1
    Freely Available from IEEE
  • Table of contents

    Page(s): 1 - 2
    Freely Available from IEEE
  • Message from the Vice President, Cyber Security Innovation

    Page(s): 1
    Freely Available from IEEE
  • Preface: Cybersecurity for a Smarter Planet

    Page(s): 0:1 - 0:3
    Freely Available from IEEE
  • Open industry standards for mitigating risks to global supply chains

    Page(s): 1:1 - 1:13

    Governments and large enterprises are cognizant of and appreciate the benefits of globalization. They also recognize their increasing reliance on commercial-off-the-shelf (COTS) information technology (IT) components (software and hardware) necessary to meet the needs of their business missions. As cyberattacks increase in sophistication, stealth, and severity, governments and larger enterprises are taking a more comprehensive approach to risk management and product assurance. Simply improving today's security practices is insufficient. A comprehensive approach involves understanding the practices commercial technology suppliers can employ to protect the integrity of their products and services in the global supply chain—including an understanding of how suppliers manage the risks inherent in globalized product development and manufacturing. This paper outlines the nature of the global technology supply chain, the challenges posed, and the impact on consumers. It describes the added importance of a framework for addressing these challenges based on an approach of IBM, as well as evolving industry open standards efforts to address technology supply chain risks.
  • Privacy protection in open information management platforms

    Page(s): 2:1 - 2:11

    Governments are increasingly interested in making their data accessible through open data platforms to promote accountability and economic growth. Since the first data.gov initiative was launched by the U.S. government, more than 150 city agencies and authorities have made over one million datasets available through open data portals. Open data are increasingly generating new business worldwide, providing citizens with a wealth of information that they can combine and aggregate in unprecedented ways. An important characteristic of open data environments is that once the data are published, it is difficult to anticipate how the data will be used. As a result, potentially innocuous datasets, once linked together, may lead to serious privacy violations, and powerful analytic tools may reveal sensitive patterns that were unknown at the time that the data were published. In this paper, we provide an introduction to data privacy and present some popular privacy models that have been proposed for privacy-preserving data publishing and knowledge hiding, focusing on their strengths and limitations. Subsequently, using QuerioCity (an open urban information management platform) as a use case, we explain the important challenges that open data platforms introduce with respect to data privacy.
  • Security on distributed systems: Cloud security versus traditional IT

    Page(s): 3:1 - 3:13

    Cloud computing is a popular subject across the IT (information technology) industry, but many risks associated with this relatively new delivery model are not yet fully understood. In this paper, we use a qualitative approach to gain insight into the vectors that contribute to cloud computing risks in the areas of security, business, and compliance. The focus is on the identification of risk vectors affecting cloud computing services and the creation of a framework that can help IT managers in their cloud adoption process and risk mitigation strategy. Economic pressures on businesses are creating a demand for an alternative delivery model that can provide flexible payments, dramatic cuts in capital investment, and reductions in operational cost. Cloud computing is positioned to take advantage of these economic pressures with low-cost IT services and a flexible payment model, but with certain security and privacy risks. The frameworks offered by this paper may assist IT professionals in obtaining a clearer understanding of the risk tradeoffs associated with cloud computing environments.
  • Bringing strong authentication and transaction security to the realm of mobile devices

    Page(s): 4:1 - 4:11

    Widespread usage of mobile devices in conjunction with malicious software attacks calls for the development of mobile-device-oriented mechanisms aiming to provide strong authentication and transaction security. This paper considers the eBanking application scenario and argues that the concept of using a trusted companion device can be ported to the mobile realm. Trusted companion devices involve established and proven techniques in the PC (personal computer) environment to secure transactions. Various options for the communication between mobile and companion devices are discussed and evaluated in terms of technical feasibility, usability, and cost. Accordingly, audio communication across the 3.5-mm audio jack—also known as tip-ring-ring-sleeve, or TRRS connector—is determined to be quite appropriate. We present a proof-of-concept companion device implementing binary frequency shift keying across this interface. Results from a field study performed with the proof-of-concept device further confirm the feasibility of the proposed solution.
  • Stateless cryptography for virtual environments

    Page(s): 5:1 - 5:10

    Migrating systems onto virtualized environments, such as cloud platforms, is becoming a business imperative. Such platforms offer the promise of higher resilience combined with a relatively low cost of ownership. The platforms also involve a number of challenges that hinder their adoption, and a primary concern involves security. These security concerns stem in part from vulnerabilities that underlying virtualization functionality introduces, such as the ability to capture and replay the execution state of a virtualized machine. In systems where security is paramount, HSMs (hardware security modules) are often used. HSMs provide a tamper-resistant environment for storing sensitive cryptographic material and for executing cryptographic operations using this material. HSMs may appear to be important components for enhancing the security of virtual environments; however, current implementations are not well suited for this purpose. In this paper, we describe a typical HSM solution stack based on the de facto industry standard called PKCS #11 (Public Key Cryptography Standard # 11). We explain the challenges introduced by virtualized platforms and show why the typical architectures based on PKCS #11 are not suitable for such environments. Finally, we describe an alternative IBM HSM solution called EP11 (Enterprise PKCS #11) and show how it addresses many of these challenges.
  • Threat analysis in the software development lifecycle

    Page(s): 6:1 - 6:13

    Businesses and governments that deploy and operate IT (information technology) systems continue to seek assurance that software they procure has the security characteristics they expect. The criteria used to evaluate the security of software are expanding from static sets of functional and assurance requirements to complex sets of evidence related to development practices for design, coding, testing, and support, plus consideration of security in the supply chain. To meet these evolving expectations, creators of software are faced with the challenge of consistently and continuously applying the most current knowledge about risks, threats, and weaknesses to their existing and new software assets. Yet the practice of threat analysis remains an art form that is highly subjective and reserved for a small community of security experts. This paper reviews the findings of an IBM-sponsored project with the Fraunhofer Institute for Secure Information Technology (SIT) and the Technische Universität Darmstadt. This project investigated aspects of security in software development, including practical methods for threat analysis. The project also examined existing methods and tools, assessing their efficacy for software development within an open-source software supply chain. These efforts yielded valuable insights plus an automated tool and knowledge base that has the potential for overcoming some of the current limitations of secure development on a large scale.
  • Advanced security and privacy in connected vehicles

    Page(s): 7:1 - 7:9

    Designing secure vehicles is becoming increasingly important as a result of recent advances in potential cyber-attacks against vehicles. This security needs to be considered over the course of the product lifecycle and includes a consideration of requirements definitions, design, development, testing, and maintenance. Even though many technologies and guidelines have been proposed to address end-to-end security design problems for the IT (information technology) industry, there are often significant differences between securing IT equipment (such as servers and PCs) and securing vehicles. Thus, purely IT-based approaches often have limited applicability in the domain of vehicle security because human safety is a primary design consideration in the development of vehicles, while relatively less attention has been paid to IT security. In addition, the lifecycle of a vehicle is often much longer than the lifecycle of many PCs and related IT equipment. Security design tends to be performed in “silos” and is not well coordinated among all of the stakeholders who are involved in the development of a vehicle. We have devised a specialized approach for designing secure in-vehicle infotainment systems, including the electronic control system and software. Our approach is based on secure engineering, an established methodology used in the IT industry to cover the entire software lifecycle.
  • Augmenting security and accountability within the eHealth Exchange

    Page(s): 8:1 - 8:11

    The increased use of electronic medical records and online sharing of such records is motivated by improved quality of healthcare delivery. However, this use has raised security and privacy concerns because sensitive medical data could be exposed to a variety of threats that exist in the online world, leading to problems such as medical identity theft and billing fraud. If not addressed, such concerns could become a barrier to the large-scale adoption and sharing of electronic medical records. To ease such concerns, we argue that the eHealth Exchange, which is a federal initiative for online exchange of healthcare information, needs to be augmented to provide greater patient awareness and control. We take an approach that informs the patient when her health data is accessed by a healthcare enterprise that is not already trusted by the patient. Such awareness is ensured even when some systems in the health information sharing environment become compromised. We enhance accountability support within eHealth Exchange by using digitally signed logs of sharing records that cannot be modified or refuted. We implement and evaluate these mechanisms in the open-source CONNECT system that follows the eHealth Exchange specifications.
  • Toward smarter healthcare: Anonymizing medical data to support research studies

    Page(s): 9:1 - 9:11

    Healthcare is a major industry in the Smarter Planet initiative of IBM and a key area where analytics can have a substantial impact by improving disease prediction and treatment. To facilitate healthcare analytics, patient data usually need to be widely disseminated. This, however, may risk the disclosure of private and sensitive patient information. In this paper, we illustrate the importance of preserving medical data privacy and the inapplicability of several popular techniques to preserve the privacy of structured medical data. Subsequently, we review a privacy-preserving approach for the dissemination of patient records. This approach involves patient record de-identification, anonymization of diagnosis codes contained in the records, and a method for balancing data utility with privacy. This approach is practical in that it allows healthcare data providers to specify fine-grained privacy and utility requirements, and it is able to construct anonymized data with a desired balance between utility and privacy. The effectiveness of the approach is demonstrated through a case study using electronic medical records. We conclude this paper with a roadmap for future trends in medical data privacy.
  • IBM Secure Enterprise Desktop

    Page(s): 10:1 - 10:11

    Using software-only approaches makes it practically impossible to completely secure software applications, as well as corporate information, against determined cyber-criminals. Therefore, in an era where any general-purpose operating system (OS) with end-user access can be hacked, we propose using dedicated security hardware to ensure that only authorized people obtain access to sensitive information. The fundamental principle involves booting the end-user computer from such a trusted mobile device without trusting any software installed on the computer. The device establishes a secure connection to the back-end infrastructure to provide access to the user's OS, e.g., through a remote terminal access or provisioned on the local computer. The solution is very simple to operate, as many corporate employees are not necessarily IT (information technology) savvy. In this paper, we discuss the combination of our dedicated tamper-resistant security boot-token operating user credentials with known defense mechanisms, such as OS virtualization, trusted boot, establishment of client-side and server-side authenticated secure channels to trustworthy back-ends, and client-side storage encryption. This novel combination forms an easy-to-use and highly mobile security solution that addresses security challenges of the BYOD (bring-your-own-device) approach. As a proof point for the latter claims, we report on initial real-world usability tests.

Aims & Scope

The IBM Journal of Research and Development is a peer-reviewed technical journal, published bimonthly, which features the work of authors in the science, technology and engineering of information systems.

Meet Our Editors

Editor-in-Chief
Clifford A. Pickover
IBM T. J. Watson Research Center