Invited talk by Christian D. Jensen

Abstract:
Digital systems are commonly composed of software and services from various providers that may in turn rely on other third party software and services. For a system to be considered secure, all of these software components and services must be secure, and the system must be orchestrated in a way that ensures security of the composition. Traditional security paradigms aim to defend the perimeter and ensure that all internal systems are secure. This makes interaction validation between trusted components easy, but integration of cloud services and third party services into the system architecture breaks the perimeter, so the assumed security of other components and services is often invalid.

Developing robust system architectures requires the ability to tolerate insecure (and possibly compromised) components in the system and reason about the risk imposed to the system if or when components are compromised. This explicit and dynamic evaluation of the trust placed in these different components lies at the core of computational trust and trust management, but it is also at the heart of the “assume breach” tenet of Zero Trust Architectures.

This talk examines the fundamental trust assumptions that are traditionally not considered by security professionals and presents a model, based on the trust constructs defined by McKnight and Chervaney. This model helps operationalize the different and somewhat nebulous tenets introduced in Zero Trust Architectures.

Bio:
Christian Damsgaard Jensen is a lecturer in the Cybersecurity Engineering section at the Technical University of Denmark. He holds a PhD from the University of Grenoble I (France), a M.Sc. degree from the University of Copenhagen and eMBA from the Technical University of Denmark and a M.A. (j.o.) from Trinity College Dublin. 

Dr. Jensen is internationally recognized for his contributions to the field of Computational Trust and Trust Management, where he received the William Winsborough Memorial Award in 2014. He is currently investigating the development of models, policies and mechanisms for security and privacy in cyber-physical systems. He is a member of the National Council for Cybersecurity (Da. "Cybersikkerhedsrådet",) which advises the Danish government on Cybersecurity issues. He is chairing the International Federation for Information Processing Working Group 11.11 on Trust Management and serves as the Danish national representative in IFIP TC 11. 

He is actively pursuing research in research focuses on security in ubiquitous computing, particularly on the development of models, policies, and mechanisms to support secure collaboration in open dynamic systems, such as pervasive computing environments, sensor networks and the Internet of Things (IoT). He is particularly interested in the problem of securing interactions between parties who do not necessarily share a common security infrastructure, e.g., sharing resources and information in open smart environments, across multiple organizations or across the Internet. He has proposed a number of abstractions that support context-aware security models, including: Persistent Authentication, which improves security usability through a combination of state-of-the-art authentication mechanisms and sensor based person tracking in an ambient intelligence environment, Sensor Enhanced Access Control, which includes physical properties (e.g. the risk of shoulder surfing) in access control decisions and Attribute Enhanced Role-Based Access Control, which provides a generalized framework for context-aware access control.

He has published more than 80 peer-reviewed papers on security and privacy in distributed systems and has served as program chair and general chair and program committee member for a large number of international conferences, symposia and workshops. He has participated in a number of nationally and internationally funded research projects including the SecDNS project (supported by Innovation Foundation Denmark), Secure and Applied Data (supported by Copenhagen Capital Region), Safer Copenhagen (supported by Copenhagen Capital Region), Managed Video as a Service (supported by Danish Advanced Technology Foundation), Resilient Infrastructure and Building security (EU-FP7-242497), the SECURE project (IST-2001-32486) and the iTrust thematic network (IST-2001-34910) on trust management in open distributed systems.