
Data protection: Keeping the danger small through prioritization

At the ARES Conference, Jan Laufer presented a new model for estimating data protection risks while an application is running. It can be used, for example, in self-adaptive systems to prioritize fixing the most dangerous vulnerabilities.

At the 17th International Conference on Availability, Reliability and Security (ARES 2022) in Vienna, Jan Laufer presented the background of the approach and showed its integration into RADAR. RADAR (Run-time Adaptations for DAta pRotection) was developed in the SSE working group to ensure data protection in cloud-based computer systems at run time. Experiments with the model integrated into RADAR show that risk prioritization can significantly reduce the damage caused by data protection vulnerabilities.

Publication

Sascha Sven Zmiewski, Jan Laufer and Zoltán Ádám Mann: Automatic Online Quantification and Prioritization of Data Protection Risks. In: Proceedings of the 17th International Conference on Availability, Reliability and Security, ARES '22, Association for Computing Machinery, New York, NY, USA, 2022.

Abstract

Data processing systems operate in increasingly dynamic environments, such as in cloud or edge computing. In such environments, changes at run time can result in the dynamic appearance of data protection vulnerabilities, i.e., configurations in which an attacker could gain unauthorized access to confidential data. An autonomous system can mitigate such vulnerabilities by means of automated self-adaptations. If there are several data protection vulnerabilities at the same time, the system has to decide which ones to address first. In other areas of cybersecurity, risk-based approaches have proven useful for prioritizing where to focus efforts for increasing security. Traditionally, risk assessment is a manual and time-consuming process. On the other hand, addressing run-time risks requires timely decision-making, which in turn necessitates automated risk assessment.

In this paper, we propose a mathematical model for quantifying data protection risks at run time. This model accounts for the specific properties of data protection risks, such as the time it takes to exploit a data protection vulnerability and the damage caused by such exploitation. Using this risk quantification, our approach can make, in an automated process, sound decisions on prioritizing data protection vulnerabilities dynamically. Experimental results show that our risk prioritization method leads to a reduction of up to 15.8% in the damage caused by data protection vulnerabilities.