Table Of ContentNorbert Pohlmann | Helmut Reimer | Wolfgang Schneider (Eds.)
ISSE 2011 Securing Electronic Business Processes
IT
By the author:
Future of Trust in Computing
by D. Grawrock, H. Reimer, A.-R. Sadeghi and C. Vishik
______________________________________________
Autonomous Land Vehicles
by K. Berns and E. v. Puttkamer
Microsoft Dynamics NAV
by P. M. Diffenderfer and S. El-Assal
Using Microsoft Dynamics AX 2009
by A. Luszczak
From Enterprise Architecture to IT Governance
by K. D. Nieman
www.viewegteubner.de
Norbert Pohlmann | Helmut Reimer |
Wolfgang Schneider (Eds.)
ISSE 2011
Securing Electronic
Business Processes
Highlights of the Information Security Solutions
Europe 2011 Conference
With 103 Figures
Bibliographic information published by the Deutsche Nationalbibliothek
The Deutsche Nationalbibliothek lists this publication in the Deutsche Nationalbibliografie;
detailed bibliographic data are available in the Internet at http://dnb.d-nb.de.
Many of designations used by manufacturers and sellers to distinguish their products are claimed as
trademarks.
1st Edition 2012
All rights reserved
© Vieweg+Teubner Verlag | Springer Fachmedien Wiesbaden GmbH 2012
Editorial Office: Dr. Christel Roß | Andrea Broßler
Vieweg+Teubner Verlag is a brand of Springer Fachmedien.
Springer Fachmedien is part of Springer Science+Business Media.
www.viewegteubner.de
No part of this publication may be reproduced, stored in a retrieval system or
transmitted, in any form or by any means, electronic, mechanical, photocopying,
recording, or otherwise, without the prior written permission of the copyright holder.
Registered and/or industrial names, trade names, trade descriptions etc. cited in this publication
are part of the law for trade-mark protection and may not be used free in any form or by any means
even if this is not specifically marked.
Cover design:KünkelLopka Medienentwicklung, Heidelberg
Typesetting: Oliver Reimer, Jena
Printing company: AZ Druck und Datentechnik, Berlin
Printed on acid-free paper
Printed in Germany
ISBN 978-3-8348-1911-6
Contents
About this Book ______________________________________________ ix
The new German ID Card:
An Innovative System Gains Acceptance __________________________________1
Ulrich Hamann
Proof, not Promises:
Creating the Trusted Cloud _____________________________________________9
. . .
Arthur W. Coviello, Jr. Howard D. Elias Pat Gelsinger Richard McAniff
Cloud Computing & Enterprise Security Services _________________21
How Cloud Security Strongly Depends on Process Maturity,
Automation and Scale ________________________________________________23
.
Eberhard von Faber Michael Pauly
Market Overview of Security as a Service Systems ________________________34
.
Christian Senk Andreas Holzapfel
New Digital Security Model ____________________________________________43
Morten Jørsum
Connect to the Cloud - New Challenges for Enterprise Single Sign-on and
Identity Provisioning _________________________________________________53
Martin Raepple
From Trusted Cloud Infrastructures to Trustworthy Cloud Services __________64
.
Michael Gröne Norbert Schirmer
vi Contents
Awareness, Education, Privacy & Trustworthiness ________________77
Information Security Awareness Campaign “Sicher gewinnt!”:
A Joint Action of the German Federal Administration _____________________79
.
Käthe Friedrich Lydia Tsintsifa
Pebkac revisited – Psychological and Mental Obstacles in the Way of Effective
Awareness Campaigns ________________________________________________88
Dr. Johannes Wiele
Building a Long Term Strategy for International Cooperation
in Trustworthy ICT ____________________________________________________98
.
James Clarke John C. Mallery
Emerging Threats in 21st Century Cyberspace ___________________________109
Vaclav Jirovsky
Smart Grids, Mobile & Wireless Security ________________________121
Security Policy Automation for Smart Grids: Manageable Security &
Compliance at Large Scale ____________________________________________123
.
Ulrich Lang Rudolf Schreiner
Consumerization: Consequences of Fuzzy Work-Home Boundaries _________138
. . . .
Patrick Koeberl Jiangtao Li Anand Rajan Claire Vishik Marcin Wójcik
Smart Grid Privacy by Design: Ontario’s Advanced Distribution System _____154
.
Ann Cavoukian Michelle Chibba
How to have the cake and eat it, too:
Protecting Privacy and Energy Efficiency in the Smart Grid ________________164
Klaus Kursawe
Security of Wireless Embedded Devices in the Real World _________________174
. .
Timo Kasper David Oswald Christof Paar
Leveraging Strong Credentials and Government Standards
to secure the Mobility Cloud __________________________________________190
Philip Hoyer
Contents vii
Security Management, Identity & Access Management __________199
Security Architecture in a Collaborative De-Perimeterised Environment:
Factors of Success ___________________________________________________201
. .
Yulia Cherdantseva Omer Rana Jeremy Hilton
El Metodo – Managing Risks in Value Chains ____________________________214
. . . .
Maarten Hoeve Rieks Joosten Edwin Matthijssen Caroline van der Weerdt
Reinder Wolthuis
A Systematic Approach to Legal Identity Management –
Best Practice Austria _________________________________________________224
.
Herbert Leitold Arne Tauber
Provisioning without APIs ____________________________________________235
Michael Groß
A Structured Approach to the Design of Viable Security Systems ___________246
.
Jan Zibuschka Heiko Roßnagel
Fighting CNP fraud – a Case Study _____________________________________256
Marc Sel
eID & eGovernment __________________________________________265
ETSI STF 402 – Standardizing the pan-European Infrastructure for Registered
Electronic Mail and e-Delivery ________________________________________267
. . . . .
Juan Carlos Cruellas Jörg Apitzsch Luca Boldrin Andrea Caccia Santino Foti
.
Paloma Llaneza Gregory Sun
CEN/ETSI Rationalised Framework for
Electronic Signature Standardisation __________________________________279
. . . . . .
Nick Pope Olivier Delos Juan Carlos Marjo Geers Peter Lipp Paloma Llaneza Gonzales
. .
Béatrice Peirani Antoine de Lavernette Stefan Santesson
Integrating Components from the CIP ICT PSP LSP Projects with
a National eGovernment Infrastructure ________________________________290
Jon Ølnes
viii Contents
On Secure SOA Based e/m-Government Systems ________________________307
Milan Marković
PKI Implementation for Romanian Schengen Information System _________317
. . .
Adrian Floarea Constantin Burdun Ionut Florea Mihai Togan
The Electronic Visa – Solutions to Shift from Paper to Chip ________________330
Dan Butnaru
Device & Network Security ___________________________________339
Objectives and Added Value of an
Internet Key Figure System for Germany _______________________________341
. . .
Sebastian Feld Tim Perrei Norbert Pohlmann Matthias Schupp
Improved Feature Selection Method using SBS-IG-Plus ___________________352
. .
Maher Salem Ulrich Bühler Sven Reißmann
SCADA Security: A Risky Environment _________________________________362
Maarten B. Nieuwenhuis
ESUKOM: Smartphone Security for Enterprise Networks __________________371
. . . .
Ingo Bente Josef von Helden Bastian Hellmann Joerg Vieweg Kai-Oliver Detken
Index ______________________________________________________383
About this Book
The Information Security Solutions Europe Conference (ISSE) was started in 1999 by eema and
TeleTrusT with the support of the European Commission and the German Federal Ministry of
Technology and Economics. Today the annual conference is a fixed event in every IT security
professional’s calendar.
The integration of security in IT applications was initially driven only by the actual security is-
sues considered important by experts in the field; currently, however, the economic aspects of
the corresponding solutions are the most important factor in deciding their success. ISSE offers
a suitable podium for the discussion of the relationship between these considerations and for the
presentation of the practical implementation of concepts with their technical, organisational and
economic parameters.
From the beginning ISSE has been carefully prepared. The organisers succeeded in giving the
conference a profile that combines a scientifically sophisticated and interdisciplinary discussion
of IT security solutions while presenting pragmatic approaches for overcoming current IT secu-
rity problems.
An enduring documentation of the presentations given at the conference which is available to
every interested person thus became important. This year sees the publication of the nineth ISSE
book – another mark of the event’s success – and with about 30 carefully edited papers it bears
witness to the quality of the conference.
An international programme committee is responsible for the selection of the conference contri-
butions and the composition of the programme:
(cid:116)(cid:1)(cid:34)(cid:78)(cid:78)(cid:66)(cid:83)(cid:1)(cid:34)(cid:77)(cid:76)(cid:66)(cid:84)(cid:84)(cid:66)(cid:83), Sirrix AG (Germany)
(cid:116)(cid:1)(cid:51)(cid:80)(cid:79)(cid:79)(cid:90)(cid:1)(cid:35)(cid:75)(cid:80)(cid:79)(cid:70)(cid:84), Microsoft (Belgium)
(cid:116)(cid:1)(cid:49)(cid:66)(cid:87)(cid:70)(cid:77)(cid:1)(cid:583)(cid:70)(cid:77)(cid:70)(cid:69)(cid:66), Masaryk University (Czech Republic)
(cid:116)(cid:1)(cid:51)(cid:80)(cid:72)(cid:70)(cid:83)(cid:1)(cid:37)(cid:70)(cid:66)(cid:79), eema (United Kingdom)
(cid:116)(cid:1)(cid:43)(cid:66)(cid:79)(cid:1)(cid:37)(cid:70)(cid:1)(cid:36)(cid:77)(cid:70)(cid:83)(cid:68)(cid:82), HP (Belgium)
(cid:116)(cid:1)(cid:46)(cid:66)(cid:83)(cid:74)(cid:75)(cid:76)(cid:70)(cid:1)(cid:37)(cid:70)(cid:1)(cid:52)(cid:80)(cid:70)(cid:85)(cid:70), Security4Biz (Belgium)
(cid:116)(cid:1)(cid:43)(cid:80)(cid:84)(cid:1)(cid:37)(cid:86)(cid:78)(cid:80)(cid:83)(cid:85)(cid:74)(cid:70)(cid:83), K.U. Leuven (Belgium)
(cid:116)(cid:1)(cid:56)(cid:66)(cid:77)(cid:85)(cid:70)(cid:83)(cid:1)(cid:39)(cid:86)(cid:78)(cid:90), Bundesdruckerei (Germany)
(cid:116)(cid:1)(cid:51)(cid:74)(cid:68)(cid:68)(cid:66)(cid:83)(cid:69)(cid:80)(cid:1)(cid:40)(cid:70)(cid:79)(cid:72)(cid:73)(cid:74)(cid:79)(cid:74), S.N.G. (Italy)
(cid:116)(cid:1)(cid:46)(cid:74)(cid:68)(cid:73)(cid:66)(cid:70)(cid:77)(cid:1)(cid:41)(cid:66)(cid:83)(cid:85)(cid:78)(cid:66)(cid:79)(cid:79), SAP (Germany)
(cid:116)(cid:1)(cid:43)(cid:80)(cid:73)(cid:79)(cid:1)(cid:41)(cid:70)(cid:83)(cid:78)(cid:66)(cid:79)(cid:84), KPMG (The Netherlands)
N. Pohlmann, H. Reimer, W. Schneider (Editors): Securing Electronic Business Processes, Vieweg (2010), vii-x
