10 research outputs found

    Balancing usability and security in the business cloud authentication

    Cloud services, which are steadily growing in popularity, create many new opportunities for remote workers, partners and hackers to access a company's tools and customer data. As the amount of important business data in cloud services grows, the security requirements of the services also become stricter. The secure design of cloud services must take into account numerous attack routes at many different levels of the service, from the network interface to vulnerabilities in individual software components. One of the biggest attack vectors is also a route that must be left partly open for the actual users of the service: authentication, that is, verifying users when they log in to the service. The goal of this master's thesis was to find the balance point between the usability and security of cloud services, and the factors that affect it. User authentication must be secure enough that potential attackers cannot gain access to the system's valuable data and resources. At the same time, authentication must also be usable enough that the actual users can access their services efficiently and without unnecessary frustration. The topic is approached through a literature review of the key research in the field and a survey of authentication methods suited to cloud services. In addition, a usability test was designed and conducted for six participants, measuring users' attitudes towards four different authentication methods and towards multi-factor authentication combining them. At the same time, semi-structured interviews were used to survey the various factors that affect the balance of usability and security as experienced by the users. The study identified several ways to improve the balance of usability and security in business cloud services. A combination of several medium-strength authentication methods was found to be more user-friendly than strong single-method authentication reaching the same level of security. Educating users and clearly communicating security goals also had a large impact, especially in avoiding unofficial, security-weakening "workarounds". Resetting forgotten user credentials is also a factor that often receives too little attention and that has a large impact on both the usability and the security of the system.

    An increasing wave of cloud services is creating many new ways for remote workers, outsourcing partners and hackers to access the essential tools and business data of cloud-enabled companies. As the amount of business-critical data in cloud services increases, so does the need to secure it. Securing a cloud service requires balanced defenses against many different attack vectors at various levels of the service, starting from the edges of the public network and continuing deep inside the individual design of each software component of the cloud service. One of the biggest attack vectors is also the one route that has to be left open for legitimate users to use the service: user authentication. The goal of this thesis was to find a balance between making user authentication in business cloud services secure enough and usable enough. Authentication has to be secure enough to prevent malicious attackers from gaining access to the valuable data and resources inside the service. At the same time, it still has to be usable enough for legitimate users to be able to access their cloud services without unnecessary frustration. The topic is approached through a literature review of relevant research and relevant authentication methods. In addition, several (n=6) usability tests are performed in combination with semi-structured interviews to evaluate user preference in authentication method selection and the factors affecting the experienced balance of security and usability. The thesis also evaluates other important factors, besides the authentication method itself, that affect the security-usability balance of the entire authentication process. As a result, the thesis presents several ways to improve the balance of usability and security in business cloud services. Multifactor authentication is observed to be more usable than equally secure single-factor authentication. Educating the users and communicating the security needs clearly helps to reduce the unsanctioned security "shortcuts" that reduce the overall security. Authentication resetting is an often neglected but really essential factor, both as a usability hindrance and as a possible attack vector.

    IT Lightning Talks: session #2

    IdeaSquare is a new pilot project meant to connect people inside and outside CERN to work together and to help CERN-inspired innovations create a positive impact on society. We started our work last October with a five-month student project, Challenge Based Innovation (CBI), which has gathered some quite nice feedback along the way (http://cern.ch/go/wmM7) but is only one of our activities. Our big goal is scaling this collaboration up so that different kinds of people all around the world can participate easily. We want to start by providing the student engineers, industrial designers and economists in the next round of the CBI course with better tools and services for working together and sharing their ideas. In the long run, we want to create a scalable system that would allow a lot more people to work together and learn in similar constructive projects in the future. What are the tools at CERN we should use during the next round of CBI: Sharepoint, Vidyo, Owncloud, social.cern.ch... and something else? Interested to get involved in planning the next steps

    Challenge Based Innovation gala

    There's a new experiment starting at CERN called IdeaLab, where we work together with detector R&D researchers to help them bridge their knowledge into a more human, societally oriented context. Currently we are located in B153, but we will move our activities to a new facility next to the Globe in May 2014. One of our first pilot projects is a 5-month course, CBI (Challenge Based Innovation), where two multidisciplinary student teams join forces with the Edusafe & TALENT projects at CERN. Their goal is to discover what kind of tools for learning could be created in collaboration with the two groups. After months of user interviews and low-resolution prototyping, they are ready to share the results with us in the form of an afternoon gala. We warmly welcome you to join us to see the students' results and experience the prototypes they have conceived. The event is in three parts; you are welcome to visit all of them, or just the one(s) that your personal schedule allows. For remote participants, the presentations (part 1) will be available through a CERN webcast (webcast.cern.ch) 14.30 - 16.45 (GMT+1). Part I, 14.30: Project presentations at 222 Filtration plant. Part II, 17:00: Prototype demonstrations at B153. Part III, 19:00: The afterparty at B153. For more information: Challenge Based Innovation course blog; CBI introduction video; CBI contact Tuuli Utriainen ([email protected]) or Lauri Repokari ([email protected]); IdeaLab contact Harri Toivonen ([email protected])

    Mixing design, management and engineering students in challenge-based projects

    The aim of this work is to describe and discuss the benefits and limitations that have been detected along two iterations of a learning experience that has been carried out by three institutions located in Barcelona: Istituto Europeo di Design (IED), ESADE Business School and UPC-Telecom BCN. Design, management and ICT engineering students are mixed together in multidisciplinary teams to face a design challenge along a semester. The framework of these projects is the Challenge Based Innovation (CBI) program, a structure promoted by CERN in which students from different disciplines and countries are challenged to design solutions to social needs following the Design Thinking approach. The international and multidisciplinary teams perform several stays (four weeks in total) at IdeaSquare (http://ideasquare.web.cern.ch/), a creative environment built at the CERN Meyrin site, in Switzerland. They also devote a weekly working day in their home institutions along a semester. In that day they work in multidisciplinary teams with coaching from faculty of the three institutions. While at IdeaSquare, the students consult with scientists and knowledge transfer experts about their challenges and about the possible use of CERN technologies in the proposed solutions. The challenges are quite open and, according to the Design Thinking methodology, the students follow several divergence-convergence phases: they devote approximately one third of the time identifying relevant needs into the challenge scope and choosing one of them. Another third identifying possible solutions for the chosen need and converging to a single one through low-resolution prototyping and testing. Finally, the last third is spent exploring the business aspects and possible technological implementations of the solution and developing a functional prototype, able to provide a proof of concept of the idea. All students (6 per team) participate in all phases of the design process. 
The evident benefits of this multidisciplinary approach are the enrichment of the ideation process thanks to the coexistence of different points of view, and the ability to go deeper into the different aspects of the implementation with respect to the separate capabilities of each partner. Although the whole experience has several interesting aspects, the aim of this paper is to emphasize the aspects related to engineering education. A constructive confrontation between Design Thinking and Analytical Design approaches arises, and several tradeoffs have to be set. Usually, the UPC engineering students start their regular projects from requirements defined by the faculty or by external stakeholders, and often with a priori restrictions on the technology. In this experience, however, they participate in the conceiving phase but have less time to completely develop a complex final product and to learn about technology along this process. On the other hand, the ability to develop disruptive and high-impact solutions is higher with this approach, although engineering students tend to take technology restrictions into account even in the early phases of the process. The review of relevant literature on design approaches and on challenge-based learning, the considerations about the benefits, limitations and tradeoffs, and the lessons learnt will be developed in the extended version of this paper. Peer Reviewe

    Benefits of diverse and interdisciplinary co-creation for HEP - a showcase

    THE Port association organises interdisciplinary co-creational humanitarian hackathons at CERN. Combining physicists and engineers working on HEP-related topics in their day jobs with entrepreneurs, artists, researchers, designers, humanitarian workers and other creative minds helps identify similar material and engineering solutions for humanitarian challenges. It allows cross-collaboration between many different disciplines. By concentrating on humanitarian and socially beneficial topics, the technology opportunities identify new methods, materials and processes that can be fed back into HEP. The methodology of humanitarian hackathons is described and some examples of challenge outcomes are showcased.

    Distributed experiments in design sciences, a next step in design observation studies?

    This paper describes and proposes a new method for conducting globally distributed design research. Instead of using, for example, software, we tried out a completely analogue approach: five carefully prepared packages, containing all the necessary materials and instructions for a design challenge, were sent out to supervisors in Norway, Finland, Italy, and Australia. These local supervisors then conducted the egg-drop exercise with students who are part of an international course held at CERN. As the task is conducted according to a previously tested protocol, the results gathered with this new method can then be benchmarked against the available data. This new approach to globally conducted engineering design activities avoids local bias and enables the gathering of large amounts of diverse data points. One can also think of a research community where every member can send out one experiment per year and, in return, receives data points from across the world. Based on the feedback from the supervisors, we can say that from an organisational standpoint this method works well. The comparison to the existing data has yet to be done.