Monday, June 22, 2015

"The university is essential to the future of cybersecurity"

Juan Troncoso-Pastoriza. Researcher at Universidad de Vigo. Speaker at the summer course Innovation in security applied to the protection of digital identity.

In 2005, Juan Troncoso-Pastoriza received the prize for best graduating student from the Ministry of Education and Science. He also received a prize for the best doctoral thesis from Universidad de Vigo and the Instituto de Ingenieros de Telecomunicaciones (COIT). During his brilliant career, he has participated in several national and European projects related to information security and the protection of privacy, an area where he has written many articles in international magazines and has taken part in lectures as well. He also holds some international patents. His interests include secure signal processing, privacy protection, multimedia security and image modeling.

How did you get into this?

It's not easy to find a simple reason for my choice to work in information security research. Research in itself is a vocational path, so I think the short answer is that I love challenges. Security and privacy are cross-cutting issues which affect all kinds of ICT services and systems in many diverse areas, where it's easy to find unresolved problems and new challenges.

Additionally, the interdisciplinarity of fields like multimedia security in general, and of encrypted processing or the protection of the privacy of sensitive data and signals specifically, makes them challenges which require the use and application of very different concepts and tools: not only from cryptography and signal processing but also from the particularities of the field of application, and even a certain knowledge of the regulations in order to take into account the legal framework related to data protection. It is this interdisciplinarity, combined with wide applicability and the importance of security and privacy problems, that attracted me from the beginning.

What drives you to move forward?

In recent years, there's been a growing awareness about cybersecurity, privacy and data protection, which means not only a greater demand in terms of system design requirements, but also a more effective applicability of techniques that were only theoretical schemes before.

The existence and popularization of these techniques opens up architectures and services with privacy guarantees provided by the technology itself, in contrast with the current guarantees, based on mutual confidence. This creates a cycle of continuous evolution where more technology is demanded to cover the new aspects of privacy protection.

A very clear example, which I work with very closely, is the one related to encrypted processing: the SPED (Signal Processing in the Encrypted Domain) techniques consist of protecting data from the first moment they are moved to an unreliable environment; for that, unconventional encryption schemes are used, whose objective is to provide safe services which, under the SPED paradigm, will work in a "blind" mode over encrypted data, providing a full privacy guarantee.

A few years ago, these kinds of techniques were only seen as an entelechy, theoretical tools whose convenience had not been seriously considered, whereas right now they are starting to enter the industry and to have a real presence as real solutions for privacy protection.

What worries you in the actual world of cybersecurity? 

Conventionally, the field of security has advanced like a cat-and-mouse game, where the systems are refined as we learn of new attacks and vulnerabilities. My research and my work are focused on privacy protection. This is often perceived as something related to security, when it's really a problem in itself, almost independent and difficult to approach, measure and ensure properly.

As a simple example, A may want to communicate with B using a message service provided by C; this service could be perfectly safe against external attacks, from the point of view of the communication between A, B and C and the data storage in C; but this security doesn't guarantee that C could have access to the conversation between A and B, or how it can use this information.

Now we're entering the privacy field, and guaranteeing it requires more complex confidence models and more modern techniques than the ones used to ensure communication and storage: it's necessary to ensure the processing. This part of privacy is not established or present in the design and evaluation of safe systems, but the growing awareness I mentioned before can change this situation, giving a bigger role to privacy protection.

Any quote that's your motto day by day?

Research in general can sometimes be a very disappointing task, but extremely rewarding too. The relationship between frustration and reward is usually linked to the part of the work that becomes routine, because to solve research problems it is always necessary to look for groundbreaking and clever solutions, many times different from the usual path or applying techniques from other fields. This is a little bit like a well-known quote attributed to Albert Einstein, which I reproduce: “We cannot solve our problems with the same thinking we used when we created them.”

You have some national awards for your educational career. What role do you think the university plays nowadays educating the future professionals of this area?  

Many times, when we talk about the university's role, it's immediately equated with education; however, the university carries out two necessary and fundamental tasks, both in the cybersecurity field and in other areas: the educational one, of course, but the research one too. When both work together, the university becomes an essential base which educates professionals in the most advanced techniques, while it produces and attracts research talent which keeps it at the R&D forefront. Education and research can't be separated, because, little by little, it would fall behind, not responding to the new challenges which arise all the time.

Having said this, the university is essential to the future of cybersecurity. This is an area where the industry doesn't like to accept security solutions until they are completely verified, proven, and tested against attackers and hackers; so a research group is necessary which advances the state of the art, designing new and groundbreaking solutions, acting against attacks and risks. Only the university can develop this role and, starting from this research and innovation, provide an advanced education which could create professionals who know how to deal not only with recent cybersecurity problems, but also with future challenges.

You are a well known expert in the world of the information security and the data privacy. Which sectors do you think could be improved and how? 

Information security and privacy are wide fields, and any strategy can be improved, starting with the adoption of more proactive rather than reactive approaches to security risks and vulnerabilities, as well as the research and educational focus of the university, mentioned before, which is necessary to achieve this proactive change.

However, I prefer to focus on a particular fact, which is related to the design process of safe systems and privacy protection, where we can already see a trend of change, though not sufficiently established: we're talking about the new concepts of Privacy and Security by design, where protection becomes an integral and inherent part of the system, tied to its own issues and properties.

It's basic to know that a system isn't safe only by adding cryptographic mechanisms to it, because it's necessary to start from a deep knowledge, redesigning it to make it a system that is safe by default. This may seem the opposite of the traditional divide and rule, the separation of problems to approach them individually in a simple way; however, this isn't possible when the problems aren't independent. In fact, the data we use can't be separated from their privacy properties, so the applied protection mechanisms must be designed in an informed way, taking into account the nature of the data, the signals and the processes involved, not as an additional layer. This change of conception makes it easier to understand and properly approach the security risks, but it's absolutely fundamental in the case of privacy protection.

Among all your wide range of projects and patents, the study of multimedia security is especially remarkable. Could you tell us more about that?

Media presents unique security challenges that distinguish it from other areas. As an example, the fundamental difference between a numerical record in a database and a multimedia signal is the nature of the relevant information they contain. While for the former it is easily interpretable and removable, in the latter such information can be captured in a perceptual mode (forms and textures in an image, or a melody or instruments) and can be linked directly to an individual (his face in a photo, his walk in a video ...) and therefore directly or indirectly identify him.

The nature of multimedia signals and, in particular, the independence of the information they carry from the format (structure, container, compression, ...) make it necessary to adapt security strategies to the content itself, not the format. In this case, the need is more evident for a "Privacy-by-design" style approach that takes into account a deeper knowledge to produce content privacy protection systems.

Within multimedia security, one of the research lines in which I work most actively is the processing of encrypted signals (SPED, Signal Processing in the Encrypted Domain). This line combines applied cryptography and signal processing, adapting and shaping the cryptosystems used to the structure and properties of the multimedia signals being handled, so that it is possible to filter them, process them, operate on them and interpret them in a "blind" way, without having to decipher them and, therefore, without revealing any sensitive information in the process. This enables, among others, the provision of outsourced services (Cloud Computing) in which all signals and processes that take place in an unreliable environment (the service provider) are protected. Some examples of application of these technologies include: secure biometric authentication (face, iris, fingerprint, ...), secure telemedicine systems, genetic analysis, video surveillance systems with privacy guarantees by design, or secure smart metering systems (Smart metering).