FUJITSU SCIENTIFIC & TECHNICAL JOURNAL (FSTJ)
FSTJ is published quarterly by FUJITSU LIMITED to introduce the FUJITSU Group's research and development activities, cutting-edge technologies, products, and solution services.
Special Issue: Security
Vol. 52, No. 3, July 2016
In this special issue, we introduce Fujitsu's efforts in providing safety and security to its customers around the world through advanced technologies for constructing a safe ICT environment, extensive education and training of personnel, and operation know-how cultivated through in-house practices.
Japanese version: Magazine FUJITSU (Vol. 67, No. 1, January 2016)
- Special Issue on Security (464 KB)
Tango Matsumoto, Corporate Executive Officer, EVP, Vice Head of Digital Service Business, pp.1-2
- FUJITSU Security Initiative (984 KB)
Taishu Ohta, pp.3-7
- We are now 15 years into the 21st century and entering an age of uncertainty that was unthinkable in the past. As information and communications technology (ICT) is utilized as social infrastructure and use of the Internet is increasingly widespread, safe and secure operation of ICT is strongly desired. Security has conventionally been seen mostly from the perspective of accidental leakage of personal information and preventive measures. However, the growing frequency of cyber attacks means that ICT-related organizations must now embrace the fact that security incidents are bound to occur. This paper presents the FUJITSU Security Initiative, which systematizes this new concept of security. It also describes three technical requirements in particular that need strengthening and Fujitsu's approach to doing this. We intend to establish safe and secure operation of ICT by working with organizations to ensure that they understand these requirements and take steps to meet them. In addition, as we are now in an age in which the Internet of Things (IoT) is quickly being implemented and data is becoming even more valuable, we also aim to help realize a society in which both safe and secure operation of ICT is ensured.
- In-house Practice of Cloud-based Authentication Platform Service Focusing on Palm Vein Authentication (683 KB)
Yuko Suzuki, Atsuko Niigata, Masayuki Hamada, pp.8-14
- Fujitsu has been working on constructing a cloud-based authentication platform service that provides multiple means of high-security authentication, making use of device characteristics. In this service, the central role is played by palm vein authentication, which Fujitsu has cultivated up to now. This service is realized by cross-functionally bringing together knowledge relating to biometrics and authentication services at Fujitsu. Fujitsu intends to offer it to customers and society after it has been thoroughly utilized and brushed up by in-house practice. The authentication means offered include biometrics such as palm vein, iris, and fingerprint authentication and one-time password (OTP) not requiring dedicated devices. In addition, as authentication federation interfaces, multiple standard protocols including Security Assertion Markup Language (SAML) are available. This paper describes the safe and secure authentication features offered by this cloud-based authentication platform service, mainly including Fujitsu's palm vein authentication technology, which can boast of having one of the highest authentication accuracies in the industry.
- Authentication Support Solution for Realizing Safe and Secure Society: Trust Eye (747 KB)
Hideaki Sakatou, Kouji Toyoshima, Satoshi Yoshida, Toshiaki Utsugi, pp.15-22
- The recent development and diffusion of information and communications technology (ICT) has led to a dramatic increase in opportunities for acquiring, delivering, and utilizing information, regardless of whether those activities are done by individuals or organizations. Meanwhile, ICT is also used as "infrastructure" for large-scale and organized crimes such as cyber crimes and international terrorism, posing a significant threat to public security. In this situation, at an early stage Fujitsu started offering security products and services by gathering cutting-edge solutions from around the world to comprehensively provide the optimum combination and operation for each customer. Trust Eye, an authentication support solution, is a service that makes it possible to detect suspicious individuals using falsified official identification (ID) documents and prevent unauthorized use of official ID documents by authenticating such IDs. This paper outlines the Trust Eye products, services, and their authentication technologies. In addition, it describes activities and a future outlook for creating new businesses by making advanced use of official IDs and biometric authentication.
- Biometric Authentication Technologies of Client Terminals in Pursuit of Security and Convenience (657 KB)
Hiroshi Yokozawa, Takashi Shinzaki, Akira Yonenaga, Atsushi Wada, pp.23-27
- An environment is now in place that can offer services utilizing information and communications technology (ICT) in various scenes of daily life, and a wide range of operations and commercial transactions are becoming cloud-based. In this situation, biometric authentication is becoming widespread as a reliable and simple means of user authentication. Fujitsu started providing biometric authentication devices for PCs in 1999. Subsequently, we have worked on the development of biometric authentication technologies for notebook PCs and smartphones, pursuing convenience as well as security. This paper presents Fujitsu's activities related to biometric authentication technologies, centering on the integration of a slimmed-down palm vein sensor in tablets and the successful integration of iris authentication in a smartphone for the first time in the world.
Privacy Protection and Encryption Technologies
- De-identification and Encryption Technologies to Protect Personal Information (751 KB)
Koichi Ito, Jun Kogure, Takeshi Shimoyama, Hiroshi Tsuda, pp.28-36
- The volumes of data in society are anticipated to further increase for reasons such as expansion of big data analysis and future development of the Internet of Things (IoT). There are high hopes that it will be possible to utilize the data gathered in these processes as information linked with individuals (personal information) and create new businesses. Meanwhile, there have been a series of cases of large-scale leakage of personal information due to cyber attacks and internal fraud, along with discontinuance of services that did not pay sufficient attention to privacy. In addition, legal regulations are being tightened as seen in Japan's "My Number (Individual Number)" system, the amendment to Japan's Personal Information Protection Act, and the EU's General Data Protection Regulation. Fujitsu Laboratories has been developing technologies for de-identification and encryption of personal information in accordance with these measures and regulations. This paper describes the de-identification technologies such as k-anonymization and encryption technologies such as homomorphic encryption developed by Fujitsu Laboratories for safe handling of personal information.
- NESTGate-Realizing Personal Data Protection with k-Anonymization Technology (619 KB)
Yoshihiro Morisawa, Shinji Matsune, pp.37-42
- Anonymization is attracting attention as a technology that can prevent the identification of a specific individual from data representing personal information (name, address, age, etc.) and private information (location information, route information, purchase history, etc.). NESTGate is a personal data protection tool implementing Fujitsu Laboratories' version of k-anonymization technology. This technology, which is being heavily researched around the world, can process data representing personal information so that at least k individual records have the same attributes. NESTGate provides a user interface that can easily handle k-anonymization in business operations, and it processes data to make it difficult to identify individuals from a large volume of information. NESTGate also features an authentication function to control access to personal information that includes sensitive information and a job management function to monitor the state of job execution and prevent the simultaneous execution of multiple anonymization processes. NESTGate is a product that can be rapidly incorporated and used in cloud computing and business systems handling personal data. This paper discusses points of concern in handling personal data and describes NESTGate functions.
- Leading-edge Cryptography (672 KB)
Takeshi Shimoyama, Kazuya Takemoto, Arnab Roy, Avradip Mandal, pp.43-51
- Cryptography, a fundamental information security technology, is used in diverse aspects of daily life including digital TV broadcasting, digital money, and mobile phones. It is no exaggeration to say that the history of cryptography is the history of cryptanalysis. Even ciphers said to be absolutely safe have eventually become exposed to risks (become compromised) due to the discovery of new cryptanalysis methods or rapid advances in computers and networks, which has led, in turn, to the development of new encryption techniques. This paper describes recent developments in cryptography with a focus on activities at Fujitsu Laboratories. It also introduces technology for correctly determining the lifetime of a cipher considering advances in cryptanalysis and a new encryption technique having novel functions not found in conventional ciphers. Finally, it explains quantum cryptography, which is said to be the ultimate unbreakable cipher.
Security Intelligence Technologies
- Practice within Fujitsu of Security Operations Center: Operation and Security Dashboard (591 KB)
Takayoshi Sadamatsu, Yoshihiko Yoneyama, Kai Yajima, pp.52-58
- Recently, cyber crimes have been rapidly increasing in Japan and overseas and their methods are becoming more complicated and sophisticated. Targets of cyber attacks are shifting from individuals to enterprises, and cyber spy activities targeting confidential information of enterprises have become conspicuous. Under the circumstances, there is a global need to improve capabilities to promptly identify risks and quickly respond to incidents, in addition to improving security measures that can respond to the actual conditions for defending against cyber attacks. The Fujitsu Group has been implementing in-house activities to quickly detect signs of cyber attacks and other cyber threats for immediate incident response at the security operations center (SOC). With the existing operation model, however, there still remains demand for global-level standardization of the incident response process for faster responses. This paper describes an approach to meeting this challenge. It involves analyzing the actual business processes and standardizing their operations before introducing an automation tool, with which incident response time can be reduced and potential risks in the corporate network can be eliminated at an early stage. In addition, it presents a security dashboard that visualizes the operation status of the SOC by using key performance indicators (KPIs).
- Fujitsu's Know-how and Latest Technology for Measures against Information Leakage by Cyber Attacks (737 KB)
Michio Masuno, Atsushi Wataki, pp.59-65
- While the scope of application of information and communications technology (ICT) is expanding, finding a way to take measures against cyber attacks, which are becoming increasingly advanced and sophisticated, is posing a significant challenge for enterprises. These cyber attacks call for measures premised on intrusion, not to mention measures to prevent intrusion. In the event that a company's defenses are breached, the speed and reliability with which it can respond has a great impact on the risk of information leakage and spread of infection. Fujitsu has developed and offered FUJITSU Software Systemwalker Security Control, which navigates and automates the response according to the specified operation process as a means to deal with this problem. This middleware reduces the cost of the procedure from formulating an operation process to actual security management and allows reliable operation with the elimination of human error by automating response. This paper uses an information leakage accident caused by a cyber attack that occurred in Japan in 2015 as a case example to describe measures that utilize Fujitsu's know-how in internal operation. It also describes the latest technology for measures against cyber attacks, and presents middleware that integrates such operational know-how and the latest technology of Fujitsu.
- Cyber Attack Countermeasure Technologies Using Analysis of Communication and Logs in Internal Network (642 KB)
Masanobu Morinaga, Yuji Nomura, Kazuyoshi Furukawa, Shoji Temma, pp.66-71
- The threat of cyber attacks is continuously on the increase and causing major social issues. In particular, cyber attacks intended to steal information by targeting specific corporations and individuals, which are called targeted attacks, are becoming increasingly clever and persistent. With conventional inbound and endpoint measures such as firewalls and antivirus software, it is not possible to completely prevent malware from intruding into organizations. This paper presents internal countermeasure technology that detects any targeted attack in an organization and analyzes the extent of impact of the attack. This technology is composed of high-speed capture technology for efficiently analyzing a large number of packets that flow in the internal network, attack detection technology based on analysis of the context of malware communications that intruded into the internal network, and technology for validating the impact of the attack by analyzing malware detection information and peripheral device log information. An advanced countermeasure solution against targeted attacks can be realized by combining these technologies.
- Proactive Defense Model Based on Cyber Threat Analysis (669 KB)
Takeshi Osako, Tomoyoshi Suzuki, Yoichi Iwata, pp.72-77
- To defend against cyber attacks, enterprises are establishing computer security incident response teams (CSIRTs) and ensuring they have defense in depth. However, such measures are not sufficient for achieving a perfect defense against attacks, and the number of security incidents is increasing day by day. It has reached the stage where, to further strengthen protection, it is necessary to implement proactive defense as well as to improve reactive defense. Each attacker tends to have unique peculiarities, and "cyber threat intelligence" can be extracted from them. Extracting this intelligence from the various signs and artifacts of attacks is defined as "cyber threat analysis." Establishing a proactive defense model based on this definition is a useful approach to detecting attacks targeting a specific organization, which have been increasing in recent years and are difficult to detect and defend against with existing security measures. This paper describes the standardization of cyber threat analysis techniques including analysis of malware and extraction of cyber threat intelligence. It also describes a model that provides proactive defense against future cyber attacks by utilizing cyber threat intelligence.
- Security Measures Based on Human Behavior Characteristics (1.12 MB)
Takeaki Terada, Yoshinori Katayama, Satoru Torii, Hiroshi Tsuda, pp.78-84
- Recently, the number of targeted attacks has been rapidly increasing. Attackers limit their target to specific organizations or users and send targeted e-mails that cannot be easily identified as being malicious and steal data. In addition, large-scale information leakage accidents have occurred due to human errors such as missending of e-mail, and internal fraud. As a measure against missending of e-mail, Fujitsu has developed a tool that warns its users about making a mistake with regard to the recipients or attachments at the time of sending. To deal with targeted e-mails, we have extended the tool to alert users to suspicious incoming e-mails based on detection of differences with the header information of e-mails they have received before. Furthermore, we have also developed a technology to detect behavioral characteristics of individuals who are vulnerable to cyber-attacks by examining psychological characteristics and PC operation behavior of people who have experienced virus infection, fraud, or information leakage. These technologies will enable flexible security management based on the risk characteristics of individuals and organizations. This paper presents our technologies for reducing users' security risks, such as user interfaces that warn of e-mail missending and issue alerts for suspicious incoming e-mails, and risk assessment technology based on analysis of psychological characteristics and PC operation behavior of users.
- Practice of Training Security Engineers Desired in Cyber Society (638 KB)
Kosetsu Kayama, Shinichiro Yamashita, Masayuki Okuhara, pp.85-91
- The training of security engineers with advanced technical skills has been a key issue both in Japan and overseas and various reference models have been proposed for it. Meanwhile, for vendors of information and communications technology (ICT) with a wide variety of security-related operations in their corporate group, such as Fujitsu, it was difficult to use the conventional models for security engineers, as they were, in the systematic training of engineers with skills required to perform these operations. Accordingly, Fujitsu defined its original program for the human resources of security engineers, called Security Meister, and started implementing a human resource certification system based on it in January 2014. In addition to the security division, we have formulated models for security engineers including those for systems development, ICT operation, corporate and other divisions. They can be used to define human resources required for the respective divisions, discover human resources and provide training programs. This paper presents the details of the activities in the respective organizations based on these human resource models and the results.