The security-by-design techniques developed by S&T take into account the legal constraints imposed by regulations (e.g., the use of a second factor authentication to access healthcare data) to develop identity solutions that offer the best trade-off between security, privacy, and usability.
S&T works on assessing legal compliance regulations of IT systems with emphasis on privacy restrictions. In this context, S&T has developed automated techniques for checking compliance with respect to the privacy regulations imposed by the EU. This is a first substantial step towards the development of techniques for aligning security (from a technological point of view) and privacy (from a legal point of view) to improve the governance of data and services in the system.
Our focus:
- Automated compliance checking of legal provisions for privacy
- Compliance of high-level designs against EU Data Protection Directive (DPD)
- Porting it to General Data Protection Regulation (GDPR)
- Data Protection Impact Assessment
- eIDAS, electronic IDentification, Authentication and trust Services
Related Publications
-
Amir Sharif, Matteo Ranzi, Roberto Carbone, Giada Sciarretta, Silvio Ranise
SoK: A Survey on Technological Trends for (pre)Notified eIDAS Electronic Identity Schemes
In: 17th International Workshop on Frontiers in Availability, Reliability and Security (FARES2022) (DOI, complementary material, news) -
Salimeh Dashti, Amir Sharif, Roberto Carbone, Silvio Ranise
Automated Risk Assessment and What-if Analysis of OpenID Connect and OAuth 2.0 Deployments
In: Proceedings of the 35th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2021) (news) -
Majid Mollaeefar, Alberto Siena, Silvio Ranise
Multi-Stakeholder Cybersecurity Risk Assessment for Data Protection
In: 17th International Conference on Security and Cryptography (SECRYPT 2020) (DOI) -
Federico Sinigaglia, Roberto Carbone, Gabriele Costa, Nicola Zannone
A Survey on Multi-Factor Authentication for Online Banking in the Wild
In: Computers & Security Journal (COSE) (DOI, complementary material, news) -
Salimeh Dashti, Silvio Ranise
A Tool-assisted Methodology for the Data Protection Impact Assessment
In: 16th International Conference on Security and Cryptography (SECRYPT 2019) (DOI, news) -
Paolo Guarda, Silvio Ranise, Hari Siswantoro
Security Analysis and Legal Compliance Checking for the Design of Privacy-friendly Information Systems
In: 22nd ACM Symposium on Access Control Models And Technologies (SACMAT 2017) (DOI) -
Silvio Ranise, Hari Siswantoro
Automated Legal Compliance Checking by Security Policy Analysis
In: International Conference on Computer Safety, Reliability, and Security (SAFECOMP 2017) (DOI) -
Federico Sinigaglia, Gabriele Costa, Roberto Carbone
Strong Authentication for e-Banking: a Survey on European Regulations and Implementations
In: 14th International Conference on Security and Cryptography (SECRYPT 2017) (DOI, news)
Related Theses
-
Alessandro Pegoraro (Bachelor's Thesis, University of Trento, 2021)
Payment Services Directive 2 in the Wild - A comparison between Open Banking UK and NextGenPSD2
Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Salvatore Manfredi -
Salimeh Dashti (PhD Thesis, University of Genoa, 2021)
An Assisted Methodology to Conduct Data Protection Impact Assessment (link)
Supervisor: Silvio Ranise -
Alessio Valenza (Bachelor's Thesis, University of Trento, 2020)
Autenticazione bancaria post-PSD2: siamo al sicuro? Analisi automatica del rischio di protocolli di autenticazione
Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Marco Pernpruner -
Nadia Metoui (PhD Thesis, University of Trento, 2018)
Privacy-Aware Risk-Based Access Control Systems (link)
Supervisor: Alessandro Armando | Co-supervisor: Michele Bezzi -
Hari Siswantoro (PhD Thesis, 2018)
Automated Analysis and Synthesis for the Compliance of Privacy and Other Legal Provisions (link)
Supervisor: Silvio Ranise | Co-supervisor: Alessandro Armando