SlideShare a Scribd company logo
Copyright © The Open Group 2011
Joint Workshop on Security Modeling
ArchiMate Forum and Security Forum
Facilitators:
Erik Proper, Senior Research Manager and
Christophe Feltus, Senior Research Engineer,
Public Research Center Henri Tudor
Iver Band, Enterprise Architect,
Standard Insurance Company
Copyright © The Open Group 2011
Workshop Agenda
2
• Welcome and purpose
• Introductions
• Research spotlight: Strengthening RBAC with Responsibility Modeling
• Motivation: The Inaction Problem in Information Security
• Open Discussion:
• Complementing TOGAF® and ArchiMate® with enhanced security modeling
• Identification and prioritization of challenges
• Next steps and adjourn
Copyright © The Open Group 2011
Workshop Purpose
• The acceptance and maturity of TOGAF and ArchiMate present
opportunities to
• Improve the conceptual and visual modeling of enterprise
information security
• Drive usage of TOGAF and ArchiMate for security architecture
• Enable information security stakeholders to make better decisions
about protecting their interests
• Enable all business leaders to understand the impact of information
security or the lack thereof
• We are here to identify and prioritize these opportunities, and to plan
efforts to exploit them
3
Copyright © The Open Group 2011
Brief Personal Introductions
• Name
• Organization and position
• Involvement in The Open Group
• Security and modeling background and interests
4
Copyright © The Open Group 2011
Sponsored by
Christophe Feltus
Senior R&D Engineer
christophe.feltus@tudor.lu
Public Research Centre Henri Tudor
29, avenue John F. Kennedy
L-1855 Luxembourg-Kirchberg
Tel +352 42 59 91 - 1
Fax +352 42 59 91 - 777
www.tudor.lu
Research Spotlight: Strengthening RBAC with
Responsibility Modeling
The Open Group Conference,
San Francisco, USA, Feb 2, 2012
Copyright © The Open Group 2011
Outline
6
• Context of the research
• The problem / the research approach
• What is RBAC ?
• Case study
• 1st research question: How should responsibility be
modelled, both in general and specifically in ArchiMate ?
• 2nd research question: How can models of responsibility
be used to improve access rights management ?
• Conclusions
Copyright © The Open Group 2011
The Problem
The research addresses two problems arising from security and
governance requirements, such as Basel II and Sarbanes-Oxley
• Enterprises must precisely provision access rights according to
business needs, principles such as least privilege and separation of
duties as well as statutory requirements.
• RBAC partially solves that problem
• Enterprises must precisely define responsibilities and stakeholders
must understand them.
• Today, there is no standard business definition of responsibility
 Both problems are linked: Responsibility definition enables precise
provisioning of access rights
7
Copyright © The Open Group 2011
Approach
• In order to solve the problem:
• We explore a model to define responsibilities
• We consider access rights provisioning based on the
model
8
Copyright © The Open Group 2011
RBAC
9
• A widely implemented mechanism for protecting system resources. Relies on user
authentication, which in turn relies on identity management
• Defines and applies relationships between
• Users − often human, but can also be systems
• Roles − job functions defined for an organization
• Permissions − organizational consent to perform specific operations
• Ensures that each user can execute only those operations authorized through roles that
are both assigned to that user and activated for that user’s session
• Four standard and cumulative levels (hierarchical, constraint,…)
Users Roles
Sessions
Operations Objects
Permissions
(UA) User
Assignment
(PA)
Permission
Assignment
user_sessions Session_roles
Modeling RBAC with SABSA, TOGAF and
ArchiMate, Creating a Foundation for
Understanding and Action,
Iver Band, CISSP
Open Group Conference, Austin, Texas
Copyright © The Open Group 2011
Administration framework
10
Modeling RBAC with SABSA, TOGAF and
ArchiMate, Creating a Foundation for
Understanding and Action,
Iver Band, CISSP
Open Group Conference, Austin, Texas
Business
Actor
Business
object
Business
Role
Business
process /
function /
interaction
• The data object Users
corresponds to the Business Actor
• The data object Roles
Corresponds to the
Business Role
• The data object
Permissions corresponds to
the access to data object
Copyright © The Open Group 2011
Case study
11
Project management
• The role of project manager is assigned to four processes that compose the
project management service
• Each of these processes accesses specific data
• Bob is a project manager
Project
manager
Manage team
Prepare budget
Manage risk
Review results
Patrick
Bob
Secretary
Team Mgt data
Budget data
Risk Mgt data
Results data
Copyright © The Open Group 2011
Case study
12
• Bob has too much work and delegates the preparation of the budget to his
secretary, Patrick.
•  How can Bob assign Patrick the necessary rights?
Project
manager
Manage team
Prepare budget
Manage risk
Review results
Patrick
Bob
Secretary
Team Mgt data
Budget data
Risk Mgt data
Results data
?
Copyright © The Open Group 2011
Case study
13
• In this model, the Secretary role is assigned to the Prepare Budget Process
• What happens to the other secretaries?
 They receive too many rights
Project
manager
Manage team
Prepare budget
Manage risk
Review results
Patrick
Bob
Secretary
Team Mgt data
Budget data
Risk Mgt data
Results data
?
Copyright © The Open Group 2011
Case study
14
• In this model, Patrick gets a special-purpose role
• Is Patrick the only person who can manage the budget ?
Role just for
Patrick
Project
manager
Manage team
Prepare budget
Manage risk
Review results
Patrick
Bob
Secretary
Team Mgt data
Budget data
Risk Mgt data
Results data
?
Copyright © The Open Group 2011
What we need to model
15
Therefore, we introduce RESPONSIBILITY
Copyright © The Open Group 2011
Responsibility Modeling
16
• How should responsibility be modelled, both in
general and specifically in ArchiMate ?
• New concepts
• Relation between those concepts and ArchiMate
 Illustrations with the case study
Copyright © The Open Group 2011
New Concepts
17
duty to report or explain the action or
someone else's action to a given authority
Name Symbol Meaning
Responsibility A property assigned to a business actor that aggregates a
set of obligations and rights
Obligation An obligation is a duty to perform a task
Right An ability granted to a business actor by the enterprise in
order to enable the business actor to perform a specific
task.
Capability An ability of a business actor that has not been granted by
the enterprise.
Justification A justification is a duty to report and explain the action to
a given authority
Responsibility
Right
Capability
Justification
Obligation
Copyright © The Open Group 2011
Responsibility Modeling
18
Responsibility
Business
object
Right
To access
requires
Is necessary for
Business
role
Business
actor
assigned to
assigned to
Business
process concerns
Obligation
Copyright © The Open Group 2011
Responsibility Modeling
19
Business
actor
Business
role
Business
object
Business
Process
Responsibility
Obligation
Right
To access
assigned torequires
Is necessary for
concerns
assigned to
Capability
requires
Is necessary for
Justification
Copyright © The Open Group 2011 20
Prepare
budget
Read
and
write
requiresconcerns
Responsibility
to prepare the
budget
Do
concerns
Patrick
Budget data
Project
manager
Bob
Control
Responsibility
to review the
budgetRead
requires
concerns
Responsibilities to
perform and control
the budget
necessary
for
necessary
for
Copyright © The Open Group 2011
Outline
21
• Context of the research
• The problem / the research approach
• What is RBAC ?
• Case study
• 1st research question: How should responsibility be
modelled, both in general and specifically in ArchiMate ?
• 2nd research question: How can models of responsibility
be used to improve access rights management ?
• Conclusions
Copyright © The Open Group 2011
Second research question
22
• How to include the responsibility with RBAC and
with RBAC administration framework ?
• Introduction of the responsibility at the business
layer and at the application layer
• Association of the responsibility with the Business
role and the RBAC role.
 Illustration with the case study
Copyright © The Open Group 2011
Administrative Framework without Responsibility
23
Business
Role
RBAC Role
Business
Actor
User
ApplicationLayerBusinessLayer
Assignment
Inappropriate !
Permission
Copyright © The Open Group 2011
Administrative Framework with Responsibility
24
RBAC Role
Business
Role
Responsibility
Responsibility Business
Actor
User
ApplicationLayerBusinessLayer
Business Role
Assignment
Permission
Copyright © The Open Group 2011 25
Responsibility
to review the
budget
Bob Patrick
Budget data
Read
concerns
Write
concerns
Responsibility
to prepare the
budget
Business Actor
Responsibilities
Permission
Project
manager
Case Study with
Responsibility
RBAC Role #1 RBAC Role #2
Copyright © The Open Group 2011
Conclusion
26
• In order to meet security and governance requirements, enterprises
must precisely define responsibilities and provision access rights
• The proposed responsibility extension to ArchiMate enables this
precision
RolePermission
Role
Role
Role
Role
Hierarchy
Permission
Role
Hierarchy
Respons.
Obligation
Role
Role
Role
Role
Copyright © The Open Group 2011
Conclusion
27
• The responsibility concept aligns access rights between the ArchiMate
Business and Application layers.
Copyright © The Open Group 2011
Motivation: The Inaction Problem in Information
Security
28
Copyright © The Open Group 2011
Stakeholder Inaction Causes Great Harm
• According to an international study of 761 data compromise
incidents in 20101
• 83% of victims were targets of opportunity, the same as 2009
• 92% of attacks were not highly difficult, up 7% from 2009
• 96% of breaches were avoidable through simple or
intermediate controls, the same as 2009
• 89% of victims subject to the Payment Card Industry Data
Security Standard2 had not achieved compliance
29
Copyright © The Open Group 2011
Why Don’t Stakeholders Act?
• Economic explanations fall into categories such as3
• Misaligned incentives
• Breach victims often suffer more than individuals responsible for preventing
breaches
• Employees are often more motivated to do things quickly and cheaply than
securely
• Asymmetric information
• Market participants are variously incented to exaggerate or minimize risk
• Exaggerated claims about premium countermeasures make customers unwilling
to pay extra for better security
• Network Externalities
• Embracing weak security often helps build market share
• Early countermeasure adopters must often await broader adoption to realize
benefits
• Externalities of Insecurity
• The social cost of asset compromise is often greater than the owners’ cost
30
Copyright © The Open Group 2011
Why Don’t Stakeholders Act?
• Security measures are always trade-offs, but our innate psychology causes us to
misinterpret risk. Bruce Schneier4 identifies five areas that we often get wrong
• Risk severity
• Risk probability
• Risk impact
• Effectiveness of countermeasures
• Comparison of disparate risks and costs
• For example, we often4
• Exaggerate spectacular but rare risks and downplay common ones
• Have trouble estimating risks for anything outside our normal situation
• Perceive personified risks as greater than anonymous risks
• Underestimate risks we willingly take or have some control over, but overestimate
risks we can’t control
• Overestimate risks that are receiving great publicity, that are new, or are man-made
relative to risks that are less publicized, commonplace or natural in origin
31
Copyright © The Open Group 2011
Why Don’t Stakeholders Act?
• We are much better equipped to address imminent threats versus
those looming in the distance. As Schneier4 says
• “We are very well adapted to dealing with the security environment
endemic to hominids living in small family groups on the highland
plains of East Africa”
• In fact, our “Abstract concepts are largely metaphorical”5. For
example, we
• Punch a hole in the firewall
• Experience security breaches
• Analyze attack surfaces
• All too often, end up between a rock and a hard place
32
Copyright © The Open Group 2011
Questions for Discussion
• How can security architects use the ArchiMate
visual modeling language to
• Align stakeholders’ perceptions of risk with the
logical and mathematical reality of enterprise risk?
• Enable the sponsors, designers and implementers of
controls to make the best possible protective
decisions for their enterprise?
• How can The Open Group build on ArchiMate 2.0
to better support security architecture?
33
Copyright © The Open Group 2011
Thank You!
34
Copyright © The Open Group 2011
Supplementary Material
35
Copyright © The Open Group 2011
Motivation References
1. W. Baker, A. Hutton, C.D. Hylender, J. Pamula, C. Porter, M. Spitler, et. al.
2011 Data Breach Investigations Report [Online], 2011.
http://www.verizonbusiness.com/resources/reports/rp_data-breach-
investigations-report-2011_en_xg.pdf
2. PCI Security Standards Council. Payment Card Industry Data Security
Standard version 2.0 [Online], 2010.
https://www.pcisecuritystandards.org/security_standards/documents.php?docu
ment=pci_dss_v2-0#pci_dss_v2-0
3. T. Moore, R. Anderson. Economics and Internet Security: a Survey of
Recent Analytical, Empirical and Behavioral Research [Online], 2011.
ftp://ftp.deas.harvard.edu/techreports/tr-03-11.pdf
4. B. Schneier. The Psychology of Security [Online], 2008.
http://www.schneier.com/essay-155.html
5. Lakoff, George, Johnson, Mark. Philosophy in the Flesh. Basic Books,
1999.
36
Copyright © The Open Group 2011
Responsibility References
1. Christophe Feltus, Eric Dubois, Erik Proper, Iver Band, Michaël Petit, Enhancing the ArchiMate® Standard with a
Responsibility Modeling Language for Access Rights Management, 5th ACM International Conference on Security of
Information and Networks (ACM SIN 2012), 22-27/10/2012, Jaipur, Rajastan, India. ISBN: 978-1-4503-1668-2
2. Christophe Feltus, Michaël Petit, Eric Dubois, ReMoLa: Responsibility Model Language to Align Access Rights with
Business Process Requirements, Fifth IEEE International Conference on Research Challenges in Information Science
(IEEE RCIS 2011), 19-21/5/2011, Guadeloupe - French West Indies, France
3. Christophe Feltus, Eric Dubois, Michaël Petit, Conceptualizing a Responsibility based Approach for Elaborating
and Verifying RBAC Policies Conforming with CobiT Framework Requirements, Third International Workshop on
Requirements Engineering and Law (RELAW10), in conjunction with the 18th IEEE International Requirements
Engineering Conference (RE2010), 27/9-1/10/2010, Sydney, Australia.
4. Christophe Feltus, Michaël Petit, Morris Sloman, Enhancement of Business IT Alignment by Including
Responsibility Components in RBAC, 5th International Workshop on Business/IT Alignment and Interoperability
(BUSITAL 2010), an International Workshop of the 22th Conference on Advanced Information Systems Engineering
(CAISE2010), 7-11/6/2010, Hammamet, Tunisia
5. Christophe Feltus, Michaël Petit, Eric Dubois, Strengthening Employee’s Responsibility to Enhance Governance of
IT - COBIT RACI Chart Case Study, The 1st ACM Workshop on Information Security Governance (ACM WISG 2009)
held in conjunction with the 16th ACM Conference on Computer and Communications Security (ACM CCS 2009),
13/11/2009, Chicago, Illinois, USA.
6. Christophe Feltus, Michaël Petit, Building a Responsibility Model Including Accountability, Capability and
Commitment, Fourth International Conference on Availability, Reliability and Security (“ARES 2009 – The International
Dependability Conference”) IEEE, 16-19/3/2009, Fukuoka, Japan. (SCOPUS)
7. Christophe Feltus, Michaël Petit, Building a Responsibility Model using Modal Logic - Towards Accountability,
Capability and Commitment Concepts, The seventh ACS/IEEE International Conference on Computer Systems and
Applications (AICCSA-09) IEEE, 10-13/5/2009, Rabat, Morocco
37

More Related Content

What's hot

Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World
Daljit Banger
 
Archi mate views_and_viewpoints
Archi mate views_and_viewpointsArchi mate views_and_viewpoints
Archi mate views_and_viewpoints
Igor Igoroshka
 
Software Architecture: Why and What?
Software Architecture: Why and What?Software Architecture: Why and What?
Software Architecture: Why and What?
Chris F Carroll
 
Zachman’s Framework & TOGAF for EA in Research Institute: Case Study of Indo...
Zachman’s Framework & TOGAF for EA in Research Institute:Case Study of Indo...Zachman’s Framework & TOGAF for EA in Research Institute:Case Study of Indo...
Zachman’s Framework & TOGAF for EA in Research Institute: Case Study of Indo...
Riri Kusumarani
 
Modeling TOGAF with ArchiMate
Modeling TOGAF with ArchiMateModeling TOGAF with ArchiMate
Modeling TOGAF with ArchiMate
Iver Band
 
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise ITCOBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
Mark Constable
 
EAPJ Vol IV July 2017
EAPJ Vol IV July 2017EAPJ Vol IV July 2017
EAPJ Vol IV July 2017
Darryl_Carr
 
SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2
NextLabs, Inc.
 
How to pass cobit exam
How to pass cobit exam   How to pass cobit exam
How to pass cobit exam
Egyptian Engineers Association
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introduction
Markus Yaldu
 
Why Program Management is Essential for IT Projects
Why Program Management is Essential for IT ProjectsWhy Program Management is Essential for IT Projects
Why Program Management is Essential for IT Projects
bbigelow
 
An Introduction to Enterprise Architecture Visual Modeling with The ArchiMate...
An Introduction to Enterprise Architecture Visual Modeling with The ArchiMate...An Introduction to Enterprise Architecture Visual Modeling with The ArchiMate...
An Introduction to Enterprise Architecture Visual Modeling with The ArchiMate...
Enterprise Architecture Professional Journal
 
IntelliSense EA Practice - EA Framework Comparison
IntelliSense EA Practice - EA Framework ComparisonIntelliSense EA Practice - EA Framework Comparison
IntelliSense EA Practice - EA Framework Comparison
Carl Barnes
 
Enterprise Architecture Overview
Enterprise Architecture OverviewEnterprise Architecture Overview
Enterprise Architecture Overview
Tim Murphy
 
IS.IT. Project Office set-up in complex environment. A post-merger case ( PRA...
IS.IT. Project Office set-up in complex environment. A post-merger case ( PRA...IS.IT. Project Office set-up in complex environment. A post-merger case ( PRA...
IS.IT. Project Office set-up in complex environment. A post-merger case ( PRA...
Manuel Lacarte
 
TOGAF Reference Models
TOGAF Reference ModelsTOGAF Reference Models
TOGAF Reference Models
Paul Sullivan
 
Cobit 2019 framework by ISACA
Cobit 2019 framework by ISACACobit 2019 framework by ISACA
Cobit 2019 framework by ISACA
MDFazlaRabbiAbir
 
Erp 03
Erp 03Erp 03
Enterprise reference architecture v1.1.ppt
Enterprise reference architecture   v1.1.pptEnterprise reference architecture   v1.1.ppt
Enterprise reference architecture v1.1.ppt
Ahmed Fattah
 

What's hot (19)

Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World
 
Archi mate views_and_viewpoints
Archi mate views_and_viewpointsArchi mate views_and_viewpoints
Archi mate views_and_viewpoints
 
Software Architecture: Why and What?
Software Architecture: Why and What?Software Architecture: Why and What?
Software Architecture: Why and What?
 
Zachman’s Framework & TOGAF for EA in Research Institute: Case Study of Indo...
Zachman’s Framework & TOGAF for EA in Research Institute:Case Study of Indo...Zachman’s Framework & TOGAF for EA in Research Institute:Case Study of Indo...
Zachman’s Framework & TOGAF for EA in Research Institute: Case Study of Indo...
 
Modeling TOGAF with ArchiMate
Modeling TOGAF with ArchiMateModeling TOGAF with ArchiMate
Modeling TOGAF with ArchiMate
 
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise ITCOBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
 
EAPJ Vol IV July 2017
EAPJ Vol IV July 2017EAPJ Vol IV July 2017
EAPJ Vol IV July 2017
 
SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2
 
How to pass cobit exam
How to pass cobit exam   How to pass cobit exam
How to pass cobit exam
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introduction
 
Why Program Management is Essential for IT Projects
Why Program Management is Essential for IT ProjectsWhy Program Management is Essential for IT Projects
Why Program Management is Essential for IT Projects
 
An Introduction to Enterprise Architecture Visual Modeling with The ArchiMate...
An Introduction to Enterprise Architecture Visual Modeling with The ArchiMate...An Introduction to Enterprise Architecture Visual Modeling with The ArchiMate...
An Introduction to Enterprise Architecture Visual Modeling with The ArchiMate...
 
IntelliSense EA Practice - EA Framework Comparison
IntelliSense EA Practice - EA Framework ComparisonIntelliSense EA Practice - EA Framework Comparison
IntelliSense EA Practice - EA Framework Comparison
 
Enterprise Architecture Overview
Enterprise Architecture OverviewEnterprise Architecture Overview
Enterprise Architecture Overview
 
IS.IT. Project Office set-up in complex environment. A post-merger case ( PRA...
IS.IT. Project Office set-up in complex environment. A post-merger case ( PRA...IS.IT. Project Office set-up in complex environment. A post-merger case ( PRA...
IS.IT. Project Office set-up in complex environment. A post-merger case ( PRA...
 
TOGAF Reference Models
TOGAF Reference ModelsTOGAF Reference Models
TOGAF Reference Models
 
Cobit 2019 framework by ISACA
Cobit 2019 framework by ISACACobit 2019 framework by ISACA
Cobit 2019 framework by ISACA
 
Erp 03
Erp 03Erp 03
Erp 03
 
Enterprise reference architecture v1.1.ppt
Enterprise reference architecture   v1.1.pptEnterprise reference architecture   v1.1.ppt
Enterprise reference architecture v1.1.ppt
 

Similar to Joint workshop on security modeling archimate forum and security forum

User-Centric Design: How to Leverage Use Cases and User Scenarios to Design S...
User-Centric Design: How to Leverage Use Cases and User Scenarios to Design S...User-Centric Design: How to Leverage Use Cases and User Scenarios to Design S...
User-Centric Design: How to Leverage Use Cases and User Scenarios to Design S...
SPTechCon
 
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
Luxembourg Institute of Science and Technology
 
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
christophefeltus
 
An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...
christophefeltus
 
An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...
Luxembourg Institute of Science and Technology
 
Who govern my responsibilities sim a methodology to align business and it pol...
Who govern my responsibilities sim a methodology to align business and it pol...Who govern my responsibilities sim a methodology to align business and it pol...
Who govern my responsibilities sim a methodology to align business and it pol...
Luxembourg Institute of Science and Technology
 
Methodology to align business and it policies use case from an it company
Methodology to align business and it policies   use case from an it companyMethodology to align business and it policies   use case from an it company
Methodology to align business and it policies use case from an it company
christophefeltus
 
Methodology to align business and it policies use case from an it company
Methodology to align business and it policies   use case from an it companyMethodology to align business and it policies   use case from an it company
Methodology to align business and it policies use case from an it company
Luxembourg Institute of Science and Technology
 
Soa 2013
Soa 2013Soa 2013
Fear and Loathing in Agility: Long Live the Accounting Department
Fear and Loathing in Agility: Long Live the Accounting DepartmentFear and Loathing in Agility: Long Live the Accounting Department
Fear and Loathing in Agility: Long Live the Accounting Department
Accenture | SolutionsIQ
 
Project Organizational Responsibility Model - ORM
Project Organizational Responsibility Model -  ORMProject Organizational Responsibility Model -  ORM
Project Organizational Responsibility Model - ORM
Guttenberg Ferreira Passos
 
Enterprise Architecture - An Introduction
Enterprise Architecture - An Introduction Enterprise Architecture - An Introduction
Enterprise Architecture - An Introduction
Daljit Banger
 
How to improve an ECM system
How to improve an ECM systemHow to improve an ECM system
How to improve an ECM system
Atle Skjekkeland
 
PMP Training Course - Project Management Framework
PMP Training Course - Project Management FrameworkPMP Training Course - Project Management Framework
PMP Training Course - Project Management Framework
Skillogic Solutions
 
Enabling the Definition and Enforcement of Governance Rules in Open Source Sy...
Enabling the Definition and Enforcement of Governance Rules in Open Source Sy...Enabling the Definition and Enforcement of Governance Rules in Open Source Sy...
Enabling the Definition and Enforcement of Governance Rules in Open Source Sy...
Javier Canovas
 
Governance Rules for Open Source Software Systems
Governance Rules for Open Source Software Systems Governance Rules for Open Source Software Systems
Governance Rules for Open Source Software Systems
Jordi Cabot
 
Enterprise Agile at Lockheed Martin - 4th February 2014
Enterprise Agile at Lockheed Martin - 4th February 2014Enterprise Agile at Lockheed Martin - 4th February 2014
Enterprise Agile at Lockheed Martin - 4th February 2014
Association for Project Management
 
Taxonomy Design for the Short on Time
Taxonomy Design for the Short on TimeTaxonomy Design for the Short on Time
Taxonomy Design for the Short on Time
Fred Leise
 
Is Your E-Business Suite Data Visible After An M&A Event?
Is Your E-Business Suite Data Visible After An M&A Event?Is Your E-Business Suite Data Visible After An M&A Event?
Is Your E-Business Suite Data Visible After An M&A Event?
SmartDog Services
 
Lecture 1_System Integration & Architecture
Lecture 1_System Integration & ArchitectureLecture 1_System Integration & Architecture
Lecture 1_System Integration & Architecture
CAPINPINSerelyn
 

Similar to Joint workshop on security modeling archimate forum and security forum (20)

User-Centric Design: How to Leverage Use Cases and User Scenarios to Design S...
User-Centric Design: How to Leverage Use Cases and User Scenarios to Design S...User-Centric Design: How to Leverage Use Cases and User Scenarios to Design S...
User-Centric Design: How to Leverage Use Cases and User Scenarios to Design S...
 
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
 
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
 
An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...
 
An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...
 
Who govern my responsibilities sim a methodology to align business and it pol...
Who govern my responsibilities sim a methodology to align business and it pol...Who govern my responsibilities sim a methodology to align business and it pol...
Who govern my responsibilities sim a methodology to align business and it pol...
 
Methodology to align business and it policies use case from an it company
Methodology to align business and it policies   use case from an it companyMethodology to align business and it policies   use case from an it company
Methodology to align business and it policies use case from an it company
 
Methodology to align business and it policies use case from an it company
Methodology to align business and it policies   use case from an it companyMethodology to align business and it policies   use case from an it company
Methodology to align business and it policies use case from an it company
 
Soa 2013
Soa 2013Soa 2013
Soa 2013
 
Fear and Loathing in Agility: Long Live the Accounting Department
Fear and Loathing in Agility: Long Live the Accounting DepartmentFear and Loathing in Agility: Long Live the Accounting Department
Fear and Loathing in Agility: Long Live the Accounting Department
 
Project Organizational Responsibility Model - ORM
Project Organizational Responsibility Model -  ORMProject Organizational Responsibility Model -  ORM
Project Organizational Responsibility Model - ORM
 
Enterprise Architecture - An Introduction
Enterprise Architecture - An Introduction Enterprise Architecture - An Introduction
Enterprise Architecture - An Introduction
 
How to improve an ECM system
How to improve an ECM systemHow to improve an ECM system
How to improve an ECM system
 
PMP Training Course - Project Management Framework
PMP Training Course - Project Management FrameworkPMP Training Course - Project Management Framework
PMP Training Course - Project Management Framework
 
Enabling the Definition and Enforcement of Governance Rules in Open Source Sy...
Enabling the Definition and Enforcement of Governance Rules in Open Source Sy...Enabling the Definition and Enforcement of Governance Rules in Open Source Sy...
Enabling the Definition and Enforcement of Governance Rules in Open Source Sy...
 
Governance Rules for Open Source Software Systems
Governance Rules for Open Source Software Systems Governance Rules for Open Source Software Systems
Governance Rules for Open Source Software Systems
 
Enterprise Agile at Lockheed Martin - 4th February 2014
Enterprise Agile at Lockheed Martin - 4th February 2014Enterprise Agile at Lockheed Martin - 4th February 2014
Enterprise Agile at Lockheed Martin - 4th February 2014
 
Taxonomy Design for the Short on Time
Taxonomy Design for the Short on TimeTaxonomy Design for the Short on Time
Taxonomy Design for the Short on Time
 
Is Your E-Business Suite Data Visible After An M&A Event?
Is Your E-Business Suite Data Visible After An M&A Event?Is Your E-Business Suite Data Visible After An M&A Event?
Is Your E-Business Suite Data Visible After An M&A Event?
 
Lecture 1_System Integration & Architecture
Lecture 1_System Integration & ArchitectureLecture 1_System Integration & Architecture
Lecture 1_System Integration & Architecture
 

More from Luxembourg Institute of Science and Technology

Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-TopicsSmart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Luxembourg Institute of Science and Technology
 
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Luxembourg Institute of Science and Technology
 
Modeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate languageModeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate language
Luxembourg Institute of Science and Technology
 
Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...
Luxembourg Institute of Science and Technology
 
Towards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk managementTowards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk management
Luxembourg Institute of Science and Technology
 
Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...
Luxembourg Institute of Science and Technology
 
Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...
Luxembourg Institute of Science and Technology
 
Strengthening employee’s responsibility to enhance governance of it – cobit r...
Strengthening employee’s responsibility to enhance governance of it – cobit r...Strengthening employee’s responsibility to enhance governance of it – cobit r...
Strengthening employee’s responsibility to enhance governance of it – cobit r...
Luxembourg Institute of Science and Technology
 
Service specification and service compliance how to consider the responsibil...
Service specification and service compliance  how to consider the responsibil...Service specification and service compliance  how to consider the responsibil...
Service specification and service compliance how to consider the responsibil...
Luxembourg Institute of Science and Technology
 
Responsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e governmentResponsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e government
Luxembourg Institute of Science and Technology
 
Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...
Luxembourg Institute of Science and Technology
 
Remola responsibility model language to align access rights with business pro...
Remola responsibility model language to align access rights with business pro...Remola responsibility model language to align access rights with business pro...
Remola responsibility model language to align access rights with business pro...
Luxembourg Institute of Science and Technology
 
Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...
Luxembourg Institute of Science and Technology
 
Preliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methodsPreliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methods
Luxembourg Institute of Science and Technology
 
Organizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructureOrganizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructure
Luxembourg Institute of Science and Technology
 
Open sst based clearing mechanism for e business
Open sst based clearing mechanism for e businessOpen sst based clearing mechanism for e business
Open sst based clearing mechanism for e business
Luxembourg Institute of Science and Technology
 
On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...
Luxembourg Institute of Science and Technology
 
Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...
Luxembourg Institute of Science and Technology
 
Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...
Luxembourg Institute of Science and Technology
 
Multi agents based architecture for is security incident reaction
Multi agents based architecture for is security incident reactionMulti agents based architecture for is security incident reaction
Multi agents based architecture for is security incident reaction
Luxembourg Institute of Science and Technology
 

More from Luxembourg Institute of Science and Technology (20)

Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-TopicsSmart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
 
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
 
Modeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate languageModeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate language
 
Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...
 
Towards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk managementTowards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk management
 
Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...
 
Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...
 
Strengthening employee’s responsibility to enhance governance of it – cobit r...
Strengthening employee’s responsibility to enhance governance of it – cobit r...Strengthening employee’s responsibility to enhance governance of it – cobit r...
Strengthening employee’s responsibility to enhance governance of it – cobit r...
 
Service specification and service compliance how to consider the responsibil...
Service specification and service compliance  how to consider the responsibil...Service specification and service compliance  how to consider the responsibil...
Service specification and service compliance how to consider the responsibil...
 
Responsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e governmentResponsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e government
 
Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...
 
Remola responsibility model language to align access rights with business pro...
Remola responsibility model language to align access rights with business pro...Remola responsibility model language to align access rights with business pro...
Remola responsibility model language to align access rights with business pro...
 
Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...
 
Preliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methodsPreliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methods
 
Organizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructureOrganizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructure
 
Open sst based clearing mechanism for e business
Open sst based clearing mechanism for e businessOpen sst based clearing mechanism for e business
Open sst based clearing mechanism for e business
 
On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...
 
Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...
 
Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...
 
Multi agents based architecture for is security incident reaction
Multi agents based architecture for is security incident reactionMulti agents based architecture for is security incident reaction
Multi agents based architecture for is security incident reaction
 

Recently uploaded

Biochar impregnation as slow release fertilizer - Violeta Alexandra Ion
Biochar impregnation as slow release fertilizer - Violeta Alexandra IonBiochar impregnation as slow release fertilizer - Violeta Alexandra Ion
Biochar impregnation as slow release fertilizer - Violeta Alexandra Ion
Faculty of Applied Chemistry and Materials Science
 
Adjusted NuGOweek 2024 Ghent programme flyer
Adjusted NuGOweek 2024 Ghent programme flyerAdjusted NuGOweek 2024 Ghent programme flyer
Adjusted NuGOweek 2024 Ghent programme flyer
pablovgd
 
Concept of Balanced Diet & Nutrients.pdf
Concept of Balanced Diet & Nutrients.pdfConcept of Balanced Diet & Nutrients.pdf
Concept of Balanced Diet & Nutrients.pdf
SELF-EXPLANATORY
 
A NICER VIEW OF THE NEAREST AND BRIGHTEST MILLISECOND PULSAR: PSR J0437−4715
A NICER VIEW OF THE NEAREST AND BRIGHTEST MILLISECOND PULSAR: PSR J0437−4715A NICER VIEW OF THE NEAREST AND BRIGHTEST MILLISECOND PULSAR: PSR J0437−4715
A NICER VIEW OF THE NEAREST AND BRIGHTEST MILLISECOND PULSAR: PSR J0437−4715
Sérgio Sacani
 
Complementary interstellar detections from the heliotail
Complementary interstellar detections from the heliotailComplementary interstellar detections from the heliotail
Complementary interstellar detections from the heliotail
Sérgio Sacani
 
Post RN - Biochemistry (Unit 1) Basic concept of Chemistry
Post RN - Biochemistry (Unit 1) Basic concept of ChemistryPost RN - Biochemistry (Unit 1) Basic concept of Chemistry
Post RN - Biochemistry (Unit 1) Basic concept of Chemistry
Areesha Ahmad
 
Celebrity Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl S...
Celebrity Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl S...Celebrity Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl S...
Celebrity Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl S...
bellared2
 
Phytoremediation: Harnessing Nature's Power with Phytoremediation
Phytoremediation: Harnessing Nature's Power with PhytoremediationPhytoremediation: Harnessing Nature's Power with Phytoremediation
Phytoremediation: Harnessing Nature's Power with Phytoremediation
Gurjant Singh
 
atom, elements, molecule and compounds in telugu.pptx
atom, elements, molecule and compounds in telugu.pptxatom, elements, molecule and compounds in telugu.pptx
atom, elements, molecule and compounds in telugu.pptx
ManjulaVani3
 
Types of Hypersensitivity Reactions.pptx
Types of Hypersensitivity Reactions.pptxTypes of Hypersensitivity Reactions.pptx
Types of Hypersensitivity Reactions.pptx
Isha Pandey
 
Burn child health Nursing 3rd year presentation..pptx
Burn child health Nursing 3rd year presentation..pptxBurn child health Nursing 3rd year presentation..pptx
Burn child health Nursing 3rd year presentation..pptx
sohil4260
 
PART 1 & PART 2 The New Natural Principles of Newtonian Mechanics, Electromec...
PART 1 & PART 2 The New Natural Principles of Newtonian Mechanics, Electromec...PART 1 & PART 2 The New Natural Principles of Newtonian Mechanics, Electromec...
PART 1 & PART 2 The New Natural Principles of Newtonian Mechanics, Electromec...
Thane Heins
 
MARIGREEN PROJECT - overview, Oana Cristina Pârvulescu
MARIGREEN PROJECT - overview, Oana Cristina PârvulescuMARIGREEN PROJECT - overview, Oana Cristina Pârvulescu
MARIGREEN PROJECT - overview, Oana Cristina Pârvulescu
Faculty of Applied Chemistry and Materials Science
 
Review Article:- A REVIEW ON RADIOISOTOPES IN CANCER THERAPY
Review Article:- A REVIEW ON RADIOISOTOPES IN CANCER THERAPYReview Article:- A REVIEW ON RADIOISOTOPES IN CANCER THERAPY
Review Article:- A REVIEW ON RADIOISOTOPES IN CANCER THERAPY
niranjangiri009
 
All-domain Anomaly Resolution Office Supplement to Oak Ridge National Laborat...
All-domain Anomaly Resolution Office Supplement to Oak Ridge National Laborat...All-domain Anomaly Resolution Office Supplement to Oak Ridge National Laborat...
All-domain Anomaly Resolution Office Supplement to Oak Ridge National Laborat...
Sérgio Sacani
 
Synopsis: Analysis of a Metallic Specimen
Synopsis: Analysis of a Metallic SpecimenSynopsis: Analysis of a Metallic Specimen
Synopsis: Analysis of a Metallic Specimen
Sérgio Sacani
 
Introduction to Space (Our Solar System)
Introduction to Space (Our Solar System)Introduction to Space (Our Solar System)
Introduction to Space (Our Solar System)
vanshgarg8002
 
Speed-accuracy trade-off for the diffusion models
Speed-accuracy trade-off for the diffusion modelsSpeed-accuracy trade-off for the diffusion models
Speed-accuracy trade-off for the diffusion models
sosukeito
 
Surface properties of the seas of Titan as revealed by Cassini mission bistat...
Surface properties of the seas of Titan as revealed by Cassini mission bistat...Surface properties of the seas of Titan as revealed by Cassini mission bistat...
Surface properties of the seas of Titan as revealed by Cassini mission bistat...
Sérgio Sacani
 
VIII-Geography FOR CBSE CLASS 8 INDIA.pdf
VIII-Geography FOR CBSE CLASS 8 INDIA.pdfVIII-Geography FOR CBSE CLASS 8 INDIA.pdf
VIII-Geography FOR CBSE CLASS 8 INDIA.pdf
poorvarajgolkar
 

Recently uploaded (20)

Biochar impregnation as slow release fertilizer - Violeta Alexandra Ion
Biochar impregnation as slow release fertilizer - Violeta Alexandra IonBiochar impregnation as slow release fertilizer - Violeta Alexandra Ion
Biochar impregnation as slow release fertilizer - Violeta Alexandra Ion
 
Adjusted NuGOweek 2024 Ghent programme flyer
Adjusted NuGOweek 2024 Ghent programme flyerAdjusted NuGOweek 2024 Ghent programme flyer
Adjusted NuGOweek 2024 Ghent programme flyer
 
Concept of Balanced Diet & Nutrients.pdf
Concept of Balanced Diet & Nutrients.pdfConcept of Balanced Diet & Nutrients.pdf
Concept of Balanced Diet & Nutrients.pdf
 
A NICER VIEW OF THE NEAREST AND BRIGHTEST MILLISECOND PULSAR: PSR J0437−4715
A NICER VIEW OF THE NEAREST AND BRIGHTEST MILLISECOND PULSAR: PSR J0437−4715A NICER VIEW OF THE NEAREST AND BRIGHTEST MILLISECOND PULSAR: PSR J0437−4715
A NICER VIEW OF THE NEAREST AND BRIGHTEST MILLISECOND PULSAR: PSR J0437−4715
 
Complementary interstellar detections from the heliotail
Complementary interstellar detections from the heliotailComplementary interstellar detections from the heliotail
Complementary interstellar detections from the heliotail
 
Post RN - Biochemistry (Unit 1) Basic concept of Chemistry
Post RN - Biochemistry (Unit 1) Basic concept of ChemistryPost RN - Biochemistry (Unit 1) Basic concept of Chemistry
Post RN - Biochemistry (Unit 1) Basic concept of Chemistry
 
Celebrity Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl S...
Celebrity Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl S...Celebrity Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl S...
Celebrity Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl S...
 
Phytoremediation: Harnessing Nature's Power with Phytoremediation
Phytoremediation: Harnessing Nature's Power with PhytoremediationPhytoremediation: Harnessing Nature's Power with Phytoremediation
Phytoremediation: Harnessing Nature's Power with Phytoremediation
 
atom, elements, molecule and compounds in telugu.pptx
atom, elements, molecule and compounds in telugu.pptxatom, elements, molecule and compounds in telugu.pptx
atom, elements, molecule and compounds in telugu.pptx
 
Types of Hypersensitivity Reactions.pptx
Types of Hypersensitivity Reactions.pptxTypes of Hypersensitivity Reactions.pptx
Types of Hypersensitivity Reactions.pptx
 
Burn child health Nursing 3rd year presentation..pptx
Burn child health Nursing 3rd year presentation..pptxBurn child health Nursing 3rd year presentation..pptx
Burn child health Nursing 3rd year presentation..pptx
 
PART 1 & PART 2 The New Natural Principles of Newtonian Mechanics, Electromec...
PART 1 & PART 2 The New Natural Principles of Newtonian Mechanics, Electromec...PART 1 & PART 2 The New Natural Principles of Newtonian Mechanics, Electromec...
PART 1 & PART 2 The New Natural Principles of Newtonian Mechanics, Electromec...
 
MARIGREEN PROJECT - overview, Oana Cristina Pârvulescu
MARIGREEN PROJECT - overview, Oana Cristina PârvulescuMARIGREEN PROJECT - overview, Oana Cristina Pârvulescu
MARIGREEN PROJECT - overview, Oana Cristina Pârvulescu
 
Review Article:- A REVIEW ON RADIOISOTOPES IN CANCER THERAPY
Review Article:- A REVIEW ON RADIOISOTOPES IN CANCER THERAPYReview Article:- A REVIEW ON RADIOISOTOPES IN CANCER THERAPY
Review Article:- A REVIEW ON RADIOISOTOPES IN CANCER THERAPY
 
All-domain Anomaly Resolution Office Supplement to Oak Ridge National Laborat...
All-domain Anomaly Resolution Office Supplement to Oak Ridge National Laborat...All-domain Anomaly Resolution Office Supplement to Oak Ridge National Laborat...
All-domain Anomaly Resolution Office Supplement to Oak Ridge National Laborat...
 
Synopsis: Analysis of a Metallic Specimen
Synopsis: Analysis of a Metallic SpecimenSynopsis: Analysis of a Metallic Specimen
Synopsis: Analysis of a Metallic Specimen
 
Introduction to Space (Our Solar System)
Introduction to Space (Our Solar System)Introduction to Space (Our Solar System)
Introduction to Space (Our Solar System)
 
Speed-accuracy trade-off for the diffusion models
Speed-accuracy trade-off for the diffusion modelsSpeed-accuracy trade-off for the diffusion models
Speed-accuracy trade-off for the diffusion models
 
Surface properties of the seas of Titan as revealed by Cassini mission bistat...
Surface properties of the seas of Titan as revealed by Cassini mission bistat...Surface properties of the seas of Titan as revealed by Cassini mission bistat...
Surface properties of the seas of Titan as revealed by Cassini mission bistat...
 
VIII-Geography FOR CBSE CLASS 8 INDIA.pdf
VIII-Geography FOR CBSE CLASS 8 INDIA.pdfVIII-Geography FOR CBSE CLASS 8 INDIA.pdf
VIII-Geography FOR CBSE CLASS 8 INDIA.pdf
 

Joint workshop on security modeling archimate forum and security forum

  • 1. Copyright © The Open Group 2011 Joint Workshop on Security Modeling ArchiMate Forum and Security Forum Facilitators: Erik Proper, Senior Research Manager and Christophe Feltus, Senior Research Engineer, Public Research Center Henri Tudor Iver Band, Enterprise Architect, Standard Insurance Company
  • 2. Copyright © The Open Group 2011 Workshop Agenda 2 • Welcome and purpose • Introductions • Research spotlight: Strengthening RBAC with Responsibility Modeling • Motivation: The Inaction Problem in Information Security • Open Discussion: • Complementing TOGAF® and ArchiMate® with enhanced security modeling • Identification and prioritization of challenges • Next steps and adjourn
  • 3. Copyright © The Open Group 2011 Workshop Purpose • The acceptance and maturity of TOGAF and ArchiMate present opportunities to • Improve the conceptual and visual modeling of enterprise information security • Drive usage of TOGAF and ArchiMate for security architecture • Enable information security stakeholders to make better decisions about protecting their interests • Enable all business leaders to understand the impact of information security or the lack thereof • We are here to identify and prioritize these opportunities, and to plan efforts to exploit them 3
  • 4. Copyright © The Open Group 2011 Brief Personal Introductions • Name • Organization and position • Involvement in The Open Group • Security and modeling background and interests 4
  • 5. Copyright © The Open Group 2011 Sponsored by Christophe Feltus Senior R&D Engineer christophe.feltus@tudor.lu Public Research Centre Henri Tudor 29, avenue John F. Kennedy L-1855 Luxembourg-Kirchberg Tel +352 42 59 91 - 1 Fax +352 42 59 91 - 777 www.tudor.lu Research Spotlight: Strengthening RBAC with Responsibility Modeling The Open Group Conference, San Francisco, USA, Feb 2, 2012
  • 6. Copyright © The Open Group 2011 Outline 6 • Context of the research • The problem / the research approach • What is RBAC ? • Case study • 1st research question: How should responsibility be modelled, both in general and specifically in ArchiMate ? • 2nd research question: How can models of responsibility be used to improve access rights management ? • Conclusions
  • 7. Copyright © The Open Group 2011 The Problem The research addresses two problems arising from security and governance requirements, such as Basel II and Sarbanes-Oxley • Enterprises must precisely provision access rights according to business needs, principles such as least privilege and separation of duties as well as statutory requirements. • RBAC partially solves that problem • Enterprises must precisely define responsibilities and stakeholders must understand them. • Today, there is no standard business definition of responsibility  Both problems are linked: Responsibility definition enables precise provisioning of access rights 7
  • 8. Copyright © The Open Group 2011 Approach • In order to solve the problem: • We explore a model to define responsibilities • We consider access rights provisioning based on the model 8
  • 9. Copyright © The Open Group 2011 RBAC 9 • A widely implemented mechanism for protecting system resources. Relies on user authentication, which in turn relies on identity management • Defines and applies relationships between • Users − often human, but can also be systems • Roles − job functions defined for an organization • Permissions − organizational consent to perform specific operations • Ensures that each user can execute only those operations authorized through roles that are both assigned to that user and activated for that user’s session • Four standard and cumulative levels (hierarchical, constraint,…) Users Roles Sessions Operations Objects Permissions (UA) User Assignment (PA) Permission Assignment user_sessions Session_roles Modeling RBAC with SABSA, TOGAF and ArchiMate, Creating a Foundation for Understanding and Action, Iver Band, CISSP Open Group Conference, Austin, Texas
  • 10. Copyright © The Open Group 2011 Administration framework 10 Modeling RBAC with SABSA, TOGAF and ArchiMate, Creating a Foundation for Understanding and Action, Iver Band, CISSP Open Group Conference, Austin, Texas Business Actor Business object Business Role Business process / function / interaction • The data object Users corresponds to the Business Actor • The data object Roles Corresponds to the Business Role • The data object Permissions corresponds to the access to data object
  • 11. Copyright © The Open Group 2011 Case study 11 Project management • The role of project manager is assigned to four processes that compose the project management service • Each of these processes accesses specific data • Bob is a project manager Project manager Manage team Prepare budget Manage risk Review results Patrick Bob Secretary Team Mgt data Budget data Risk Mgt data Results data
  • 12. Copyright © The Open Group 2011 Case study 12 • Bob has too much work and delegates the preparation of the budget to his secretary, Patrick. •  How can Bob assign Patrick the necessary rights? Project manager Manage team Prepare budget Manage risk Review results Patrick Bob Secretary Team Mgt data Budget data Risk Mgt data Results data ?
  • 13. Copyright © The Open Group 2011 Case study 13 • In this model, the Secretary role is assigned to the Prepare Budget Process • What happens to the other secretaries?  They receive too many rights Project manager Manage team Prepare budget Manage risk Review results Patrick Bob Secretary Team Mgt data Budget data Risk Mgt data Results data ?
  • 14. Copyright © The Open Group 2011 Case study 14 • In this model, Patrick gets a special-purpose role • Is Patrick the only person who can manage the budget ? Role just for Patrick Project manager Manage team Prepare budget Manage risk Review results Patrick Bob Secretary Team Mgt data Budget data Risk Mgt data Results data ?
  • 15. Copyright © The Open Group 2011 What we need to model 15 Therefore, we introduce RESPONSIBILITY
  • 16. Copyright © The Open Group 2011 Responsibility Modeling 16 • How should responsibility be modelled, both in general and specifically in ArchiMate ? • New concepts • Relation between those concepts and ArchiMate  Illustrations with the case study
  • 17. Copyright © The Open Group 2011 New Concepts 17 duty to report or explain the action or someone else's action to a given authority Name Symbol Meaning Responsibility A property assigned to a business actor that aggregates a set of obligations and rights Obligation An obligation is a duty to perform a task Right An ability granted to a business actor by the enterprise in order to enable the business actor to perform a specific task. Capability An ability of a business actor that has not been granted by the enterprise. Justification A justification is a duty to report and explain the action to a given authority Responsibility Right Capability Justification Obligation
  • 18. Copyright © The Open Group 2011 Responsibility Modeling 18 Responsibility Business object Right To access requires Is necessary for Business role Business actor assigned to assigned to Business process concerns Obligation
  • 19. Copyright © The Open Group 2011 Responsibility Modeling 19 Business actor Business role Business object Business Process Responsibility Obligation Right To access assigned torequires Is necessary for concerns assigned to Capability requires Is necessary for Justification
  • 20. Copyright © The Open Group 2011 20 Prepare budget Read and write requiresconcerns Responsibility to prepare the budget Do concerns Patrick Budget data Project manager Bob Control Responsibility to review the budgetRead requires concerns Responsibilities to perform and control the budget necessary for necessary for
  • 21. Copyright © The Open Group 2011 Outline 21 • Context of the research • The problem / the research approach • What is RBAC ? • Case study • 1st research question: How should responsibility be modelled, both in general and specifically in ArchiMate ? • 2nd research question: How can models of responsibility be used to improve access rights management ? • Conclusions
  • 22. Copyright © The Open Group 2011 Second research question 22 • How to include the responsibility with RBAC and with RBAC administration framework ? • Introduction of the responsibility at the business layer and at the application layer • Association of the responsibility with the Business role and the RBAC role.  Illustration with the case study
  • 23. Copyright © The Open Group 2011 Administrative Framework without Responsibility 23 Business Role RBAC Role Business Actor User ApplicationLayerBusinessLayer Assignment Inappropriate ! Permission
  • 24. Copyright © The Open Group 2011 Administrative Framework with Responsibility 24 RBAC Role Business Role Responsibility Responsibility Business Actor User ApplicationLayerBusinessLayer Business Role Assignment Permission
  • 25. Copyright © The Open Group 2011 25 Responsibility to review the budget Bob Patrick Budget data Read concerns Write concerns Responsibility to prepare the budget Business Actor Responsibilities Permission Project manager Case Study with Responsibility RBAC Role #1 RBAC Role #2
  • 26. Copyright © The Open Group 2011 Conclusion 26 • In order to meet security and governance requirements, enterprises must precisely define responsibilities and provision access rights • The proposed responsibility extension to ArchiMate enables this precision RolePermission Role Role Role Role Hierarchy Permission Role Hierarchy Respons. Obligation Role Role Role Role
  • 27. Copyright © The Open Group 2011 Conclusion 27 • The responsibility concept aligns access rights between the ArchiMate Business and Application layers.
  • 28. Copyright © The Open Group 2011 Motivation: The Inaction Problem in Information Security 28
  • 29. Copyright © The Open Group 2011 Stakeholder Inaction Causes Great Harm • According to an international study of 761 data compromise incidents in 20101 • 83% of victims were targets of opportunity, the same as 2009 • 92% of attacks were not highly difficult, up 7% from 2009 • 96% of breaches were avoidable through simple or intermediate controls, the same as 2009 • 89% of victims subject to the Payment Card Industry Data Security Standard2 had not achieved compliance 29
  • 30. Copyright © The Open Group 2011 Why Don’t Stakeholders Act? • Economic explanations fall into categories such as3 • Misaligned incentives • Breach victims often suffer more than individuals responsible for preventing breaches • Employees are often more motivated to do things quickly and cheaply than securely • Asymmetric information • Market participants are variously incented to exaggerate or minimize risk • Exaggerated claims about premium countermeasures make customers unwilling to pay extra for better security • Network Externalities • Embracing weak security often helps build market share • Early countermeasure adopters must often await broader adoption to realize benefits • Externalities of Insecurity • The social cost of asset compromise is often greater than the owners’ cost 30
  • 31. Copyright © The Open Group 2011 Why Don’t Stakeholders Act? • Security measures are always trade-offs, but our innate psychology causes us to misinterpret risk. Bruce Schneier4 identifies five areas that we often get wrong • Risk severity • Risk probability • Risk impact • Effectiveness of countermeasures • Comparison of disparate risks and costs • For example, we often4 • Exaggerate spectacular but rare risks and downplay common ones • Have trouble estimating risks for anything outside our normal situation • Perceive personified risks as greater than anonymous risks • Underestimate risks we willingly take or have some control over, but overestimate risks we can’t control • Overestimate risks that are receiving great publicity, that are new, or are man-made relative to risks that are less publicized, commonplace or natural in origin 31
  • 32. Copyright © The Open Group 2011 Why Don’t Stakeholders Act? • We are much better equipped to address imminent threats versus those looming in the distance. As Schneier4 says • “We are very well adapted to dealing with the security environment endemic to hominids living in small family groups on the highland plains of East Africa” • In fact, our “Abstract concepts are largely metaphorical”5. For example, we • Punch a hole in the firewall • Experience security breaches • Analyze attack surfaces • All too often, end up between a rock and a hard place 32
  • 33. Copyright © The Open Group 2011 Questions for Discussion • How can security architects use the ArchiMate visual modeling language to • Align stakeholders’ perceptions of risk with the logical and mathematical reality of enterprise risk? • Enable the sponsors, designers and implementers of controls to make the best possible protective decisions for their enterprise? • How can The Open Group build on ArchiMate 2.0 to better support security architecture? 33
  • 34. Copyright © The Open Group 2011 Thank You! 34
  • 35. Copyright © The Open Group 2011 Supplementary Material 35
  • 36. Copyright © The Open Group 2011 Motivation References 1. W. Baker, A. Hutton, C.D. Hylender, J. Pamula, C. Porter, M. Spitler, et. al. 2011 Data Breach Investigations Report [Online], 2011. http://www.verizonbusiness.com/resources/reports/rp_data-breach- investigations-report-2011_en_xg.pdf 2. PCI Security Standards Council. Payment Card Industry Data Security Standard version 2.0 [Online], 2010. https://www.pcisecuritystandards.org/security_standards/documents.php?docu ment=pci_dss_v2-0#pci_dss_v2-0 3. T. Moore, R. Anderson. Economics and Internet Security: a Survey of Recent Analytical, Empirical and Behavioral Research [Online], 2011. ftp://ftp.deas.harvard.edu/techreports/tr-03-11.pdf 4. B. Schneier. The Psychology of Security [Online], 2008. http://www.schneier.com/essay-155.html 5. Lakoff, George, Johnson, Mark. Philosophy in the Flesh. Basic Books, 1999. 36
  • 37. Copyright © The Open Group 2011 Responsibility References 1. Christophe Feltus, Eric Dubois, Erik Proper, Iver Band, Michaël Petit, Enhancing the ArchiMate® Standard with a Responsibility Modeling Language for Access Rights Management, 5th ACM International Conference on Security of Information and Networks (ACM SIN 2012), 22-27/10/2012, Jaipur, Rajastan, India. ISBN: 978-1-4503-1668-2 2. Christophe Feltus, Michaël Petit, Eric Dubois, ReMoLa: Responsibility Model Language to Align Access Rights with Business Process Requirements, Fifth IEEE International Conference on Research Challenges in Information Science (IEEE RCIS 2011), 19-21/5/2011, Guadeloupe - French West Indies, France 3. Christophe Feltus, Eric Dubois, Michaël Petit, Conceptualizing a Responsibility based Approach for Elaborating and Verifying RBAC Policies Conforming with CobiT Framework Requirements, Third International Workshop on Requirements Engineering and Law (RELAW10), in conjunction with the 18th IEEE International Requirements Engineering Conference (RE2010), 27/9-1/10/2010, Sydney, Australia. 4. Christophe Feltus, Michaël Petit, Morris Sloman, Enhancement of Business IT Alignment by Including Responsibility Components in RBAC, 5th International Workshop on Business/IT Alignment and Interoperability (BUSITAL 2010), an International Workshop of the 22th Conference on Advanced Information Systems Engineering (CAISE2010), 7-11/6/2010, Hammamet, Tunisia 5. Christophe Feltus, Michaël Petit, Eric Dubois, Strengthening Employee’s Responsibility to Enhance Governance of IT - COBIT RACI Chart Case Study, The 1st ACM Workshop on Information Security Governance (ACM WISG 2009) held in conjunction with the 16th ACM Conference on Computer and Communications Security (ACM CCS 2009), 13/11/2009, Chicago, Illinois, USA. 6. Christophe Feltus, Michaël Petit, Building a Responsibility Model Including Accountability, Capability and Commitment, Fourth International Conference on Availability, Reliability and Security (“ARES 2009 – The International Dependability Conference”) IEEE, 16-19/3/2009, Fukuoka, Japan. (SCOPUS) 7. Christophe Feltus, Michaël Petit, Building a Responsibility Model using Modal Logic - Towards Accountability, Capability and Commitment Concepts, The seventh ACS/IEEE International Conference on Computer Systems and Applications (AICCSA-09) IEEE, 10-13/5/2009, Rabat, Morocco 37