Information security covers many areas within an enterprise. Each area has security
vulnerabilities and, hopefully, some corresponding countermeasures that raise the security level and provide better protection. The fundamental concepts in information security are the security model, which outlines how security is to be implemented. A security policy outlines how data is accessed, what level of security is required, and what actions should be taken when these requirements are not met. A security model is a statement that outlines the requirements necessary to properly support and implement a certain security policy. An important concept in the design and analysis of secure systems is the security model, because it incorporates the security policy that should be enforced in the system. A model is a symbolic representation of a policy. It maps the desires of the policy makers into a set of rules that are to be followed by a computer system. In the paper we propose a model driven security assessment and verification for business service. The Security Assessment and Verification verifies whether the Application and Services are secure based on the Service Level Agreement and generates the report on the level of security features. It is designed to help business owners, operators and staff to assess the security of their business. It covers potential areas of vulnerability, and provides suggestions for adapting your security to reduce the risk of crime against your business. A security policy states that no one from a lower security level should be able to view or modify information at a higher security level, the supporting security model will outline the necessary logic and rules that need to be implemented to ensure that under no circumstances can a lower-level subject access a higher-level object in an unauthorized manner. The security policy is an abstract term that represents the objectives and goals a system must meet and accomplish to be deemed secure and acceptable.
Enterprise Architecture and Information SecurityJohn Macasio
A thinking tool to ask and describe the alignment requirements of business, information, technology and security to improve and secure the management of process, data, application and infrastructure of performance.
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Craig Martin
Ana Kukec, Lead Enterprise Security Consultant, Enterprise Architects, Australia
The Open Group Architecture Forum and Security Forum agree that the coverage of security in TOGAF should be updated and improved. The understanding and focus of security architecture has moved from a threat-driven approach of addressing non-normative flaws through systems and applications to a risk-driven and business outcome-focused methodology of enabling a business strategy.
Following this trend, we defined fundamental characteristics of effective security architecture. 1) Capabilities are primary assets at risk, while information systems and technology components are secondary assets at risk supporting the primary assets. 2) Security requirements include the business aspects and not only the technology aspects of confidentiality, integrity and availability. 3) IT risk management is business-opportunity-driven. It requires understanding of risk appetite across business, information systems and technology architecture to manage security risks of vulnerabilities and compliance issues, which may arise at any layer of enterprise architecture in a business-outcome-focused way. 4) Security services are aligned to business drivers, goals and objectives, and managed in a risk-driven way.
Yet, there is no single security architecture development methodology to deliver these characteristics. We believe that existing information security standards and frameworks in a combination with the TOGAF are sufficient to meet the aforementioned fundamental characteristics of effective security architecture. However the challenge is in their integration. Our Enterprise Security Architecture Framework integrates key industry standards and best practices for information security and risk management, such as COBIT 5 for Information Security, ITILv3 Security Service Management, ISO/IEC 27000 and ISO/IEC 31000 families of standards, using the TOGAF Architecture Development Method and Content Meta-model as the key integrators. It is a pragmatic security architecture framework which establishes a common language between IT, security, risk and business organisations within an enterprise and ensures effective and efficient support of long-term security needs of both business and IT, with a risk-driven enterprise as a final outcome.
We will present a case study of the implementation of the aforementioned business-outcome-focused and risk-driven Enterprise Security Architecture Framework at the University of New South Wales.
Key takeaways:
-- Overview of a risk-driven and business-outcome-focused security architecture methodology seamlessly integrated with the TOGAF
-> Security strategic planning
-> Enterprise-wide compliance, internal (policies and standards) and external (laws and regulations
-> Business-opportunity driven management of security risk of threats, vulnerabilities and compliance issues across business, information systems and technology architecture
Making IA Real: Planning an Information Architecture StrategyChiara Fox Ogan
Presented at Internet Librarian conference in 2001. Provides an introduction to what information architecture is and how you can use the methods to develop a good website.
A Proposed Security Model for Web Enabled Business Process Management SystemCSCJournals
Many organizations in industry and civilian government start deploying Business Process Management systems (BPMS) and technology in their IT applications. This could lead to a dramatic operational efficiency improvement on their business and administrative environments. With these atmospheres, the security issue is becoming a much more important challenge in the BPMS literature. The Role-Based Access Control (RBAC) model has been accepted as a promise security model solution and standard. RBAC is able to accomplish the central administration of an organizational specific security policy. It is also able to meet the secure processing needs of many commercial and civilian government organizations. In spite of these facts, RBAC model is not reliable when applying to the BPMS without further modifications and extensions. RBAC is modified to fit with Service oriented (SRBAC), but still not reliable enough to handle BPMS. Authors of that research proposed a security model based on SRBAC model to be more reliable when using with BPMS. Authors of that research named that proposed security model as Improved Role Based Access Control (IRBAC). The IRBAC model is directly applicable to the BPMS. Authors defined a graphical representation and technical implementation of the IRBAC model. This IRBAC model is tested using simple case study. The test compares between the IRBAC model and SRBAC model where IRBAC is implemented in two cases (IRBAC with caching and IRBAC with no caching). The test results show the validity and performability of the IRBAC model.
Information security plays an important role in
governments. Its realm has been increased nowadays, especially
with resent viruses’ attacks in different governmental
organizations. The authentication is aspect of information
security, its current scheme used nowadays in the systems is
depend on the login by user name and password in addition to
one-time password or traditional secret questions, which in turn
is usually easy to predicate. This paper proposes enhanced
knowledge based authentication solution which ensures and
provides more security and usability levels for governmental
organizations.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Enterprise Architecture and Information SecurityJohn Macasio
A thinking tool to ask and describe the alignment requirements of business, information, technology and security to improve and secure the management of process, data, application and infrastructure of performance.
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Craig Martin
Ana Kukec, Lead Enterprise Security Consultant, Enterprise Architects, Australia
The Open Group Architecture Forum and Security Forum agree that the coverage of security in TOGAF should be updated and improved. The understanding and focus of security architecture has moved from a threat-driven approach of addressing non-normative flaws through systems and applications to a risk-driven and business outcome-focused methodology of enabling a business strategy.
Following this trend, we defined fundamental characteristics of effective security architecture. 1) Capabilities are primary assets at risk, while information systems and technology components are secondary assets at risk supporting the primary assets. 2) Security requirements include the business aspects and not only the technology aspects of confidentiality, integrity and availability. 3) IT risk management is business-opportunity-driven. It requires understanding of risk appetite across business, information systems and technology architecture to manage security risks of vulnerabilities and compliance issues, which may arise at any layer of enterprise architecture in a business-outcome-focused way. 4) Security services are aligned to business drivers, goals and objectives, and managed in a risk-driven way.
Yet, there is no single security architecture development methodology to deliver these characteristics. We believe that existing information security standards and frameworks in a combination with the TOGAF are sufficient to meet the aforementioned fundamental characteristics of effective security architecture. However the challenge is in their integration. Our Enterprise Security Architecture Framework integrates key industry standards and best practices for information security and risk management, such as COBIT 5 for Information Security, ITILv3 Security Service Management, ISO/IEC 27000 and ISO/IEC 31000 families of standards, using the TOGAF Architecture Development Method and Content Meta-model as the key integrators. It is a pragmatic security architecture framework which establishes a common language between IT, security, risk and business organisations within an enterprise and ensures effective and efficient support of long-term security needs of both business and IT, with a risk-driven enterprise as a final outcome.
We will present a case study of the implementation of the aforementioned business-outcome-focused and risk-driven Enterprise Security Architecture Framework at the University of New South Wales.
Key takeaways:
-- Overview of a risk-driven and business-outcome-focused security architecture methodology seamlessly integrated with the TOGAF
-> Security strategic planning
-> Enterprise-wide compliance, internal (policies and standards) and external (laws and regulations
-> Business-opportunity driven management of security risk of threats, vulnerabilities and compliance issues across business, information systems and technology architecture
Making IA Real: Planning an Information Architecture StrategyChiara Fox Ogan
Presented at Internet Librarian conference in 2001. Provides an introduction to what information architecture is and how you can use the methods to develop a good website.
A Proposed Security Model for Web Enabled Business Process Management SystemCSCJournals
Many organizations in industry and civilian government start deploying Business Process Management systems (BPMS) and technology in their IT applications. This could lead to a dramatic operational efficiency improvement on their business and administrative environments. With these atmospheres, the security issue is becoming a much more important challenge in the BPMS literature. The Role-Based Access Control (RBAC) model has been accepted as a promise security model solution and standard. RBAC is able to accomplish the central administration of an organizational specific security policy. It is also able to meet the secure processing needs of many commercial and civilian government organizations. In spite of these facts, RBAC model is not reliable when applying to the BPMS without further modifications and extensions. RBAC is modified to fit with Service oriented (SRBAC), but still not reliable enough to handle BPMS. Authors of that research proposed a security model based on SRBAC model to be more reliable when using with BPMS. Authors of that research named that proposed security model as Improved Role Based Access Control (IRBAC). The IRBAC model is directly applicable to the BPMS. Authors defined a graphical representation and technical implementation of the IRBAC model. This IRBAC model is tested using simple case study. The test compares between the IRBAC model and SRBAC model where IRBAC is implemented in two cases (IRBAC with caching and IRBAC with no caching). The test results show the validity and performability of the IRBAC model.
Information security plays an important role in
governments. Its realm has been increased nowadays, especially
with resent viruses’ attacks in different governmental
organizations. The authentication is aspect of information
security, its current scheme used nowadays in the systems is
depend on the login by user name and password in addition to
one-time password or traditional secret questions, which in turn
is usually easy to predicate. This paper proposes enhanced
knowledge based authentication solution which ensures and
provides more security and usability levels for governmental
organizations.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Does Anyone Remember Enterprise Security Architecture?rbrockway
The concept of Enterprise Security Architecture (ESA) is not new (Gartner 2006), yet the numbers from the past several years’ worth of breach data indicates that most organizations continue to approach security on a project by project basis or from a compliance perspective. This talk will refresh the ESA concept and communicate tangible and realistic steps any organization can take to align their security processes, architecture and management to their business strategies, reduce business risks and significantly improve their overarching security posture.
SECURE SERVICES: INTEGRATING SECURITY DIMENSION INTO THE SA&D cscpconf
Services security is often assimilated to a set of software solutions (Firewall, data encryption.) but rarely consider the organizational security rules as a fundamental part of the Services security policy. With the increasing use of new Services architectures (Open Services architecture, distributed database, multi web server, multi-tier application servers) security leaks become crucial and every security problem is harmful to the organization business continuity. To reduce and detect major security risks at an earlier step of the Services project, our approach is based on different knowledge exchange between end users, analyst, designers and developers collaborating at the Services project. The knowledge is mainly oriented to the detection of weak signals inside the organization. In this paper, we present the different knowledge surroundings an Services project and a knowledge pattern structure that can be used for the formalization aspects of the established exchange that should be established during the Services project between the different participants
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...CSCJournals
Software Reliability is the probability of failure-free software operation for a specified period of time in a specified environment. Cyber threats on software security have been prevailing and have increased exponentially, posing a major challenge on software reliability in the cyber physical systems (CPS) environment. Applying patches after the software has been developed is outdated and a major security flaw. However, this has posed a major software reliability challenge as threat actors are exploiting unpatched and insecure software configuration vulnerabilities that are not identified at the design phase. This paper aims to investigate the SDLC approach to software reliability and quality assurance challenges in CPS security. To demonstrate the applicability of our work, we review existing security requirements engineering concepts and methodologies such as TROPOS, I*, KAOS, Tropos and Secure Tropos to determine their relevance in software security. We consider how the methodologies and function points are used to implement constraints to improve software reliability. Finally, the function points concepts are implemented into the CPS security components. The results show that software security threats in CPS can be addressed by integrating the SRE approach and function point analysis in the development to improve software reliability.
Software security risk mitigation using object oriented design patternseSAT Journals
Abstract It is now well known that requirement and the design phase of software development lifecycle are the phases where security incorporation yields maximum benefits.In this paper, we have tried to tie security requirements, security features and security design patterns together in a single string. It is complete process that will help a designer to choose the most appropriate security design pattern depending on the security requirements. The process includes risk analysis methodology at the design phase of the software that is based on the common criteria requirement as it is a wellknown security standard that is generally used in the development of security requirements. Risk mitigation mechanisms are proposed in the form of security design patterns. Exhaustive list of most reliable and well proven security design patterns is prepared and their categorization is done on the basis of attributes like data sensitivity, sector, number of users etc. Identified patterns are divided into three levels of security. After the selection of security requirement, the software designer can calculate the percentage of security features contribution and on the basis of this percentage; design pattern level can be selected and applied.
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
The presentations should help security professionals create security architecture that supports business objectives, covers all areas of security technology, and allows for effective measurement of security value.
The presentation was given at BrighTalk
Analyzing and Surveying Trust In Cloud Computing Environmentiosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
this research was conducted to find out the level of
information security in organization to give recommendations
improvements in information security management at the
organization. This research uses the ISO 27002 by involving the
entire clause that exists in ISO 27002 check-lists. Based on the
analysis results, 13 objective controls and 43 security controls
were scattered in 3 clauses of ISO 27002. From the analysis it
was concluded that the maturity level of information system
security governance was 2.51, which means the level of security
is still at level 2 planned and tracked is planned and tracked
actively) but is approaching level 3 well defined.
A UML Profile for Security and Code Generation IJECEIAES
Recently, many research studies have suggested the integration of safety engineering at an early stage of modeling and system development using Model-Driven Architecture (MDA). This concept consists in deploying the UML (Unified Modeling Language) standard as aprincipal metamodel for the abstractions of different systems. To our knowledge, most of this work has focused on integrating security requirements after the implementation phase without taking them into account when designing systems. In this work, we focused our efforts on non-functional aspects such as the business logic layer, data flow monitoring, and high-quality service delivery. Practically, we have proposed a new UML profile for security integration and code generation for the Java platform. Therefore, the security properties will be described by a UML profile and the OCL language to verify the requirements of confidentiality, authorization, availability, data integrity, and data encryption. Finally, the source code such as the application security configuration, the method signatures and their bodies, the persistent entities and the security controllers generated from sequence diagram of system’s internal behavior after its extension with this profile and applying a set of transformations.
Enhancing security features in cloud computing for healthcare using cipher an...eSAT Journals
Abstract Health Care is the most important unindustrialized field. Cloud is an emerging trend in software industry. In medical field, there are large dataset comprising highly sensitive data about patient’s medical records. Based on these records, diagnosis for the patient will be given. Moving data to the cloud makes to explore a large information for diagnosis as expert documentation will also be stored as part of health record. Physicians from anywhere at any time can get access over these reports for better treatment. The Medicare industry vacillates to store these data to the cloud as the patients might feel insecure about their health records. This work introduces the idea of combining Cipher Cloud, Inter Cloud and ABE schemes, proposes an innovative method to enhance security features in the cloud by double encryption using algorithms and tools. By this, only authorized entities are proficient of accessing these records. Rather than storing data in single cloud, Inter Cloud (Multi-cloud) also adds advantage for our proposed work. Keywords: Virtualization, Cipher cloud, Trust, Encryption, Inter cloud
Enhancing security features in cloud computing for healthcare using cipher an...eSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology
Information Security Governance: Concepts, Security Management & MetricsOxfordCambridge
The goal of information security governance is to establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.
AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...IJNSA Journal
Modern organizations are adopting new ways of measuring their level of security for compliance and justification of security investments. The highly interconnected environment has seen organizations generate lots of personal information and sensitive organizational data. Easiness in automation provided by open-source enterprise resource planning (ERP) software has accelerated its acceptability. The study aimed at developing a security measurement framework for open-source ERP software. The motivation was twofold: paradigm shift towards open-source ERP software and the need for justified investment on information security. Product quality evaluation method based on ISO 25010 framework guided the selection of attributes and factors. A security measurement framework with security posture at the highest level, attributes and factors was developed presenting a mechanism for assessing organization’s level of security. Security posture promotes customers’ confidence and gives management means to leverage resources for information security investment. The future work includes definition of metrics based on the framework.
Security has always been a great concern for all software systems due to the increased incursion of the wireless devices in recent years. Generally software engineering processes tries to compel the security measures during the various design phases which results into an inefficient measure. So this calls for a new process of software engineering in which we would try to give a proper framework for integrating the security requirements with the SDLC, and in this requirement engineers must discover all the security requirements related to a particular system, so security requirement could be analyzed and simultaneously prioritized in one go. In this paper we will present a new technique for prioritizing these requirement based on the risk measurement techniques. The true security requirements should be easily identified as early as possible so that these could be systematically analyzed and then every architecture team can choose the most appropriate mechanism to implement them.
Discussion 1Recommend three countermeasures that could enhance.docxelinoraudley582231
Discussion 1
Recommend three countermeasures that could enhance the information security measures of an enterprise. Justify your recommendations.
1. Upon extensive review of existing IT EBK and what new measures needed to be taken, Homeland Security came to the conclusion that a comprehensive approach information security including the steps of manage, design, implement, and evaluate would best serve to safeguard against future threats. Manage: calls for the oversight of security programs to come from the highest levels of chains of command with constant focus on “ensuring its currency with changing risk and threat” (2007, p. 9). Design: calls for analyzing a program to assess what types of “procedures and processes” will best direct its successful execution. Implement: refers to how programs and policies are instituted within the company. Evaluate: this final step calls for a final critique of the new program or policy’s successful ability to [achieve] its purpose (2007, p. 9).
2. Homeland Security also recommended a “Competency and Functional Framework for IT Workplace Development” that placed strong emphasis on a clear chain of command and communication with clear job titles and IT employee roles being placed into a group of Executive, Functional or Corollary employees (2007, p. 17).
3. The report stressed the primary role of “the IT Security Compliance Professional is . . . overseeing, evaluating, and supporting compliance issues pertinent to the organization” (Homeland Security, 2007, p.16). Thus, the report logically concluded that IT professionals must know and be able to properly define terms such as evaluation, compliance and assessment in order to properly perform their duties (p. 14).
Propose three cybersecurity benefits that could be derived from the development of a strategic governance process. Select the benefit you find most important and explain why.
The National Computing Centre points out that there are numerous benefits to having a rigorous strategic governance process in place. Among them, increased transparency and accountability which leads to an “improved transparency of IT costs, IT process, [and] IT portfolio (2005, p. 6). This increased transparency and accountability also leads to an “improved understanding of overall IT costs and their input to ROI cases” which in turn often brings about “an increased return on investment/stakeholder value” (p. 6). Finally, the authors point to the fact that with increased transparency comes increased accountability and companies avoid “unnecessary expenditures” (p. 7).
Discussion 2
Categorize the roles described by the Information Technology Security Essential Body of Knowledge (EBK), in terms of executive, functional, and corollary competencies. Select two of these roles that you believe enhance the security countermeasures of an organization the most and justify your response.
As mentioned previously, Homeland Security’s 2007 report emphasized the importance of properly .
Does Anyone Remember Enterprise Security Architecture?rbrockway
The concept of Enterprise Security Architecture (ESA) is not new (Gartner 2006), yet the numbers from the past several years’ worth of breach data indicates that most organizations continue to approach security on a project by project basis or from a compliance perspective. This talk will refresh the ESA concept and communicate tangible and realistic steps any organization can take to align their security processes, architecture and management to their business strategies, reduce business risks and significantly improve their overarching security posture.
SECURE SERVICES: INTEGRATING SECURITY DIMENSION INTO THE SA&D cscpconf
Services security is often assimilated to a set of software solutions (Firewall, data encryption.) but rarely consider the organizational security rules as a fundamental part of the Services security policy. With the increasing use of new Services architectures (Open Services architecture, distributed database, multi web server, multi-tier application servers) security leaks become crucial and every security problem is harmful to the organization business continuity. To reduce and detect major security risks at an earlier step of the Services project, our approach is based on different knowledge exchange between end users, analyst, designers and developers collaborating at the Services project. The knowledge is mainly oriented to the detection of weak signals inside the organization. In this paper, we present the different knowledge surroundings an Services project and a knowledge pattern structure that can be used for the formalization aspects of the established exchange that should be established during the Services project between the different participants
Software Reliability and Quality Assurance Challenges in Cyber Physical Syste...CSCJournals
Software Reliability is the probability of failure-free software operation for a specified period of time in a specified environment. Cyber threats on software security have been prevailing and have increased exponentially, posing a major challenge on software reliability in the cyber physical systems (CPS) environment. Applying patches after the software has been developed is outdated and a major security flaw. However, this has posed a major software reliability challenge as threat actors are exploiting unpatched and insecure software configuration vulnerabilities that are not identified at the design phase. This paper aims to investigate the SDLC approach to software reliability and quality assurance challenges in CPS security. To demonstrate the applicability of our work, we review existing security requirements engineering concepts and methodologies such as TROPOS, I*, KAOS, Tropos and Secure Tropos to determine their relevance in software security. We consider how the methodologies and function points are used to implement constraints to improve software reliability. Finally, the function points concepts are implemented into the CPS security components. The results show that software security threats in CPS can be addressed by integrating the SRE approach and function point analysis in the development to improve software reliability.
Software security risk mitigation using object oriented design patternseSAT Journals
Abstract It is now well known that requirement and the design phase of software development lifecycle are the phases where security incorporation yields maximum benefits.In this paper, we have tried to tie security requirements, security features and security design patterns together in a single string. It is complete process that will help a designer to choose the most appropriate security design pattern depending on the security requirements. The process includes risk analysis methodology at the design phase of the software that is based on the common criteria requirement as it is a wellknown security standard that is generally used in the development of security requirements. Risk mitigation mechanisms are proposed in the form of security design patterns. Exhaustive list of most reliable and well proven security design patterns is prepared and their categorization is done on the basis of attributes like data sensitivity, sector, number of users etc. Identified patterns are divided into three levels of security. After the selection of security requirement, the software designer can calculate the percentage of security features contribution and on the basis of this percentage; design pattern level can be selected and applied.
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
The presentations should help security professionals create security architecture that supports business objectives, covers all areas of security technology, and allows for effective measurement of security value.
The presentation was given at BrighTalk
Analyzing and Surveying Trust In Cloud Computing Environmentiosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
this research was conducted to find out the level of
information security in organization to give recommendations
improvements in information security management at the
organization. This research uses the ISO 27002 by involving the
entire clause that exists in ISO 27002 check-lists. Based on the
analysis results, 13 objective controls and 43 security controls
were scattered in 3 clauses of ISO 27002. From the analysis it
was concluded that the maturity level of information system
security governance was 2.51, which means the level of security
is still at level 2 planned and tracked is planned and tracked
actively) but is approaching level 3 well defined.
A UML Profile for Security and Code Generation IJECEIAES
Recently, many research studies have suggested the integration of safety engineering at an early stage of modeling and system development using Model-Driven Architecture (MDA). This concept consists in deploying the UML (Unified Modeling Language) standard as aprincipal metamodel for the abstractions of different systems. To our knowledge, most of this work has focused on integrating security requirements after the implementation phase without taking them into account when designing systems. In this work, we focused our efforts on non-functional aspects such as the business logic layer, data flow monitoring, and high-quality service delivery. Practically, we have proposed a new UML profile for security integration and code generation for the Java platform. Therefore, the security properties will be described by a UML profile and the OCL language to verify the requirements of confidentiality, authorization, availability, data integrity, and data encryption. Finally, the source code such as the application security configuration, the method signatures and their bodies, the persistent entities and the security controllers generated from sequence diagram of system’s internal behavior after its extension with this profile and applying a set of transformations.
Enhancing security features in cloud computing for healthcare using cipher an...eSAT Journals
Abstract Health Care is the most important unindustrialized field. Cloud is an emerging trend in software industry. In medical field, there are large dataset comprising highly sensitive data about patient’s medical records. Based on these records, diagnosis for the patient will be given. Moving data to the cloud makes to explore a large information for diagnosis as expert documentation will also be stored as part of health record. Physicians from anywhere at any time can get access over these reports for better treatment. The Medicare industry vacillates to store these data to the cloud as the patients might feel insecure about their health records. This work introduces the idea of combining Cipher Cloud, Inter Cloud and ABE schemes, proposes an innovative method to enhance security features in the cloud by double encryption using algorithms and tools. By this, only authorized entities are proficient of accessing these records. Rather than storing data in single cloud, Inter Cloud (Multi-cloud) also adds advantage for our proposed work. Keywords: Virtualization, Cipher cloud, Trust, Encryption, Inter cloud
Enhancing security features in cloud computing for healthcare using cipher an...eSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology
Information Security Governance: Concepts, Security Management & MetricsOxfordCambridge
The goal of information security governance is to establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.
AN EXTENDED SECURITY MEASUREMENT FRAMEWORK FOR OPEN-SOURCE ENTERPRISE RESOURC...IJNSA Journal
Modern organizations are adopting new ways of measuring their level of security for compliance and justification of security investments. The highly interconnected environment has seen organizations generate lots of personal information and sensitive organizational data. Easiness in automation provided by open-source enterprise resource planning (ERP) software has accelerated its acceptability. The study aimed at developing a security measurement framework for open-source ERP software. The motivation was twofold: paradigm shift towards open-source ERP software and the need for justified investment on information security. Product quality evaluation method based on ISO 25010 framework guided the selection of attributes and factors. A security measurement framework with security posture at the highest level, attributes and factors was developed presenting a mechanism for assessing organization’s level of security. Security posture promotes customers’ confidence and gives management means to leverage resources for information security investment. The future work includes definition of metrics based on the framework.
Security has always been a great concern for all software systems due to the increased incursion of the wireless devices in recent years. Generally software engineering processes tries to compel the security measures during the various design phases which results into an inefficient measure. So this calls for a new process of software engineering in which we would try to give a proper framework for integrating the security requirements with the SDLC, and in this requirement engineers must discover all the security requirements related to a particular system, so security requirement could be analyzed and simultaneously prioritized in one go. In this paper we will present a new technique for prioritizing these requirement based on the risk measurement techniques. The true security requirements should be easily identified as early as possible so that these could be systematically analyzed and then every architecture team can choose the most appropriate mechanism to implement them.
Discussion 1Recommend three countermeasures that could enhance.docxelinoraudley582231
Discussion 1
Recommend three countermeasures that could enhance the information security measures of an enterprise. Justify your recommendations.
1. Upon extensive review of existing IT EBK and what new measures needed to be taken, Homeland Security came to the conclusion that a comprehensive approach information security including the steps of manage, design, implement, and evaluate would best serve to safeguard against future threats. Manage: calls for the oversight of security programs to come from the highest levels of chains of command with constant focus on “ensuring its currency with changing risk and threat” (2007, p. 9). Design: calls for analyzing a program to assess what types of “procedures and processes” will best direct its successful execution. Implement: refers to how programs and policies are instituted within the company. Evaluate: this final step calls for a final critique of the new program or policy’s successful ability to [achieve] its purpose (2007, p. 9).
2. Homeland Security also recommended a “Competency and Functional Framework for IT Workplace Development” that placed strong emphasis on a clear chain of command and communication with clear job titles and IT employee roles being placed into a group of Executive, Functional or Corollary employees (2007, p. 17).
3. The report stressed the primary role of “the IT Security Compliance Professional is . . . overseeing, evaluating, and supporting compliance issues pertinent to the organization” (Homeland Security, 2007, p.16). Thus, the report logically concluded that IT professionals must know and be able to properly define terms such as evaluation, compliance and assessment in order to properly perform their duties (p. 14).
Propose three cybersecurity benefits that could be derived from the development of a strategic governance process. Select the benefit you find most important and explain why.
The National Computing Centre points out that there are numerous benefits to having a rigorous strategic governance process in place. Among them, increased transparency and accountability which leads to an “improved transparency of IT costs, IT process, [and] IT portfolio (2005, p. 6). This increased transparency and accountability also leads to an “improved understanding of overall IT costs and their input to ROI cases” which in turn often brings about “an increased return on investment/stakeholder value” (p. 6). Finally, the authors point to the fact that with increased transparency comes increased accountability and companies avoid “unnecessary expenditures” (p. 7).
Discussion 2
Categorize the roles described by the Information Technology Security Essential Body of Knowledge (EBK), in terms of executive, functional, and corollary competencies. Select two of these roles that you believe enhance the security countermeasures of an organization the most and justify your response.
As mentioned previously, Homeland Security’s 2007 report emphasized the importance of properly .
The disconcerting increase in the number of security attacks on software calls for an imminent need for including secure development practices within the software development life cycle. The software security management system has received considerable attention lately and various efforts have been made in this direction. However, security is usually only considered in the early stages of the development of software. Thus, this leads to stating other vulnerabilities from a security perspective. Moreover, despite the abundance of security knowledge available online and in books, the systems that are being developed are seldom sufficiently secure. In this paper, we have highlighted the need for including application context sensitive modeling within a case-based software security management system. Furthermore, we have taken the context-driven and ontology-based frameworks and prioritized their attributes according to their weights which were achieved by using the Fuzzy AHP methodology.
DEPENDABLE WEB SERVICES SECURITY ARCHITECTURE DEVELOPMENT THEORETICAL AND PRA...cscpconf
This research “Designing Dependable Web Services Security Architecture Solutions” addresses
the innovative idea of Web Services Security Engineering using Web Services Security
Architecture with a research motivation of Secure Service Oriented Analysis and Design. It deals
with Web Services Security Architecture for Web Services Secure application design, for
Authentication and authorization, using Model Driven Architecture (MDA) based Agile Modeled
Layered Security Architecture design, which eventually results in enhanced dependable (privacy)
management. All the above findings are validated with appropriate case studies of Web 2.0
Services, its extension to Web 2.0 Mashups Spatial Web Services and various financial
applications. In this paper we discuss about Research Methodology for Designing Dependable Agile Layered Security Architectures, with validations on Spatial Web Services Case study.
Grid computing is concerned with the sharing and use of resources in dynamic distributed virtual
organizations. The dynamic nature of Grid environments introduces challenging security concerns that
demand new technical approaches. In this brief overview we review key Grid security issues and outline
the technologies that are being developed to address those issues. We focus on works done by Globus
Toolkits to provide security and also we will discuss about the cyber security in Grid.
Essay QuestionsAnswer all questions below in a single document, pr.docxjenkinsmandie
Essay Questions
Answer all questions below in a single document, preferably below the corresponding topic.
Responses should be no longer than half a page.
One
1. A security program should address issues from a strategic, tactical, and operational view. The
security program should be integrated at every level of the enterprise’s architecture. List a
security program in each level and provide a list of security activities or controls applied in these
levels. Support your list with real-world application data.
2. The objectives of security are to provide availability, integrity, and confidentiality protection to
data and resources. List examples of these security states where an asset could lose these
security states when attacked, compromised, or became vulnerable. Your examples could
include fictitious assets that have undergone some changes.
3. Risk assessment can be completed in a qualitative or quantitative manner. Explain each risk
assessment methodology and provide an example of each.
Two
1. Access controls are security features that are usually considered the first line of defense in
asset protection. They are used to dictate how subjects access objects, and their main goal is to
protect the objects from unauthorized access.
These controls can be administrative, physical, or technical in nature and should be applied in a
layered approach, ensuring that an intruder would have to compromise more than one
countermeasure to access critical assets. Explain each of these controls of administrative,
physical, and technical with examples of real-world applications.
2. Access control defines how users should be identified, authenticated, and authorized. These
issues are carried out differently in different access control models and technologies, and it is up
to the organization to determine which best fits its business and security needs. Explain each of
these access control models with examples of real-world applications.
3. The architecture of a computer system is very important and comprises many topics. The
system has to ensure that memory is properly segregated and protected, ensure that only
authorized subjects access objects, ensure that untrusted processes cannot perform activities
that would put other processes at risk, control the flow of information, and define a domain of
resources for each subject. It also must ensure that if the computer experiences any type of
disruption, it will not result in an insecure state. Many of these issues are dealt with in the
system’s security policy, and the security model is built to support the requirements of this
policy. Given these definitions, provide an example where you could better design computer
architecture to secure the computer system with real-world applications. You may use fictitious
examples to support your argument.
Three
1. Our distributed environments have put much more responsibility on the individual user, facility
management, and administrative procedures and controls than in th.
DEPENDABLE PRIVACY REQUIREMENTS BY AGILE MODELED LAYERED SECURITY ARCHITECTUR...cscpconf
Software Engineering covers the definition of processes, techniques and models suitable for its
environment to guarantee quality of results. An important design artifact in any software
development project is the Software Architecture. Software Architecture’s important part is the
set of architectural design rules. A primary goal of the architecture is to capture the
architecture design decisions. An important part of these design decisions consists of
architectural design rules In an MDA (Model-Driven Architecture) context, the design of the
system architecture is captured in the models of the system. MDA is known to be layered
approach for modeling the architectural design rules and uses design patterns to improve the
quality of software system. And to include the security to the software system, security patterns
are introduced that offer security at the architectural level. More over, agile software
development methods are used to build secure systems. There are different methods defined in
agile development as extreme programming (XP), scrum, feature driven development (FDD),
test driven development (TDD), etc. Agile processing is includes the phases as agile analysis,
agile design and agile testing. These phases are defined in layers of MDA to provide security at
the modeling level which ensures that security at the system architecture stage will improve the
requirements for that system. Agile modeled Layered Security Architectures increase the
dependability of the architecture in terms of privacy requirements. We validate this with a case
study of dependability of privacy of Web Services Security Architectures, which helps for secure
service oriented security architecture. In this paper the major part is given to model
architectural design rules using MDA so that architects and developers are responsible to
automatic enforcement on the detailed design and easy to understand and use by both of them.
This MDA approach is implemented in use of Agile strategy in three different phases covering
three different layers to provide security to the system. With this procedure a premise
conclusion has been given that with the system security the requirements for that system are
improved. This paper summarizes that security is essential for every system at initial stage and
upon introduction of security at middle stage must lead to the change in the system i.e., an
improvement to system requirements.
Abstraction and Automation: A Software Design Approach for Developing Secure ...iosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
The project work explores in detail, the security issues in a SOA environment and also describes the various approaches to these issues. The different approaches to SOA security (i.e. message level security, security as a service and policy driven security) are not standalone solutions, but can be deployed as mix and match solutions. A SOA security solution can make use of all the approaches to address specific security concerns. Finally the project work describes a generic SOA security model which acts as a reference model to identify security vulnerabilities in enterprise application integration (EAI). These vulnerabilities can then be addressed by the different approaches to security.
MANAGING SECURITY AND COMPLIANCE RISKS OF OUTSOURCED IT PROJECTScsandit
Several constraints, such as business, financial, and legal can lead organizations to outsource some of their IT services. Consequently, this might introduce different security risks to major security services such as confidentiality, integrity and availability. Analysing and managing the potential security risks in the early stages of project execution allows organizations to avoid or minimize such security risks. In this paper, we propose an approach that is capable of managing the security and compliance risks of outsourced IT projects. Such an approach aims to allow organizations to minimize, mitigate, or eliminate security risks in the early stages of project execution. It is designed to manage variation in security requirements, as well as provide a methodology to guide organizations for the purpose of security management and implementation
A dynamic policy based security-as-a-service infrastructure for cloud environ...eSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
Security issues often neglected until coding step in
software development process, and changing in this step leads to
maximize time and cost consuming depending on the size of the
project. Applying security on design phase can fix vulnerabilities
of the software earlier in the project and minimize the time and
cost of the software by identifying security flaws earlier in the
software life cycle. This work concerns with discussing security
metrics for object oriented class design, and implementing these
metrics from Enterprise Architect class diagram using a
proposed CASE tool.
Similar to MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES (20)
ACEP Magazine edition 4th launched on 05.06.2024Rahul
This document provides information about the third edition of the magazine "Sthapatya" published by the Association of Civil Engineers (Practicing) Aurangabad. It includes messages from current and past presidents of ACEP, memories and photos from past ACEP events, information on life time achievement awards given by ACEP, and a technical article on concrete maintenance, repairs and strengthening. The document highlights activities of ACEP and provides a technical educational article for members.
Water billing management system project report.pdfKamal Acharya
Our project entitled “Water Billing Management System” aims is to generate Water bill with all the charges and penalty. Manual system that is employed is extremely laborious and quite inadequate. It only makes the process more difficult and hard.
The aim of our project is to develop a system that is meant to partially computerize the work performed in the Water Board like generating monthly Water bill, record of consuming unit of water, store record of the customer and previous unpaid record.
We used HTML/PHP as front end and MYSQL as back end for developing our project. HTML is primarily a visual design environment. We can create a android application by designing the form and that make up the user interface. Adding android application code to the form and the objects such as buttons and text boxes on them and adding any required support code in additional modular.
MySQL is free open source database that facilitates the effective management of the databases by connecting them to the software. It is a stable ,reliable and the powerful solution with the advanced features and advantages which are as follows: Data Security.MySQL is free open source database that facilitates the effective management of the databases by connecting them to the software.
HEAP SORT ILLUSTRATED WITH HEAPIFY, BUILD HEAP FOR DYNAMIC ARRAYS.
Heap sort is a comparison-based sorting technique based on Binary Heap data structure. It is similar to the selection sort where we first find the minimum element and place the minimum element at the beginning. Repeat the same process for the remaining elements.
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...Amil Baba Dawood bangali
Contact with Dawood Bhai Just call on +92322-6382012 and we'll help you. We'll solve all your problems within 12 to 24 hours and with 101% guarantee and with astrology systematic. If you want to take any personal or professional advice then also you can call us on +92322-6382012 , ONLINE LOVE PROBLEM & Other all types of Daily Life Problem's.Then CALL or WHATSAPP us on +92322-6382012 and Get all these problems solutions here by Amil Baba DAWOOD BANGALI
#vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore#blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #blackmagicforlove #blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #Amilbabainuk #amilbabainspain #amilbabaindubai #Amilbabainnorway #amilbabainkrachi #amilbabainlahore #amilbabaingujranwalan #amilbabainislamabad
Harnessing WebAssembly for Real-time Stateless Streaming PipelinesChristina Lin
Traditionally, dealing with real-time data pipelines has involved significant overhead, even for straightforward tasks like data transformation or masking. However, in this talk, we’ll venture into the dynamic realm of WebAssembly (WASM) and discover how it can revolutionize the creation of stateless streaming pipelines within a Kafka (Redpanda) broker. These pipelines are adept at managing low-latency, high-data-volume scenarios.
6th International Conference on Machine Learning & Applications (CMLA 2024)ClaraZara1
6th International Conference on Machine Learning & Applications (CMLA 2024) will provide an excellent international forum for sharing knowledge and results in theory, methodology and applications of on Machine Learning & Applications.
6th International Conference on Machine Learning & Applications (CMLA 2024)
MODEL-DRIVEN SECURITY ASSESSMENT AND VERIFICATION FOR BUSINESS SERVICES
1. International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
DOI : 10.5121/ijwsc.2010.1203 31
MODEL-DRIVEN SECURITY ASSESSMENT
AND VERIFICATION FOR BUSINESS
SERVICES
Thirumaran.M1
and Dhavachelvan.P2
and Abarna.S3
and Thanigaivel. K4
1
Department of Computer science and Engineering, Pondicherry Engg College, India.
thirumaran@pec.edu
2
Department of Computer science and Engineering, Pondicherry University, India.
dhavachelvan@gmail.com
3
Department of Computer science and Engineering, Pondicherry Engg College, India.
abarna.pec@gmail.com
4
Department of Computer science and Engineering, Pondicherry Engg College, India.
thanigaivel20@pec.edu
1. ABSTRACT
Information security covers many areas within an enterprise. Each area has security
vulnerabilities and, hopefully, some corresponding countermeasures that raise the security level and
provide better protection. The fundamental concepts in information security are the security model,
which outlines how security is to be implemented. A security policy outlines how data is accessed, what
level of security is required, and what actions should be taken when these requirements are not met. A
security model is a statement that outlines the requirements necessary to properly support and implement
a certain security policy. An important concept in the design and analysis of secure systems is the
security model, because it incorporates the security policy that should be enforced in the system. A model
is a symbolic representation of a policy. It maps the desires of the policy makers into a set of rules that
are to be followed by a computer system. In the paper we propose a model driven security assessment
and verification for business service. The Security Assessment and Verification verifies whether the
Application and Services are secure based on the Service Level Agreement and generates the report on
the level of security features. It is designed to help business owners, operators and staff to assess the
security of their business. It covers potential areas of vulnerability, and provides suggestions for
adapting your security to reduce the risk of crime against your business. A security policy states that no
one from a lower security level should be able to view or modify information at a higher security level,
the supporting security model will outline the necessary logic and rules that need to be implemented to
ensure that under no circumstances can a lower-level subject access a higher-level object in an
unauthorized manner. The security policy is an abstract term that represents the objectives and goals a
system must meet and accomplish to be deemed secure and acceptable.
2. KEYWORDS: Service Level Agreement (SLA), Security Policies, Security assessment and
verification.
3. INTRODUCTION
A security policy is a set of rules and practices dictating how sensitive information is
managed, protected, and distributed. A security policy expresses exactly what the security level
should be by setting the goals of what the security mechanisms are to accomplish. The security
goals are based on legal compliance regulations and risk assessments, define how security
configurations are determined, decide upon the ways in which a company’s assets are
2. International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
32
protected, and how the availability of resources is managed in the context of process-aware
information systems [1].The security policy is an important element that has a major role in
defining the design of the system, because it incorporates the security policy that should be
enforced in the system [6]. A model is a symbolic representation of a policy. It maps the desires
of the policy makers into a set of rules that are to be followed by a computer system. The
security policy is a foundation for the specifications of a system and provides the baseline for
evaluating a system. Many of these security issues must be thought through before and during
the design and architectural phase for a product. Many processes are security critical in the
sense that security requirements are a central part of process requirements and security
mechanisms are required for their realization. Examples range from the authorization of a
military engagement, to an enterprise purchase process, to even the coordination of the
sequence of user interface masks displayed to a user .In such examples, the security policy can
be quite complex and may be comprised of a collection of requirements, which are associated
with different points of execution and checked and enforced at these points [11]. Hence
Security is best if it is designed and built into the foundation of operating systems and
applications and not added on as an afterthought. Once security is integrated as an important
part of the design, it has to be engineered, implemented, tested, audited, evaluated, certified and
accredited. The security that a product provides has to be rated on the availability, integrity, and
confidentiality it claims [1]. Consumers then use these ratings to determine if specific products
provide the level of security they require. This is a long road, with many entities involved with
different responsibilities. So in a very general and simplistic example, if a security policy states
that subjects need to be authorized to access objects, the security model would provide the
mathematical relationships and formulas explaining how x can access y only through outlined
specific methods. Specifications are then developed to provide a bridge to what this means in a
computing environment and how it maps to components and mechanisms that need to be coded
and developed. The developers then write the program code to produce the mechanisms that
provide a way for a system to use access control lists and give administrators some degree of
control. This mechanism presents the network administrator with a GUI representation, like
check boxes, to choose which subjects can access what objects, to be able to set this
configuration within the operating system. This is a rudimentary example because security
models can be very complex, but it is used to demonstrate the relationship between the security
policy and the security model. Hence the final step is to verify whether the Application and
Services are secured based on the Service Level Agreement this is done using Security
Assessment and Verification and generates the report on the level of security features.
4. RELATED WORKS
Christian Wolter present security policy and policy constraint models and discuss a
translation of security annotated business processes into platform specific target languages,
such as XACML or AXIS2 security configurations. To demonstrate the suitability of this
approach an example transformation is presented based on an annotated process [1].
Nagaratnam et al discusses an approach to overcome this shortage by expressing security
requirements in the context of business processes and how to monitor and manage them on the
different enterprise architecture levels [2]. Similar concepts are addressed by Rodríguez et al.
[3] and Sadiq et al. [4]. Both define a meta-model that links security requirement and
compliance regulations stereotypes to sequence objects of a business process and proposed
graphical annotation elements to visually enrich the process model with related security
requirements, but both consider a model-driven scenario as future work. Michiaki Tatsubori
proposed the domain of model-driven security in the context of business processes is an
emerging research area. The need to support the application scenario and related security
policies for web services on an abstract level is discussed in [5]. The authorization concepts are
refined by Dong Huang in a semantic policy-based security framework for business processes
identifying two levels of security for business processes. On the task or activity level, security
3. International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
concerns, such as non-repudiation, confidentiality
process level, general compliance rules, such as requir
[6].Tom Goovaerts presented an open architecture for enforcing and composing
policies that can depend on the available services in the
flexible run-time architecture that maximizes interoperability, adaptability, ev
prototyped the architecture on an Enterprise Service Bus and illustrate how the solution
supports realistic and complex policies [7].
Process for Web Service Security (PWSSec), to a real web servi
manner in which security in inter
and implemented by applying PWSSec, which combines a risk analysis and management, along
with a security architecture and a standard
built to provide support to the PWSSec process
RBAC model (GB-RBAC) and applied it for authorization management in collaborations by
introducing the concept of virtual
multi-groups, where all members
and perform operations for the collaborative work [9].
model and an authorization model for supporting dynamic business processes. More
specifically, authorization policies are expressed in an SQL
rewritten into query sentences for execution. In addition, the framework supports dynamic
integration and execution of multiple access control polices from disparate enterprise resources
[10].David Basin propose a modular approach to constructing modelling
this process, which combines languages
modelling security. They also present an application to constructing systems
models, where we combine a UML
language for formalizing access control requirements. From mo
they automatically generate security
5. SECURITY ARCHITECTURE
Figure 1. Security Architecture
International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
repudiation, confidentiality, and data integrity are considered. On the
process level, general compliance rules, such as required by Sarbanes–Oxley are defined
Tom Goovaerts presented an open architecture for enforcing and composing
policies that can depend on the available services in the environment. They have created a
time architecture that maximizes interoperability, adaptability, evolution and
prototyped the architecture on an Enterprise Service Bus and illustrate how the solution
supports realistic and complex policies [7].Carlos Gutiérrez proposed the application of the
Process for Web Service Security (PWSSec), to a real web service-based case study. The
manner in which security in inter-organizational information systems can be analyzed, designed
implemented by applying PWSSec, which combines a risk analysis and management, along
architecture and a standard-based approach. They additionally present a tool
provide support to the PWSSec process [8]. Xinwen Zhang proposed group
RBAC) and applied it for authorization management in collaborations by
introducing the concept of virtual group. A virtual group is built for collaboration between
groups, where all members build trust relation within the group and are authorized to join
the collaborative work [9]. Jian Cao proposed an organizational
an authorization model for supporting dynamic business processes. More
specifically, authorization policies are expressed in an SQL-like language which can be easily
rewritten into query sentences for execution. In addition, the framework supports dynamic
integration and execution of multiple access control polices from disparate enterprise resources
propose a modular approach to constructing modelling languages supporting
this process, which combines languages for modelling system design with languages for
modelling security. They also present an application to constructing systems from process
models, where we combine a UML-based process design language with a security modelling
for formalizing access control requirements. From models in the combined language,
they automatically generate security architectures for distributed applications [11].
SECURITY ARCHITECTURE
Figure 1. Security Architecture
International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
33
, and data integrity are considered. On the
Oxley are defined
Tom Goovaerts presented an open architecture for enforcing and composing complex
environment. They have created a
olution and
prototyped the architecture on an Enterprise Service Bus and illustrate how the solution
Carlos Gutiérrez proposed the application of the
based case study. The
organizational information systems can be analyzed, designed
implemented by applying PWSSec, which combines a risk analysis and management, along
present a tool
proposed group-based
RBAC) and applied it for authorization management in collaborations by
group. A virtual group is built for collaboration between
build trust relation within the group and are authorized to join
Jian Cao proposed an organizational
an authorization model for supporting dynamic business processes. More
like language which can be easily
rewritten into query sentences for execution. In addition, the framework supports dynamic
integration and execution of multiple access control polices from disparate enterprise resources
languages supporting
ith languages for
from process
process design language with a security modelling
dels in the combined language,
4. International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
The Security Specification is the requirements given by the customer and it’s
considered as input of the architecture. This Security Specification contains some
implementation codes which are called as Security Routine. The Security Model contains many
inbuilt existing models and these security models are compared with the Security
Using the Security Routine, Security Annotation checks whether the customer requirements
match with the existing models. If the security model satisfies all the requirements of the
customer they provide the existing model or else the securit
Service Level Agreement contains all the security agreements for the application and services.
The Security Assessment and Verification verifies whether the Application and Services are
secure based on the Service Level Ag
features. It is designed to help business owners, operators and staff to assess the security of
their business. It covers potential areas of vulnerability, and provides suggestions for adapting
your security to reduce the risk of crime against your business.
6. SECURITY POLICY MODEL
Figure 2. Security Policy Model
The security aspects can be defined by specifying a set of security goals, such as
confidentiality, integrity, authentication,
defined in the context of a security policy. As indicated in above Fig
by a constraint related to concerned entities
Specification. The specification is defined as contract and it should match with the security
pattern. Both the specification and contract enforces the security services to build the effect
As shown in Fig.2 policies are interpreted and enforced by a
support specific security patterns to guarantee
used to map high level security requirements to concrete technical mechanisms that
the enforcement of security constraints.
International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
The Security Specification is the requirements given by the customer and it’s
considered as input of the architecture. This Security Specification contains some
implementation codes which are called as Security Routine. The Security Model contains many
inbuilt existing models and these security models are compared with the Security Specification.
Using the Security Routine, Security Annotation checks whether the customer requirements
match with the existing models. If the security model satisfies all the requirements of the
customer they provide the existing model or else the security analyst design a new model. The
Service Level Agreement contains all the security agreements for the application and services.
The Security Assessment and Verification verifies whether the Application and Services are
secure based on the Service Level Agreement and generates the report on the level of security
features. It is designed to help business owners, operators and staff to assess the security of
their business. It covers potential areas of vulnerability, and provides suggestions for adapting
security to reduce the risk of crime against your business.
SECURITY POLICY MODEL
Figure 2. Security Policy Model
The security aspects can be defined by specifying a set of security goals, such as
egrity, authentication, authorization and auditing. These security goals are
security policy. As indicated in above Fig.2 each goal is described
by a constraint related to concerned entities .The basic entity in a security policy model is an
The specification is defined as contract and it should match with the security
pattern. Both the specification and contract enforces the security services to build the effect
policies are interpreted and enforced by a security module that
support specific security patterns to guarantee the defined constraints. Security patterns are
security requirements to concrete technical mechanisms that
the enforcement of security constraints.
International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
34
The Security Specification is the requirements given by the customer and it’s
considered as input of the architecture. This Security Specification contains some
implementation codes which are called as Security Routine. The Security Model contains many
Specification.
Using the Security Routine, Security Annotation checks whether the customer requirements
match with the existing models. If the security model satisfies all the requirements of the
y analyst design a new model. The
Service Level Agreement contains all the security agreements for the application and services.
The Security Assessment and Verification verifies whether the Application and Services are
reement and generates the report on the level of security
features. It is designed to help business owners, operators and staff to assess the security of
their business. It covers potential areas of vulnerability, and provides suggestions for adapting
The security aspects can be defined by specifying a set of security goals, such as
These security goals are
each goal is described
The basic entity in a security policy model is an
The specification is defined as contract and it should match with the security
pattern. Both the specification and contract enforces the security services to build the effect.
module that
the defined constraints. Security patterns are
security requirements to concrete technical mechanisms that implement
5. International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
35
6.1 Authentication
The process of identifying an individual usually based on a username and password. In
security systems, authentication is distinct from authorization, which is the process of giving
individuals access to system objects based on their identity. Authentication merely ensures that
the individual is who he or she claims to be, but says nothing about the access rights of the
individual. As shown in fig.3, The Administrator checks the User Credentials and it should
match the predefined credentials using security algorithm and performs the Encryption and
Decryption operation. Finally returns the Authentication Success or Failure.
Figure 3. Authentication Model
6.2Authorization
Authorization is the process of giving someone permission to do or have something. In
multi-user computer systems, a system administrator defines for the system which users are
allowed access to the system and what privileges of use (such as access to which file
directories, hours of access, amount of allocated storage space, and so forth). Assuming that
someone has logged in to a computer operating system or application, the system or application
may want to identify what resources the user can be given during this session. Thus,
authorization is sometimes seen as both the preliminary setting up of permissions by a system
administrator and the actual checking of the permission values that have been set up when a
user is getting access. As shown in fig.4, The Administrator Identifies Roles & Access
Permission of the User and matches with a Predefined Roles & Responsibility, if it matches
allows the user to perform and make an entry in Audit log or else Deny.
Figure 4. Authorization model
6. International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
6.3 Confidentiality
Confidentiality is a set of rules or a promise that limits access or places restrictions on
certain types of information. Confidentiality is the protection of transmitted data from passive
attacks. With respect to the content of a data transmission, several levels of protection can be
identified. The broadest service protects all user data transmitted between tw
period of time. As shown in fig.
and the resources should be classified based on the level of confidentiality.
6.4 Integrity
Integrity is the assurance that data received are exactly as sent by an authorized entity
(i.e., contain no modification, insertion, deletion, or replay).As with confidentiality, integrity
can apply to a stream of messages, a single message, or selected fields within a messag
the most useful and straightforward approach is total stream protection. As shown in fig.
Administrator monitors the Operation & Business Function and check the consistency of the
operation. Finally the administrator ensures the Data and th
6.5 Audit
The general definition of an
process, enterprise, project or product. The term most commonly refers to audits in accounting,
but similar concepts also exist in project management, quality management, and for energy
conservation. As shown in fig.7, The Administrator matches with the policy, constraint and rule
International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
Confidentiality is a set of rules or a promise that limits access or places restrictions on
information. Confidentiality is the protection of transmitted data from passive
attacks. With respect to the content of a data transmission, several levels of protection can be
identified. The broadest service protects all user data transmitted between two users over a
period of time. As shown in fig.5, The data should be protected from unauthorized disclosure
and the resources should be classified based on the level of confidentiality.
Figure 5. Confidentiality Model
urance that data received are exactly as sent by an authorized entity
(i.e., contain no modification, insertion, deletion, or replay).As with confidentiality, integrity
can apply to a stream of messages, a single message, or selected fields within a messag
the most useful and straightforward approach is total stream protection. As shown in fig.
Administrator monitors the Operation & Business Function and check the consistency of the
operation. Finally the administrator ensures the Data and the Functional Integrity.
Figure 6. Integrity Model
The general definition of an audit is an evaluation of a person, organization, system,
process, enterprise, project or product. The term most commonly refers to audits in accounting,
oncepts also exist in project management, quality management, and for energy
, The Administrator matches with the policy, constraint and rule
International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
36
Confidentiality is a set of rules or a promise that limits access or places restrictions on
information. Confidentiality is the protection of transmitted data from passive
attacks. With respect to the content of a data transmission, several levels of protection can be
o users over a
, The data should be protected from unauthorized disclosure
urance that data received are exactly as sent by an authorized entity
(i.e., contain no modification, insertion, deletion, or replay).As with confidentiality, integrity
can apply to a stream of messages, a single message, or selected fields within a message. Again,
the most useful and straightforward approach is total stream protection. As shown in fig.6, The
Administrator monitors the Operation & Business Function and check the consistency of the
is an evaluation of a person, organization, system,
process, enterprise, project or product. The term most commonly refers to audits in accounting,
oncepts also exist in project management, quality management, and for energy
, The Administrator matches with the policy, constraint and rule
7. International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
37
of the user and Audit every legal and illegal access on the resources as well as legal and illegal
access by the user. If the access is legal then generate the report based on the audit result else
diagnose the overall system security.
Figure 7. Audit Model
Authentication
<Authentication>
Algorithm =”RSA / SHA”
Operation = Encryption / Decryption
<Entity [Username, Password]>
</Authentication>
Authorization
<Authorization>
Algorithm =”RSA”
Operation = Permission Check
<Entity [User, Resource, Permission]>
</Authorization>
Confidentiality
<Confidentiality>
Algorithm =”SHA”
Operation = Protect, Maintain Level of Confidentiality
<Entity [Data, Resource]>
</Confidentiality>
8. International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
38
7. FRAMEWORK FOR SECURITY ASSESSMENT AND VERIFICATION
Service Request can be of two types, new services with security model or existing
services with Add-on security model. In our scenario we provide an Add-on security model
which can be interoperable with new or existing business services acquired from our service
provider. The Requirement Analyzer will analyze the Requirement of the Customer and the
Service Request will intimate what service the customer needs. Security Requirements is the
major component which will insets the security features for recommend business services.
Service Request will give the requested service to the Service discovery Engine and it will
insets what type of service suitable for the request made by the customer and the service
selected will be managed by the Service Repository. The Service Description is for all the user
using the service but Service profile is for the Service provider which content the business logic
for the particular business service. Security requirements will then be analyzed in two steps the
first one is the functional analyzer it will analyze the functionality of the security requirement
for the recommend services. The second is security analyzer it will analyze the security features
for the requested services. After analyzing the two steps for the requested services the main
thing is to select the suitable security model, security policy and security requirement. From the
security model we generate the schema which will intimate how the model will work and what
operation the model performs. The schema generator also as the security template for the
suitable security model and the schema will be added in the SLA planner in the form of
contract and policy in order to reduce the overhead between the consumer and the service
Integrity
<Integrity>
Algorithm =”SHA”
Operation = Consistency check
<Entity [User, Business function]>
</Integrity>
Audit
<Audit>
Algorithm =”Matching”
Operation = Matching
<Entity [Policies, Constraints, Rule]>
</Audit>
9. International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
39
provider. Once the schema is added in the SLA planner Security recommender will suggest the
appropriate security service for requested business service based on the security specifications.
Figure 7. Framework for Security Assessment and verification
These security services can also be customize according to the need and requirements
of the consumer using security customizer. The Audit log verifies whether the customized
security services meet the consumer request and match with the security models using the
Observer and Diagnoser. As the name insets Observer will observe the operations or
mechanism take place while working where as Diagnoser will analysis overall security model.
Security Adaptor is a special object that can be plugged to an existing class or function to
change its behavior and control whether the Model is secured based on the specification and
requirements. The Model Driver will drive a specific model for the consumer requirement and
give the model as input to Security wrapper. Security Wrapper is an adapter program that
converts plain XML exchanges to and from SOAP with WS-Security. It's designed to be used
by applications which need access to secure Web services but do not have full SOAP
10. International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
40
implementations available. The Wrapper serves as an intermediary for the application, adding
SOAP and WS-Security to their input messages for submission to the service, then verifying
the WS-Security on the response and sending the actual response message data back to the
application. Service Integration is used to integrate the Add-on service, Security Services and
Client Interface to the consumer dynamically in order not to take much effect. Redeployment
does in two ways Run Time Manager and Exception Handler. Run time Manager will run the
security model along with the business services dynamically where as the exception handler
will look after the bugs and error in the service. The final step is the Service invocation is done
based on the request of the consumer by the service invoker.
7.1 ALGORITHM
i. Get Service Request
R=(WSreq,Sreq)
ii. Get Security Requirement
Sreq=(Smethod,Spolicy,Context)
iii. Analyzer Security Requirement
Compare [Sreq=(Smethod,Spolicy,Context), (Smodel,Spolicy,Sspec)]
iv. Find Service & service Profile
wsx=Lookup(Registry[ws1,ws2,ws3,…..wsn])
ServiceDiscription(wsx)= Match(ws_profile,wsdl_repository)
v. Extract Service Functional
Wsx=Extract[wsx(businesslogic,systemlogic,securitylogic)]
vi. Call Security Analyzer
Compare [Sreq=(Smethod,Spolicy,Context), (Smodel,Spolicy,Sspec)]
ServiceDiscription(wsx)= Match(ws_profile,wsdl_repository)
Wsx=Extract[wsx(businesslogic,systemlogic,securitylogic)]
vii. Choose Security Model-ensure security Policy
Select(Smodels,Sploicy)
viii. Generate security specification
Sspec=wsx[Smodel,Sschema,context]
11. International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
41
Sschema=[Spropery,SAlg]
ix. Import Schema to SLA
SLA={BusinessAgreement,Sspec}
x. Call SLA Planner
Get(Sschema,Sspec,Sreq)
Wsx= Match(Sspec,Sreq)
xi. Recommend Security models
Set(Sspec,Smodels)
Set Sservice
xii. Customize Security service
Wsx=customize(Sservice,Sspec,Smodels)
xiii. Call Observer
Validate(Sservice,Sreq,Sspec)
xiv. Audit & confirm the SLA
Record(Sservice,Sreq,Sspec)
xv. Invoke Security Adaptor
Call Sservice,wsx
Generate proxy[Sservice]
xvi. Call Service Integration
Add-on[wsx,Sservice]
xvii. Verify Integration Policy
Compose[Ws1,Sreq] where Spolicy=true
xviii. Call Add-on Service, Proxy & Wrapper and client Interface
xix. Evaluate Security Assessment & Verification
xx. Generate Audit Report
12. International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
42
8. CONCLUSION
In this paper, we proposed a model driven security assessment and verification for
business service. The Security Assessment and Verification verifies whether the Application
and Services are secure based on the Service Level Agreement and generates the report on the
level of security features. We also proposed a security model that verifies confidentiality,
integrity, authentication, authorization and auditing. It is designed to help business owners,
operators and staff to assess the security of their business. It covers potential areas of
vulnerability, and provides suggestions for adapting your security to reduce the risk of crime
against your business.
9. REFERENCES
[1]Christian Wolter, Michael Menzel, Andreas Schaad, Philip Miseldine and ChristophMeinel,
“Model-driven business process security requirement specification”, (ELSEVIER) Journal of
Systems Architecture 55, (2009) 211-223.
[2] N. Nagaratnam, A. Nadalin, M. Hondo, M. McIntosh, P. Austel, “Business-driven
application security: from modeling to managing secure applications”, IBM Syst. J. 44 (4)
(2005).
[3] Alfonso Rodríguez, Eduardo Fernández-Medina, Mario Piattini, “Towards a UML 2.0
extension for the modeling of security requirements in business processes”, in: TrustBus, 2006,
pp. 51–61
[4] ShaziaWasimSadiq, Guido Governatori, KioumarsNamiri,” Modeling control objectives for
business process compliance”, in: BPM, 2007, pp. 149–164.
[5] Michiaki Tatsubori, Takeshi Imamura, Yuhichi Nakamura,” Best-practice patterns and tool
support for configuring secure web services messaging”, in: ICWS, IEEE Computer Society,
2004. pp. 244–251
[6] Dong Huang, “Semantic Policy-based security framework for business processes”, in:
Proceedings of the Semantic Web and Policy Workshop, 2005.
[7]Tom Goovaerts, Bart De Win, and WouterJoosen, A Flexible Architecture for Enforcing
andComposing Policies in a Service-OrientedEnvironment, IFIP International Federation for
Information Processing 2007, pp. 253–266.
[8]Carlos Gutiérrez , David G. Rosado and Eduardo Fernández-Medina, “The practical
application of a process for eliciting and designing securityin web service systems”,
Information and Software Technology 51 (2009) 1712–1738.
[9] Qi Li, Xinwen Zhang, MingweiXu and Jianping Wu,“Towards secure dynamic
collaborations withgroup-based RBAC model”, Computers & Security 28 (2009) 260-275.
[10] Jian Cao,JinjunChen, HaiyanZhao and MingluLi, “A policy-
basedauthorizationmodelforworkflow-enabled dynamic processmanagement”, Journal of
Network and Computer Applications 32 (2009) 412– 422.
[11]David Basin, Jürgen Doser and TorstenLodderstedt, ”Model Driven Security for
ProcessOrientedSystems”, SACMAT’03, June 2003, Italy.
13. International Journal on Web Service Computing (IJWSC), Vol.1, No.2, December 2010
43
Authors
Thirumaran.M, working as Asst.Professor in Pondicherry Engineering
College, Pondicherry, India, one of India’s premier institutions providing high quality
education and a great platform for research. He pursued his B.Tech and M.Tech in
Computer Science and Engineering from the Pondicherry University. The author is
specialized in Web Services and Business Object Model and possesses a very profound
knowledge in the same. He has worked on evaluating web services based on various QoS criterias,
establishing the Business Object Model and Business Logic System with respect to Web Service
Computation, Web Service Composition and Web Service Customization. His flair for research has made
him explore deep in this domain and he has published more than 20 papers in various International
Conferences, Journals and Magazines. Currently he is working on developing a model for Business
Logic Systems for various E-Commerce systems.
Dr. P.Dhavachelvan is working as Professor, Department of Computer Science,
Pondicherry University, India. He has obtained his M.E. and Ph.D. in the field of
Computer Science and Engineering in Anna University, Chennai, India. He is having
around a decade of experience as an academician and his research areas include Software
Engineering and Standards, Software Agents and Distributed Systems. He has published
around 50 research papers in National and International Journals and Conferences. He is
heading two research groups working towards to develop the standards for Attributes Specific SDLC
Models & Design of Business Object Model and Evaluation of Web Services.
S.Abarna is pursuing second year M.Tech in Information Security Department
of Computer Science and Engineering in Pondicherry Engineeringllege, Puducherry,
India. She received her B.Tech degree in Information Technology from Pondicherry
university in the year 2008. She is currently working in the area of Web services.
The name of the author is Thanigaivel. K, studying in Pondicherry Engineering
College, Pondicherry, India. He received his B.Tech degree in Computer Science and
Engineering from the Pondicherry University in the year 2009. He currently pursuing
M.Tech., degree in Computer Science and Engineering at Pondicherry University and he
is currently working in the area of Web services.