Fig 1 - uploaded by Matthias Schunter
Service-oriented Assurance

Source publication
Chapter
Full-text available
Flexibility to adapt to changing business needs is a core requirement of today’s enterprises. This is addressed by decomposing business processes into services that can be provided by scalable service-oriented architectures. Service-oriented architectures enable requesters to dynamically discover and use subservices. Today, service selection does n...

Context in source publication

Context 1
... is particularly important in a cross-domain scenario involving different organizations, where the result may be an actual financial recourse. Figure 1 summarizes the use of assurances. We mainly consider the gray component on the left, e.g., a business process. ...

Similar publications

Article
Full-text available
Mohapatra Sanjay, Choudhury Anupam, (2016), Readiness Framework for Business Process Re-engineering, Strategic Change, Volume 25, issue 5, Pp DOI: 10.1002/jsc.2077
Article
Full-text available
In this paper we present an approach and algorithm for selecting the "best" secure architecture for supporting a business process according to a variety of assurance indicators. The key difficulty is to select an architectural design in presence of multiple indicators that might offer alternative notions of minimality. Therefore we must use the not...

Citations

... In addition, the system states (such as established security policies), events, certificates, and other security verification evidence from the third parties are required. The study proved that security properties could be specified and verified objectively in various services using the security-oriented assurance model [26]. ...
... However, security is not considered in the selection of services and sub-services. Therefore, service-oriented assurance is required to assure the security assurances of services as well as assess the security of sub-services [26]. ...
... Operational phase [26]. ...
Article
Full-text available
System security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on the traditional tools, techniques, and procedures may fail to account for new challenges due to poor requirement specifications, static nature, and poor development processes. The common criteria (CC) commonly used for security evaluation and certification process also comes with many limitations and challenges. In this paper, extensive efforts have been made to study the state-of-the-art, limitations and future research directions for security assurance of the ICT and cyber–physical systems (CPS) in a wide range of domains. We conducted a systematic review of requirements, processes, and activities involved in system security assurance including security requirements, security metrics, system and environments and assurance methods. We highlighted the challenges and gaps that have been identified by the existing literature related to system security assurance and corresponding solutions. Finally, we discussed the limitations of the present methods and future research directions.
... Regarding the configuration of security requirements specified through SLA documents, a few proposals exist. Karjoth et al. [29] introduce the concept of Service-Oriented Assurance (SOAS). SOAS adds security providing assurances (an assurance is a statement about the properties of a component or service) as part of the SLA negotiation process. ...
Article
Full-text available
The perception of lack of control over resources deployed in the cloud may represent one of the critical factors for an organization to decide to cloudify or not its own services. The flat security features offered by commercial cloud providers to every customer, from simple practitioners to managers of huge amounts of sensitive data and services, is an additional problem. In recent years, the concept of Security Service Level Agreements (Security SLAs) is assuming a key role for the secure provisioning of cloud resources and services. This paper illustrates how to develop cloud applications that deliver services covered by Security SLAs by means of the services and tools provided by the SPECS framework, developed in the context of the SPECS (Secure Provisioning of Cloud Services based on SLA Management) European Project. The whole (SPECS) application's life cycle is dealt with, in order to give a comprehensive view of the different parties involved and of the processes needed to offer security guarantees on top of cloud services. The discussed development process is exemplified by means of a real-world case study consisting in a cloud application offering a secure web container service.
... On the other hand, to the best of our knowledge, not so much work has been done in the area of configuring security requirements specified through SLA documents. Karjoth et al. [9] introduce the concept of Service-Oriented Assurance (SOAS). SOAS adds security providing assurances (an assurance is a statement about the properties of a component or service) as part of the SLA negotiation process. ...
... Not so much work has been done in the area of configuring security requirements specified through SLA documents. Karjoth et al. [20] introduce the concept of Service-Oriented Assurance (SOAS). SOAS adds security providing assurances (an assurance is a statement about the properties of a component or service) as part of the SLA negotiation process. ...
... To the best of our knowledge not much work has been done in the area of configuring security requirements specified through WS-Agreement documents. Karjoth et al. [18] introduce the concept of Service-Oriented Assurance (SOAS). SOAS is a new paradigm that defines the security as an integral part of service-oriented architectures. ...
Conference Paper
Full-text available
Cloud Computing represents both a technology for using distributed computing infrastructures in a more efficient way, and a business model for renting computing services and resources. It is an opportunity for customers to reduce costs and increase efficiency. Moreover, it gives to small and medium enterprises the possibility of using services and technologies that were prerogative of large ones, by paying only for the used resources and avoiding unnecessary investment. The possibility of dynamically acquiring and using resources and services on the basis of a pay-by-use model implies an incredible flexibility in terms of management, which is otherwise often hard to address. In this paper, we propose an approach to build up SLA-oriented Cloud applications, which enable a Cloud provider to offer service customized on the customer security needing. In particular, by using a Cloud-oriented API derived from the mOSAIC project, the developer can implement security features that can be offered by the Cloud provider within their Service Level Agreement. In particular, we focus on providing an intrusion tolerance service to grant an application service availability even when the host system is under attack.
... To the best of our knowledge not much work has been done in the area of configuring security requirements specified through WS-Agreement documents. Karjoth et al. [16] introduce the concept of Service-Oriented Assurance (SOAS). SOAS is a new paradigm defining security as an integral part of service-oriented architectures. ...
Conference Paper
Full-text available
Cloud Computing is a new computing paradigm. Among the incredible number of challenges in this field two of them are considered of great relevance: Service Level Agreement management and security management. A Service Level Agreement (SLA) is an agreement between a Service Provider and a customer. It aims at offering a simple and clear way to build up an agreement between the final users and the Service Provider in order to establish what is effectively granted in terms of quality. Cloud Computing assumes that everything from hardware to application layers are delegated to the network, accessed in a self-service way and following a pay-per-use business model. In this paper we will try to show how it is possible, using a Cloud-oriented API derived from the mOSAIC project, to build up an SLA-oriented Cloud application, which enables the delivery of security solutions as a service. We will focus on intrusion tolerance solutions, i.e., systems that grant a system maintain a (limited) availability even when a security attack takes place.
... others. These trends have a profound impact on the trust models, security policies, security procedures, and security infrastructure that companies need to develop and maintain [13,14]. Indeed, traditional security research has been concerned with the protection of data such as access control in its classical form [21] or in more sophisticated variants such as history-based [15], usage based [20,8,22], workflow-based [26,6], or purpose-based [1] access control. ...
Article
Advanced methodologies for compliance such as CobiT identify a number of maturity levels that must be reached: first the existence of an infrastructure for the enforcement of security controls; second, the ability to continuously monitor and audit quantifiable indicators for the controls put in place; and third, the ability to react when a policy violation is detected. In this paper, we go further and define a governance and compliance maturity model (GoCoMM) that is process-oriented. As an instance of the highest level of governance and compliance, we suggest a method of goal correlation that provides measurable indicators of security and compliance by systematically refining business processes and regulatory goals. We also introduce a run-time architecture to support this model.
... This requires different security models, policies, infrastructures and trust establishment mechanisms (see e.g. [13,12]). A large part of the WS security standards (WS-Federation, WS-Trust, WS-Security) are geared to solve some of these problems. ...
Conference Paper
Full-text available
The problem of supporting the secure execution of potentially malicious third-party applications has received a considerable amount of attention in the past decade. In this paper we describe a security architecture for Web 2.0 applications that supports the flexible integration of a variety of advanced technologies for such secure execution of applications, including run-time monitoring, static verification and proof-carrying code. The architecture also supports the execution of legacy applications that have not been developed to take advantage of our architecture, though it can provide better performance and additional services for applications that are architecture-aware. A prototype of the proposed architecture has been built that offers substantial security benefits compared to standard (state-of-practice) security architectures, even for legacy applications.
... Rather whole workflows must be orchestrated and run in a decentralized manner. This happens in business-to-business cooperations [12] [16] [10] in mobile environment [3] [9], in grid systems [29], in peer-to-peer networks [5, 20, 30], etc. From a security perspective, outsourcing has a profound impact on the trust models, security policies, security procedures, and security infrastructures that companies need to develop and maintain [19] [18]. One of the major changes over traditional models of access control for workflows [4] [17] [26] is that we can no longer assume that there is a single entity in charge of the enforcements of access control rules. ...
Conference Paper
The workflow of a Virtual Organization is often divided into fragments that are run by different entities having different clearance level or accessibility permissions. Therefore, an important issue is a decomposition of the overall business process into workflow views that can be outsourced to the side of the corresponding contractors. In this paper, we introduce the notion of business process security view and present an algorithm for the automatic derivation of such views from a security specification that may express conditional accessibility based on the actual data flowing across business process. Our solution borrows the idea of virtual views from relational database views. We also discuss an architecture and an implementation for workflow view synchronization.
... The "for" loop (lines 8-21) terminates when all edges of a node are scanned. Inside the loop for each edge there is a comparison at line 9. Also for each $e \in E_c$ and $e \in E_q$ there are comparisons at lines 11 and 16 respectively. ...
... There are few works which deal with negotiation of security indicators between clients and contractors. One of the first works claiming that security requirements must be reflected in the contract is [17]. Casola [7] et. ...
... For each appraisal node the minimal alternative is chosen (lines 17-20). The complexity is at most $O(|Q| \times |C|)$. ...
Conference Paper
Full-text available
In order to provide certified security services we must provide indicators that can measure the level of assurance that a complex business process can offer. Unfortunately the formulation of security indicators is not amenable to efficient algorithms able to evaluate the level of assurance of complex process from its components. In this paper we show an algorithm based on FD-Graphs (a variant of directed hypergraphs) that can be used to compute in polynomial time (i) the overall assurance indicator of a complex business process from its components for arbitrary monotone composition functions, (ii) the subpart of the business process that is responsible for such assurance indicator (i.e. the best security alternative).