Similar literature
Found 20 similar documents; search took 31 ms
1.
The protection of financial information has always been critical to success in banking. Security has become much more visible now that the automation and interconnection of banking processes is becoming widespread. Most financial institutions are moving towards international systems interworking, eventually using products based on the Open Systems Interconnection model. Thus, it is essential that basic security services be incorporated into the OSI architecture. This paper reviews security needs for banking communications, surveys on-going standardization work in TC68 (Banking) and TC97/SC21, and concludes that the planned security services in OSI should satisfy banking requirements if completed quickly.

2.
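Traditional MLS policies focus on protecting information confidentiality but seldom consider integrity, and cannot effectively enforce channel control policies; the trusted subjects used to handle information flow between different security levels also pose security risks. Meanwhile, the diversity of application environments leads to diverse security requirements, whereas current security models each focus on only one or a few of them. The hybrid multi-policy model presented in this paper, the MPVSM model, organically combines the attributes and functions of security models such as BLP, Biba, DTE and RBAC, eliminates the defects of the MLS model, improves channel control capability and the flexibility of permission assignment, strongly controls and constrains the privileges of trusted subjects, and provides a framework for implementing multiple security policy views. The paper gives a description and formal system of the MPVSM model, along with configuration examples for several typical policies.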

3.
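Chain-of-trust testing for trusted computing platforms based on labeled transition systems   Total citations: 6, self-citations: 1, citations by others: 5
Trusted computing is one of the major trends in information security worldwide today. Under relevant national regulations, information security products must undergo evaluation and certification, yet research on the theory and techniques of trusted computing testing, both in China and abroad, is still far from complete, and no corresponding testing tools or systems exist, which inevitably hampers the development of trusted computing. Focusing on the behavioural characteristics of the chain of trust as defined in the specification, this paper uses process algebra as the tool for describing denotational semantics and labeled transition systems as the operational semantics to formally describe those characteristics, and proposes a chain-of-trust testing model framework based on labeled transition systems. Addressing the issues between the chain-of-trust specification and its implementation, the test set is effectively reduced from the standpoint of testability; the relationship between the chain of trust's specification implementation and specification description is also demonstrated, providing a theoretical basis for test case construction methods and thereby solving the difficult problem of chain-of-trust testing.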

4.
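Security is one of the main factors hindering the adoption of cloud computing. At present, the major cloud service providers worldwide have established cloud platform security policies, and governments attach great importance to cloud security. To secure government use of cloud computing, the United States has issued a federal cloud computing security strategy, accelerated the development of standards that specify cloud security control requirements, and implemented the Federal Risk and Authorization Management Program. In recent years, China's government and industry have paid increasing attention to cloud computing applications, and ensuring cloud security has become ever more important. Based on an analysis of cloud security problems, the security policies and mechanisms of cloud service providers, and US practices for securing government cloud adoption, this paper puts forward recommendations for ensuring cloud security in China, including issuing guiding policies for cloud computing applications, accelerating the establishment of a cloud security standards system, and strengthening the security management of cloud service providers.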

5.
It is envisaged that in future mobile ubiquitous environments, users will be able to seamlessly, search, access and consume a rich offering of services and content from an array of Service/Content Providers, whilst they are on the move, anytime, anywhere. Unfortunately, this new computing paradigm also brings along new and unique security challenges. Novel security solutions are therefore required. But, in order for appropriate security solutions to be devised, all possible security threats must first be thoroughly analysed, and the corresponding security requirements be identified. In this paper, we examine the security issues germane to a mobile ubiquitous environment. We then suggest some possible solutions which may be employed to address these security issues. Open research issues are also highlighted.

6.
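As cloud computing continues to advance and develop, the security problems it faces are becoming increasingly prominent, particularly regarding the confidentiality, integrity and availability of user data; cloud security has become the foremost obstacle and difficulty in the advancement of cloud computing. From the two levels of cloud application security and system security, the paper identifies the threats to application security and system security in cloud computing and the corresponding basic protection requirements.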

7.
In June 1997 an industry consortium announced that it was working on a mobile extension of the Open Group's Network Computer Reference Profile (NCRP) to address the unique requirements of the many new mobile computing devices. This specification will propose a set of standards for developers deploying a Java based light weight network computing solution for mobile use. It will also include a new set of trimmed down Java APIs to support disconnected operation, secure remote access, manage power requirements, and ensure device adaptivity to different network environments. The Network Computer Reference Specification (NCRS) defined a network computer (NC) as a lightweight, ubiquitous, extensible, secure, and easy to administer system using widely deployed technologies such as HTTP, HTML, and Java to ensure universality. The Mobile Network Computer Reference Specification (MNCRS) extends the concept of a network computer to define a mobile network computer (MNC). The extension will define open standards that specify APIs visible to applications, network protocols, and server interactions. Naturally, these standards will have implications for software developers, original equipment manufacturers, operating system vendors, and service providers. Since the intent is to enable MNCs and servers from various manufacturers to interoperate, the consortium will adopt industry standards wherever possible. Accordingly, ongoing convergence efforts with entities such as the NCRP and the Internet Engineering Task Force are intended to avoid duplication of efforts in overlapping areas such as security, communications, tunneling

8.
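Sun Ling, Tian Yuan, Xing Hongzhi. 《计算机工程》 (Computer Engineering), 2012, 38(15): 114-118
In the IETF's IKEv2 scheme, communication may become impossible during the security association (SA) update that follows offline movement, while the MOBIKE scheme updates SAs inefficiently and cannot resist malicious reflection attacks. To address this, a security management scheme is proposed that improves the SA establishment process, reduces the number of SA renegotiations by the mobile node, and associates the security association with the mobile node's home address. Analysis results show that, compared with MOBIKE, the scheme ensures SA updates under offline movement and offers higher handover efficiency and security.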

9.
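Security research and technical implementation of grid computing   Total citations: 2, self-citations: 0, citations by others: 2
A grid computing environment must use the existing Internet as its communication platform. The openness and heterogeneity of the Internet itself mean that grid computing faces all kinds of security threats, so grid security has become a core issue in grid computing environments. This paper outlines grid security requirements, analyses grid security technologies, and presents the main technical means of grid security based on the Globus project.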

10.
Mobile computing requires an advanced infrastructure that integrates suitable support protocols, mechanisms, and tools. This mobility middleware should dynamically reallocate and trace mobile users and terminals and permit communication and coordination of mobile entities. In addition, open and untrusted environments must overcome system heterogeneity and grant the appropriate security level. Solutions to these issues require compliance with standards to interoperate with different systems and legacy components and a reliable security infrastructure based on standard cryptographic mechanisms and tools. Many proposals suggest using mobile agent technology middleware to address these issues. A mobile agent moves entities in execution together with code and achieved state, making it possible to upgrade distributed computing environments without suspending service. We propose three mobile computing services: user virtual environment (UVE), mobile virtual terminal (MVT), and virtual resource management (VRM). UVE provides users with a uniform view of their working environments independent of current locations and specific terminals. MVT extends traditional terminal mobility by preserving the terminal execution state for restoration at new locations, including active processes and subscribed services. VRM permits mobile users and terminals to maintain access to resources and services by automatically requalifying the bindings and moving specific resources or services to permit load balancing and replication

11.
Lee Craig, Percivall George. Computer, 2008, 41(11): 50-57
Researchers face increasingly large repositories of geospatial data stored in different locations and in various formats. To address this problem, the Open Geospatial Consortium and the Open Grid Forum are collaborating to develop standards for distributed geospatial computing.

12.
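The security framework OASSF is a layered framework proposed on the basis of the security reference model OASSRM. It provides security services for a WAS (Web application server) through various configurable security policies, offering a high degree of flexibility and extensibility for integrating and managing different security mechanisms in the WAS. The framework has been implemented in the OnceAS application server, independently developed by the Institute of Software, Chinese Academy of Sciences.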

13.
ABSTRACT

Organizations normally do not possess a way to communicate those needs back to the rest of an organization. This paper demonstrates that organizations are vigilant to activity within their environment, so this research project will focus on process improvement to better organizations through internal processes. Prior to this project, Company X was unable to communicate and address threats to their organization. Prior to this project, each employee was not trained on security. However, each employee understood the norms and values of company processes on an individual level. Each employee was able to contribute details of security issues as they perceived them to make a comprehensive security model. This Security Working Group (SWG) project describes the steps necessary to create a self-educating, self-perpetuating process that spurns co-generative learning among an entire organization. Security training prepared each employee to be more attentive to risks to potential security issues. The result of this research proves that employees can detect threats in an organization with relatively little training.

14.
There are many security issues in cloud computing service environments, including virtualization, distributed big-data processing, serviceability, traffic management, application security, access control, authentication, and cryptography, among others. In particular, data access using various resources requires an authentication and access control model for integrated management and control in cloud computing environments. Cloud computing services are differentiated according to security policies because of differences in the permitted access right between service providers and users. RBAC (Role-based access control) and C-RBAC (Context-aware RBAC) models do not suggest effective and practical solutions for managers and users based on dynamic access control methods, suggesting a need for a new model of dynamic access control that can address the limitations of cloud computing characteristics. This paper proposes Onto-ACM (ontology-based access control model), a semantic analysis model that can address the difference in the permitted access control between service providers and users. The proposed model is a model of intelligent context-aware access for proactively applying the access level of resource access based on ontology reasoning and semantic analysis method.

15.
16.
The author overviews the international standards developed by SC 27 “IT Security techniques” of the ISO/IEC Joint Technical Committee “Information technologies.” The standards include cryptographic mechanisms, evaluation and testing of products and information systems, countermeasures, and security services. Both published standards and those under development are considered.

17.
Online commerce and communication has long been hampered by fears about consumer security and privacy combined with a lack of standards and high costs for technologies that attempt to address these concerns. To resolve these issues, a new industry-wide collaboration was launched earlier this year. Tasking itself with the development of an open reference architecture by leveraging existing open standards for the universal adoption of strong authentication technology across all networks, the Open Authentication Reference Architecture (OATH) group aims to develop authentication, giving customers the confidence to conduct commerce online.

18.
A recent emerging issue in information technology is the convergence of different kinds of applications. Convergence brings a user-centric environment to provide computing and communication services. In order to realize IT advantages, it requires the integration of security and data management to be suitable for pervasive computing environments. Security convergence refers to the convergence of two historically distinct security functions—physical security and information security—within enterprises; both are integral parts of any coherent risk management program. In this special issue, we have discussed current IT-Converged security issues, security policy and new security services which will lead to successful transfer smart space which is a new paradigm of future.

19.
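《计算机信息系统安全保护等级划分准则》 (Classified Criteria for Security Protection of Computer Information Systems) is the standard that computer security products and systems in China must follow, while CC is a new international common standard; there is currently no domestic precedent to draw on for designing a network security product or system that meets the CC standard. This paper analyses and compares the current state of international and domestic security standards, studies the problem of describing the requirements of China's computer information system security protection levels using the CC standard, and studies the implementation of the security functional requirements of an IPSEC-based VPN.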

20.
In the current business environment, many organizations use popular standards such as the ISO 27000x series, COBIT, and related frameworks to protect themselves against security incidents. However, these standards and frameworks are overly complicated for small to medium-sized enterprises, leaving these organizations with no easy to understand toolkit to address their security needs. This research builds upon the recent Information Security Focus Area Maturity (ISFAM) model for SME information security as a cornerstone in the development of an assessment tool for tailor-made, fast, and easy-to-use information security advice for SMEs. By performing an extensive literature review and evaluating the results with security experts, we propose the Characterizing Organizations’ Information Security for SMEs (CHOISS) model to relate measurable organizational characteristics in four categories through 47 parameters to help SMEs distinguish and prioritize which risks to mitigate.
