Similar Literature
20 similar documents found (search time 453 ms)
1.
ABSTRACT

To paraphrase Calvin Coolidge, the business of the Internet is business.[1] The more business done on the Internet, the more need for regulation of that business. Many of the existing government and industry regulations deal with security measures, and for that reason it's more important than ever to secure your company's IT infrastructure, no matter how large or small your company. Even if for some reason you're not subject to regulations, it's still a very good idea to secure your assets as if you were. At some point, your status might change, and besides, nobody wants to be hacked.

[1] Coolidge, C. (1925, January 17). The press under a free government. Given before the American Society of Newspaper Editors in Washington, DC. The quote is actually "After all, the chief business of the American people is business."

2.
ABSTRACT

It is becoming clear that the underground hacking industry as a whole (not just individual hackers) is continually gaining ground despite the best efforts of the information security industry. It seems the latter should have an overwhelming advantage, as a multibillion dollar industry staffed with hundreds of thousands of security professionals. However, the efforts of the information security industry are almost always reactive, and in most cases amount to losing ground on the defensive. The unfortunate and seldom acknowledged truth is that the underground hacking industry is always one step ahead. Why are we so slow to respond when all evidence indicates that such delays lead to enormous business losses? Is it possible that the fundamental way our information system security is organized has some inherent deficiencies which prevent us from mounting an effective defense?

Today's losses are becoming too great to say that we are just in need of some evolutionary improvements. Instead, we need to reevaluate the way we go about security business as a whole. In this article, we consider various processes common to both information systems and information system security based on both well-known cases and personal experience. This is our initial attempt to analyze how information system security is organized and to suggest some core changes to its processes.

3.
ABSTRACT

Business security and threat actors continue to play a dangerous cat-and-mouse game, with businesses' intellectual property, customer data, and business reputations at stake. Businesses need to delve into a new way of doing business security to break out of this game. Businesses are sitting on repositories full of security-relevant data that is not being capitalized upon by the current information security and physical security organizations within businesses. This article proposes the introduction of a data scientist role and a new supporting central data correlation technology platform based on big data predictive analytics into business security functions. The goal is to intelligently and autonomously identify, correlate and pinpoint normally innocuous or unnoticed security event attributes to allow security personnel to preemptively remediate physical and information risks before exploitation or loss of intellectual property occurs.

4.
Abstract

Because end users are often the weakest link in a security chain, students need to practice security controls properly to improve information security on campus. This study surveyed undergraduate students in a business college to investigate their understanding and attitudes toward information security. Survey findings show that college students understand most information security topics suggested by National Institute of Standards and Technology (NIST) Special Report 800-50. Universities should provide easily accessible security training programs for students. Practical suggestions are provided to encourage students to participate in security training to enhance their security awareness level.

5.
Abstract

Planning and implementing a data communications network is a complex task involving organizational as well as technical issues. The network design process must be integrated with the organization's business goals and strategies. Because network planning, implementation, and maintenance require skills not usually found in a batch-oriented DP environment, training is critical.

6.
Context: A distributed business process is executed in a distributed computing environment. The service-oriented architecture (SOA) paradigm is a popular option for the integration of software services and execution of distributed business processes. Entailment constraints, such as mutual exclusion and binding constraints, are important means to control process execution. Mutually exclusive tasks result from the division of powerful rights and responsibilities to prevent fraud and abuse. In contrast, binding constraints define that a subject who performed one task must also perform the corresponding bound task(s).

Objective: We aim to provide a model-driven approach for the specification and enforcement of task-based entailment constraints in distributed service-based business processes.

Method: Based on a generic metamodel, we define a domain-specific language (DSL) that maps the different modeling-level artifacts to the implementation level. The DSL integrates elements from role-based access control (RBAC) with the tasks that are performed in a business process. Process definitions are annotated using the DSL, and our software platform uses automated model transformations to produce executable WS-BPEL specifications which enforce the entailment constraints. We evaluate the impact of constraint enforcement on runtime performance for five selected service-based processes from existing literature.

Results: Our evaluation demonstrates that the approach correctly enforces task-based entailment constraints at runtime. The performance experiments illustrate that the runtime enforcement operates with an overhead that scales well up to the order of several tens of thousands of logged invocations. Using our DSL annotations, the user-defined process definition remains declarative and free of security enforcement code.

Conclusion: Our approach decouples the concerns of (non-technical) domain experts from the technical details of entailment constraint enforcement. The developed framework integrates seamlessly with WS-BPEL and the Web services technology stack. Our prototype implementation shows the feasibility of the approach, and the evaluation points to future work and further performance optimizations.

7.
ABSTRACT

The transmission and storage of information in digital form coupled with the widespread proliferation of networked computers has created new issues for policy. An indispensable business tool and knowledge-sharing device, the networked computer is not without vulnerability, including the disruption of service and the theft, manipulation, and destruction of electronic data. This paper seeks to identify frame analysis of the security of information resources. A historical review of security issues presented by electronic communication since the inception of the telegraph is conducted so as to produce salient points for study regarding the security of more recently developed computer networks. The authors aim to inform the blossoming area of study falling under the label information security with a primer on the key pieces of what may be considered a theory of digital statecraft, drawing back to the nineteenth century.

8.
ABSTRACT

Business impact analysis (BIA) is an important process that probes into business processes to determine and list the critical processes that are vital to keep the business going. It is necessary to understand business environments, gather data and information, identify the critical processes needed to carry out vital business operations, and finally prepare a BIA report listing your findings to be submitted to top management. Internal and external environments, and the risks that impact the financial position as well as the goodwill of the organization, must be considered. The effectiveness of the business impact analysis is reflected by the management's commitment of people and technological resources to mitigate the risks to business continuity projected by your findings. Buy-in is important to make the Business Continuity Management System efficient and sustainable by providing funding and setting up a system for management oversight on a continuous basis.

9.
Abstract

Record-high transportation costs and unprecedented travel difficulties are driving up the expenses and uncertainties associated with use of an outside sales team. As a result, sales managers operating in today's high-cost and high-risk environment need to invest in sophisticated data analytics to support inside sales teams that do not travel. This paper describes how predictive analytics, data mining, and other business intelligence tools help inside sales teams to effectively manage their costs and generate sales.

10.
Economic globalization leads to complex decentralized company structures calling for the extensive use of distributed IT systems. The business processes of a company have to reflect these changes of infrastructure. In particular, due to new electronic applications and the inclusion of a higher number of (potentially unknown) persons, the business processes are more vulnerable to malicious attacks than traditional processes. Thus, a business should undergo a security analysis. Here, the vulnerabilities of the business process are recognized, the risks resulting from the vulnerabilities are calculated, and suitable safeguards reducing the vulnerabilities are selected. Unfortunately, a security analysis tends to be complex and requires expensive security expert support. In order to reduce the expense and to enable domain experts with in-depth insight into business processes but with limited knowledge about security to develop secure business processes, we developed the framework MoSSBP, facilitating the handling of business process security requirements from their specification to their realization. In particular, MoSSBP provides graphical concepts to specify security requirements, repositories of various mechanisms enforcing the security requirements, and a collection of reference models and case studies enabling the modification of the business processes. In this paper, the MoSSBP framework is presented. Additionally, we introduce a tool supporting the MoSSBP-related security analysis of business processes and the incorporation of safeguards. This tool is based on object-oriented process models and operates with graph rewrite systems. Finally, we clarify the application of the MoSSBP framework by means of a business process for tender handling which is provided with anonymity-preserving safeguards.

Peter Herrmann studied computer science at the University of Karlsruhe, Germany (diploma in 1990). Afterwards, he worked as a Ph.D. student (doctorate in 1997) and postdoctoral researcher in the Computer Networks and Distributed Systems Group of the Computer Science Department at the University of Dortmund, Germany. Since 2005 he has been a full professor for formal methods at the Department for Telematics of the Norwegian University of Science and Technology (NTNU) in Trondheim, Norway. His research interests include the formal-based development of networked systems and the engineering of distributed services. Moreover, he is interested in security and trust aspects of component-structured distributed software.

Gaby Herrmann studied computer science at the University of Karlsruhe, Germany (diploma in 1991). Afterwards, she worked as a researcher in the Communication Group and the Information Systems Group at the University of Duisburg-Essen (doctorate in 2001, topic: security of business processes). Since 2000 she has worked as executive secretary at the Department of Economics, Business Studies and Computer Sciences at the same university.

11.
Abstract

Ensuring that work practice is compliant with regulations and industrial standards is an increasingly important issue in business systems. Whereas an understanding of control objectives that stem from various legislative, standard and contractual sources may be found at strategic or tactical levels, an assessment of their effective adoption in operational practices is extremely hard. In this paper, we propose a method for assessing the level of compliance in business work practice. The method builds upon business process management platforms, and provides the ability to objectively measure the compliance distance of existing processes within the organization. This in turn empowers process designers and business analysts to quantify the effort required to achieve a compliant process.

12.
Context: Business process models provide a natural way to describe real-world processes to be supported by software-intensive systems. These models can be used to analyze processes in the system-as-is and describe potential improvements for the system-to-be. But how well does a given business process model satisfy its business goals? How can different perspectives be integrated in order to describe an inter-organizational process?

Objective: The aim of the present paper is to link the local and the global perspectives of the inter-organizational business process defined in BPMN 2.0 (Business Process Model and Notation) to KAOS goal models (Keep All Objectives Satisfied). We maintain a separation of concerns between the intentional level captured by the goal model and the organizational level captured by the process model. The paper presents the concept of intentional fragment (a set of flow elements of the process with a common purpose) and assesses its usefulness.

Method: We conducted empirical experiments where the proposed concepts, here the intentional fragments, are validated by users. Our method relies on an iterative improvement process led by users' feedback.

Results: We find that the concept of intentional fragment is useful for (1) analyzing the business process model, (2) reasoning about the relations between the goal model and the business process model, and (3) identifying new goals. In a previous work we focused on BPMN 2.0 collaboration models (local view). This paper extends the previous work by integrating the global view given by choreography models in the approach.

Conclusion: We conclude that the notion of intentional fragment is a useful means to relate business process models and goal models while dealing with their different nature (activity oriented vs. goal oriented). Intentional fragments can also be used to analyze the process model and to infer new goals in an iterative manner.

13.
Against the background of big data, ensuring trustworthy data sharing is a basic requirement of data federation. Blockchain technology, replacing the traditional master-slave architecture, can improve the security of federated learning (FL). However, in existing work, the enormous communication cost and storage consumption generated by model parameter verification and data persistence have become pressing problems in data federation. To address these problems, an efficient decentralized federated learning framework (EDFL) is designed that reduces storage overhead and significantly improves the learning efficiency of FL. First, a consensus mechanism based on proof-of-contribution is proposed, so that the election of block producers is based on historical contribution rather than on a competitive mechanism, which effectively avoids the block generation delay caused by the mining process and alleviates, in an asynchronous manner, the blocking problem in model parameter verification. Second, a role-adaptive incentive algorithm is proposed; because the algorithm is based on the working intensity of nodes and the roles assigned by EDFL, it can motivate legitimate nodes to train models more actively and effectively identify malicious nodes. Furthermore, a blockchain partitioned storage strategy is proposed, so that multiple local reconstruction code blocks can be evenly distributed across the nodes of the network...

14.
Context: The artifact-centric methodology has emerged as a new paradigm to support business process management over the last few years. In this way, business processes are described from the point of view of the artifacts that are manipulated during the process.

Objective: One of the research challenges in this area is the verification of the correctness of this kind of business process model, where the model is formed of various artifacts that interact among themselves.

Method: In this paper, we propose a fully automated approach for verifying the correctness of artifact-centric business process models, taking into account that the state (lifecycle) and the values of each artifact (numerical data described by pre- and postconditions) influence the values and the state of the others. The lifecycles of the artifacts and the numerical data managed are modeled by using the Constraint Programming paradigm, an Artificial Intelligence technique.

Results: Two correctness notions for artifact-centric business process models are distinguished (reachability and weak termination), and novel verification algorithms are developed to check them. The algorithms are complete: neither false positives nor false negatives are generated. Moreover, the algorithms offer precise diagnosis of the detected errors, indicating the execution causing the error where the lifecycle gets stuck.

Conclusion: To the best of our knowledge, this paper presents the first verification approach for artifact-centric business process models that integrates pre- and postconditions, which define the behavior of the services, and numerical data verification when the model is formed of more than one artifact. The approach can detect errors not detectable with other approaches.

15.
ABSTRACT

Insider threats pose significant challenges to any organization. Many solutions have been proposed in the past to detect insider threats. Unfortunately, given the complexity of the problem and the human factors involved, many solutions which have been proposed face strict constraints and limitations when it comes to the working environment. As a result, many past insider threat solutions have in practice failed in their implementations. In this work, we review some of the recent insider threat detection solutions and explore their benefits and limitations. We also discuss insider threat issues for emerging areas such as cloud computing, virtualization, and social networking.

16.
Enterprises are rapidly extending their relatively stable and internally-oriented business processes and applications with loosely-coupled enterprise software services in order to support highly dynamic, cross-organizational business processes. These services are no longer solely based on internal enterprise systems, but often implemented, deployed and executed by diverse, external service providers. The ability to dynamically configure cross-organizational business processes with a mixture of internal and external services imposes new security requirements on existing security models. In this paper, we address the problem of defining and enforcing access control rules for securing service invocations in the context of a business process. For this purpose, we amortize existing role-based access control models that allow for dynamic delegation and retraction of authorizations. Authorizations are assigned on an event-driven basis, implementing a push-based interaction protocol between services. This novel security model is entitled the Event-driven Framework for Service Oriented Computing (EFSOC). In addition, this article presents an experimental prototype that is explored using a realistic case study.

This work has been partially funded by the Netherlands Organization for Scientific Research (NWO) as part of the PRONIR project. Recommended by: Asuman Dogac

17.
Abstract

In order to determine whether videophones are appropriate communication tools for psychometric assessments, we need to determine whether the quality of videophones is adequate to enable this type of assessment or whether it places a burden on the communication. The purpose of this study is to measure the subjective quality of video and audio features of commercially available videophones in the context of a psychometric assessment session. We recruited 52 subjects who used the videophone to participate in a psychometric assessment using the Perceived Stress Scale. After each session, participants filled out the ITU-T P.920 questionnaire that assesses the context-specific quality of the video call. Findings indicate that the overall audio and image quality of the video call was satisfactory and participants perceived the videophones as useful in the context of psychometric assessment. These findings strengthen the call for use of video-mediated communication in home and hospice settings and disease management.

18.
ABSTRACT

Data security is a primary concern for the enterprise moving data to the cloud. This study attempts to match data of different values with different security management strategies from the perspective of the enterprise user. With the help of core ideas on data value evaluation in information lifecycle management, this study extracts usage features and user features from the operating data of the enterprise information system, and applies K-means to cluster the data according to its value. A total of 39,348 logon log records and 120 user records from the information system of a ship-fitting manufacturer in China were collected for an empirical study. The functional modules of the manufacturer's information system are divided into five classes according to their value, which is shown to be reasonable by the discriminant function obtained via discriminant analysis. Differentiated data security management strategies for cloud computing are formulated in a case study with the five types of data to enhance the enterprise's active cloud computing data security defense.

19.
ABSTRACT

The aim of this survey is largely exploratory, namely, to discover patterns and trends in the way that practitioners and academics alike tackle the security awareness issue and to have a better understanding of the reasons why security awareness practice remains an unsolved problem. Open coding analysis was performed on numerous publications (articles, surveys, standards, reports and books). A classification scheme of six categories of concern has emerged from the content analysis (e.g., terminology ambiguity), and the chosen publications were classified based on it. The paper identifies ambiguous aspects of current security awareness approaches, and the proposed classification provides a guide to identify the range of options available to researchers and practitioners when they design their research and practice on information security awareness.

20.
ABSTRACT

This paper addresses the problem of data security and fault tolerance in the Cloud. The application of the proposed model includes organizations, business groups, and establishments where the data are highly confidential and need to be kept in a very secure manner among a number of users. The paper recommends a model to enhance the security measures and a model to increase the fault tolerance capability. To increase the overall security, the security measures need to be followed at the user side. The work is carried out in a multi-cloud environment where the data are encrypted, split, and stored. The storage details are held by the owner in a file that is encrypted, and the key is retained by a set of owners using a secret sharing scheme. The model would continue to work when one of the Cloud Service Providers fails, and another model has been proposed which would work when two Cloud Service Providers go down. The method increases the security and provides improved fault tolerance.
