
A Solution Model and Tool for Supporting the Negotiation of Security Decisions in E-Business Collaborations
Presented by Ashish Joshi, Master of Business Consulting

Presentation transcript:

Slide 1 (title slide): A Solution Model and Tool for Supporting the Negotiation of Security Decisions in E-Business Collaborations. Presented by Ashish Joshi, Master of Business Consulting.

Slide 2: Security in E-Business
- People are using web services more and more as the enabling technologies mature.
- Security-related questions are increasing too, and e-business has become a driving factor behind many security initiatives.
- An organization faces many security challenges in realizing the full scope of e-business.
- In B2B collaboration, the security of the interactions between the two companies has to be maintained with high priority.
- A good example of this challenge is e-partnering companies, who have to share, compare and negotiate their individual security requirements.
- The ability to negotiate security contracts is a very important aspect of trustworthy and flexible B2B web services interactions.
Sources: "A Solution Model and Tool for Supporting the Negotiation of Security Decisions in E-Business Collaborations", Jason R. C. Nurse and Jane E. Sinclair; "An Evaluation of BOF4WSS and the Security Negotiations Model and Tool used to Support it", Jason R. C. Nurse and Jane E. Sinclair; "A Framework for Web Services Security Policy Negotiations", http://icsa.cs.up.ac.za/issa/2009/Proceedings/Full/36_Paper.pdf

Slide 3: BOF4WSS: Business-Oriented Framework for enhancing Web Services Security for e-Business
- Emphasizes a detailed cross-enterprise development methodology to ensure secured and trusted interactions between two collaborating e-businesses.
- Helps the companies reach agreed security levels and develop the cooperation required to work together.
- Encompasses technologies, processes, policies and strategies to create a multilayered security solution.
- Provides a framework for a security policy negotiation system that can be used to negotiate a security contract.
Source: "An Evaluation of BOF4WSS and the Security Negotiations Model and Tool used to Support it", Jason R. C. Nurse and Jane E. Sinclair

Slide 4: Security Actions and Requirements
- This work focuses specifically on the negotiation of security actions and requirements.
- A security action is defined as any high-level way in which a company handles a risk it faces.
- A security requirement is a high- to medium-level desire to mitigate a risk.
- Companies face problems in the transition from the individually accomplished requirements elicitation stage to the subsequent negotiation stage. These problems include:
  - understanding the other company's security documentation;
  - understanding the motivation behind security actions and requirements;
  - matching and comparing security actions that address the same situation;
  - compiling motivating security actions to apply to the foreseen business scenario.
- The solution model and tool for security negotiation were created with the above difficulties in mind.
- They aim to streamline the negotiation task and ease the transition phase for both companies.
Source: "An Evaluation of BOF4WSS and the Security Negotiations Model and Tool used to Support it", Jason R. C. Nurse and Jane E. Sinclair

Slide 5: BOF4WSS Framework
- The BOF4WSS framework consists of nine phases (diagram on slide).
Source: "An Evaluation of BOF4WSS and the Security Negotiations Model and Tool used to Support it", Jason R. C. Nurse and Jane E. Sinclair

Slide 6: The Requirements Elicitation Phase
- This phase determines the requirements for the expected web service business scenario.
- Each company largely works by itself and analyses its internal business objectives, constraints, relevant laws, security policies and so on.
- It involves gathering relevant knowledge about the process domain and what influences it, then analyzing and modeling the current processes.
- The new processes are then modeled and, finally, the actual requirements are determined.
Source: "An Evaluation of BOF4WSS and the Security Negotiations Model and Tool used to Support it", Jason R. C. Nurse and Jane E. Sinclair

Slide 7: The Negotiation Phase
- Teams consisting of project managers, business and systems analysts, domain experts and IT security professionals from each company meet.
- They bring together their requirements from the requirements elicitation stage for discussion and negotiation.
- These inputs are used to map an agreed path for the business requirements, given the companies' varying expectations towards security.
- Discussion and negotiation cover functional and quality requirements as well as security actions and requirements.
Source: "An Evaluation of BOF4WSS and the Security Negotiations Model and Tool used to Support it", Jason R. C. Nurse and Jane E. Sinclair

Slide 8: The Agreements Phase
- A legal contract is made between the companies to cement the understanding of the requirements.
- It is followed by a construct called the Interaction Security Strategy (ISS).
- The ISS defines high-level, cross-enterprise security directives to guide the interaction.
Source: "An Evaluation of BOF4WSS and the Security Negotiations Model and Tool used to Support it", Jason R. C. Nurse and Jane E. Sinclair

Slide 9: The Analysis/Architectural Phase
- This phase aims at defining the conceptual business process model for the interactions.
- It creates a blueprint for the high- to medium-level process flow and the respective security architectures.
Source: "An Evaluation of BOF4WSS and the Security Negotiations Model and Tool used to Support it", Jason R. C. Nurse and Jane E. Sinclair

Slide 10: The Agreements Phase (second agreement)
- BOF4WSS advises another agreement for a more intensive legal contract.
- It records the detailed requirements and expectations of the companies involved.
- Workflow model of the agreements phase (diagram on slide).
Source: "An Evaluation of BOF4WSS and the Security Negotiations Model and Tool used to Support it", Jason R. C. Nurse and Jane E. Sinclair

Slide 11: The Systems Design Phase
- The design phase aims to refine the conceptual model from the architectural phase.
- It identifies the relevant WS standards.
- It performs a trade-off analysis of their use and applies the standards where appropriate.
Source: "An Evaluation of BOF4WSS and the Security Negotiations Model and Tool used to Support it", Jason R. C. Nurse and Jane E. Sinclair

Slide 12: The Agreements (for QoS) Phase
- This agreements phase focuses on agreements at the quality-of-service level.
- The agreement specifies the mutual understanding of the priorities, responsibilities and guarantees expected by each business.
Source: "An Evaluation of BOF4WSS and the Security Negotiations Model and Tool used to Support it", Jason R. C. Nurse and Jane E. Sinclair

Slide 13: The Development & Testing Phase
- In this phase the actual development, implementation, deployment and testing of the services and systems is carried out.
- It is carried out by the companies individually; however, joint interactions are welcomed for testing and for verifying the systems against the previously established requirements.
Source: "An Evaluation of BOF4WSS and the Security Negotiations Model and Tool used to Support it", Jason R. C. Nurse and Jane E. Sinclair

Slide 14: The Maintenance Phase
- After the development of the multilayered security solution, its upkeep and maintenance becomes the crucial task.
- This phase involves functional enhancement and also the continued updating and enforcement of security measures, both in the developed systems and in the ISS.
Source: "An Evaluation of BOF4WSS and the Security Negotiations Model and Tool used to Support it", Jason R. C. Nurse and Jane E. Sinclair

Slide 15: Supporting BOF4WSS and the Transition Between Its Phases: The Stage Transition Problem
- The stage transition problem was analysed by interviewing security professionals.
- The analysis relates to the problems faced by companies using the BOF4WSS framework between the requirements elicitation and negotiation stages.
- Three main aspects were concluded from this analysis:
  1. Understanding the other company's security actions document before the negotiation can take place. This problem relates to semantic issues.
  2. Understanding the motivation behind the other company's security actions and requirements, to determine exactly why that security desire existed.
  3. Comparing the companies' security actions and requirements, to match the implicit or explicit security actions of the companies that targeted the same situations and risks.
Source: "A Solution Model and Tool for Supporting the Negotiation of Security Decisions in E-Business Collaborations", Jason R. C. Nurse and Jane E. Sinclair

Slide 16: The Solution Model
- Security action analysis: an in-depth analysis of security actions and requirements, particularly in the risk management field, to derive critical factors such as the motivation behind a security action.
- Ontology design: provides a common understanding of security actions and risk management, based on the security action analysis.
- Formal language: used at the end of requirements elicitation to allow automation, so that the encoded data can be processed by machine. An XML-based language is preferred for the language definition.
- Risk catalogue: an updatable, extensive listing of security risks that companies can use as a common input to their risk management processes.
Source: "A Solution Model and Tool for Supporting the Negotiation of Security Decisions in E-Business Collaborations", Jason R. C. Nurse and Jane E. Sinclair

Slide 17: Security Action Specification and Comparison System (SASaCS)
- SASaCS is the software implementation of the solution model.
- It contains the necessary elements for the presentation, sharing, comparison and negotiation of security actions between companies in B2B web services.
- After the companies complete their risk management activities and have compiled their individual security actions, the compiled data is transferred to the SASaCS tool.
- The three features of this system are:
  1. the data entry interface;
  2. the comparison system report output;
  3. the encoding system (XML language).
Source: "A Solution Model and Tool for Supporting the Negotiation of Security Decisions in E-Business Collaborations", Jason R. C. Nurse and Jane E. Sinclair

Slide 18: Security Action Specification and Comparison System (SASaCS)
- Security action data entry, assuming two companies, Supplier and Buyer (screenshot on slide).
Source: "A Solution Model and Tool for Supporting the Negotiation of Security Decisions in E-Business Collaborations", Jason R. C. Nurse and Jane E. Sinclair

Slide 19: Security Action Report Output
- (Screenshot of the comparison report on slide.)
Source: "A Solution Model and Tool for Supporting the Negotiation of Security Decisions in E-Business Collaborations", Jason R. C. Nurse and Jane E. Sinclair

Slide 20: The Language
- The data is encoded using an XML-based language.
- XML is a markup language used to encode data in a format that is readable by both machines and humans.
- In this case the language is called the Security Actions Definitions Markup Language (SADML).
- The language was structured to represent the information captured in the ontology.
- SADML fragment shown on the slide (markup lost in extraction; only the text content survives): "Risk action for auditing/logging...", "Auditing/logging of interactions...", "SOX Act was key to this mitigation decision based on..."
Source: "A Solution Model and Tool for Supporting the Negotiation of Security Decisions in E-Business Collaborations", Jason R. C. Nurse and Jane E. Sinclair
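As an added illustration of the comparison step that slides 17 to 20 describe (this is not the authors' SASaCS code, and the element names are a hypothetical layout, not the published SADML schema), two constructed security-action listings for a Supplier and a Buyer are aligned on a shared risk-catalogue reference, the role the solution model's common risk catalogue plays, so that each matched pair shows both actions together with the motivation behind them.

```python
import xml.etree.ElementTree as ET

# Constructed sample input. The element names (securityAction, risk, action,
# motivation, catalogueRef) are a hypothetical layout that approximates the
# information the slides say SADML captures; they are not the real SADML schema.
SUPPLIER_XML = """<securityActions company="Supplier">
  <securityAction id="S1">
    <risk catalogueRef="R-07">Repudiation of order transactions</risk>
    <action>Audit and log all interactions</action>
    <motivation type="law">SOX Act</motivation>
  </securityAction>
  <securityAction id="S2">
    <risk catalogueRef="R-12">Tampering with order messages in transit</risk>
    <action>Sign every SOAP message</action>
    <motivation type="policy">Corporate integrity policy</motivation>
  </securityAction>
</securityActions>"""

BUYER_XML = """<securityActions company="Buyer">
  <securityAction id="B1">
    <risk catalogueRef="R-07">Disputed transactions</risk>
    <action>Retain transaction logs for seven years</action>
    <motivation type="regulation">Financial record-keeping rules</motivation>
  </securityAction>
  <securityAction id="B2">
    <risk catalogueRef="R-03">Eavesdropping on price quotes</risk>
    <action>Encrypt message bodies</action>
    <motivation type="budget">Cheapest option within security budget</motivation>
  </securityAction>
</securityActions>"""

def parse_actions(xml_text):
    """Map each shared risk-catalogue reference to (action, motivation, type)."""
    actions = {}
    for sa in ET.fromstring(xml_text).iter("securityAction"):
        risk, mot = sa.find("risk"), sa.find("motivation")
        actions[risk.get("catalogueRef")] = (
            sa.findtext("action"), mot.text, mot.get("type"))
    return actions

def compare_actions(supplier_xml, buyer_xml):
    """Align the two listings on the common risk catalogue: risks both sides
    treat are paired with each side's action and stated motivation, so the
    negotiators see why a partner chose an action; the rest are one-sided."""
    supplier, buyer = parse_actions(supplier_xml), parse_actions(buyer_xml)
    return {
        "matched": {r: {"Supplier": supplier[r], "Buyer": buyer[r]}
                    for r in sorted(supplier.keys() & buyer.keys())},
        "supplier_only": sorted(supplier.keys() - buyer.keys()),
        "buyer_only": sorted(buyer.keys() - supplier.keys()),
    }
```

Two differently worded risks (repudiation vs. disputed transactions) are matched because both reference catalogue entry R-07, which is the semantic alignment the slides say the companies otherwise struggle to do by hand.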

Slide 21: Evaluation
- The first area of investigation was whether the BOF4WSS framework is an applicable, practical proposal that would enhance security and trust between the organizations.
- The second was whether the solution model and tool provide a viable solution to support the transition between the requirements elicitation and negotiation phases.
- The third was the compatibility of SASaCS and the ontology with existing risk management approaches, and an assessment of the use of SASaCS in the negotiation process under the BOF4WSS framework.
- For the first two investigations a qualitative research strategy was chosen: digitally recorded, semi-structured interviews were used to gather insightful data for the analysis. The interviewees were experienced security professionals.
- To evaluate compatibility, two risk management approaches were chosen: CORAS and EBIOS.
- CORAS is a method for conducting a security risk analysis and provides a customized language.
- EBIOS is a methodological approach that provides a consistent view of information system security.
Sources: "A Solution Model and Tool for Supporting the Negotiation of Security Decisions in E-Business Collaborations", Jason R. C. Nurse and Jane E. Sinclair; "An Evaluation of BOF4WSS and the Security Negotiations Model and Tool used to Support it", Jason R. C. Nurse and Jane E. Sinclair

Slide 22: Findings and Conclusion: Framework Analysis
- With the help of this framework, companies consider all the relevant factors.
- It helps an inexperienced person and creates a level of visibility and the ability to audit.
- Interviewees gave positive feedback on the matter of trust.
- The framework gets the companies together to interact, collaborate, and discuss and plan interaction security.
- BOF4WSS would be beneficial for small and medium-sized companies seeking to build long-term partnerships.
- The framework's detailed guidance would be quite useful where there is a lack of expertise and experience.
Source: "An Evaluation of BOF4WSS and the Security Negotiations Model and Tool used to Support it", Jason R. C. Nurse and Jane E. Sinclair

Slide 23: Findings and Conclusion: Solution Model Analysis
- The professionals interviewed regarded the transition problems as severe and viewed them as serious issues in projects.
- Companies are not aware of the motivation behind the other party's security actions, and negotiators are often inexperienced in the negotiation process.
- The model enhances trust and the existing relationship, since the companies are required to share detailed information on related risks and security actions.
- Experienced security professionals supported the viability of the solution model in aiding the transition between the requirements elicitation and negotiation phases of BOF4WSS.
Source: "An Evaluation of BOF4WSS and the Security Negotiations Model and Tool used to Support it", Jason R. C. Nurse and Jane E. Sinclair

Slide 24: Findings and Conclusion: Analysis of the SASaCS Software
- SASaCS proved to be a compatible solution, since it was able to capture most of the information output from CORAS and EBIOS.
- The core concepts such as risks, security, security actions, risk treatment and security requirements were covered.
- In the ontology, and therefore in SASaCS, it was concluded from the investigation that security actions primarily originate to handle risks. This was disproved by EBIOS, where a security action can be created to directly address constraints, regulations, or security rules and policies.
- In the ontology and tool, laws and regulations, security and business policies, and security budgets were defined as the prime factors motivating a risk treatment. The mapping evaluation, however, showed that there were various other aspects that influenced, and by themselves led to, the creation of security actions.
Source: "A Solution Model and Tool for Supporting the Negotiation of Security Decisions in E-Business Collaborations", Jason R. C. Nurse and Jane E. Sinclair

Slide 25: Presented by Ashish Joshi, Master of Business Consulting. Thanks for your kind attention.
