Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Driven Security Framework for Definition of Security Requirements for SOA Based Applications Authors: Muhammad Qaisar Saleem, Jafreezal Jaafar, and.

Similar presentations


Presentation on theme: "Model Driven Security Framework for Definition of Security Requirements for SOA Based Applications Authors: Muhammad Qaisar Saleem, Jafreezal Jaafar, and."— Presentation transcript:

1 Model Driven Security Framework for Definition of Security Requirements for SOA Based Applications Authors: Muhammad Qaisar Saleem, Jafreezal Jaafar, and Mohd Fadzil Hassan An ICCAIE Publication Presented by Raef Mousheimish

2 Overview Background –Service oriented architecture Web Services –Model Driven Software Development Model Driven Security Current MDS Approaches –Frameworks –Problems Proposed MDS Framework –Case study Conclusion & Future Works References

3 Service Oriented Architecture (SOA) The SOA is the dominant paradigm nowadays when building business application It facilitates the merging of Business IT Domain SOA Functional Business Application

4 Web Services (WSs) When applying the SOA on the Web, WSs are the primary concepts. Business Process = distributed and collaborative WSs Business Process -Organizational assets and resources -Different security infrastructure

5 Model Driven Software Development (MDSD) PIM PSM ISM Modeling Languages:

6 Model Driven Security (MDS) The research community projected the MDSD to the security domain They created the MDS frameworks MDS frameworks are considered an acceptable and an applicable solution to adopt in the SOA Extend the modeling languages to add security concepts to the model The Application model PIM The Application model PIM And the Security Goals

7 Typical MDS illustration 1.Security Goals in the Business Requirement Analysis 2.Security intents when modeling at the PIM level 3.The concrete security configuration at the PSM level

8 CURRENT MDS APPROACHES Hafner et al. [1] Memon et al. [2] Wolter et al. [3]

9 Hafner et al. [1] ISM PSM PIM It’s called SECTEC Security Objectives: Access Rights (Authentication and Authorization) Security Annotation are at the PIM level integrated with the application model Adopt OMG’s MDE approach

10 Memon et al. [2] ISM PSM It’s called SECTTISSIMO Extension for the SECTEC framework Security Objectives: Access Rights (Authentication and Authorization), non- repudiation, right delegation, single sign-on privacy, and auditing. Security Annotation are at the PIM level but in a different sub-layer from the application model Abstract Security Service Model Application model

11 Wolter et al. [3] Detailed discussion about the different abstract security concepts, e.g. confidentiality, auditing, availability… Developed security policy for the all the aforementioned security concepts The first aim of the framework is the secure interaction between objects, and the necessary information to be stored about these interactions A new level of abstraction is introduced. i.e. the Computational independent model (CIM) ISM PSM PIM CIM

12 Problems in the Current MDS Approaches No Sufficient information to generate an enforceable security configuration Security experts and business experts have different understandings on the notion of security, e.g. : –Business experts: just authorization –Security experts: certificate based authorization, four-eyes-principle, break- glass policy…

13 The Proposed MDS framework Business process expert will define the security goals along with the business process modeling The security information must be sufficient for the security expert to: Model security solution for the system Perform some tool- supported transformation to generate the executable artifacts Security Objectives: use identity information and associated rights, information on different forms, service function

14 Case Study: Online Student Information System Collaborating services (Accounting, Registration and examination departments) Security concepts must be represented and annotated with the application model at the PIM level After studying the security requirements of the system, the authors got this model

15 Conclusion & Future Works Conclusions: –The Incorporation of security requirements into early stages of software development will improve the security –Must break the misunderstandings between the business and the security experts Future Works: –Development of a Domain Specific Language (DSL) for the proposed MDS, to help business experts to annotate more semantically the security requirements of a specific domain

16 Critics The authors highlighted the problems of the current approaches but they didn’t resolve it at all –The misunderstandings between domain experts are never addressed – The authors didn’t show how this MDS framework provides sufficient security information: Than the other frameworks To generate a enforceable security configuration They said that they are going to use the BPMN modeling language and they didn’t They use indifferently the two concepts: non-repudiation and availability

17 References 1.Michal Hafner, R.B., Berthold Agreiter, SECTET: an extensible framework for the realization of secure inter- organizational workflows. Emeral Internet Research, 2006. Vol.16 No. 5,2006: p. pp.491-506. 2.Memom, M., M. Hafner, and R. Breu, SECTISSIMO: A Platform-independent Framework for Security Services. MODSEC08 Modeling Security Workshop, 2008. 3.Wolter, C., et al., Model-driven business process security requirement specification. J. Syst. Archit., 2009. 55(4): p. 211-223.

18 THANK YOU Presented by Raef Mousheimish


Download ppt "Model Driven Security Framework for Definition of Security Requirements for SOA Based Applications Authors: Muhammad Qaisar Saleem, Jafreezal Jaafar, and."

Similar presentations


Ads by Google