Secure collaboration in onboarding

The process of onboarding a company is characterized by inter-enterprise collaboration between the acquiring and the acquired companies. Multiple cross-functional teams are formed to assimilate and integrate the processes, products, data, customers, and partners of the company under acquisition. Dynamic access control management in such inter-enterprise collaboration is the subject of this thesis. A problem in inter-enterprise collaboration in onboarding is that information assets shared by collaborating teams are not adequately protected. As a result, there is potential for accidental or malicious leakage of sensitive business information like the intellectual property, product roadmaps and strategy, customer lists etc. Also, the statically defined access control policies are not sufficient to address access control requirements of dynamic collaboration where there is a constant change in people, processes, and information assets in collaboration repository. This research proposes a new approach and model to integrate security in onboarding collaboration process. Research methods such as, literature review, field studies including direct experiential projects in onboarding and interviews with experts in Mergers and Acquisitions, and detailed data collection and analysis through surveys are used to identify the issues that need to be addressed in the onboarding process. Literature review enabled the identification of access control requirements from the perspective of statically defined policies and the need to determine access dynamically. From the field studies, it was deciphered that there is a need for a well-defined onboarding collaboration process. The data analysis and interpretation from the survey results provided insights into the needs for integrating security in all phases of onboarding collaboration. All these research methods essentially enabled identification of two key issues that this research addresses: 1) well-defined onboarding collaboration process and 2) building security in all phases of onboarding collaboration. A new approach and model called SCODA is developed to integrate security in all phases of onboarding collaboration. Onboarding collaboration process consists of four phases: create, operate, dissolve, and archive. These phases provide the basis for systematically addressing security and access control when the collaboration team is formed, while it is operating, when the team is dissolved after completing its tasks, and when shared information assets are archived. The research adapts role based access control (RBAC) and formally defines the enterprise, functional, and collaboration roles for making access control management decisions. New ideas are developed in trustbased access control management in dynamic collaboration. The change management aspects are also discussed. The SCODA model is validated and the refinements incorporated accordingly. This research contributed to both theory and practice of information security in general and access control in particular in the context of dynamic collaboration. It proposed a new approach of building security in, i.e. to integrate security in all phases of collaboration. In order to build security in, a new onboarding collaboration process is developed that is adaptable and customizable. It has also developed a new approach for trust based dynamic access control based on the new concepts of strong and weak trust relationships. These trust relationships are also adaptable and customizable. Finally, this research has potential for future research work in the design and implementation of multi-paradigm based enterprise security frameworks and interenterprise collaboration

SensorCloud: Towards the Interdisciplinary Development of a Trustworthy Platform for Globally Interconnected Sensors and Actuators

Although Cloud Computing promises to lower IT costs and increase users' productivity in everyday life, the unattractive aspect of this new technology is that the user no longer owns all the devices which process personal data. To lower scepticism, the project SensorCloud investigates techniques to understand and compensate these adoption barriers in a scenario consisting of cloud applications that utilize sensors and actuators placed in private places. This work provides an interdisciplinary overview of the social and technical core research challenges for the trustworthy integration of sensor and actuator devices with the Cloud Computing paradigm. Most importantly, these challenges include i) ease of development, ii) security and privacy, and iii) social dimensions of a cloud-based system which integrates into private life. When these challenges are tackled in the development of future cloud systems, the attractiveness of new use cases in a sensor-enabled world will considerably be increased for users who currently do not trust the Cloud.Comment: 14 pages, 3 figures, published as technical report of the Department of Computer Science of RWTH Aachen Universit

Securing personal distributed environments

The Personal Distributed Environment (PDE) is a new concept being developed by Mobile VCE allowing future mobile users flexible access to their information and services. Unlike traditional mobile communications, the PDE user no longer needs to establish his or her personal communication link solely through one subscribing network but rather a diversity of disparate devices and access technologies whenever and wherever he or she requires. Depending on the services’ availability and coverage in the location, the PDE communication configuration could be, for instance, via a mobile radio system and a wireless ad hoc network or a digital broadcast system and a fixed telephone network. This new form of communication configuration inherently imposes newer and higher security challenges relating to identity and authorising issues especially when the number of involved entities, accessible network nodes and service providers, builds up. These also include the issue of how the subscribed service and the user’s personal information can be securely and seamlessly handed over via multiple networks, all of which can be changing dynamically. Without such security, users and operators will not be prepared to trust their information to other networks

Towards Identifying and closing Gaps in Assurance of autonomous Road vehicleS - a collection of Technical Notes Part 1

This report provides an introduction and overview of the Technical Topic Notes (TTNs) produced in the Towards Identifying and closing Gaps in Assurance of autonomous Road vehicleS (Tigars) project. These notes aim to support the development and evaluation of autonomous vehicles. Part 1 addresses: Assurance-overview and issues, Resilience and Safety Requirements, Open Systems Perspective and Formal Verification and Static Analysis of ML Systems. Part 2: Simulation and Dynamic Testing, Defence in Depth and Diversity, Security-Informed Safety Analysis, Standards and Guidelines

Secure data sharing and processing in heterogeneous clouds

The extensive cloud adoption among the European Public Sector Players empowered them to own and operate a range of cloud infrastructures. These deployments vary both in the size and capabilities, as well as in the range of employed technologies and processes. The public sector, however, lacks the necessary technology to enable effective, interoperable and secure integration of a multitude of its computing clouds and services. In this work we focus on the federation of private clouds and the approaches that enable secure data sharing and processing among the collaborating infrastructures and services of public entities. We investigate the aspects of access control, data and security policy languages, as well as cryptographic approaches that enable fine-grained security and data processing in semi-trusted environments. We identify the main challenges and frame the future work that serve as an enabler of interoperability among heterogeneous infrastructures and services. Our goal is to enable both security and legal conformance as well as to facilitate transparency, privacy and effectivity of private cloud federations for the public sector needs. © 2015 The Authors

Security for Grid Services

Grid computing is concerned with the sharing and coordinated use of diverse resources in distributed "virtual organizations." The dynamic and multi-institutional nature of these environments introduces challenging security issues that demand new technical approaches. In particular, one must deal with diverse local mechanisms, support dynamic creation of services, and enable dynamic creation of trust domains. We describe how these issues are addressed in two generations of the Globus Toolkit. First, we review the Globus Toolkit version 2 (GT2) approach; then, we describe new approaches developed to support the Globus Toolkit version 3 (GT3) implementation of the Open Grid Services Architecture, an initiative that is recasting Grid concepts within a service oriented framework based on Web services. GT3's security implementation uses Web services security mechanisms for credential exchange and other purposes, and introduces a tight least-privilege model that avoids the need for any privileged network service.Comment: 10 pages; 4 figure

Innovative public governance through cloud computing: Information privacy, business models and performance measurement challenges

Purpose: The purpose of this paper is to identify and analyze challenges and to discuss proposed solutions for innovative public governance through cloud computing. Innovative technologies, such as federation of services and cloud computing, can greatly contribute to the provision of e-government services, through scaleable and flexible systems. Furthermore, they can facilitate in reducing costs and overcoming public information segmentation. Nonetheless, when public agencies use these technologies, they encounter several associated organizational and technical changes, as well as significant challenges. Design/methodology/approach: We followed a multidisciplinary perspective (social, behavioral, business and technical) and conducted a conceptual analysis for analyzing the associated challenges. We conducted focus group interviews in two countries for evaluating the performance models that resulted from the conceptual analysis. Findings: This study identifies and analyzes several challenges that may emerge while adopting innovative technologies for public governance and e-government services. Furthermore, it presents suggested solutions deriving from the experience of designing a related platform for public governance, including issues of privacy requirements, proposed business models and key performance indicators for public services on cloud computing. Research limitations/implications: The challenges and solutions discussed are based on the experience gained by designing one platform. However, we rely on issues and challenges collected from four countries. Practical implications: The identification of challenges for innovative design of e-government services through a central portal in Europe and using service federation is expected to inform practitioners in different roles about significant changes across multiple levels that are implied and may accelerate the challenges' resolution. Originality/value: This is the first study that discusses from multiple perspectives and through empirical investigation the challenges to realize public governance through innovative technologies. The results emerge from an actual portal that will function at a European level. © Emerald Group Publishing Limited

Reve\{a,i\}ling the risks: a phenomenology of information security

In information security research, perceived security usually has a negative meaning, when it is used in contrast to actual security. From a phenomenological perspective, however, perceived security is all we have. In this paper, we develop a phenomenological account of information security, where we distinguish between revealed and reveiled security instead. Linking these notions with the concepts of confidence and trust, we are able to give a phenomenological explanation of the electronic voting controversy in the Netherlands