Context-Based Confidentiality Analysis for Industrial IoT
This dataset contains the models and source code for the work described in the paper "Context-Based Confidentiality Analysis for Industrial IoT". To use the content of this dataset, a working setup of the source code and models of the dataset https://zenodo.org/record/2574147#.XoC5KogzZPY is needed as a base. This dataset is still actively worked on; an updated version might be published in the future.
This work was supported by the German Federal Ministry of Education and Research under grant number 01IS17106A (Trust 4.0)
Contextualizing Secure Information System Design: A Socio-Technical Approach
Secure Information Systems (SIS) design paradigms have evolved over several generations to adapt to IS security needs. However, modern IS are still vulnerable and far from secure. The development of an underlying IS cannot be reduced to “technological fixes”, and neither can the design of SIS: technical security alone cannot ensure IS security. Generations of SIS design paradigms have evolved, each with its own shortcomings. A SIS design paradigm must meet well-defined requirements, yet contemporary paradigms do not meet all of them. Current SIS design paradigms are not easily applicable to IS; they lack comprehensive modeling support and ignore the socio-technical organizational role of IS security. This research introduced the use of action research within design science research. The design science paradigm was leveraged to introduce a meta-design artifact explaining how IS requirements, including security requirements, can be incorporated in the design of SIS. The introduced artifact, CSIS, provides comprehensive design support for emergent and changing IS requirements from a socio-technical perspective, and it meets the secure-system meta-design requirements. This study presented a secure IS design principle that ensures IS security.
Machine-Readable Privacy Certificates for Services
Privacy-aware processing of personal data on the web of services requires managing a number of issues arising from both the technical and the legal domain. Several approaches have been proposed for matching privacy requirements (on the client side) with privacy guarantees (on the service provider side). Still, the assurance of effective data protection (where possible) relies on substantial human effort and exposes organizations to significant (non-)compliance risks. In this paper we put forward the idea that a privacy certification scheme producing and managing machine-readable artifacts, in the form of privacy certificates, can play an important role towards the solution of this problem. Digital privacy certificates represent the reasons why a privacy property holds for a service and describe the privacy measures supporting it. Privacy certificates can also be used to automatically select services whose certificates match the client policies (privacy requirements). Our proposal relies on an evolution of the conceptual model developed in the Assert4Soa project and on a certificate format specifically tailored to represent privacy properties. To validate our approach, we present a worked-out instance showing how the privacy property Retention-based unlinkability can be certified for a banking financial service. Comment: 20 pages, 6 figures
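The matching step the abstract describes (client requirements against certified guarantees, with the certificate's integrity checked before it is trusted) as an added example in Python. This is not code from the paper or the Assert4Soa project: the certificate structure, the parameter names, the example services and the HMAC issuer tag standing in for a certification authority's digital signature are all assumptions of this example.

```python
"""Machine-readable privacy certificates: issue, verify and match against a
client's privacy requirements.  Added example, not the paper's format."""
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-issuer-key-not-a-real-ca"   # hypothetical issuer secret


def _body(cert):
    """Canonical serialisation of the certificate fields covered by the signature."""
    return json.dumps({k: v for k, v in cert.items() if k != "signature"},
                      sort_keys=True, separators=(",", ":")).encode()


def issue(cert, key=ISSUER_KEY):
    """Return the certificate with an issuer tag (HMAC here, a CA signature in practice)."""
    return {**cert, "signature": hmac.new(key, _body(cert), hashlib.sha256).hexdigest()}


def verify(cert, key=ISSUER_KEY):
    expected = hmac.new(key, _body(cert), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert.get("signature", ""))


def property_satisfies(guarantee, requirement):
    """A certified property satisfies a requirement when every bound the client
    states as (param, operator, value) holds for the certified parameter and
    every measure the client insists on is among the supporting measures."""
    params = guarantee.get("params", {})
    for param, op, bound in requirement.get("bounds", []):
        if param not in params:
            return False
        value = params[param]
        if not {"<=": value <= bound, ">=": value >= bound, "==": value == bound}[op]:
            return False
    return set(requirement.get("measures", [])) <= set(guarantee.get("measures", []))


def select_services(certificates, client_policy):
    """Return the services whose verified certificate covers every property the
    client policy requires; a certificate that fails verification never matches."""
    selected = []
    for cert in certificates:
        if not verify(cert):
            continue
        certified = {p["name"]: p for p in cert.get("properties", [])}
        if all(name in certified and property_satisfies(certified[name], req)
               for name, req in client_policy.items()):
            selected.append(cert["service"])
    return selected


# Constructed certificates for hypothetical services and a hypothetical issuer.
CERTIFICATES = [
    issue({"service": "https://bank.example/payments", "issuer": "Example Privacy CA",
           "properties": [{"name": "retention-based-unlinkability",
                           "params": {"retention_days": 30},
                           "measures": ["pseudonymous transaction identifiers",
                                        "purge of logs after retention period"]}]}),
    issue({"service": "https://bank.example/loans", "issuer": "Example Privacy CA",
           "properties": [{"name": "retention-based-unlinkability",
                           "params": {"retention_days": 365},
                           "measures": ["pseudonymous transaction identifiers"]}]}),
]
# A copy edited after issuance: its signature no longer covers the body.
TAMPERED = json.loads(json.dumps(CERTIFICATES[1]))
TAMPERED["service"] = "https://bank.example/loans-tampered"
TAMPERED["properties"][0]["params"]["retention_days"] = 10

# Client policy: the property must hold with at most 90 days of retention and
# pseudonymous identifiers as a supporting measure.
CLIENT_POLICY = {"retention-based-unlinkability": {
    "bounds": [("retention_days", "<=", 90)],
    "measures": ["pseudonymous transaction identifiers"]}}

if __name__ == "__main__":
    print(select_services(CERTIFICATES + [TAMPERED], CLIENT_POLICY))
```

The tampered copy would satisfy the client policy on its parameters alone; it is excluded only because verification runs before matching, which is the order any certificate-driven selection must keep.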
Extracting Role-Based Access Control Models from Business Process Event Logs
Abstract (translated from Estonian): With complex business processes and ever-growing data volumes, analysing and improving the data security of an enterprise's business process is a challenging task. Information systems that support the execution of a business process model (an abstract representation of a business process) record business process activities as events in a separate log. The recorded event logs are the basis for mining data related to the business process. These data are needed for analysing and improving the business process, but they can also be used for security analysis. One of the goals of security analysis is to check whether the security-related information among these data is consistent with the current security requirements. Furthermore, process mining (a research field that combines data mining and business process modelling) techniques can be applied to business process logs to create business process models. Besides business process models, other models can also be derived, for example security models, which can later be used to enforce security measures in an information system. The aim of this thesis is to present one possible method for creating security models representing role-based access control (Role-Based Access Control models) from event logs in XES format recorded by the information system supporting the business process. Additional attention is paid to identifying, on the basis of the event logs, the information assets that need protection. These information assets are, for example, documents, document fields, or other data processed during business process activities. In addition, we evaluate the applicability of this method on the event log of a real-life business process. As one possible method, we check the conformance of the event log's data and relations with the access rights in an existing role-based access control security model. Ultimately, a role-based access control model derived from event logs can be taken as a basis for security analysis or applied as an access control mechanism in a system.

Abstract (English): Today, as business processes are getting more complex and the volumes of stored data about business process executions are increasing, collecting information for the analysis and improvement of business process security is becoming a complex task. Information systems that support business processes record business process executions in event logs, which capture the behaviour of system usage in terms of events. Business process event logs can be used for analysing and improving the business process, but also for analysing information security. One of the main goals of security analysis is to check compliance with existing security requirements. Event logs can also be the basis for business process mining, or process mining for short. Utilizing bottom-up process mining on event logs, we can extract business process-related information for security analysis. Process mining is not only for discovering business process models, but also other models, such as security models. For this purpose, we present a possible approach to extract RBAC models (semi-)automatically from event logs in XES format. The focus is also on determining the protected business assets, such as documents or other artifact data that is exchanged and accessed during business process activities. In addition, we evaluate the applicability of this approach with conformance checking, where we check the compliance of a real-life event log with respect to the LTL constraints translated from the RBAC model. Eventually, the purpose of the extracted RBAC models is that they provide a basis for security analysis and can be adopted by other applications in order to implement an access control mechanism.
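The two steps the abstract outlines, deriving an RBAC model (users, roles, permitted activities and the data assets each activity touches) from an XES log and then checking a second log against that model, as an added example in Python. This is not the thesis's code: it uses the standard XES attribute keys (concept:name for the activity, org:resource for the user, org:role for the user's role), treats every other event attribute as a protected data asset of that activity (an assumption of this example, not the thesis's asset criterion), and evaluates the "an activity is only executed by a permitted role" constraint directly rather than as LTL. The sample logs are constructed.

```python
"""Derive an RBAC model from an XES event log and check another log against it.
Added example; not code from the thesis."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# XES attributes that describe the event itself rather than business data.
STANDARD_KEYS = {"concept:name", "org:resource", "org:role", "org:group",
                 "time:timestamp", "lifecycle:transition"}


def make_xes(traces):
    """Serialise {case_id: [(activity, user, role_or_None, {data attrs})]} as XES.
    Only used to construct the sample logs below."""
    out = ['<log xes.version="1.0" xmlns="http://www.xes-standard.org/">']
    for case, events in traces.items():
        out.append(f'<trace><string key="concept:name" value="{case}"/>')
        for activity, user, role, data in events:
            attrs = {"concept:name": activity, "org:resource": user, **data}
            if role:
                attrs["org:role"] = role
            out.append("<event>" + "".join(f'<string key="{k}" value="{v}"/>'
                                            for k, v in attrs.items()) + "</event>")
        out.append("</trace>")
    out.append("</log>")
    return "\n".join(out)


# Constructed sample logs (not real-life data): a claims process with three roles.
SAMPLE_XES = make_xes({
    "case-1": [("Submit claim", "alice", "Clerk", {"claim:amount": "1200"}),
               ("Approve claim", "bob", "Manager", {"claim:decision": "approved"}),
               ("Pay claim", "carol", "Accountant", {"payment:iban": "EE00EXAMPLE"})],
    "case-2": [("Submit claim", "dave", "Clerk", {"claim:amount": "80"}),
               ("Approve claim", "bob", "Manager", {"claim:decision": "rejected"})],
})
# Log to check: alice (a Clerk) approves her own claim; carol's event carries no
# org:role, so her permission has to be resolved through her known roles.
CHECK_XES = make_xes({
    "case-3": [("Submit claim", "alice", "Clerk", {"claim:amount": "5000"}),
               ("Approve claim", "alice", "Clerk", {"claim:decision": "approved"}),
               ("Pay claim", "carol", None, {"payment:iban": "EE00EXAMPLE"})],
})


def _local(tag):
    return tag.rsplit("}", 1)[-1]   # strip the XES namespace from the tag


def parse_xes(xml_text):
    """Return the log's events in order, each as {attribute key: value}."""
    events = []
    for trace in ET.fromstring(xml_text).iter():
        if _local(trace.tag) != "trace":
            continue
        for ev in trace:
            if _local(ev.tag) == "event":
                events.append({a.get("key"): a.get("value") for a in ev if a.get("key")})
    return events


def extract_rbac(events):
    """Derive user-role assignment, role-permission assignment and the data
    assets handled by each activity from the events' attributes."""
    model = {"user_roles": defaultdict(set), "role_permissions": defaultdict(set),
             "activity_assets": defaultdict(set)}
    for e in events:
        act, user, role = e.get("concept:name"), e.get("org:resource"), e.get("org:role")
        if not (act and user and role):
            continue                      # no subject information: nothing to learn
        model["user_roles"][user].add(role)
        model["role_permissions"][role].add(act)
        model["activity_assets"][act].update(k for k in e if k not in STANDARD_KEYS)
    return model


def check_conformance(events, model):
    """Flag every event whose executing role (or, when org:role is absent, the
    user's known roles) holds no permission for the activity.
    Returns (event index, user, role, activity) per violation."""
    violations = []
    for i, e in enumerate(events):
        act, user, role = e.get("concept:name"), e.get("org:resource"), e.get("org:role")
        roles = {role} if role else model["user_roles"].get(user, set())
        if not any(act in model["role_permissions"].get(r, ()) for r in roles):
            violations.append((i, user, role, act))
    return violations


if __name__ == "__main__":
    rbac = extract_rbac(parse_xes(SAMPLE_XES))
    for role, perms in sorted(rbac["role_permissions"].items()):
        print(f"{role}: {sorted(perms)}")
    print("violations:", check_conformance(parse_xes(CHECK_XES), rbac))
```

A model mined this way is only as complete as the log: a permission that was never exercised is never learned, so a mined model should be reviewed against the intended policy before it is used to enforce access.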
A Generic Metamodel For Security Policies Mutation
We present a new approach for mutation analysis of security policy test cases. We propose a metamodel that provides a generic representation of security policy access control models and define a set of mutation operators at this generic level. We use Kermeta to build the metamodel and implement the mutation operators. We also illustrate our approach with two successful instantiations of this metamodel: we defined policies with RBAC and OrBAC and mutated these policies.
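What mutation analysis of policy test cases measures, as an added example in Python. This is not the paper's Kermeta metamodel or its operators: the policy is a flat set of (role, permission) permit rules, a deliberately simplified stand-in for the RBAC and OrBAC instantiations, and the three operators (remove a rule, add a rule, change a rule's role) are assumptions of this example. The policy and test cases are constructed.

```python
"""Mutation analysis of an access control policy's test cases.
Added example; not the paper's metamodel or operators."""


def decide(policy, role, permission):
    """Closed policy: access is granted only by an explicit (role, permission) rule."""
    return (role, permission) in policy


def mutants(policy, roles, permissions):
    """Yield (operator name, mutated policy) for every single-change mutant."""
    for rule in sorted(policy):
        yield "RemoveRule", policy - {rule}
    for r in sorted(roles):
        for p in sorted(permissions):
            if (r, p) not in policy:
                yield "AddRule", policy | {(r, p)}
    for r, p in sorted(policy):
        for r2 in sorted(roles):
            if r2 != r:
                yield "ChangeRole", (policy - {(r, p)}) | {(r2, p)}


def mutation_score(policy, test_cases, roles, permissions):
    """A test case is (role, permission, expected decision).  A mutant is killed
    when some test case decides differently under it than expected; surviving
    mutants expose behaviour the test suite never exercises.
    Returns (killed, total, [(operator, rules that differ from the original)])."""
    killed, total, survivors = 0, 0, []
    for operator, m in mutants(policy, roles, permissions):
        total += 1
        if any(decide(m, r, p) != expected for r, p, expected in test_cases):
            killed += 1
        else:
            survivors.append((operator, sorted(m ^ policy)))
    return killed, total, survivors


# Constructed policy: clerks submit, managers approve, nothing else is permitted.
POLICY = frozenset({("Clerk", "submit"), ("Manager", "approve")})
ROLES = ("Clerk", "Manager")
PERMISSIONS = ("submit", "approve")
# A suite that only checks granted accesses, and the denials it is missing.
POSITIVE_TESTS = [("Clerk", "submit", True), ("Manager", "approve", True)]
NEGATIVE_TESTS = [("Clerk", "approve", False), ("Manager", "submit", False)]

if __name__ == "__main__":
    for suite in (POSITIVE_TESTS, POSITIVE_TESTS + NEGATIVE_TESTS):
        killed, total, survivors = mutation_score(POLICY, suite, ROLES, PERMISSIONS)
        print(f"{killed}/{total} mutants killed, survivors: {survivors}")
```

With only the positive test cases, both AddRule mutants survive: a suite that never asks for a denial cannot tell that the policy has become more permissive, which is exactly the defect access control tests most need to catch.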
A Systematic Mapping Study of Access Control in the Internet of Things
The Internet of Things (IoT) provides a wide range of services in both domestic and industrial environments. Access control plays a crucial role in granting access rights to users and devices when an IoT device is connected to a network. Over the years, traditional access control models such as RBAC and ABAC have been extended to the IoT, and several other approaches have also been proposed for it. This research performs a systematic mapping study of the research that has been conducted on access control in the IoT. Based on the formulated search strategy, 1,617 articles were collected and screened for review. The systematic mapping study conducted in the paper answers three research questions regarding access control in the IoT: what kind of access control related concerns have been raised in the IoT so far? What kind of solutions have been presented to improve access control in the IoT? What kind of research gaps have been identified in access control research in the IoT? To the best of our knowledge, this is the first systematic mapping study performed on this topic.
Developing focused auditing tools: A practical framework for creating formalized multi-level security policy specifications
This study holds that formalized policy specifications and focused penetration testing are needed to audit any information system effectively. Designing and maintaining the information security system is the primary duty of the cyber security professional. In today's world, nearly all government agencies manage some form of financial, defense, national security, and/or privacy information security policies. In this environment it is also necessary that agencies are accountable for auditing the security systems that protect this information.