    Using Control Frameworks to Map Risks in Web 2.0 Applications

    Web 2.0 applications are continuously moving into the corporate mainstream. Each new development brings its own threats or new ways to deliver old attacks. The objective of this study is to develop a framework to identify the security issues an organisation is exposed to through Web 2.0 applications, with specific focus on unauthorised access. An extensive literature review was performed to obtain an understanding of the technologies driving Web 2.0 applications. Thereafter, the technologies were mapped against Control Objectives for Information and related Technology (CobiT) and the Trust Service Principles and Criteria, and the associated control objectives relating to security risks. These objectives were used to develop a framework which can be used to identify risks and formulate appropriate internal control measures in any organisation using Web 2.0 applications. Every organisation, technology and application is unique, and the safeguards depend on the nature of the organisation, the information at stake, the degree of vulnerability and the risks. A comprehensive security program should include a multi-layer approach comprising a control framework combined with a control model that considers the control processes, in order to identify the appropriate control techniques.
    Keywords: Web 2.0, Security risks, Control framework, Control Objectives for Information and related Technology (CobiT), Trust Service Principles and Criteria

    Security Analysis and Improvement Model for Web-based Applications

    Today the web has become a major conduit for information. As the World Wide Web's popularity continues to increase, information security on the web has become an increasing concern. Web information security is related to availability, confidentiality, and data integrity. According to the reports from http://www.securityfocus.com in May 2006, operating systems account for 9% of vulnerabilities, web-based software systems account for 61%, and other applications account for 30%. In this dissertation, I present a security analysis model using the Markov Process Model. Risk analysis is conducted using the fuzzy logic method and information entropy theory. In a web-based application system, security risk is most related to the current states of the software and hardware systems, and independent of the web application system's states in the past. Therefore, web-based applications can be approximately modeled by the Markov Process Model. The web-based applications can be conceptually expressed in the discrete states (web_client_good; web_server_good, web_server_vulnerable, web_server_attacked, web_server_security_failed; database_server_good, database_server_vulnerable, database_server_attacked, database_server_security_failed) as the state space of the Markov Chain. The vulnerable behavior and system response in the web-based applications are analyzed in this dissertation. The analyses focus on functional availability-related aspects: the probability of reaching a particular security failed state and the mean time to the security failure of a system. The vulnerability risk index is classified in three levels as an indicator of the level of security (low level, high level, and failed level). An illustrative application example is provided. As the second objective of this dissertation, I propose a security improvement model for web-based applications using GeoIP services, specified with formal methods.
    In the security improvement model, web access is authenticated in role-based access control using user logins, remote IP addresses, and physical locations as subject credentials, combined with the requested objects and privilege modes. Access control algorithms are developed for subjects, objects, and access privileges. A secure implementation architecture is presented. In summary, the dissertation has developed a security analysis and improvement model for web-based applications. Future work will address Markov Process Model validation when security data collection becomes easier. The security improvement model will be evaluated with respect to performance.
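As an added worked example (not code from the dissertation above), the absorbing-chain computation the abstract describes, over its named state space: the two "*_security_failed" states are absorbing, and solving (I - Q) B = R and (I - Q) t = 1 gives the probability of ending in each failed state and the mean number of steps until a security failure. The one-step transition probabilities, the monitoring-interval time step and the pivot from an attacked web server to a vulnerable database server are constructed assumptions, not data from the dissertation.

```python
from fractions import Fraction as F

# State space taken from the abstract: the "*_security_failed" states are absorbing.
TRANSIENT = ["web_server_good", "web_server_vulnerable", "web_server_attacked",
             "database_server_vulnerable", "database_server_attacked"]
ABSORBING = ["web_server_security_failed", "database_server_security_failed"]

# Constructed one-step transition probabilities (one row per transient state,
# one entry per reachable successor). Illustrative numbers, not measured data.
P = {
    "web_server_good": {"web_server_good": F(9, 10), "web_server_vulnerable": F(1, 10)},
    "web_server_vulnerable": {"web_server_good": F(1, 2), "web_server_attacked": F(1, 2)},
    "web_server_attacked": {"web_server_good": F(1, 4), "web_server_security_failed": F(1, 2),
                            "database_server_vulnerable": F(1, 4)},  # assumed pivot to the DB tier
    "database_server_vulnerable": {"web_server_good": F(1, 2), "database_server_attacked": F(1, 2)},
    "database_server_attacked": {"web_server_good": F(1, 4), "database_server_vulnerable": F(1, 4),
                                 "database_server_security_failed": F(1, 2)},
}


def check_stochastic(P, transient, absorbing):
    """Every transient row must sum to 1 and may only name known states."""
    known = set(transient) | set(absorbing)
    for s in transient:
        row = P[s]
        unknown = set(row) - known
        if unknown:
            raise ValueError(f"{s}: unknown successor state(s) {unknown}")
        if sum(row.values()) != 1:
            raise ValueError(f"{s}: row sums to {sum(row.values())}, not 1")
    return True


def solve(A, B):
    """Solve A X = B exactly (A is n x n, B is n x k) by Gauss-Jordan elimination."""
    n = len(A)
    M = [list(a) + list(b) for a, b in zip(A, B)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        p = M[col][col]
        M[col] = [x / p for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [row[n:] for row in M]


def absorption_analysis(P, transient, absorbing):
    """Absorbing-chain analysis: column block B = (I - Q)^-1 R holds the probability
    of ending in each failed state; t = (I - Q)^-1 1 is the mean steps to failure."""
    check_stochastic(P, transient, absorbing)
    i_minus_q = [[(F(1) if i == j else F(0)) - P[s].get(t, F(0))
                  for j, t in enumerate(transient)] for i, s in enumerate(transient)]
    rhs = [[P[s].get(a, F(0)) for a in absorbing] + [F(1)] for s in transient]
    sol = solve(i_minus_q, rhs)
    return {s: {"absorb": dict(zip(absorbing, sol[i][:-1])), "mean_steps": sol[i][-1]}
            for i, s in enumerate(transient)}


if __name__ == "__main__":
    for state, r in absorption_analysis(P, TRANSIENT, ABSORBING).items():
        probs = ", ".join(f"{a}={p}" for a, p in r["absorb"].items())
        print(f"{state:28s} {probs}  mean steps to failure={r['mean_steps']}")
```

With these constructed probabilities a system starting in web_server_good ends in web_server_security_failed with probability 7/8 and in database_server_security_failed with probability 1/8, after 41 steps on average; the same solve also yields the figures from every other transient state, which is what a per-state risk index would be built from.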

    Internet Public Policy Themes: A Literature Review

    The current paper aims to present a literature review of the research conducted on internet public policy themes and provides a classification scheme for a future research agenda. This research conducts a literature review based on studies published in English in peer-reviewed journals from 1979 to 2015. A simple criterion method was used to find articles; 427 articles were identified in 267 academic journals. All these articles were analyzed by year of publication, number of articles in the selected journal and topic area. This extended literature review provides an exhaustive and valuable source for future internet public policy research for practitioners and scholars by presenting a comprehensive list of references. Although part of this article was published by Kashani & Kasmani (2018), the reference listing associated with each internet public policy issue is original.

    WSACT : a model for Web Services access control incorporating trust

    Today, organisations that seek a competitive advantage are adopting virtual infrastructures that share and manage computing resources. The trend is towards implementing collaborating applications that are supported by web services technology. Even though web services technology is rapidly becoming a fundamental development paradigm, adequate security constitutes the main concern and obstacle to its adoption as an industry solution. An important issue to address is the development of suitable access control models that are able not only to restrict access to unauthorised users, but also to discriminate between users that originate from different collaborating parties. In web services environments, access control is required to cross the borders of security domains, in order to be implemented between heterogeneous systems. Traditional access control systems that are identity-based do not provide a solution, as web services providers have to deal with unknown users, manage a large user population, collaborate with others and at the same time be autonomous in nature. Previous research has pointed towards the adoption of attribute-based access control as a means to address some of these problems. This approach is still not adequate, as the trustworthiness of web services requestors cannot be determined. Trust in web services requestors is thus an important requirement to address. For this reason, this thesis investigated trust, so as to promote the inclusion of trust in the web services access control model. A cognitive approach to trust computation was followed that addressed uncertain and imprecise information by means of fuzzy logic techniques. A web services trust formation framework was defined that aims to populate trust concepts by means of automated, machine-based trust assessments. The structure between trust concepts was made explicit by means of a trust taxonomy. This thesis presents the WSACT (Web Services Access Control incorporating Trust) model.
    The model incorporates traditional role-based access control, the trust levels of web services requestors and the attributes of users into one model. This allows web services providers to grant advanced access to the users of trusted web services requestors, in contrast to the limited access that is given to users who make requests through web services requestors with whom only a minimal level of trust has been established. Such flexibility gives a web services provider the ability to foster meaningful business relationships with others, which reflects humanistic forms of trust. The WSACT architecture describes the interacting roles of an authorisation interface, an authorisation manager and a trust manager. A prototype finally illustrates that the incorporation of trust is a viable solution to the problem of web services access control when decisions of an autonomous nature are to be made.
    Thesis (PhD (Computer Science)), University of Pretoria, 2008.
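An added example, not code from either thesis above, of a deny-by-default decision function that combines the subject credentials the two abstracts describe: user login, role, remote IP resolved to a physical location (the Security Analysis and Improvement Model abstract) and the trust level of the web services requestor that forwarded the call (WSACT), evaluated against the requested object and privilege mode. The GeoIP prefix table, the roles, the "orders" object, the 0-3 trust scale and the policy rules are constructed assumptions; a real deployment would query a GeoIP service and its own trust manager.

```python
import ipaddress
from dataclasses import dataclass

# Constructed GeoIP table (documentation and private ranges) mapping prefixes to a
# location label. Assumption for this example; a real deployment would query a GeoIP service.
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "ZA",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("10.0.0.0/8"): "CORP",  # internal network
}


def locate(remote_ip):
    """Physical-location credential derived from the remote IP ('UNKNOWN' if unmapped)."""
    addr = ipaddress.ip_address(remote_ip)
    for net, label in GEOIP.items():
        if addr in net:
            return label
    return "UNKNOWN"


@dataclass(frozen=True)
class Subject:
    login: str
    role: str
    remote_ip: str
    requestor_trust: int  # trust level (assumed 0-3 scale) of the forwarding web services requestor


@dataclass(frozen=True)
class Rule:
    role: str
    obj: str
    modes: frozenset   # privilege modes granted by this rule
    locations: frozenset  # empty means any location
    min_trust: int     # minimum requestor trust level for this rule to apply


# Constructed policy: limited access regardless of requestor, advanced access only
# for sufficiently trusted requestors from expected locations. Roles are not hierarchical.
POLICY = (
    Rule("clerk", "orders", frozenset({"read"}), frozenset(), 0),
    Rule("clerk", "orders", frozenset({"write"}), frozenset({"ZA", "CORP"}), 1),
    Rule("admin", "orders", frozenset({"read", "write", "delete"}), frozenset({"CORP"}), 2),
)


def decide(subject, obj, mode, policy=POLICY):
    """Return (allowed, reason). Deny by default: a rule must match role, object and
    privilege mode, and the location and requestor trust constraints must hold."""
    location = locate(subject.remote_ip)
    for rule in policy:
        if rule.role != subject.role or rule.obj != obj or mode not in rule.modes:
            continue
        if rule.locations and location not in rule.locations:
            continue
        if subject.requestor_trust < rule.min_trust:
            continue
        return True, (f"allow {subject.login}: {rule.role}/{obj}/{mode} "
                      f"from {location}, requestor trust {subject.requestor_trust}")
    return False, (f"deny {subject.login}: no applicable rule for {subject.role}/{obj}/{mode} "
                   f"from {location}, requestor trust {subject.requestor_trust}")


if __name__ == "__main__":
    requests = [  # constructed sample requests
        (Subject("alice", "clerk", "203.0.113.5", 1), "orders", "write"),
        (Subject("alice", "clerk", "198.51.100.7", 1), "orders", "write"),
        (Subject("alice", "clerk", "203.0.113.5", 0), "orders", "write"),
        (Subject("bob", "admin", "10.1.2.3", 2), "orders", "delete"),
        (Subject("bob", "admin", "203.0.113.9", 3), "orders", "delete"),
    ]
    for subj, obj, mode in requests:
        print(decide(subj, obj, mode)[1])
```

Each denial reason names the credential that failed to satisfy a rule, which is what an authorisation manager would log; the location check runs before the trust check, so a high trust level never compensates for an unexpected origin.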

    The use of web 2.0 technologies in academic libraries in South Africa.

    Doctor of Philosophy in Information Studies, University of KwaZulu-Natal, Pietermaritzburg, 2016.
    The potential of Web 2.0 to profoundly change higher education has been acknowledged. As libraries aspire to remain relevant as premier suppliers of information and endeavour to attract and engage their users, embracing and implementing Web 2.0 technologies has become synonymous with their overall success. This study investigated the use of Web 2.0 technologies in academic libraries in South Africa. The study noted that many academic libraries in South Africa are not lagging behind their global counterparts in adopting these technologies to enhance their services. Many academic libraries in South Africa are leveraging the power of Web 2.0 technologies to provide services that meet the needs of today's users. The population for this study was made up of 17 academic libraries in South Africa. Out of the population of 347 librarians in research libraries, a total of 51 librarians were selected to participate in the study using the random selection method, which translated into three librarians per academic library. The selected number included library directors with whom semi-structured telephonic interviews were held. The study achieved a response rate of 80.3%, which is very good for making generalizations to a larger population. The study employed both qualitative and quantitative research paradigms to investigate the extent of use of Web 2.0 technologies in South African academic libraries. Neither research approach is better than the other. The two research paradigms are different and both have their strengths and weaknesses. Furthermore, in order to maximize the strengths of the two research approaches, the study made use of both the quantitative and the qualitative paradigms. The qualitative research approach was found to be appropriate for this study since it is the predominant paradigm of research in the social sciences.
The quantitative research paradigm was chosen because it has two primary strengths, namely, the findings are generalizable and the data are objective. The researcher opted for a two-pronged method of data collection, which are the self-administered questionnaire and structured interview, as both methods were deemed appropriate for collecting data on academic librarians’ use or non-use of Web 2.0 technologies to deliver high-quality services to their users. Primary data was collected using the questionnaire (for librarians) and a semi-structured interview (for library directors), as data collection methods. The findings of the study show that Web 2.0 technologies are used in the majority of academic institutions surveyed in South Africa, as indicated by 78% of the respondents. This is an indication of the commitment to provide up-to-date services in the platforms that library patrons use, since the literature clearly states that the use of Web 2.0 technologies ensures that libraries keep abreast of technological developments locally and globally by occupying the same space their predominantly techno-savvy users occupy. Providing innovative services and resources that are responsive to users’ needs plays a crucial role in ensuring that academic libraries remain relevant, especially if one considers the threats to their existence, which libraries face currently. The findings also show that although academic libraries in South Africa have adopted the use of Web 2.0 technologies to deliver quality services, the uptake has been slow. The study recommends a comprehensive training programme, which includes a review of the Library and Information Science (LIS) curriculum, to ensure Web 2.0 compliance among LIS practitioners. Furthermore, the study proposes a model for the successful implementation of Web 2.0 technologies in academic libraries in South Africa. The model can be adapted to fit any type of library with few or no amendments

    An access control framework for web services

    Purpose – To define a framework for access control for virtual applications, enabled through web services technologies. The framework supports the loosely coupled manner in which web services are shared between partners. Design/methodology/approach – A background discussion of relevant literature, with an example, is used to illustrate the problem that exists. To enable access control composition, an extension is proposed to an authorisation specification language, together with publication of the access control requirements of a web service provider. Findings – The framework shows that loosely coupled access control can be made possible by making use of the standard manner in which messages are communicated in XML, and by composing assertions with the access control policy of the provider in a consistent manner. Access to web service methods is only granted if permission can be derived for it, where the derivation step forms a formal proof. Research limitations/implications – A basic framework has been defined. An architecture to support it must be defined. Only a very basic level of access control composition has been illustrated. Practical implications – The publication of access control requirements in standards such as WS-Policy can be considered. Originality/value – This paper offers a practical approach to address access control for web services.
    The financial assistance of the Department of Labour (DoL) towards this research is hereby acknowledged. Opinions expressed and conclusions arrived at are those of the author and are not necessarily to be attributed to the DoL.
