
    De-perimeterisation as a cycle: tearing down and rebuilding security perimeters

    If an organisation wants to secure its IT assets, where should the security mechanisms be placed? The traditional view is the hard-shell model, where an organisation secures all its assets using a fixed security border: what is inside the security perimeter is more or less trusted, what is outside is not. Due to changes in technologies, business processes and their legal environments, this approach is no longer adequate. This paper examines this process, which was coined de-perimeterisation by the Jericho Forum. We analyse and define the concepts of perimeter and de-perimeterisation, and show that there is a long-term trend in which de-perimeterisation is iteratively accelerated and decelerated. In times of accelerated de-perimeterisation, technical and organisational changes take place by which connectivity between organisations and their environment scales up significantly. In times of deceleration, technical and organisational security measures are taken to decrease the security risks that come with de-perimeterisation, a movement that we call re-perimeterisation. We identify the technical and organisational mechanisms that facilitate de-perimeterisation and re-perimeterisation, and discuss the forces that cause organisations to alternate between these two movements.

    GRID COMPUTING FOR COLLABORATIVE NETWORKS: A LITERATURE REVIEW

    This paper describes the methodology and results of a literature review targeting the distinct interpretations of the Grid Computing paradigm within the context of Collaborative Networks. The review is based on the analysis of contributions published in selected scientific journals between 2002 and today. The analysis was performed taking into account the assumptions, scopes and solutions provided to approach the challenges for SMEs’ collaborative networks. The research questions driving this literature review have been the following: (1) How is the concept of Grid Computing associated with the concept of Collaborative Network? (2) How does Grid Computing support Collaborative Networks? (3) What are the business implications of Grid-supported Collaborative Networks?

    Towards Secure Collaboration in Federated Cloud Environments

    Public administrations across Europe have been actively following and adopting cloud paradigms to varying degrees. By establishing modern data centers and consolidating their infrastructures, many organizations already benefit from a range of cloud advantages. However, there is a growing need to further support the consolidation and sharing of resources across different public entities. The ever-increasing volume of processed data and diversity of organizational interactions stress this need even further, calling for integration on the levels of infrastructure, data and services. This is currently hindered by strict requirements in the field of data security and privacy. In this paper, we present ongoing work aimed at enabling secure private cloud federations for public administrations, performed in the scope of the SUNFISH H2020 project. We focus on architectural components and processes that establish cross-organizational enforcement of data security policies in mixed and heterogeneous environments. Our proposal introduces proactive restriction of data flows in federated environments by integrating real-time security policy enforcement with post-execution conformance verification. The goal of this framework is to enable secure service integration and data exchange in cross-entity contexts by inspecting data flows and assuring their conformance with security policies, both on the organizational and the federation level.

    Designing the Extended Zero Trust Maturity Model: A Holistic Approach to Assessing and Improving an Organization’s Maturity Within the Technology, Processes and People Domains of Information Security

    Zero Trust is an approach to security where implicit trust is removed, forcing applications, workloads, servers and users to verify themselves every time a request is made. Furthermore, Zero Trust means assuming anything can be compromised, and designing networks, identities and systems with this in mind, following the principle of least privilege. This approach to information security has been coined as the solution to the weaknesses of traditional perimeter-based information security models, and adoption is starting to increase. However, in past research the principles of Zero Trust have only been applied within the technical domain, to aspects such as networks, data and identities. This indicates a knowledge gap, as the principles of Zero Trust could be applied to organizational domains such as people and processes to further strengthen information security, resulting in a holistic approach. To fill this gap, we employed design science research to develop a holistic maturity model for Zero Trust based on these principles: the EZTMM. We performed two systematic literature reviews, on Zero Trust and on maturity model theory respectively, and collaborated closely with experts and practitioners on the operational, tactical and strategic levels of six different organizations. The resulting maturity model was anchored in prior Zero Trust and maturity model literature, as well as practitioner and expert experience and knowledge. The EZTMM was evaluated by our respondent organizations through two rounds of interviews before being used by one respondent organization to perform a maturity assessment of its own organization as part of our case study evaluation. Each interview round resulted in ample feedback and learning, while the case study allowed us to evaluate and improve the model in a real-world setting.
Our contribution is twofold: a fully functional, holistic Zero Trust maturity model with an accompanying maturity assessment spreadsheet (the artifact), and our reflections and suggestions regarding further development of the EZTMM and research on the holistic application of Zero Trust principles for improved information security.

    Policy driven security architectures for eBusiness

    The dawning of the twenty-first century and the genesis of a new millennium have been extremely kind to technological advance. Industries and society alike have reaped the benefits of technology at its finest. Technological progress has also proven to be extraordinarily beneficial to businesses and their bottom lines when properly employed. The need for automated business logic and functionality has spawned numerous concepts and efforts to capitalize on advanced business requirements. Probably the most popular and revolutionary of all these initiatives to date is the advent of eBusiness. A direct descendant of Electronic Data Interchange (EDI), eBusiness has evolved, and continues to evolve, into more than a phenomenon: a sound component of successful corporations and organizations. The evolution and acceptance of eBusiness has created a ripple effect throughout the technical and business worlds. The promise of this concept and its accompanying technology has forced companies to completely rethink strategic planning efforts and to pay full attention to this ever-growing development. One area that has been heavily affected by the widespread acceptance of eBusiness and its counterparts is the architectures and infrastructures now used to support these efforts. Enterprise architectures that had originally been designed to shield internal business activities from the public eye of the Internet and other domains have been replaced, redesigned, or merged with new architectural designs that present companies and their offerings to the world, all in a digital atmosphere. This exposure can be exceptionally lucrative and damaging at the same time. The conception of the Internet has without a doubt been the single most important episode in the continuing story of technological advance. 
What was once considered the Underground Railroad of information, limited to universities, research groups, and government organizations, has become the Autobahn of electronic data, and continues to evolve and transcend barriers and boundaries. The ability to surpass traditional barriers such as geography and distance is a definite attraction of eBusiness for organizations, and a tremendous number of companies are acting upon this attraction. However, the dark side of the Internet is a playground for adversaries such as, but not limited to, hackers (crackers), lone criminals, malicious insiders (disgruntled employees), industrial spies, media representatives, organized crime, terrorists, national intelligence organizations, special interest groups, competitors, script kiddies, and infowarriors. All of these can and should be considered a potential danger while individuals and organizations interact via the Internet and private networks. Nowhere are the aforementioned dangers as prevalent as in the increasingly popular world of "e": eBusiness, eCommerce, eMarketPlaces, eAuctions, eSupplyChains, and so on; the list goes on and on. The digitization of data is big business, and organizations are realizing the enormous potential of participating in these markets, as well as of using it to streamline day-to-day business operations and management. Around the globe, scores of innovative, thought-provoking systems are deployed daily to take advantage of this new and exciting landscape. However, the same factions that make haste to establish an Internet or web-based presence and rush to take advantage of digital data and goods are very often the ones that forget, neglect, or place a low priority on an absolutely vital necessity of all e-efforts: security. 
Therefore, the intent of this thesis is to examine and introduce methodical approaches to designing and implementing policy-driven security life cycles for secure eBusiness architectures. In order to provide the assurance and security needed for eBusiness architectures, efficient, well-thought-out life cycles must be employed for security practices. Security, like any other component of Information Technology (IT), is not a hit-or-miss scenario. It is a continuous and meticulous process that encompasses all veins of an enterprise. In order to design a secure architecture, a procedural approach must be taken, so that all threats, vulnerabilities, adversaries, holes, nooks, and crannies are covered. Even after all these things have been addressed, there is no such thing as an impenetrable system or infrastructure, especially in a networked environment. Given enough time and resources, the strongest of confines can be made as vulnerable as a home PC connected to the Net. This is especially true for systems that operate over public networks such as the Internet. Therefore, processes and procedures must be introduced, refined and constantly managed to maintain a secure state of operation. This text will illustrate the process of assessing the technical environments used for eBusiness initiatives and gathering requirements for secure operation. It then takes those requirements and develops a functional security policy to govern the system. Next, the document discusses extracting requirements from the security policy itself and using them to create an implementation plan. The implementation phase also includes several testing and assurance activities that should be addressed. After the overall implementation is completed and deployed, streamlined processes must be applied and properly managed to ensure that the hardened solution continues to function as it should. 
An adequate cycle is much more intensive than described above, and this thesis will provide the detail needed to thoroughly address the concepts described here.