5 research outputs found

    Modularisation de la sécurité informatique dans les systèmes distribués (Modularization of computer security in distributed systems)

    Addressing security in the software development lifecycle is still an open issue today, especially in distributed software. Addressing security concerns requires specific know-how, which means that security experts must collaborate with application programmers to develop secure software. Object-oriented and component-based development is commonly used to support collaborative development and to improve scalability and maintenance in software engineering. Unfortunately, those programming styles do not lend themselves well to supporting collaborative development activities in this context, as security is a cross-cutting problem that breaks object or component modules. We investigated in this thesis several modularization techniques that address these issues. We first introduce the use of aspect-oriented programming in order to support secure programming in a more automated fashion and to minimize the number of vulnerabilities in applications introduced at the development phase. Our approach especially focuses on the injection of security checks to protect from vulnerabilities like input manipulation. We then discuss how to automate the enforcement of security policies programmatically and modularly. We first focus on access control policies in web services, whose enforcement is achieved through the instrumentation of the orchestration mechanism. We then address the enforcement of privacy protection policies through the expert-assisted weaving of privacy filters into software. We finally propose a new type of aspect-oriented pointcut capturing the information flow in distributed software to unify the implementation of our different security modularization techniques.

    Knowledge management in higher education: a case study using a stakeholder approach

    Provided that valuable knowledge is: collected from all existing sources including people, systems, databases, file cabinets, etc.; it is stored, categorized and organized; and it is disseminated to those people and systems that need it; “The right knowledge would reach the right person or system at the right time” (Seiner, 2000) and businesses would be transformed into knowledge organizations and economies into knowledge economies. This is in fact the global business phenomenon of our modern world economy (Malhotra, 2003); or at least we aspire that it will be. The wealth of today’s businesses and modern nations lies on their competences and capabilities as knowledge-based economies (Boisot, 1998). Higher Education Institutions (HEI) are increasingly exposed to marketplace pressures, in a similar way to other businesses, and the environment in which they are operating today has also changed drastically (Kara & DeShields, 2004), (Cranfield & Taylor, 2008); they experience intense pressure and are required to respond to the global integration (Blose, et al., 2005). The strategic management of knowledge of a university may provide the competitive advantage that universities need and has potentially several benefits to offer to higher education in general. Knowledge Management (KM) which includes management strategies, and methods, as well as the necessary information and communication technologies may potentially leverage intellectual capital and know-how in order that businesses can benefit from gains in human performance and competitiveness. Examples and best practices are available in the literature but very few of them are specific to higher education and involve the use of KM by HEIs. 
Amongst those who believe that KM has a lot more to offer to Higher Education (HE) is Rowley (Rowley, 2000) who said that “we are a long way from a scenario in which each member of the university community has access to the combined knowledge and wisdom of others in the organization, and has access to that knowledge in a form that suits their particular needs”. This study was initiated to study KM practices in a HEI and create a case study of a KM implementation specific to a HEI following a stakeholder approach. The HEI under study is the largest (over 5,000 students) private HE institution in Cyprus. While involving all areas required for the successful introduction of KM in a HEI, the study delivers a KM solution to satisfy the need of internal stakeholders, being the administration, faculty and staff members and the students. All aspects of KM are examined in the study which being exploratory in nature carries out an organization-wide survey to explore the HEI’s stakeholders’ perceptions of the “knowledge organization”, their current practices including strategy, leadership style, and culture and their needs and expectations relating to KM. Research objectives are satisfied with the utilization of focus groups and surveys conducted via questionnaires and personal interviews for the collection of both quantitative and qualitative data. As data are analyzed the results and recommended actions lead to a case study which describes the implementation of a kick-off KM project in the HEI. The case study has an explanatory nature and takes the reader through all of the steps, from the initiation to the completion, of the KM project. It may be replicated, customized, and re-used as necessary for other KM implementations in the HEI under study, other HEIs, or other organizations with similar needs

    An empirical examination of the impact of ICT on the functioning of the Lebanese Ministry of Finance

    This study attempts to obtain a holistic view of ICT application and its impact in the context of a developing economy taking the Lebanese Ministry of Finance as a case study. It draws on the works of Heeks and Stanforth (2007) and Tseng (2008) for the pre-deployment phase of the e-Gov application and the post-implementation phase respectively. Heeks and Stanforth used actor network theory to study the trajectory taken by the Sri Lankan e-Gov project, while Tseng used a form of Structuration theory known as Orlikowski’s Model of Technology to gauge the impact of an Electronic Government Information System (EGIS) on the Taiwanese Ministry employees. To the knowledge of the researcher the chosen research site has never been investigated before. This necessitated that the design phase of the study needed to be assessed first in order to get in-depth information about the contingent and local contextual factors and to ascertain the level of progress in the design and deployment of the ICT tools and techniques. For the post-implementation phase, this longitudinal study assessed the perceived effectiveness of the ICT impact on the end users - the employees. In addition, secondary data collected from the Ministry and the International Monetary Fund was used to corroborate the research. The study found that the use of ‘trajectory mapping’ was a crucial tool for investigating the initial ICT adoption process. This is due to its strength in exposing contextual factors, its ability to identify social and technical determinism at different stages of the investigation and its suitability in revealing political wrangling and identifying the dynamism of power in a public institution. The study’s findings also reveal the presence of both technical determinism and social determinism throughout the project, restructuring of the organisation due to the introduction of an ICT unit and job redesign in the whole MoF. 
The study also found out that ICT resulted in a power shift within the organisation by having the IT unit gain power due to its ICT knowledge. The investigation, however, could not find a direct relationship between the ‘degree of success’ end point suggested by Heeks and Stanforth (2007) and the sought benefits from the ICT impact. In other words, the proposed ‘degree of success’ may only explain the design aspect of the EGIS; however, this study found that success or demise depends also on the implementation process and the preparedness of citizens to receive such IT services. Furthermore, the study was able to empirically investigate the applicability of the three-layered model suggested by Omoteso et al. (2007) and found out that considering contingency as dynamic is more applicable than the static contingency proposed in the model. The study realised that there is a great need for a continuous, contemporary training process in the ever-changing ICT environment in order to achieve uninterrupted positive results. Finally, the study indicates that lack of vertical communication, as observed in the Lebanese public institution, between users, ICT designers, and decision makers weakens the whole change process. Therefore, it suggests a form of knowledge management application using ICT as the main venue, a transition from the current mechanistic (bureaucratic) structure to an organic (flat) structure