Privacy-preserved security-conscious framework to enhance web service composition
The emergence of loosely coupled and platform-independent Service-Oriented Computing (SOC) has encouraged the development of large computing infrastructures like the Internet, thus enabling organizations to share information and offer value-added services tailored to a wide range of user needs. Web Service Composition (WSC) has a pivotal role in realizing the vision of implementing just about any complex business processes. Although service composition assures cost-effective means of integrating applications over the Internet, it remains a significant challenge from various perspectives. Security and privacy are among the barriers preventing a more extensive application of WSC. First, users possess limited prior knowledge of security concepts. Second, WSC is hindered by having to identify the security required to protect critical user information. Therefore, the security available to users is usually not in accordance with their requirements. Moreover, the correlation between user input and orchestration architecture model is neglected in WSC with respect to selecting a high performance composition execution process. The proposed framework provides not only the opportunity to securely select services for use in the composition process but also handles service users' privacy requirements. All possible user input states are modelled with respect to the extracted user privacy preferences and security requirements. The proposed approach supports the mathematical modelling of centralized and decentralized orchestration regarding service provider privacy and security policies. The output is then utilized to compare and screen the candidate composition routes and to select the most secure composition route based on user requests. The D-optimal design is employed to select the best subset of all possible experiments and optimize the security conscious of privacy-preserving service composition.
A Choreography Index Table (CIT) is constructed for selecting a suitable orchestration model for each user input and to recommend the selected model to the choreographed level. The results are promising and indicate that the proposed framework can enhance the choreographed level of the Web service composition process in making adequate decisions to respond to user requests in terms of higher security and privacy. Moreover, the results reflect a significant value compared to conventional WSC, and WSC optimality was increased by an average of 50% using the proposed CIT.
An architecture for certification-aware service discovery
Service-orientation is an emerging paradigm for building complex systems based on loosely coupled components, deployed and consumed over the network. Despite the original intent of the paradigm, its current instantiations are limited to a single trust domain (e.g., a single organization). Also, some of the key promises of service-orientation - such as the dynamic orchestration of externally provided software services, using runtime service discovery and deployment - are still unachieved. One of the main reasons for this is the trust gap that normally arises when software services, offered by previously unknown providers, are to be selected at run-time, without any human intervention. To close this gap, the concept of machine-readable security certificates (called asserts) has been recently introduced, which paves the way to automated processing about security properties of services. Similarly to current security certification schemes, the assessment of the security properties of a service is delegated to an independent third party (certification authority), who issues a corresponding assert, bound to the service. In this paper, we propose an architecture, which exploits the assert concept to realise a certification-aware service discovery framework. The architecture supports the discovery of single services based on certified security properties (in addition to the usual functional properties), as well as the dynamic synthesis of service compositions that satisfy the given security properties. The architecture is extensible, thus allowing for a range of domain-specific matchmaking components, to cover dimensions related to, e.g., performance, cost and other non-functional characteristics.
The true cost of unusable password policies: password use in the wild
HCI research published 10 years ago pointed out that many users cannot cope with the number and complexity of passwords, and resort to insecure workarounds as a consequence. We present a study which re-examined password policies and password practice in the workplace today. 32 staff members in two organisations kept a password diary for 1 week, which produced a sample of 196 passwords. The diary was followed by an interview which covered details of each password, in its context of use. We find that users are in general concerned to maintain security, but that existing security policies are too inflexible to match their capabilities, and the tasks and contexts in which they operate. As a result, these password policies can place demands on users which impact negatively on their productivity and, ultimately, that of the organisation. We conclude that, rather than focussing password policies on maximizing password strength and enforcing frequency alone, policies should be designed using HCI principles to help the user to set an appropriately strong password in a specific context of use