162 research outputs found
Recommended from our members
An architecture for certification-aware service discovery
Service-orientation is an emerging paradigm for building complex systems based on loosely coupled components, deployed and consumed over the network. Despite the original intent of the paradigm, its current instantiations are limited to a single trust domain (e.g., a single organization). Also, some of the key promises of service-orientation - such as the dynamic orchestration of externally provided software services, using runtime service discovery and deployment - are still unachieved. One of the main reasons for this is the trust gap that normally arises when software services, offered by previously unknown providers, are to be selected at run-time, without any human intervention. To close this gap, the concept of machine-readable security certificates (called asserts) has been recently introduced, which paves the way to automated processing about security properties of services. Similarly to current security certification schemes, the assessment of the security properties of a service is delegated to an independent third party (certification authority), who issues a corresponding assert, bound to the service. In this paper, we propose an architecture, which exploits the assert concept to realise a certification-aware service discovery framework. The architecture supports the discovery of single services based on certified security properties (in additional to the usual functional properties), as well as the dynamic synthesis of service compositions, that satisfy the given security properties. The architecture is extensible, thus allowing for a range of domain specific matchmaking components, to cover dimensions related to, e.g., performance, cost and other non-functional characteristics
Recommended from our members
Model-Driven Cyber Range Training: A Cyber Security Assurance Perspective
Security demands are increasing for all types of organisations, due to the ever-closer integration of computing infrastructures and smart devices into all aspects of the organisational operations. Consequently, the need for security-aware employees in every role of an organisation increases in accordance. Cyber Range training emerges as a promising solution, allowing employees to train in both realistic environments and scenarios and gaining hands-on experience in security aspects of varied complexity, depending on their role and level of expertise. To that end, this work introduces a model-driven approach for Cyber Range training that facilitates the generation of tailor-made training scenarios based on a comprehensive model-based description of the organisation and its security posture. Additionally, our approach facilitates the auto- mated deployment of such training environments, tailored to each defined scenario, through simulation and emulation means. To further highlight the usability of the proposed approach, this work also presents scenarios focusing on phishing threats, with increasing level of complexity and difficulty
Recommended from our members
Continuous certification of non-repudiation in cloud storage services
This paper presents a certification model for Non-repudiation (NR) of cloud storage services. NR, i.e., The possession of proofs that certain exchanges have taken place amongst interacting parties, is a significant security property for cloud data storage services. Our model for certifying NR is based on continuous monitoring and has been defined and realised according to the CUMULUS approach. It also corresponds to certification of level 3 maturity in the reference certification framework of Cloud Security Alliance
Recommended from our members
Describing and Verifying Monitoring Capabilities for Service Based Systems
Monitoring the operation of Service Based Systems (SBS) to ensure compliance with a set of service level agreements (SLAs) for example cannot always rely on a pre-specified monitoring infrastructure, where all the information and components required for monitoring are a priori known and available. This because new services with unknown monitoring infrastructures and capabilities may be dynamically assembled to an SBS. To address the need for dynamic configuration of SBS monitoring infrastructures, this paper proposes a model for describing the monitoring capabilities of different services of an SBS and discusses the process for verifying the monitorability of required properties based on these capabilities
Recommended from our members
Dynamic set-up of monitoring infrastructures for service based systems
Service based systems are intrinsically dynamic as the services deployed by them can be replaced at runtime. When this happens, the Service Level Agreements (SLAs) that regulate the provision of services may also need to change. Following such changes, the monitoring infrastructure that is used to monitor SLAs may also need to be modified to ensure the continuous provision of the necessary runtime checks. This paper presents a framework that supports the dynamic assessment of the monitorability of SLAs terms and the dynamic setup of an appropriate infrastructure for monitoring them following such changes. The monitorability checks are based on comparisons between the SLA terms for specific services and descriptions of the monitoring capabilities of these services which are expressed in languages introduced in the paper. The paper presents a prototype implementation of the framework and the results of a preliminary evaluation of it
Recommended from our members
A Framework for Hierarchical and Recursive Monitoring of Service Based Systems
Runtime monitoring of Service Based Systems (SBSs) usually relies on information derived from I/O messages exchanged within business processes implementing services. When service provisioning is regulated by complex Service Level Agreements (SLAs) between service requesters, (composed) services, and infrastructure providers, monitoring may require additional features, such as (i) coordination among events captured at different sources involved in service provisioning and (ii) delegation of properties monitoring to local sites. This paper discusses an architecture and engagement protocol supporting the two aforementioned requirements for monitoring complex SLA-driven service provisioning
Recommended from our members
Big Data Assurance Evaluation: An SLA-Based Approach.
The Big Data community has started noticing that there is the need to complete Big Data platforms with assurance techniques proving the correct behavior of Big Data
analytics and management. In this paper, we propose a Big Data assurance solution based on Service-Level Agreements (SLAs), focusing on a platform providing Model-based Big Data Analytics-as-a-Service (MBDAaaS)
Recommended from our members
Pattern-driven security, privacy, dependability and interoperability management of iot environments
Achieving Security, Privacy, Dependability and Interoperability (SPDI) is of paramount importance for the ubiquitous deployment and impact maximization of Internet of Things (IoT) applications. Nevertheless, said requirements are not only difficult to achieve at system initialization, but also hard to prove and maintain at run-time. This paper highlights an approach to tackling the above challenges, through the definition of pattern language and a framework that can guarantee SPDI in IoT orchestrations. By integrating pattern reasoning engines at the various layers of the IoT infrastructure, and a machine-processable representation of said pattern through Drools rules, the proposed framework can provide ways to fulfill SPDI requirements at design time, and also provide the means to guarantee those SPDI properties and manage the orchestrations accordingly. Moreover, an application example of the framework is presented in an Industrial IoT monitoring environment
Recommended from our members
Incremental certification of cloud services
Cloud is becoming fast a critical infrastructure. However, several recent incidents regarding the security of cloud services clearly demonstrate that security rightly remains one of the major concerns of enterprises and the general public regarding the use of the cloud. Despite advancements of research related to cloud security, we are still not in a position to provide a systematic assessment of cloud security based on real operational evidence. As a step towards addressing this problem, in this paper, we propose a novel approach for certifying the security of cloud services. Our approach is based on the incremental certification of security properties for different types of cloud services, including IaaS, PaaS and SaaS services, based on operational evidence from the provision of such services gathered through continuous monitoring. An initial implementation of this approach is presented
Recommended from our members
Cloud Certification Process Validation using Formal Methods
The importance of cloud-based systems is increasing constantly as they become crucial for completing tasks in an effective and affordable manner. Yet, their use is affected by concerns about the security of the data and applications provisioned through them. Security certification provides a means of increasing confidence in such systems, by establishing that they fulfil certain security properties of interest. Certification processes involve security property assessments against specific threat models. These processes may be based on self-assessment, testing, inspection or runtime monitoring of security properties, and/or combinations of such methods (hybrid certification). One important question for all such processes is whether they actually deliver what they promise. This question is open at the moment and is the focus of our work. To address it, we have developed an approach that formalises certification processes, by translating them in the language of the Prism model-checker and uses Prism to verify properties of interest on the model of the certification process, under specific environmental assumptions
- …