A REFERENCE MODEL FOR ENTERPRISE SECURITY - High Assurance Enterprise Security

David W. Enström, D’Arcy Walsh, Siavosh Hossendoust

2007

Abstract

This paper defines an enterprise security model that provides a cohesive structure for the definition and implementation of security services. The complete framework is described, but with a focus on subjects, and protected objects and how access is controlled. Multiple layers of security are defined, building upon the “defence in depth” concept, augmented with “domain” and “zone” concepts and associated protections. The dynamic use of roles is described, a concept that along with user self–service provides a practical approach for the management and use of roles for access control. This model may also be used as a reference architecture for the definition and integration of a set of security services that permit multiple vendor implementations to work together, and to establish the level of compliance of specific systems.

References

  1. Buecker, Axel, Filip, Werner, Becke, Richard, Cowan, Tony, Godbole, Subodh, Hinton, Heather, Kariyawasam, Sampath, Stranden, Harri, 2004, 'Federated Identity Management with IBM Tivoli Security Solutions', IBM Redbooks, First Edition.
  2. Basin, David, Doser, Jürgen, Lodderstedt, Torsten, 2004, 'Model Driven Security: From UML Models to Access Control Infrastructures', ACM Transactions on Software Engineering and Methodology, Vol. 15, No. 1, pp. 39-91.
  3. Blakely, Bob, Heath, Craig & members of The Open group Security Forum, 2004, Technical Guide - Security Design Patterns, viewed January 2005, <http://www.opengroup.org/bookstore/catalog/g031.ht m>.
  4. Bücker, Axel, Gontarczyk, Andrew, Heiser, Mari, Karekar, Santosh, Saunders, Patricia, Taglioni, Matteo, 2004, 'Enterprise Security Architecture Using IBM Tivoli Security Solutions' IBM Redbooks, Second Edition.
  5. Clarke, Siobhán, Harrison, William, Ossher, Harold, Tarr, Peri, 1999, 'Subject-Oriented Design: Towards Improved Alignment of Requirements, Design and Code', OOPSLA 7899 Proceedings, pp. 325-339.
  6. CSE, 2003, IT Security Zones Baseline Security Requirements, Sue Greaves, Communications Security Establishment, Ottawa.
  7. CSE, n.d., Introduction to Information Technology Security, viewed January 2006, <http://www.csecst.gc.ca/tutorials/english/section1/m1/index_e.htm>.
  8. Entrust, 2003, Privilege Management Infrastructure Using Getaccess Version 7 - Detailed Architecture Report, from Contract: W2213-2-6111, CSE, Ottawa.
  9. Ferraiolo, David, Kuhn, Rick, 1995, An Introduction to Role-Based Access Control, NIST/ITL Bulletin, viewed January 2006, <http://csrc.nist.gov/rbac/NISTITL-RBAC-bulletin.html>.
  10. IBM Microsoft, 2003, Federation of Identities in a Web Services World, viewed February 2005, <http://www128.ibm.com/developerworks/library/specification/wsfedworld/>.
  11. IBM, 2005, 'Federated Identity Management and Web Services Security with IBM Tivoli Security Solutions', IBM Redbooks, Second Edition.
  12. Indrakshi, Ray, Li, Na, France, Robert, Dae-Kyoo, Kim, 2004, 'Using UML to Visualize Role-Based Access Control Constraints', Proceedings of SACMAT 7804, pp. 115-124.
  13. International Organization for Standardization, 1989, Information Processing Systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security architecture, ISO 7498-2:1989, International Organization for Standardization, Geneva.
  14. International Organization for Standardization, 2002, Security techniques - Security information objects for access control, ISO/IEC 15816:2002, International Organization for Standardization, Geneva.
  15. Jürgens, Jan, 2002, 'UMLSec: Extending UML for Secure Systems Development', UML 2002 - The Unified Modeling Language Proceedings, pp. 412-425.
  16. Kendall, Elizabeth, 1999, 'Role Model Designs and Implementations with Aspect-oriented Programming', OOPSLA 7899 Proceedings, pp. 353-369.
  17. Lodderstedt, Torsten, Basin, David, Doser, Jürgen, 2002, 'SecureUML: A UML-Based Modeling Language for Model-Driven Security', UML 2002 - The Unified Modeling Language Proceedings, pp. 426-441
  18. Miller, Mark, Yee, Ka-Ping, Shapiro, Jonathan, 2003, Capability Myths Demolished, Technical Report SRL2003-02, Johns Hopkins University Systems Research Laboratory, Baltimore.
  19. Organization for the Advancement of Structured Information Standards, 2005a, eXtensible Access Control Markup Language, XACML Version 2.0, OASIS, Billerica.
  20. Organization for the Advancement of Structured Information Standards, 2005b, Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS, Billerica.
  21. Tulloch, Mitch, 2003, Microsoft Encyclopedia of Security. Microsoft Press, Redmond.
  22. Yoder, Joseph, Barcalow, Jeffrey, 1997, 'Architectural Patterns for Enabling Application Security, PloP 7897 Proceedings.
  23. © Her Majesty the Queen in Right of Canada, 2007
Download


Paper Citation


in Harvard Style

W. Enström D., Walsh D. and Hossendoust S. (2007). A REFERENCE MODEL FOR ENTERPRISE SECURITY - High Assurance Enterprise Security . In Proceedings of the Ninth International Conference on Enterprise Information Systems - Volume 3: ICEIS, ISBN 978-972-8865-90-0, pages 355-364. DOI: 10.5220/0002351903550364


in Bibtex Style

@conference{iceis07,
author={David W. Enström and D’Arcy Walsh and Siavosh Hossendoust},
title={A REFERENCE MODEL FOR ENTERPRISE SECURITY - High Assurance Enterprise Security},
booktitle={Proceedings of the Ninth International Conference on Enterprise Information Systems - Volume 3: ICEIS,},
year={2007},
pages={355-364},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002351903550364},
isbn={978-972-8865-90-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the Ninth International Conference on Enterprise Information Systems - Volume 3: ICEIS,
TI - A REFERENCE MODEL FOR ENTERPRISE SECURITY - High Assurance Enterprise Security
SN - 978-972-8865-90-0
AU - W. Enström D.
AU - Walsh D.
AU - Hossendoust S.
PY - 2007
SP - 355
EP - 364
DO - 10.5220/0002351903550364