The business of the future will be characterized by highly dynamic service-oriented architectures where outsourcing and distributed management constitute the norm rather than the exception. It will infer regulations and business standards into an increasing complexity in security and trust requirements. Best-effort security will no longer be accepted. Business entities will have to provide certified assurance services to customers and expect assured services from contractors in order to manage the associated business and technology risk.
The MASTER European research project aims at providing methodologies and infrastructures which:
- Facilitate the monitoring, enforcement, and audit of quantifiable indicators on the security of a business process;
- Provide manageable assurance of the security levels, trust levels and regulatory compliance of highly dynamic service- oriented architecture in centralized, distributed (multi-domain), and outsourcing contexts.
In order to reach those goals MASTER has organized its work into 3 set activities (Conceptual Model, Design-time and Run-time) represented in the following logical diagram:
Among those activities, our team at SAP research France is mainly involved in three following sub-activities:
- Monitoring infrastructure: we are specifying the monitoring policies as well as the components and infrastructures that are necessary to enforce them. A monitoring policy is a set of statements describing events to be observed, or measurements to be performed based on these observations. For instance, IT Control Objectives for SOX suggest “that procedures exist and are followed to maintain the effectiveness of authentication and access mechanisms”. Part of such a procedure in case of a password-based authentication mechanism is to implement a control that requires “regular password changes”. The general requirement of “password changes” is transformed into a set of more detailed policies based on observable events and the actual system infrastructure to monitor, such as notification of actual password change operations within a certain timeframe or the lack thereof.
- Security Requirements Translation: in which we are working on the concepts necessary for mapping high-level to low-level mandatory control processes. Thus, the integration of the security requirements can occur on several layers, ranging from organizational models to business processes to system transactions to objects and services.
- Security, Trust & Privacy for business based on SOA: in which we investigate a set of means to protect the confidentiality and privacy of events that occur in foreign domains, for instance, at outsourced services. Different approaches are investigated, including event abstraction, pseudonymization, secure computing, and controlled communication channels (i.e., the use of particular Trusted Third Parties providing access to critical events). We particularly emphasize on secure computing, it is the strongest technique available, but needs to be balanced with respect to the communication load required.
In this project we are collaborating with distinguished panel of industrial and university partners:
ATOS Origin; Universita` di Trento; Engineering Ingegneria Informatica S.p.A.; British Telecom; ETH; University of Stuttgart; LERO; ANECT; Deloitte; IBM; CESCE; Fondazione San Rafaele; Stiftelsen SINTEF
For further information please visit the website (http://www.master-fp7.eu/) and contact:
Emmanuel Pigout (firstname.lastname@example.org)
Dr Hoon Wei Lim (email@example.com)
Dr Philip Miseldine (firstname.lastname@example.org)
Theodoor Scholte (email@example.com)