Published in: WIRTSCHAFTSINFORMATIK 5/2008

01-10-2008 | WI – Focus Article

Towards Systematic Achievement of Compliance in Service-Oriented Architectures: The MASTER Approach

Authors: Dipl.-Inform. Volkmar Lotz, Dipl.-Ing. Emmanuel Pigout, Dr. Peter M. Fischer, Prof. Dr. Donald Kossmann, Prof. Dr. Fabio Massacci, Dr. Alexander Pretschner



Abstract

Service-oriented architectures (SOA) have been successfully adopted by agile businesses to support dynamic outsourcing of business processes and the maintenance of business ecosystems. Still, businesses need to comply with applicable laws and regulations. Abstract service interfaces, distributed ownership and cross-domain operations introduce new challenges for the implementation of compliance controls and the assessment of their effectiveness.
In this paper, we analyze the challenges of automated support for the enforcement and evaluation of IT security controls in an SOA. We introduce these challenges by means of an example control, and outline a methodology and a high-level architecture that supports the phases of the control lifecycle through dedicated components for observation, evaluation, decision support and reaction. The approach is model-based and features policy-driven controls. A monitoring infrastructure assesses observations in terms of key indicators and interprets them in business terms. Reaction is supported through components that implement both automated enforcement and the provision of feedback to a human user. The resulting architecture is essentially a decoupled security architecture for SOA with enhanced analysis capabilities; it will be detailed and implemented in the MASTER project.

Metadata
Title
Towards Systematic Achievement of Compliance in Service-Oriented Architectures: The MASTER Approach
Authors
Dipl.-Inform. Volkmar Lotz
Dipl.-Ing. Emmanuel Pigout
Dr. Peter M. Fischer
Prof. Dr. Donald Kossmann
Prof. Dr. Fabio Massacci
Dr. Alexander Pretschner
Publication date
01-10-2008
Publisher
Vieweg Verlag
Published in
WIRTSCHAFTSINFORMATIK / Issue 5/2008
Print ISSN: 0937-6429
Electronic ISSN: 1861-8936
DOI
https://doi.org/10.1007/s11576-008-0086-1
