1 / 18

Model Driven Security Framework for Definition of Security Requirements for SOA Based Applications

Model Driven Security Framework for Definition of Security Requirements for SOA Based Applications. Authors: Muhammad Qaisar Saleem , Jafreezal Jaafar , and Mohd Fadzil Hassan An ICCAIE Publication. Presented by Raef Mousheimish. Overview. Background Service oriented architecture

kadeem-emerson
Download Presentation

Model Driven Security Framework for Definition of Security Requirements for SOA Based Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Model Driven Security Framework for Definition ofSecurity Requirements for SOA Based Applications Authors: Muhammad QaisarSaleem, JafreezalJaafar, and MohdFadzil Hassan An ICCAIE Publication Presented by Raef Mousheimish

  2. Overview • Background • Service oriented architecture • Web Services • Model Driven Software Development • Model Driven Security • Current MDS Approaches • Frameworks • Problems • Proposed MDS Framework • Case study • Conclusion & Future Works • References

  3. Service Oriented Architecture (SOA) • The SOA is the dominant paradigm nowadays when building business application • It facilitates the merging of Business IT Domain SOA Functional Business Application

  4. Web Services (WSs) • When applying the SOA on the Web, WSs are the primary concepts. • Business Process = distributed and collaborative WSs Business Process • Organizational assets and resources • Different security infrastructure

  5. Model Driven Software Development (MDSD) Modeling Languages: ISM PIM PSM

  6. Model Driven Security (MDS) • The research community projected the MDSD to the security domain • They created the MDS frameworks • MDS frameworks are considered an acceptable and an applicable solution to adopt in the SOA • Extend the modeling languages to add security concepts to the model The Application model PIM And the Security Goals

  7. Typical MDS illustration Security Goals in the Business Requirement Analysis Security intents when modeling at the PIM level The concrete security configuration at the PSM level

  8. Hafner et al. [1] Memon et al. [2] Wolter et al. [3] Current MDS Approaches

  9. Hafneret al. [1] It’s called SECTEC Security Objectives: Access Rights (Authentication and Authorization) Security Annotation are at the PIM level integrated with the application model Adopt OMG’s MDE approach

  10. Memonet al. [2] It’s called SECTTISSIMO Extension for the SECTEC framework Security Objectives: Access Rights (Authentication and Authorization), non-repudiation, right delegation, single sign-on privacy, and auditing. Security Annotation are at the PIM level but in a different sub-layer from the application model Abstract Security Service Model Application model

  11. Wolteret al. [3] Detailed discussion about the different abstract security concepts, e.g. confidentiality, auditing, availability… Developed security policy for the all the aforementioned security concepts The first aim of the framework is the secure interaction between objects, and the necessary information to be stored about these interactions A new level of abstraction is introduced. i.e. the Computational independent model (CIM)

  12. Problems in the Current MDS Approaches • No Sufficient information to generate an enforceable security configuration • Security experts and business experts have different understandings on the notion of security, e.g. : • Business experts: just authorization • Security experts: certificate based authorization, four-eyes-principle, break-glass policy…

  13. The Proposed MDS framework Business process expert will define the security goals along with the business process modeling The security information must be sufficient for the security expert to: Model security solution for the system Perform some tool-supported transformation to generate the executable artifacts Security Objectives: use identity information and associated rights, information on different forms, service function

  14. Case Study: OnlineStudent Information System • Collaborating services (Accounting, Registration and examination departments) • Security concepts must be represented and annotated with the application model at the PIM level • After studying the security requirements of the system, the authors got this model

  15. Conclusion & Future Works • Conclusions: • The Incorporation of security requirements into early stages of software development will improve the security • Must break the misunderstandings between the business and the security experts • Future Works: • Development of a Domain Specific Language (DSL) for the proposed MDS, to help business experts to annotate more semantically the security requirements of a specific domain

  16. Critics • The authors highlighted the problems of the current approaches but they didn’t resolve it at all • The misunderstandings between domain experts are never addressed • The authors didn’t show how this MDS framework provides sufficient security information: • Than the other frameworks • To generate a enforceable security configuration • They said that they are going to use the BPMN modeling language and they didn’t • They use indifferently the two concepts: non-repudiation and availability

  17. References • Michal Hafner, R.B., Berthold Agreiter, SECTET: an extensible framework for the realization of secure inter-organizational workflows. EmeralInternet Research, 2006. Vol.16 No. 5,2006: p. pp.491-506. • Memom, M., M. Hafner, and R. Breu, SECTISSIMO: A Platform-independent Framework for Security Services. MODSEC08 Modeling Security Workshop, 2008. • Wolter, C., et al., Model-driven business process security requirement specification. J. Syst. Archit., 2009. 55(4): p. 211-223.

  18. Presented by Raef Mousheimish Thank you

More Related