Chapter VII: Security Management for an E-Enterprise
- Ramyah Rammohan
Introduction
What is EI (enterprise integration)?
Integration of people, organization, and technology.
Objective of EI
Emphasize the need for security management and the integration of security across the enterprise.
Integration Problem
Diverse security mechanisms across the units being integrated.
Background
Security domains help partition the enterprise network into logical entities.
Trust levels allow for evaluation of the security needs of each domain.
Tiered networks provide a model for physically partitioning the enterprise network as per the enterprise security policy.
Outline of Security Management
Security metrics
E-enterprise security management
E-enterprise Security Profile (ESP)
FU Security Capabilities (FUSC)
Security Domain, E-Enterprise Security Profile
Auditing: The security of information systems requires the ability to trace all actions on sensitive objects back to the subjects originating these actions. This is application dependent.
Authentication: "authentication is the binding of an identity to a subject" (Bishop, 2002, p. 309). Example: SSO (single sign-on).
Access Control: Protection against unauthorized access to or modification of information.
Contd.
Cryptography: Cryptographic mechanisms not only help in restricting access to secure information by unauthorized subjects, but also provide support to ensure data integrity.
System Protection: This domain includes mechanisms that are used to protect the integrity of the system and data.
Intrusion Detection: Detecting events that represent attempts to breach security.
Perimeter Protection: Preventing unauthorized information exchange at boundaries.
Definition
Definition 1. The e-enterprise security profile is defined as a matrix, ESP, consisting of n + 1 rows and m columns, where:
n = total number of FUs requiring integration
m = total number of security domains
The (n + 1)th row depicts the security requirements for additional centralized control, if required to provide centralized security mechanisms such as single sign-on.
Definition 2. The FU security capabilities are defined as a matrix, FUSC, consisting of n rows and m columns, where n and m are as given in Definition 1.
ESP and FUSC matrix
ESP Matrix
FUSC Matrix
References: Enterprise Information System Assurance and Security - Merrill Warkentin and Rayford Vaughn
Software Metrics
Survivability is defined as "the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents" (Ellison et al., 1997, p. 2).
Privacy is used to quantify the extent of privacy support provided by the e-enterprise.
Confidentiality
Confidentiality is used to quantify the degree to which the information or resources of the e-enterprise are concealed.
Integrity quantifies the trustworthiness and correctness of enterprise data or resources.
Contd.
Availability “the alternation between proper and improper service, and is often expressed as the fraction of time that a system can be used for its intended purpose during a specified period of time” (Nicol, Sanders, & Trivedi, 2004, p. 49).
Accountability signifies the extent to which activities in the e-enterprise are traceable to their sources.
Reliability is the probability that the e-enterprise performs the specified operations, as per its security policy, throughout a specified period of time.
Non-repudiation quantifies the extent to which the enterprise can accurately associate data with its resources.
Security Management
Software metric domains (metric: security domains that support it)
Survivability: system protection, perimeter protection, intrusion detection
Privacy: authentication, access control, cryptography, system protection, perimeter protection
Confidentiality: authentication, access control, cryptography
Integrity: access control, cryptography, system protection
Availability: intrusion detection, system protection, perimeter protection
Accountability: auditing
Reliability: system protection, perimeter protection
Non-repudiation: authentication, auditing, cryptography
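The ESP and FUSC definitions above, together with the metric-to-domain mapping in this slide, as an added Python example that is not part of the slides. The column order of the domains, the FU names and the numeric requirement levels are constructed; comparing FUSC against ESP row by row to find where a unit's capability falls short of its profile is an assumed use of the two matrices, not something the slides state.

```python
# Added example (not from the slides): ESP and FUSC as matrices, shape checks
# from Definitions 1 and 2, and a constructed gap analysis between them.

# The seven security domains from the slides, in (constructed) column order.
DOMAINS = [
    "auditing", "authentication", "access_control", "cryptography",
    "system_protection", "intrusion_detection", "perimeter_protection",
]

# Metric -> security domains, exactly as listed on the metric-domains slide.
METRIC_DOMAINS = {
    "survivability": {"system_protection", "perimeter_protection", "intrusion_detection"},
    "privacy": {"authentication", "access_control", "cryptography",
                "system_protection", "perimeter_protection"},
    "confidentiality": {"authentication", "access_control", "cryptography"},
    "integrity": {"access_control", "cryptography", "system_protection"},
    "availability": {"intrusion_detection", "system_protection", "perimeter_protection"},
    "accountability": {"auditing"},
    "reliability": {"system_protection", "perimeter_protection"},
    "non_repudiation": {"authentication", "auditing", "cryptography"},
}

# Constructed functional units (FUs); n = 3. Names are placeholders.
FUS = ["billing", "inventory", "crm"]

# Constructed requirement levels: 0 = not required ... 3 = strict.
# ESP has n + 1 rows: one per FU plus a final row for centralized control
# (here single sign-on, so authentication, auditing and cryptography are
# required centrally and the per-FU domains are left at 0).
ESP = [
    [2, 3, 3, 2, 2, 1, 2],  # billing
    [1, 2, 2, 1, 2, 1, 1],  # inventory
    [2, 2, 2, 2, 1, 1, 1],  # crm
    [3, 3, 0, 3, 0, 0, 0],  # centralized control ((n + 1)th row)
]

# FUSC has n rows: the capability level each FU actually provides today.
FUSC = [
    [2, 1, 3, 2, 2, 0, 2],  # billing: weak authentication, no intrusion detection
    [1, 2, 2, 1, 2, 1, 1],  # inventory: meets its profile exactly
    [0, 2, 2, 1, 1, 1, 1],  # crm: no auditing, weaker cryptography
]


def validate_shapes(esp, fusc, m=len(DOMAINS)):
    """Enforce Definitions 1 and 2: ESP is (n + 1) x m, FUSC is n x m.
    Returns (n, m) or raises ValueError."""
    n = len(fusc)
    if len(esp) != n + 1:
        raise ValueError(f"ESP must have n + 1 = {n + 1} rows, got {len(esp)}")
    for row in esp + fusc:
        if len(row) != m:
            raise ValueError(f"every row must have m = {m} columns, got {len(row)}")
    return n, m


def capability_gaps(esp, fusc):
    """Assumed use of the two matrices (not stated on the slides): for each FU,
    list the domains where its capability is below its required profile.
    Returns {fu_name: {domain: shortfall}}. The centralized-control row is a
    requirement on shared infrastructure, so it is not compared per FU."""
    n, m = validate_shapes(esp, fusc)
    gaps = {}
    for i in range(n):
        short = {DOMAINS[j]: esp[i][j] - fusc[i][j]
                 for j in range(m) if fusc[i][j] < esp[i][j]}
        if short:
            gaps[FUS[i]] = short
    return gaps


def affected_metrics(gaps):
    """Translate domain shortfalls into the security metrics they weaken,
    using the slide's metric-to-domain mapping."""
    return {
        fu: sorted(metric for metric, doms in METRIC_DOMAINS.items()
                   if doms & set(short))
        for fu, short in gaps.items()
    }


if __name__ == "__main__":
    found = capability_gaps(ESP, FUSC)
    weakened = affected_metrics(found)
    for fu in found:
        print(f"{fu}: short in {found[fu]}; weakens {weakened[fu]}")
```

In this constructed data the inventory unit meets its profile, while billing and crm each fall short in two domains; the second function shows which metrics a single domain shortfall drags down, which is the reason the slides tie each metric to several domains.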
Conclusion and Future work
A security management framework for enterprise integration. This objective is achieved by categorizing security requirements through security domains and applying security management techniques based on security metrics.
The risk posture is defined in terms of threats (intrusion, insider attack, etc.) and undesirable consequences (loss of confidential information, etc.) that concern the enterprise (I3P, 2003).
Enterprise managers have limited enterprise resources for providing the required security solutions.
In the future, the plan is to conduct various experiments to verify the efficacy of the proposed approach.
References
Enterprise Information System Assurance and Security: Managerial and Technical Issues, by Merrill Warkentin and Rayford Vaughn
http://www.wikipedia.org/
Questions
- Thank you