Chapter VII Security Management for an E-Enterprise -Ramyah Rammohan


Page 1: Chapter VII Security Management for an E-Enterprise

Chapter VII: Security Management for an E-Enterprise

-Ramyah Rammohan

Page 2

Introduction

What is EI?

Integration of people, organization, and technology.

Objective of EI

Emphasize the need for security management and the integration of security into the enterprise.

Integration Problem

Diverse security mechanisms

Page 3

Background

Security domains help partition the enterprise network into logical entities.

Trust levels allow for evaluation of the security needs of each domain.

Tiered networks provide a model for physically partitioning the enterprise network as per the enterprise security policy.

Page 4

Outline of Security Management

Security Metrics

E-enterprise security management

E-enterprise Security Profile (ESP)

FU Security Capabilities (FUSC)

Page 5

Security Domain, E-Enterprise Security Profile

Auditing: The security of information systems requires the ability to trace all actions on sensitive objects back to the subjects originating these actions. Application dependent.

Authentication: “authentication is the binding of an identity to a subject” (Bishop, 2002, p. 309). SSO (single sign-on).

Access Control: Protection against unauthorized access to or modification of information.

Page 6

Contd.

Cryptography: Cryptographic mechanisms not only help restrict unauthorized subjects' access to sensitive information, but also provide support for ensuring data integrity.

System Protection: This domain includes mechanisms that are used to protect the integrity of the system and its data.

Intrusion Detection: Detecting events that represent attempts to breach security.

Perimeter Protection: Preventing unauthorized information exchange at boundaries.

Page 7

Definition

The e-enterprise security profile is defined as a matrix, ESP, consisting of n + 1 rows and m columns, where:

n = total number of FUs requiring integration

m = total number of security domains

The (n + 1)th row depicts the security requirements for additional centralized control, if required to provide centralized security mechanisms such as single sign-on.

The FU security capabilities matrix is defined as a matrix, FUSC, consisting of n rows and m columns, where n and m are as given in Definition 1.

Page 8

ESP and FUSC matrix

ESP Matrix

FUSC Matrix

References: Enterprise Information System Assurance and Security, Merrill Warkentin and Rayford Vaughn

Page 9

Software Metrics

Survivability is defined as “the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents” (Ellison et al., 1997, p. 2).

Privacy is used to quantify the extent of privacy support provided by the e-enterprise.

Confidentiality is used to quantify the degree to which the information or resources of the e-enterprise are concealed.

Integrity quantifies the trustworthiness and correctness of enterprise data or resources.

Page 10

Contd.

Availability is “the alternation between proper and improper service, and is often expressed as the fraction of time that a system can be used for its intended purpose during a specified period of time” (Nicol, Sanders, & Trivedi, 2004, p. 49).

Accountability signifies the extent to which activities in the e-enterprise are traceable to their sources.

Reliability is the probability that the e-enterprise performs the specified operations, as per its security policy, throughout a specified period of time.

Non-Repudiation quantifies the extent to which an enterprise can accurately associate data with its resources.

Page 11

Security Management

Software Metric: Security Domains

Survivability: System protection, perimeter protection, intrusion detection

Privacy: Authentication, access control, cryptography, system protection, perimeter protection

Confidentiality: Authentication, access control, cryptography

Integrity: Access control, cryptography, system protection

Availability: Intrusion detection, system protection, perimeter protection

Accountability: Auditing

Reliability: System protection, perimeter protection

Non-Repudiation: Authentication, auditing, cryptography
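As an added example (not from the chapter or its authors), the following Python compares a constructed ESP matrix against a constructed FUSC matrix over the chapter's seven security domains and maps each domain an FU fails to cover to the metrics the table above ties to it. Treating "required in ESP but absent from FUSC" as a gap is my assumption about how the two matrices are used; the FU descriptions and matrix values are constructed sample data.

```python
# Security domains from the chapter, used as the columns of both matrices.
DOMAINS = ["Auditing", "Authentication", "Access Control", "Cryptography",
           "System Protection", "Intrusion Detection", "Perimeter Protection"]
# Metric -> domains, transcribed from the chapter's "Software Metric Domains" table.
METRIC_DOMAINS = {
    "Survivability": {"System Protection", "Perimeter Protection", "Intrusion Detection"},
    "Privacy": {"Authentication", "Access Control", "Cryptography",
                "System Protection", "Perimeter Protection"},
    "Confidentiality": {"Authentication", "Access Control", "Cryptography"},
    "Integrity": {"Access Control", "Cryptography", "System Protection"},
    "Availability": {"Intrusion Detection", "System Protection", "Perimeter Protection"},
    "Accountability": {"Auditing"},
    "Reliability": {"System Protection", "Perimeter Protection"},
    "Non-Repudiation": {"Authentication", "Auditing", "Cryptography"},
}
# Constructed sample data (not from the chapter): n = 3 FUs, m = 7 domains.
ESP = [  # (n+1) x m requirements; 1 = the domain is required for that FU
    [1, 1, 1, 0, 1, 0, 0],  # FU 0: internal HR portal
    [1, 1, 1, 1, 1, 1, 1],  # FU 1: order-processing system
    [1, 1, 1, 1, 1, 1, 1],  # FU 2: partner-facing gateway
    [0, 1, 0, 0, 0, 0, 0],  # row n+1: centralized control, here single sign-on
]
FUSC = [  # n x m capabilities each FU actually provides
    [1, 1, 1, 0, 1, 0, 0],
    [1, 1, 1, 1, 1, 0, 1],
    [0, 1, 1, 1, 1, 1, 1],
]

def security_gaps(esp, fusc, domains=DOMAINS):
    """Map FU index -> domains required by ESP but absent from FUSC (assumed comparison)."""
    n, m = len(fusc), len(domains)
    if len(esp) != n + 1 or any(len(row) != m for row in esp + fusc):
        raise ValueError("ESP must be (n+1) x m and FUSC must be n x m")
    gaps = {}
    for i in range(n):
        missing = [domains[j] for j in range(m) if esp[i][j] and not fusc[i][j]]
        if missing:
            gaps[i] = missing
    return gaps

def centralized_requirements(esp, domains=DOMAINS):
    """Domains the (n+1)th ESP row asks a centralized mechanism to cover."""
    return [domains[j] for j, required in enumerate(esp[-1]) if required]

def affected_metrics(gaps):
    """Metrics whose domain set (chapter table) intersects the uncovered domains."""
    uncovered = {d for ds in gaps.values() for d in ds}
    return sorted(name for name, ds in METRIC_DOMAINS.items() if ds & uncovered)

if __name__ == "__main__":
    gaps = security_gaps(ESP, FUSC)  # {1: ['Intrusion Detection'], 2: ['Auditing']}
    print(gaps, centralized_requirements(ESP), affected_metrics(gaps))
```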

Page 12

Conclusion and Future work

Security management framework for enterprise integration: this objective is achieved by categorization of security requirements through security domains and application of security management techniques based on security metrics.

The risk posture is defined in terms of threats (intrusion, insider attack, etc.) and undesirable consequences (loss of confidential information, etc.) that concern the enterprise (I3p, 2003).

Enterprise managers of limited enterprise resources for providing the required security solutions.

In the future, the plan is to conduct various experiments to verify the efficacy of the proposed approach.

Page 13

References

Enterprise Information System Assurance and Security: Managerial and Technical Issues, Merrill Warkentin and Rayford Vaughn

http://www.wikipedia.org/

Page 14

Questions

Thank you