Ivonne Thomas

Security Requirements Specification in Service-Oriented Business Process Management

Service-oriented Architectures deliver a flexible infrastructure to allow independently developed software components to communicate in a seamless manner. In the scope of organisational workflows, SOA provides a suitable foundation to execute business processes as an orchestration of multiple independent services. Along with the increased connectivity, the corresponding security risks rise exponentially. However, security requirements are usually defined on a technical level, rather than on an organisational level that would provide a comprehensive view on the participants, the assets and their relationships regarding security.In this paper, we propose an approach to describe security requirements at the business process layer and their translation to concrete security configuration for service-based systems. We introduce security elements for business process modelling which allow to evaluate the trustworthiness of participants based on a rating of enterprise assets and to express security intentions such as confidentiality or integrity on an abstract level. Our aim is to facilitate the generation of security configurations based on the modelled requirements. For this purpose, we foster a model-driven approach: Information at the modelling layer is gathered and translated to a domain-independent security model. Concrete protocols and security mechanisms are resolved based on a security pattern system that is introduced in the course of this paper.

The Service Security Lab: A Model-Driven Platform to Compose and Explore Service Security in the Cloud

Cloud computing enables the provisioning of dynamically scalable resources as a service. Next to cloud computing, the paradigm of Service-oriented Architectures emerged to facilitate the provisioning of functionality as services. While both concepts are complementary, their combination enables the flexible provisioning and consumption of independently scalable services. These approaches come along with new security risks that require the usage of identity and access management solutions and information protection. The requirements concerning security mechanisms, protocols and options are stated in security policies that configure the interaction between services and clients in a system. In this paper, we present our cloud-based Service Security Lab that supports the on-demand creation and orchestration of composed applications and services. Our cloud platform enables the testing, monitoring and analysis of Web Services regarding different security configurations, concepts and infrastructure components. Since security policies are hard to understand and even harder to codify, we foster a model-driven approach to simplify the creation of security configurations. Our model-driven approach enables the definition of security requirements at the modelling layer and facilitates a transformation based on security configuration patterns.

Trust Requirements in Identity Federation Topologies

Federated Identity Management describes a model to enable users to use their digital identities in collaborating companies regardless of organizational borders. The essential pre-requisite to share the user authentication across different security domains is the establishment of trust between the collaborating partners. Usually, this is done by setting up complex contracts, that describe common policies, obligations and procedures to be followed by each collaboration member. The result is a federation, or Circle of Trust, in which each member is willing to trust on assertions made by someone else. Naturally, federations are no isolated structures and members of one federation might also be part of another one - a constellation possible with current federation technologies. However, whether and how the trust relationships of federations can be used to allow access even across multiple federations is a question which has not been answered yet. In this paper, we investigate trust requirements for identity federation topologies. Starting from the classical structure of a Circle of Trust, we go beyond this and identify more complex patterns such as overlapping federations. For each pattern, we identify risks for identity and service providers as well as the necessary trust requirements that must be met to allow such constellations.

Using quantified trust levels to describe authentication requirements in federated identity management

Service-oriented Architectures (SOA) facilitate the dynamic and seamless integration of services offered by different service providers which in addition can be located in different trust domains. Especially for business integration scenarios, Federated Identity Management emerged as a possibility to propagate identity information as security assertions across company borders in order to secure the interaction between different services. Although this approach guarantees scalability regarding the integration of identity-based services, it exposes a service provider to new security risks. These security risks result from the complex trust relationships within a federation. In a federation the authentication of a user is not necessarily performed within the service providers domain, but can be performed in the users local domain. Consequently, the service provider has to rely on authentication results received from a federation partner to enforce access control. This implies that the quality of the authentication process is out of control by the service provider and therefore becomes a factor which needs to be considered in the access control step. In order to guarantee a designated level of security, the quality of the authentication process should be part of the access control decision. To ease this process, we propose in this paper a method to rate authentication information by a level of trust which describes the strength of an authentication method. Additionally, in order to support the concept of a two-factor authentication, we also present a mathematical model to calculate the trust level when combining two authentication methods.

A Web Service Architecture for Decentralised Identity- and Attribute-Based Access Control

The loosely coupled nature of Service-oriented Architectures raises the question how information for access control can be managed in an efficient way. Several specifications for Web Services exist to describe security requirements and to facilitate a provision of identity information. However, the integration of different standards regarding the expression of identity information in policies, claims and assertions comes along with an increased complexity. In order to identify and address the problems occurring with the combined use of standards as XACML, SAML and WS-Trust, we designed and implemented an architecture for identity- and attribute-based access control in decentralized environments. Our implementation provides an automated generation of access control policies in a format called XACML, a way to communicate required user attributes as claims across different domains based on the standards WS-Trust and WS-Policy, and a consistent mapping of retrieved attribute assertions to the XACML attributes in the access control policy.

A message meta model for federated authentication in service-oriented architectures

The goal of federated authentication is to identify a user or entity in different security domains without the need for redundant user management and a multitude of credentials. Federated authentication is becoming more important with the increasing popularity of service-oriented architectures, since interacting systems are generally not located within a single security domain. For this reason, companies have formed initiatives to develop standard protocols, which have led to the evolution of several specifications that each provide the means for federated authentication in homogeneous environments in which all federation partners use the same standard. In this paper, we raise a critical question: Can federated authentication also be achieved in ”heterogeneous” environments in which federation partners use different standards? After evaluating established standards and identifying similarities, we propose a meta model that describes federated authentication on an abstract level. We validate the model against the standard protocols and present a concrete implementation. Our aim is to enable federated authentication across different standards.

Enhancing Claim-Based Identity Management by Adding a Credibility Level to the Notion of Claims

Claim-based identity management denotes an open identity model which uses the notion of claims to describe identity attributes. A claim is an identity attribute named with an abstract identifier (e.g. a URI), which applications and services can use to specify the attributes they need. Open and extensible formats for the exchange of identity attributes ensure interoperability among different identity systems. For this reason, claim-based identity management lays the ground for Identity Metasystems, which provide an identity layer on top of existing identity systems and promise an easier management of digital identities among the Internet.However, the Internet grew into an environment of mostly isolated domains for a good reason. Service providers find it hard to accept identity information from any other than the own domain. While claim-based identity management provides the means to specify identity information on a per-attribute basis, trust is usually defined in a general manner. Service providers state the issuers of identity information, they trust, but do not restrict for what. In this paper, we argue that for a truly decentralized management of identity information, trust should be defined on the same granular level as identity information. We propose a model which considers trust on a per-claim basis. In our model, trust into a claim is defined as the assumed correctness and integrity of a claim in dependence of the issuer. As a proof-of-concept, we implemented a small flight booking scenario which uses claims augmented with an expected trust level to show how we can achieve more flexibility for the user in his choice of an identity provider when considering not only whom to trust, but for what.

An identity provider to manage reliable digital identities for SOA and the web

In this paper, we describe the implementation of our identity provider, based on open web service standards, which has been extended to distinguish between different qualities of identity attributes; therefore enabling a relying party to distinguish between verified and unverified digital identities. Our contribution is the definition and representation of identity meta information for identity attributes on the identity provider side and the conveyance of this information as Identity Attribute Context Classes to a relying party. As a main result, we propose a format and semantic to include identity attribute meta information into security token which are sent from the identity provider to a relying party in addition to the attribute value itself.

An Attribute Assurance Framework to Define and Match Trust in Identity Attributes

Identity federation denotes a concept for the controlled sharing of user authentication and user attributes between independent trust domains. Using WS-Federation, service providers and identity providers can set up a Circle of Trust, a so called federation, in which each member is willing to trust on assertions made by another partner. However, if a member has to rely on information received from a foreign source, the need for assurance that the information is correct is a natural requirement prior to using it. Identity assurance frameworks exist that can be used to assess the trustworthiness of identity providers. The result of this assessment is a level of trust, that can be assigned to an identity provider. However, existing approaches for evaluating identity assurance do not allow to define trust levels for individual attributes. In our trust model, we consider both: (a) trust in an identity provider as the issuer of assertions and (b) trust in single attributes that an identity provider manages. In this paper, we show how our approach that we implemented in a logic-based framework can be used in web service scenarios to provide trust information on the level of identity attributes, especially about the verification process, and to match trust requirements of attributes during request processing.

Security Requirements Specification in Process-aware Information Systems

Service-oriented Architectures deliver a flexible infrastructure to allow independently developed software com-ponents to communicate in a seamless manner. In the scope of organisational workflows, SOA provides a suitable foundation to execute business processes as an orchestration of multiple independent services. In order to secure services, requirements are usually defined on a technical level, rather than on an organisational level that would provide a comprehensive view on the participants, the assets and their relationships regarding security.