Improving Security Assurance of Services through Certificate Profiles

  • Marioli Montenegro
  • Antonio Maña
  • Hristo Koshutanski
Part of the Communications in Computer and Information Science book series (CCIS, volume 393)

Abstract

Cloud and Web Services technologies offer a powerful cost-effective and fast growing approach to the provision of infrastructure, platform and software as services. However, these technologies still raise significant concerns regarding security assurance and compliance of data and software services offered. A new trend of a service security certification has been recently proposed to overcome the limitations of existing security certificates by representing security certification in a structured, machine-processable manner that will enable automated reasoning for certified security features in security-critical domains. However, the richness and flexibility of the underlying certificate models and languages comes with the price of increased complexity in processing and comparing those certificates and related security claims in practice. In this paper, we propose the concept of certificate profile to provide a mechanism to address processability and interoperability of service security certificates. We present a conceptual model and a concrete realization of the model within the context of the European project ASSERT4SOA.

Keywords

Cloud Service Security Property Security Feature Semantic Rule Service Orient Computing 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Gartner: Forecast overview: Public cloud services. report G00234817 (2012)Google Scholar
  2. 2.
    Common Criteria: Common criteria part 1: introduction and general model (2012), http://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R4.pdf
  3. 3.
    Sunyaev, A., Schneider, S.: Cloud services certification. Commun. ACM 56(2), 33–36 (2013)CrossRefGoogle Scholar
  4. 4.
    Spanoudakis, G., Damiani, E., Maña, A.: Certifying services in cloud: The case for a hybrid, incremental and multi-layer approach. In: 14th IEEE International Symposium on High-Assurance Systems Engineering (HASE), pp. 175–176 (2012)Google Scholar
  5. 5.
    Anisetti, M., Ardagna, C.A., Guida, F., Gürgens, S., Lotz, V., Maña, A., Pandolfo, C., Pazzaglia, J.-C., Pujol, G., Spanoudakis, G.: ASSERT4SOA: Toward security certification of service-oriented applications. In: Meersman, R., Dillon, T., Herrero, P. (eds.) OTM 2010. LNCS, vol. 6428, pp. 38–40. Springer, Heidelberg (2010), http://dx.doi.org/10.1007/978-3-642-16961-8_11 CrossRefGoogle Scholar
  6. 6.
    Paul, S., Koshutanski, H., Cerbo, F.D., Kaluvuri, A.M.: Security assurance of services through digital security certificates. In: 20th IEEE International Conference on Web Services, ICWS 2013 (2013)Google Scholar
  7. 7.
    Mahbub, K., Pino, L., Foster, H., Spanoudakis, G., Maña, A., Pujol, G.: D2.1 - ASSERTs aware service query language and discovery engine. Technical report, ASSERT4SOA Project (2011), http://assert4soa.eu/deliverable/D2.1.pdf
  8. 8.
    Ramli, N.A.: Protection profile, a key concept in the common criteria. In: SANS Institute InfoSec Reading Room (2003)Google Scholar
  9. 9.
    Benassi, P.: TRUSTe: an online privacy seal program. Commun. ACM 42(2), 56–59 (1999)CrossRefGoogle Scholar
  10. 10.
  11. 11.
    X.509: The directory: Public-key and attribute certificate frameworks, ITU-T Recommendation X.509:2005 ∣ ISO/IEC 9594-8:2005 (2005)Google Scholar
  12. 12.
  13. 13.
    Andrieux, et al.: Web services agreement specification (ws-agreement), OGF - Grid Resource Allocation Agreement Protocol WG, v. gfd-r.192 (2011)Google Scholar
  14. 14.
    TAPAS Project: Trusted and QoS-Aware Provision of Application Services, http://tapas.sourceforge.net
  15. 15.
    Schematron: ISO/IEC 19757-3 (2006) http://www.schematron.com
  16. 16.
    Object Constraint Language: ISO/IEC 19507: 2012 (2012) http://www.omg.org/spec/OCL
  17. 17.
    FIPS-197: Advanced encryption standard (2001), http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
  18. 18.
    NIST-SP-800-38A: Recommendation for block cipher modes of operation (2001), http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
  19. 19.
    Pino, L., Spanoudakis, G.: Constructing secure service compositions with patterns. In: 8th IEEE World Congress on Services, SERVICES 2012 (2012)Google Scholar
  20. 20.
    ASSERT4SOA Project Consortium: D4.1 - Design and description of evidence-based certificates artifacts for services. Technical report, ASSERT4SOA Project (2011), http://www.assert4soa.eu/deliverable/D4.1.pdf
  21. 21.
    Fuchs, A., Gürgens, S.: D5.1 Formal models and model composition. Technical report, ASSERT4SOA Project (2011), http://www.assert4soa.eu/deliverable/D5.1.pdf
  22. 22.
    D’Agostini, S., Giacomo, V.D., Pandolfo, C., Presenza, D.: An Ontology for run-time Verification of Security Certificates for SOA. In: Proc. of the 1st International Workshop on Security Ontologies and Taxonomies, SecOnt 2012 (2012)Google Scholar
  23. 23.
    XPath: XML path language W3C, http://www.w3.org/TR/xpath/
  24. 24.
    SPARQL: SPARQL query language for RDF, W3C (2008), http://www.w3.org/TR/rdf-sparql-query/
  25. 25.
    ASSERT4SOA Project Consortium: D7.3 - Validation of the ASSERT4SOA framework based on the study case. Technical report, ASSERT4SOA Project (2013)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Marioli Montenegro
    • 1
  • Antonio Maña
    • 1
  • Hristo Koshutanski
    • 1
  1. 1.Escuela Técnica Superior de Ingeniería InformticaUniversidad de MálagaSpain

Personalised recommendations