Similar literature
20 similar documents found; search time 46 ms
1.
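The SaaS service model and the current state of IT asset management are studied, and the SaaS application model is then combined with IT asset management to obtain a SaaS-based IT asset management system. The system architecture, functions, security scheme and business model are discussed, and a system design for implementing an IT asset management system under the SaaS model is proposed. The design aims to achieve the third level of the SaaS maturity model, considers using a one-time-password identity authentication scheme based on the Rabin cryptosystem, and is deployed on a software service platform.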

2.
We present a new approach for the elicitation and development of security requirements in the entire Data Warehouse (DWs) life cycle, which we have called a Secure Engineering process for DAta WArehouses (SEDAWA). Whilst many methods for the requirements analysis phase of the DWs have been proposed, the elicitation of security requirements as non-functional requirements has not received sufficient attention. Hence, in this paper we propose a methodology for the DW design based on Model Driven Architecture (MDA) and the standard Software Process Engineering Metamodel Specification (SPEM) from the Object Management Group (OMG). We define four phases comprising of several activities and steps, and five disciplines which cover the whole DW design. Our methodology adapts the i* framework to be used under MDA and the SPEM approaches in order to elicit and develop security requirements for DWs. The benefits of our proposal are shown through an example related to the management of the pharmacies consortium business.

3.
Software-as-a-service (SaaS) multi-tenancy in cloud-based applications helps service providers to save cost, improve resource utilization, and reduce service customization and maintenance time. This is achieved by sharing of resources and service instances among multiple “tenants” of the cloud-hosted application. However, supporting multi-tenancy adds more complexity to SaaS applications required capabilities. Security is one of these key requirements that must be addressed when engineering multi-tenant SaaS applications. The sharing of resources among tenants—i.e. multi-tenancy—increases tenants’ concerns about the security of their cloud-hosted assets. Compounding this, existing traditional security engineering approaches do not fit well with the multi-tenancy application model where tenants and their security requirements often emerge after the applications and services were first developed. The resultant applications do not usually support diverse security capabilities based on different tenants’ needs, some of which may change at run-time i.e. after cloud application deployment. We introduce a novel model-driven security engineering approach for multi-tenant, cloud-hosted SaaS applications. Our approach is based on externalizing security from the underlying SaaS application, allowing both application/service and security to evolve at runtime. Multiple security sets can be enforced on the same application instance based on different tenants’ security requirements. We use abstract models to capture service provider and multiple tenants’ security requirements and then generate security integration and configurations at runtime. We use dependency injection and dynamic weaving via Aspect-Oriented Programming (AOP) to integrate security within critical application/service entities at runtime. We explain our approach, architecture and implementation details, discuss a usage example, and present an evaluation of our approach on a set of open source web applications.  

4.
Security is considered one of the main challenges for software oriented architectures (SOA). For this reason, several standards have been developed around WS-Security. However, these security standards usually hinder interoperability, one of the main pillars of Web service technologies. Software adaptation is a sound solution where an adaptor is deployed in the middle of the communication to overcome signature, behavioural and QoS incompatibilities between services. This is particularly important when dealing with stateful services (such as Windows Workflows or WS-BPEL processes) where any mismatch in the sequence of messages might lead the orchestration to a deadlock situation. We proposed security adaptation contracts as concise and versatile specifications of how such incompatibilities must be solved. Nonetheless, synthesising an adaptor compliant with a given contract is not an easy task where concurrency issues must be kept in mind and security attacks must be analysed and prevented. In this paper, we present an adaptor synthesis, verification and refinement process based on security adaptation contracts which succeeds in overcoming incompatibilities among services and prevents secrecy attacks. We extended the ITACA toolbox for synthesis and deadlock analysis and we integrated it with a variant of CCS, called Crypto-CCS, to verify and refine adaptors based on partial model checking and logical satisfiability techniques.

5.
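Cloud computing is gradually moving from concept to reality, and its broad application prospects are beginning to show. Taking the construction of government agency website clusters as the subject, this paper describes the security design and application methods for using cloud computing to support the architecture of government agency website clusters. The website cluster application environment is built from two aspects. On the one hand, a cloud computing infrastructure platform supporting website cluster applications is built in the IaaS model, and a cloud computing application platform for website cluster content management is built in the SaaS model; on the other hand, public and private cloud environments are used to ensure the system security and information security of the website cluster. This meets the needs of Internet information dissemination more conveniently and flexibly and provides more complete information support services for government operations and enterprise development.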

6.
Among several types of “cloud services”, the Software as a Service (SaaS) solution is promising. The Technology Acceptance Model (TAM) and its modified versions have been popularly utilized for examining how users come to accept a new technology, but have not yet been employed to handle issues regarding SaaS adoption. This paper attempts to develop an explorative model that examines important factors affecting SaaS adoption, in order to facilitate understanding with regard to adoption of SaaS solutions. An explorative model using partial least squares (PLS) path modeling is proposed and a number of hypotheses are tested, which integrate TAM related theories with additional imperative constructs such as marketing effort, security and trust. Thus, the findings of this study can not only help enterprise users gain insights into SaaS adoption, but also help SaaS providers obtain inspiration in their efforts to discover more effective courses of action for improving both new product development and marketing strategy.

7.
Information security culture develops in an organization due to certain actions taken by the organization. Management implements information security components, such as policies and technical security measures with which employees interact and that they include in their working procedures. Employees develop certain perceptions and exhibit behavior, such as the reporting of security incidents or sharing of passwords, which could either contribute or be a threat to the securing of information assets. To inculcate an acceptable level of information security culture, the organization must govern information security effectively by implementing all the required information security components. This article evaluates four approaches towards information security governance frameworks in order to arrive at a complete list of information security components. The information security components are used to compile a new comprehensive Information Security Governance framework. The proposed governance framework can be used by organizations to ensure they are governing information security from a holistic perspective, thereby minimising risk and cultivating an acceptable level of information security culture.

8.
Despite that Software as a Service (SaaS) seems to be the most tempting solution among different types of cloud services, yet it has not been adopted to-date with as much alacrity as was originally expected. A variety of factors may influence the adoption of SaaS solutions. The objective of this study is thus to explore the significant factors affecting the adoption of SaaS for vendors and enterprise users. An analytical framework is proposed containing two approaches—Technology Acceptance Model (TAM) and Rough Set Theory (RST). An empirical study on the IT/MIS enterprises in Taiwan is carried out. The results have revealed a considerable amount of meaningful information, which not only facilitates the SaaS vendors to grasp users’ needs and concerns about SaaS adoption, but also helps the managers to introduce effective marketing strategies and actions to promote the growth of SaaS market. Based on the findings, some managerial implications are discussed.

9.
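Taking the construction of government agency website clusters as its subject, this paper builds an experimental and application platform for cloud-based website cluster construction and describes the architecture, security design and application methods for using cloud computing to support government agency website clusters. The paper meets website cluster application requirements mainly in two respects: on the one hand, a cloud computing infrastructure platform supporting website cluster applications is built in the IaaS (Infrastructure as a Service) model, and a cloud computing platform for website cluster content management is built in the SaaS (Software as a Service) model; on the other hand, public and private cloud environments are built to ensure the system security and information security of the website cluster. Using cloud computing as the platform to provide users with one-stop website cluster construction, operation and monitoring services will become a new direction for government website cluster construction.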

10.
International Journal of Information Security - Insider’s information security threat is one of the most critical issues in organizations. Due to their access to the assets and their...

11.
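In the information age, information security is increasingly important. The development of information security technology provides strong assurance for information security. This paper introduces the classification of information security technologies and the current state and development trends of the main ones, focusing on cryptography, secure operating systems, network isolation technology, network security behavior monitoring technology, disaster recovery and emergency response technology, identity authentication technology, and trusted computing technology.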

12.
13.
Systems development methodologies incorporate security requirements as an afterthought in the non-functional requirements of systems. The lack of appropriate access control on information exchange among business activities can leave organizations vulnerable to information assurance threats. The gap between systems development and systems security leads to software development efforts that lack an understanding of security risks. We address the research question: how can we incorporate security as a functional requirement in the analysis and modeling of business processes? This study extends the Semantic approach to Secure Collaborative Inter-Organizational eBusiness Processes in D'Aubeterre et al. (2008). In this study, we develop the secure activity resource coordination (SARC) artifact for a real-world business process. We show how SARC can be used to create business process models characterized by the secure exchange of information within and across organizational boundaries. We present an empirical evaluation of the SARC artifact against the Enriched-Use Case (Siponen et al., 2006) and standard UML-Activity Diagram to demonstrate the utility of the proposed design method.

14.
Providing secure communication in distributed systems often introduces a performance penalty due to the CPU-intensive operations used by security protocols such as the Secure Sockets Layer (SSL) protocol. This paper proposes a technique, called security sieve, which enhances the performance of SSL-based document transmission. Security sieve separates the sensitive components from the non-sensitive components, and transmits the separated components over a secure channel and a (faster) non-secure channel, respectively. At the receiving end, the separated components are re-assembled to reconstruct the original document. A significant performance improvement with security sieve is observed for a number of system and workload parameters.

15.
Software vendors increasingly aim to apply the Software-as-a-Service (SaaS) delivery model instead of the traditional on-premise model. Platforms-as-a-Service (PaaS), such as Google App Engine and Windows Azure, deliver a computing platform and solution stack as a service, but they also aim to facilitate the development of cloud applications (SaaS). Such PaaS offerings should enable third parties to build and deliver multi-tenant SaaS applications while shielding the complexity of the underpinning middleware and infrastructure. This paper compares, on the basis of a practical case study, three different and representative PaaS platforms with respect to their support for SaaS application development. We have reengineered an on-premise enterprise application into a SaaS application and we have subsequently deployed it in three PaaS-based cloud environments. We have investigated the following qualities of the PaaS platforms from the perspective of SaaS development: portability of the application code base, available support for creating and managing multi-tenant-aware applications, and quality of the tool support.

16.
Concepts and principles of TINA (Telecommunications Information Networking Architecture) are introduced with the objective of correcting problems of the current centralized service control and service data model in an IN (Intelligent Network). It is becoming increasingly clear that the future sophisticated telecommunication services, e.g., multimedia, and multi-party conferencing, breaking away from the traditional telephony call model will need the solutions for rapid and efficient introduction, deployment, operations, and management. In this paper, we discuss accounting features and requirements, as well as security services in the TINA management context. We will introduce and present an implementation of a model for a security management, based on secure objects, cryptography and certificate distribution. In order to provide secure services, secure objects that have security functionality, such as authentication and access control, have been defined. Secure objects in our model are CORBA objects. The security domain is also called SBS (Security Base Server), provides security services and has an SMIB (Security Management Information Base) that contains security policies, cryptographic algorithms, and other relevant information. A prototype has been implemented and some experimental results are presented.

17.
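When network security is mentioned, firewalls, intrusion detection and VPN products immediately come to mind. However, these security devices are relatively expensive for small and medium-sized enterprises and are complex to manage. Using a security router with multiple security functions to build the enterprise network therefore becomes a new security solution. This paper discusses the application of security routers in small and medium-sized enterprises.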

18.
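Using an office automation system as an example, a network information security solution for small and medium-sized enterprises and public institutions is proposed; the solution offers high security and simple maintenance. The solution is analyzed in depth from three aspects (network topology, encryption of information in transit, and user operation), with particular attention to the theoretical basis of the Secure Sockets Layer protocol used during information transmission.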

19.
Application-level multi-tenancy is an architectural approach for Software-as-a-Service (SaaS) applications which enables high operational cost efficiency by sharing one application instance among multiple customer organizations (the so-called tenants). However, the focus on increased resource sharing typically results in a one-size-fits-all approach. In principle, the shared application instance satisfies only the requirements common to all tenants, without supporting potentially different and varying requirements of these tenants. As a consequence, multi-tenant SaaS applications are inherently limited in terms of flexibility and variability. This paper presents an integrated service engineering method, called service line engineering, that supports co-existing tenant-specific configurations and that facilitates the development and management of customizable, multi-tenant SaaS applications, without compromising scalability. Specifically, the method spans the design, implementation, configuration, composition, operations and maintenance of a SaaS application that bundles all variations that are based on a common core. We validate this work by illustrating the benefits of our method in the development of a real-world SaaS offering for document processing. We explicitly show that the effort to configure and compose an application variant for each individual tenant is significantly reduced, though at the expense of a higher initial development effort.

20.
Software systems are becoming more and more critical in every domain of human society. These systems are used not only by corporates and governments, but also by individuals and across networks of organizations. The wide use of software systems has resulted in the need to contain a large amount of critical information and processes, which certainly need to remain secure. As a consequence, it is important to ensure that the systems are secure by considering security requirements at the early phases of software development life cycle. In this paper, we propose to consider security requirements as functional requirements and apply model-oriented security requirements engineering framework as a systematic solution to elicit security requirements for e-governance software systems. As the result, high level of security can be achieved by more coverage of assets and threats, and identifying more traces of vulnerabilities in the early stages of requirements engineering. This in turn will help to elicit effective security requirements as countermeasures with business requirements.
