SlideShare une entreprise Scribd logo

Joint workshop on security modeling archimate forum and security forum

L
Luxembourg Institute of Science and Technology

Joint workshop on security modeling archimate forum and security forum

Sciences
1  sur  37
Télécharger pour lire hors ligne
Copyright © The Open Group 2011 Joint Workshop on Security Modeling ArchiMate Forum and Security Forum Facilitators: Erik Proper, Senior Research Manager and Christophe Feltus, Senior Research Engineer, Public Research Center Henri Tudor Iver Band, Enterprise Architect, Standard Insurance Company
Copyright © The Open Group 2011 Workshop Agenda 2 • Welcome and purpose • Introductions • Research spotlight: Strengthening RBAC with Responsibility Modeling • Motivation: The Inaction Problem in Information Security • Open Discussion: • Complementing TOGAF® and ArchiMate® with enhanced security modeling • Identification and prioritization of challenges • Next steps and adjourn
Copyright © The Open Group 2011 Workshop Purpose • The acceptance and maturity of TOGAF and ArchiMate present opportunities to • Improve the conceptual and visual modeling of enterprise information security • Drive usage of TOGAF and ArchiMate for security architecture • Enable information security stakeholders to make better decisions about protecting their interests • Enable all business leaders to understand the impact of information security or the lack thereof • We are here to identify and prioritize these opportunities, and to plan efforts to exploit them 3
Copyright © The Open Group 2011 Brief Personal Introductions • Name • Organization and position • Involvement in The Open Group • Security and modeling background and interests 4
Copyright © The Open Group 2011 Sponsored by Christophe Feltus Senior R&D Engineer christophe.feltus@tudor.lu Public Research Centre Henri Tudor 29, avenue John F. Kennedy L-1855 Luxembourg-Kirchberg Tel +352 42 59 91 - 1 Fax +352 42 59 91 - 777 www.tudor.lu Research Spotlight: Strengthening RBAC with Responsibility Modeling The Open Group Conference, San Francisco, USA, Feb 2, 2012
Copyright © The Open Group 2011 Outline 6 • Context of the research • The problem / the research approach • What is RBAC ? • Case study • 1st research question: How should responsibility be modelled, both in general and specifically in ArchiMate ? • 2nd research question: How can models of responsibility be used to improve access rights management ? • Conclusions
Copyright © The Open Group 2011 The Problem The research addresses two problems arising from security and governance requirements, such as Basel II and Sarbanes-Oxley • Enterprises must precisely provision access rights according to business needs, principles such as least privilege and separation of duties as well as statutory requirements. • RBAC partially solves that problem • Enterprises must precisely define responsibilities and stakeholders must understand them. • Today, there is no standard business definition of responsibility  Both problems are linked: Responsibility definition enables precise provisioning of access rights 7
Copyright © The Open Group 2011 Approach • In order to solve the problem: • We explore a model to define responsibilities • We consider access rights provisioning based on the model 8
Copyright © The Open Group 2011 RBAC 9 • A widely implemented mechanism for protecting system resources. Relies on user authentication, which in turn relies on identity management • Defines and applies relationships between • Users − often human, but can also be systems • Roles − job functions defined for an organization • Permissions − organizational consent to perform specific operations • Ensures that each user can execute only those operations authorized through roles that are both assigned to that user and activated for that user’s session • Four standard and cumulative levels (hierarchical, constraint,…) Users Roles Sessions Operations Objects Permissions (UA) User Assignment (PA) Permission Assignment user_sessions Session_roles Modeling RBAC with SABSA, TOGAF and ArchiMate, Creating a Foundation for Understanding and Action, Iver Band, CISSP Open Group Conference, Austin, Texas
Copyright © The Open Group 2011 Administration framework 10 Modeling RBAC with SABSA, TOGAF and ArchiMate, Creating a Foundation for Understanding and Action, Iver Band, CISSP Open Group Conference, Austin, Texas Business Actor Business object Business Role Business process / function / interaction • The data object Users corresponds to the Business Actor • The data object Roles Corresponds to the Business Role • The data object Permissions corresponds to the access to data object
Copyright © The Open Group 2011 Case study 11 Project management • The role of project manager is assigned to four processes that compose the project management service • Each of these processes accesses specific data • Bob is a project manager Project manager Manage team Prepare budget Manage risk Review results Patrick Bob Secretary Team Mgt data Budget data Risk Mgt data Results data
Copyright © The Open Group 2011 Case study 12 • Bob has too much work and delegates the preparation of the budget to his secretary, Patrick. •  How can Bob assign Patrick the necessary rights? Project manager Manage team Prepare budget Manage risk Review results Patrick Bob Secretary Team Mgt data Budget data Risk Mgt data Results data ?
Copyright © The Open Group 2011 Case study 13 • In this model, the Secretary role is assigned to the Prepare Budget Process • What happens to the other secretaries?  They receive too many rights Project manager Manage team Prepare budget Manage risk Review results Patrick Bob Secretary Team Mgt data Budget data Risk Mgt data Results data ?
Copyright © The Open Group 2011 Case study 14 • In this model, Patrick gets a special-purpose role • Is Patrick the only person who can manage the budget ? Role just for Patrick Project manager Manage team Prepare budget Manage risk Review results Patrick Bob Secretary Team Mgt data Budget data Risk Mgt data Results data ?
Copyright © The Open Group 2011 What we need to model 15 Therefore, we introduce RESPONSIBILITY
Copyright © The Open Group 2011 Responsibility Modeling 16 • How should responsibility be modelled, both in general and specifically in ArchiMate ? • New concepts • Relation between those concepts and ArchiMate  Illustrations with the case study
Copyright © The Open Group 2011 New Concepts 17 duty to report or explain the action or someone else's action to a given authority Name Symbol Meaning Responsibility A property assigned to a business actor that aggregates a set of obligations and rights Obligation An obligation is a duty to perform a task Right An ability granted to a business actor by the enterprise in order to enable the business actor to perform a specific task. Capability An ability of a business actor that has not been granted by the enterprise. Justification A justification is a duty to report and explain the action to a given authority Responsibility Right Capability Justification Obligation
Copyright © The Open Group 2011 Responsibility Modeling 18 Responsibility Business object Right To access requires Is necessary for Business role Business actor assigned to assigned to Business process concerns Obligation
Copyright © The Open Group 2011 Responsibility Modeling 19 Business actor Business role Business object Business Process Responsibility Obligation Right To access assigned torequires Is necessary for concerns assigned to Capability requires Is necessary for Justification
Copyright © The Open Group 2011 20 Prepare budget Read and write requiresconcerns Responsibility to prepare the budget Do concerns Patrick Budget data Project manager Bob Control Responsibility to review the budgetRead requires concerns Responsibilities to perform and control the budget necessary for necessary for
Copyright © The Open Group 2011 Outline 21 • Context of the research • The problem / the research approach • What is RBAC ? • Case study • 1st research question: How should responsibility be modelled, both in general and specifically in ArchiMate ? • 2nd research question: How can models of responsibility be used to improve access rights management ? • Conclusions
Copyright © The Open Group 2011 Second research question 22 • How to include the responsibility with RBAC and with RBAC administration framework ? • Introduction of the responsibility at the business layer and at the application layer • Association of the responsibility with the Business role and the RBAC role.  Illustration with the case study
Copyright © The Open Group 2011 Administrative Framework without Responsibility 23 Business Role RBAC Role Business Actor User ApplicationLayerBusinessLayer Assignment Inappropriate ! Permission
Copyright © The Open Group 2011 Administrative Framework with Responsibility 24 RBAC Role Business Role Responsibility Responsibility Business Actor User ApplicationLayerBusinessLayer Business Role Assignment Permission
Copyright © The Open Group 2011 25 Responsibility to review the budget Bob Patrick Budget data Read concerns Write concerns Responsibility to prepare the budget Business Actor Responsibilities Permission Project manager Case Study with Responsibility RBAC Role #1 RBAC Role #2
Copyright © The Open Group 2011 Conclusion 26 • In order to meet security and governance requirements, enterprises must precisely define responsibilities and provision access rights • The proposed responsibility extension to ArchiMate enables this precision RolePermission Role Role Role Role Hierarchy Permission Role Hierarchy Respons. Obligation Role Role Role Role
Copyright © The Open Group 2011 Conclusion 27 • The responsibility concept aligns access rights between the ArchiMate Business and Application layers.
Copyright © The Open Group 2011 Motivation: The Inaction Problem in Information Security 28
Copyright © The Open Group 2011 Stakeholder Inaction Causes Great Harm • According to an international study of 761 data compromise incidents in 20101 • 83% of victims were targets of opportunity, the same as 2009 • 92% of attacks were not highly difficult, up 7% from 2009 • 96% of breaches were avoidable through simple or intermediate controls, the same as 2009 • 89% of victims subject to the Payment Card Industry Data Security Standard2 had not achieved compliance 29
Copyright © The Open Group 2011 Why Don’t Stakeholders Act? • Economic explanations fall into categories such as3 • Misaligned incentives • Breach victims often suffer more than individuals responsible for preventing breaches • Employees are often more motivated to do things quickly and cheaply than securely • Asymmetric information • Market participants are variously incented to exaggerate or minimize risk • Exaggerated claims about premium countermeasures make customers unwilling to pay extra for better security • Network Externalities • Embracing weak security often helps build market share • Early countermeasure adopters must often await broader adoption to realize benefits • Externalities of Insecurity • The social cost of asset compromise is often greater than the owners’ cost 30
Copyright © The Open Group 2011 Why Don’t Stakeholders Act? • Security measures are always trade-offs, but our innate psychology causes us to misinterpret risk. Bruce Schneier4 identifies five areas that we often get wrong • Risk severity • Risk probability • Risk impact • Effectiveness of countermeasures • Comparison of disparate risks and costs • For example, we often4 • Exaggerate spectacular but rare risks and downplay common ones • Have trouble estimating risks for anything outside our normal situation • Perceive personified risks as greater than anonymous risks • Underestimate risks we willingly take or have some control over, but overestimate risks we can’t control • Overestimate risks that are receiving great publicity, that are new, or are man-made relative to risks that are less publicized, commonplace or natural in origin 31
Copyright © The Open Group 2011 Why Don’t Stakeholders Act? • We are much better equipped to address imminent threats versus those looming in the distance. As Schneier4 says • “We are very well adapted to dealing with the security environment endemic to hominids living in small family groups on the highland plains of East Africa” • In fact, our “Abstract concepts are largely metaphorical”5. For example, we • Punch a hole in the firewall • Experience security breaches • Analyze attack surfaces • All too often, end up between a rock and a hard place 32
Copyright © The Open Group 2011 Questions for Discussion • How can security architects use the ArchiMate visual modeling language to • Align stakeholders’ perceptions of risk with the logical and mathematical reality of enterprise risk? • Enable the sponsors, designers and implementers of controls to make the best possible protective decisions for their enterprise? • How can The Open Group build on ArchiMate 2.0 to better support security architecture? 33
Copyright © The Open Group 2011 Thank You! 34
Copyright © The Open Group 2011 Supplementary Material 35
Copyright © The Open Group 2011 Motivation References 1. W. Baker, A. Hutton, C.D. Hylender, J. Pamula, C. Porter, M. Spitler, et. al. 2011 Data Breach Investigations Report [Online], 2011. http://www.verizonbusiness.com/resources/reports/rp_data-breach- investigations-report-2011_en_xg.pdf 2. PCI Security Standards Council. Payment Card Industry Data Security Standard version 2.0 [Online], 2010. https://www.pcisecuritystandards.org/security_standards/documents.php?docu ment=pci_dss_v2-0#pci_dss_v2-0 3. T. Moore, R. Anderson. Economics and Internet Security: a Survey of Recent Analytical, Empirical and Behavioral Research [Online], 2011. ftp://ftp.deas.harvard.edu/techreports/tr-03-11.pdf 4. B. Schneier. The Psychology of Security [Online], 2008. http://www.schneier.com/essay-155.html 5. Lakoff, George, Johnson, Mark. Philosophy in the Flesh. Basic Books, 1999. 36
Copyright © The Open Group 2011 Responsibility References 1. Christophe Feltus, Eric Dubois, Erik Proper, Iver Band, Michaël Petit, Enhancing the ArchiMate® Standard with a Responsibility Modeling Language for Access Rights Management, 5th ACM International Conference on Security of Information and Networks (ACM SIN 2012), 22-27/10/2012, Jaipur, Rajastan, India. ISBN: 978-1-4503-1668-2 2. Christophe Feltus, Michaël Petit, Eric Dubois, ReMoLa: Responsibility Model Language to Align Access Rights with Business Process Requirements, Fifth IEEE International Conference on Research Challenges in Information Science (IEEE RCIS 2011), 19-21/5/2011, Guadeloupe - French West Indies, France 3. Christophe Feltus, Eric Dubois, Michaël Petit, Conceptualizing a Responsibility based Approach for Elaborating and Verifying RBAC Policies Conforming with CobiT Framework Requirements, Third International Workshop on Requirements Engineering and Law (RELAW10), in conjunction with the 18th IEEE International Requirements Engineering Conference (RE2010), 27/9-1/10/2010, Sydney, Australia. 4. Christophe Feltus, Michaël Petit, Morris Sloman, Enhancement of Business IT Alignment by Including Responsibility Components in RBAC, 5th International Workshop on Business/IT Alignment and Interoperability (BUSITAL 2010), an International Workshop of the 22th Conference on Advanced Information Systems Engineering (CAISE2010), 7-11/6/2010, Hammamet, Tunisia 5. Christophe Feltus, Michaël Petit, Eric Dubois, Strengthening Employee’s Responsibility to Enhance Governance of IT - COBIT RACI Chart Case Study, The 1st ACM Workshop on Information Security Governance (ACM WISG 2009) held in conjunction with the 16th ACM Conference on Computer and Communications Security (ACM CCS 2009), 13/11/2009, Chicago, Illinois, USA. 6. Christophe Feltus, Michaël Petit, Building a Responsibility Model Including Accountability, Capability and Commitment, Fourth International Conference on Availability, Reliability and Security (“ARES 2009 – The International Dependability Conference”) IEEE, 16-19/3/2009, Fukuoka, Japan. (SCOPUS) 7. Christophe Feltus, Michaël Petit, Building a Responsibility Model using Modal Logic - Towards Accountability, Capability and Commitment Concepts, The seventh ACS/IEEE International Conference on Computer Systems and Applications (AICCSA-09) IEEE, 10-13/5/2009, Rabat, Morocco 37

Recommandé

Ch11
Ch11Ch11
Ch11
kelasapa
 
TOGAF® & Major IT Frameworks - Architecting the Family
TOGAF® & Major IT Frameworks - Architecting the FamilyTOGAF® & Major IT Frameworks - Architecting the Family
TOGAF® & Major IT Frameworks - Architecting the Family
Danny Greefhorst
 
IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5
Eryk Budi Pratama
 
Introduction to COBIT 5 and IT management
Introduction to COBIT 5 and IT managementIntroduction to COBIT 5 and IT management
Introduction to COBIT 5 and IT management
Christian F. Nissen
 
Removing the barriers to business transformation with ArchiMate
Removing the barriers to business transformation with ArchiMateRemoving the barriers to business transformation with ArchiMate
Removing the barriers to business transformation with ArchiMate
Corso
 
The first year of EA at Bristol
The first year of EA at BristolThe first year of EA at Bristol
The first year of EA at Bristol
emergingpractices
 
EA Governance
EA GovernanceEA Governance
EA Governance
emergingpractices
 
What Can We Do With The ArchiMate Language?
What Can We Do With The ArchiMate Language?What Can We Do With The ArchiMate Language?
What Can We Do With The ArchiMate Language?
Iver Band
 

Recommandé

Ch11
Ch11Ch11
Ch11
kelasapa
 
TOGAF® & Major IT Frameworks - Architecting the Family
TOGAF® & Major IT Frameworks - Architecting the FamilyTOGAF® & Major IT Frameworks - Architecting the Family
TOGAF® & Major IT Frameworks - Architecting the Family
Danny Greefhorst
 
IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5IT Governance - Capability Assessment using COBIT 5
IT Governance - Capability Assessment using COBIT 5
Eryk Budi Pratama
 
Introduction to COBIT 5 and IT management
Introduction to COBIT 5 and IT managementIntroduction to COBIT 5 and IT management
Introduction to COBIT 5 and IT management
Christian F. Nissen
 
Removing the barriers to business transformation with ArchiMate
Removing the barriers to business transformation with ArchiMateRemoving the barriers to business transformation with ArchiMate
Removing the barriers to business transformation with ArchiMate
Corso
 
The first year of EA at Bristol
The first year of EA at BristolThe first year of EA at Bristol
The first year of EA at Bristol
emergingpractices
 
EA Governance
EA GovernanceEA Governance
EA Governance
emergingpractices
 
What Can We Do With The ArchiMate Language?
What Can We Do With The ArchiMate Language?What Can We Do With The ArchiMate Language?
What Can We Do With The ArchiMate Language?
Iver Band
 
Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World
Daljit Banger
 
Archi mate views_and_viewpoints
Archi mate views_and_viewpointsArchi mate views_and_viewpoints
Archi mate views_and_viewpoints
Igor Igoroshka
 
Software Architecture: Why and What?
Software Architecture: Why and What?Software Architecture: Why and What?
Software Architecture: Why and What?
Chris F Carroll
 
Zachman’s Framework & TOGAF for EA in Research Institute: Case Study of Indo...
Zachman’s Framework & TOGAF for EA in Research Institute: Case Study of Indo...Zachman’s Framework & TOGAF for EA in Research Institute: Case Study of Indo...
Zachman’s Framework & TOGAF for EA in Research Institute: Case Study of Indo...
Riri Kusumarani
 
Modeling TOGAF with ArchiMate
Modeling TOGAF with ArchiMateModeling TOGAF with ArchiMate
Modeling TOGAF with ArchiMate
Iver Band
 
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise ITCOBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
Mark Constable
 
EAPJ Vol IV July 2017
EAPJ Vol IV July 2017EAPJ Vol IV July 2017
EAPJ Vol IV July 2017
Darryl_Carr
 
SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2
NextLabs, Inc.
 
How to pass cobit exam
How to pass cobit exam How to pass cobit exam
How to pass cobit exam
Egyptian Engineers Association
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introduction
Markus Yaldu
 
Why Program Management is Essential for IT Projects
Why Program Management is Essential for IT ProjectsWhy Program Management is Essential for IT Projects
Why Program Management is Essential for IT Projects
bbigelow
 
An Introduction to Enterprise Architecture Visual Modeling with The ArchiMate...
An Introduction to Enterprise Architecture Visual Modeling with The ArchiMate...An Introduction to Enterprise Architecture Visual Modeling with The ArchiMate...
An Introduction to Enterprise Architecture Visual Modeling with The ArchiMate...
Enterprise Architecture Professional Journal
 
IntelliSense EA Practice - EA Framework Comparison
IntelliSense EA Practice - EA Framework ComparisonIntelliSense EA Practice - EA Framework Comparison
IntelliSense EA Practice - EA Framework Comparison
Carl Barnes
 
Enterprise Architecture Overview
Enterprise Architecture OverviewEnterprise Architecture Overview
Enterprise Architecture Overview
Tim Murphy
 
IS.IT. Project Office set-up in complex environment. A post-merger case ( PRA...
IS.IT. Project Office set-up in complex environment. A post-merger case ( PRA...IS.IT. Project Office set-up in complex environment. A post-merger case ( PRA...
IS.IT. Project Office set-up in complex environment. A post-merger case ( PRA...
Manuel Lacarte
 
TOGAF Reference Models
TOGAF Reference ModelsTOGAF Reference Models
TOGAF Reference Models
Paul Sullivan
 
Cobit 2019 framework by ISACA
Cobit 2019 framework by ISACACobit 2019 framework by ISACA
Cobit 2019 framework by ISACA
MDFazlaRabbiAbir
 
Erp 03
Erp 03Erp 03
Erp 03
Anna Osyatnik
 
Enterprise reference architecture v1.1.ppt
Enterprise reference architecture v1.1.pptEnterprise reference architecture v1.1.ppt
Enterprise reference architecture v1.1.ppt
Ahmed Fattah
 
User-Centric Design: How to Leverage Use Cases and User Scenarios to Design S...
User-Centric Design: How to Leverage Use Cases and User Scenarios to Design S...User-Centric Design: How to Leverage Use Cases and User Scenarios to Design S...
User-Centric Design: How to Leverage Use Cases and User Scenarios to Design S...
SPTechCon
 
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
christophefeltus
 
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
Luxembourg Institute of Science and Technology
 

Contenu connexe

Tendances

Modeling TOGAF with ArchiMate
Modeling TOGAF with ArchiMateModeling TOGAF with ArchiMate
Modeling TOGAF with ArchiMate
Iver Band
 
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise ITCOBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
Mark Constable
 
SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2
NextLabs, Inc.
 
Why Program Management is Essential for IT Projects
Why Program Management is Essential for IT ProjectsWhy Program Management is Essential for IT Projects
Why Program Management is Essential for IT Projects
bbigelow
 

Tendances (19)

Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World
 
Archi mate views_and_viewpoints
Archi mate views_and_viewpointsArchi mate views_and_viewpoints
Archi mate views_and_viewpoints
 
Software Architecture: Why and What?
Software Architecture: Why and What?Software Architecture: Why and What?
Software Architecture: Why and What?
 
Zachman’s Framework & TOGAF for EA in Research Institute: Case Study of Indo...
Zachman’s Framework & TOGAF for EA in Research Institute: Case Study of Indo...Zachman’s Framework & TOGAF for EA in Research Institute: Case Study of Indo...
Zachman’s Framework & TOGAF for EA in Research Institute: Case Study of Indo...
 
Modeling TOGAF with ArchiMate
Modeling TOGAF with ArchiMateModeling TOGAF with ArchiMate
Modeling TOGAF with ArchiMate
 
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise ITCOBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
COBIT 2019 webinar Use Cases: Tailoring Governance of Your Enterprise IT
 
EAPJ Vol IV July 2017
EAPJ Vol IV July 2017EAPJ Vol IV July 2017
EAPJ Vol IV July 2017
 
SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2SharePoint Business Track Part 1 of 2
SharePoint Business Track Part 1 of 2
 
How to pass cobit exam
How to pass cobit exam How to pass cobit exam
How to pass cobit exam
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introduction
 
Why Program Management is Essential for IT Projects
Why Program Management is Essential for IT ProjectsWhy Program Management is Essential for IT Projects
Why Program Management is Essential for IT Projects
 
An Introduction to Enterprise Architecture Visual Modeling with The ArchiMate...
An Introduction to Enterprise Architecture Visual Modeling with The ArchiMate...An Introduction to Enterprise Architecture Visual Modeling with The ArchiMate...
An Introduction to Enterprise Architecture Visual Modeling with The ArchiMate...
 
IntelliSense EA Practice - EA Framework Comparison
IntelliSense EA Practice - EA Framework ComparisonIntelliSense EA Practice - EA Framework Comparison
IntelliSense EA Practice - EA Framework Comparison
 
Enterprise Architecture Overview
Enterprise Architecture OverviewEnterprise Architecture Overview
Enterprise Architecture Overview
 
IS.IT. Project Office set-up in complex environment. A post-merger case ( PRA...
IS.IT. Project Office set-up in complex environment. A post-merger case ( PRA...IS.IT. Project Office set-up in complex environment. A post-merger case ( PRA...
IS.IT. Project Office set-up in complex environment. A post-merger case ( PRA...
 
TOGAF Reference Models
TOGAF Reference ModelsTOGAF Reference Models
TOGAF Reference Models
 
Cobit 2019 framework by ISACA
Cobit 2019 framework by ISACACobit 2019 framework by ISACA
Cobit 2019 framework by ISACA
 
Erp 03
Erp 03Erp 03
Erp 03
 
Enterprise reference architecture v1.1.ppt
Enterprise reference architecture v1.1.pptEnterprise reference architecture v1.1.ppt
Enterprise reference architecture v1.1.ppt
 

Similaire à Joint workshop on security modeling archimate forum and security forum

Is Your E-Business Suite Data Visible After An M&A Event?
Is Your E-Business Suite Data Visible After An M&A Event?Is Your E-Business Suite Data Visible After An M&A Event?
Is Your E-Business Suite Data Visible After An M&A Event?
SmartDog Services
 

Similaire à Joint workshop on security modeling archimate forum and security forum (20)

User-Centric Design: How to Leverage Use Cases and User Scenarios to Design S...
User-Centric Design: How to Leverage Use Cases and User Scenarios to Design S...User-Centric Design: How to Leverage Use Cases and User Scenarios to Design S...
User-Centric Design: How to Leverage Use Cases and User Scenarios to Design S...
 
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
 
Sim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access managementSim an innovative business oriented approach for a distributed access management
Sim an innovative business oriented approach for a distributed access management
 
An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...
 
An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...An agent based framework for identity management the unsuspected relation wit...
An agent based framework for identity management the unsuspected relation wit...
 
Who govern my responsibilities sim a methodology to align business and it pol...
Who govern my responsibilities sim a methodology to align business and it pol...Who govern my responsibilities sim a methodology to align business and it pol...
Who govern my responsibilities sim a methodology to align business and it pol...
 
Methodology to align business and it policies use case from an it company
Methodology to align business and it policies use case from an it companyMethodology to align business and it policies use case from an it company
Methodology to align business and it policies use case from an it company
 
Methodology to align business and it policies use case from an it company
Methodology to align business and it policies use case from an it companyMethodology to align business and it policies use case from an it company
Methodology to align business and it policies use case from an it company
 
Soa 2013
Soa 2013Soa 2013
Soa 2013
 
Fear and Loathing in Agility: Long Live the Accounting Department
Fear and Loathing in Agility: Long Live the Accounting DepartmentFear and Loathing in Agility: Long Live the Accounting Department
Fear and Loathing in Agility: Long Live the Accounting Department
 
Project Organizational Responsibility Model - ORM
Project Organizational Responsibility Model - ORMProject Organizational Responsibility Model - ORM
Project Organizational Responsibility Model - ORM
 
Enterprise Architecture - An Introduction
Enterprise Architecture - An Introduction Enterprise Architecture - An Introduction
Enterprise Architecture - An Introduction
 
How to improve an ECM system
How to improve an ECM systemHow to improve an ECM system
How to improve an ECM system
 
PMP Training Course - Project Management Framework
PMP Training Course - Project Management FrameworkPMP Training Course - Project Management Framework
PMP Training Course - Project Management Framework
 
Governance Rules for Open Source Software Systems
Governance Rules for Open Source Software Systems Governance Rules for Open Source Software Systems
Governance Rules for Open Source Software Systems
 
Enabling the Definition and Enforcement of Governance Rules in Open Source Sy...
Enabling the Definition and Enforcement of Governance Rules in Open Source Sy...Enabling the Definition and Enforcement of Governance Rules in Open Source Sy...
Enabling the Definition and Enforcement of Governance Rules in Open Source Sy...
 
Enterprise Agile at Lockheed Martin - 4th February 2014
Enterprise Agile at Lockheed Martin - 4th February 2014Enterprise Agile at Lockheed Martin - 4th February 2014
Enterprise Agile at Lockheed Martin - 4th February 2014
 
Taxonomy Design for the Short on Time
Taxonomy Design for the Short on TimeTaxonomy Design for the Short on Time
Taxonomy Design for the Short on Time
 
Is Your E-Business Suite Data Visible After An M&A Event?
Is Your E-Business Suite Data Visible After An M&A Event?Is Your E-Business Suite Data Visible After An M&A Event?
Is Your E-Business Suite Data Visible After An M&A Event?
 
Lecture 1_System Integration & Architecture
Lecture 1_System Integration & ArchitectureLecture 1_System Integration & Architecture
Lecture 1_System Integration & Architecture
 

Plus de Luxembourg Institute of Science and Technology

Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-TopicsSmart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Luxembourg Institute of Science and Technology
 
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Luxembourg Institute of Science and Technology
 

Plus de Luxembourg Institute of Science and Technology (20)

Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-TopicsSmart-X: an Adaptive Multi-Agent Platform for Smart-Topics
Smart-X: an Adaptive Multi-Agent Platform for Smart-Topics
 
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...Alignment of remmo with rbac to manage access rights in the frame of enterpri...
Alignment of remmo with rbac to manage access rights in the frame of enterpri...
 
Modeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate languageModeling enterprise risk management and secutity with the archi mate language
Modeling enterprise risk management and secutity with the archi mate language
 
Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...Aligning access rights to governance needs with the responsibility meta model...
Aligning access rights to governance needs with the responsibility meta model...
 
Towards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk managementTowards an innovative systemic approach of risk management
Towards an innovative systemic approach of risk management
 
Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...Towards a hl7 based metamodeling integration approach for embracing the priva...
Towards a hl7 based metamodeling integration approach for embracing the priva...
 
Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...Solution standard de compensation appliquée à une architecture e business séc...
Solution standard de compensation appliquée à une architecture e business séc...
 
Strengthening employee’s responsibility to enhance governance of it – cobit r...
Strengthening employee’s responsibility to enhance governance of it – cobit r...Strengthening employee’s responsibility to enhance governance of it – cobit r...
Strengthening employee’s responsibility to enhance governance of it – cobit r...
 
Service specification and service compliance how to consider the responsibil...
Service specification and service compliance how to consider the responsibil...Service specification and service compliance how to consider the responsibil...
Service specification and service compliance how to consider the responsibil...
 
Responsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e governmentResponsibility aspects in service engineering for e government
Responsibility aspects in service engineering for e government
 
Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...Reputation based dynamic responsibility to agent assignement for critical inf...
Reputation based dynamic responsibility to agent assignement for critical inf...
 
Remola responsibility model language to align access rights with business pro...
Remola responsibility model language to align access rights with business pro...Remola responsibility model language to align access rights with business pro...
Remola responsibility model language to align access rights with business pro...
 
Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...Process assessment for use in very small enterprises the noemi assessment met...
Process assessment for use in very small enterprises the noemi assessment met...
 
Preliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methodsPreliminary literature review of policy engineering methods
Preliminary literature review of policy engineering methods
 
Organizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructureOrganizational security architecture for critical infrastructure
Organizational security architecture for critical infrastructure
 
Open sst based clearing mechanism for e business
Open sst based clearing mechanism for e businessOpen sst based clearing mechanism for e business
Open sst based clearing mechanism for e business
 
On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...On designing automatic reaction strategy for critical infrastructure scada sy...
On designing automatic reaction strategy for critical infrastructure scada sy...
 
Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...Noemi, a collaborative management for ict process improvement in sme experien...
Noemi, a collaborative management for ict process improvement in sme experien...
 
Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...Multi agents system service based platform in telecommunication security inci...
Multi agents system service based platform in telecommunication security inci...
 
Multi agents based architecture for is security incident reaction
Multi agents based architecture for is security incident reactionMulti agents based architecture for is security incident reaction
Multi agents based architecture for is security incident reaction
 

Dernier

PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
Sérgio Sacani
 
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Sérgio Sacani
 
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
anilsa9823
 
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43bNightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Sérgio Sacani
 
DIFFERENCE IN BACK CROSS AND TEST CROSS
DIFFERENCE IN BACK CROSS AND TEST CROSSDIFFERENCE IN BACK CROSS AND TEST CROSS
DIFFERENCE IN BACK CROSS AND TEST CROSS
LeenakshiTyagi
 
Disentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTDisentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOST
Sérgio Sacani
 
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Lokesh Kothari
 
The Philosophy of Science
The Philosophy of ScienceThe Philosophy of Science
The Philosophy of Science
University of Hertfordshire
 
❤Jammu Kashmir Call Girls 8617697112 Personal Whatsapp Number 💦✅.
❤Jammu Kashmir Call Girls 8617697112 Personal Whatsapp Number 💦✅.❤Jammu Kashmir Call Girls 8617697112 Personal Whatsapp Number 💦✅.
❤Jammu Kashmir Call Girls 8617697112 Personal Whatsapp Number 💦✅.
Nitya salvi
 
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRStunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Delhi Call girls
 

Dernier (20)

PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
PossibleEoarcheanRecordsoftheGeomagneticFieldPreservedintheIsuaSupracrustalBe...
 
CELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdfCELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdf
 
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
Discovery of an Accretion Streamer and a Slow Wide-angle Outflow around FUOri...
 
GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)
 
fundamental of entomology all in one topics of entomology
fundamental of entomology all in one topics of entomologyfundamental of entomology all in one topics of entomology
fundamental of entomology all in one topics of entomology
 
Forensic Biology & Its biological significance.pdf
Forensic Biology & Its biological significance.pdfForensic Biology & Its biological significance.pdf
Forensic Biology & Its biological significance.pdf
 
Green chemistry and Sustainable development.pptx
Green chemistry and Sustainable development.pptxGreen chemistry and Sustainable development.pptx
Green chemistry and Sustainable development.pptx
 
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
CALL ON ➥8923113531 🔝Call Girls Kesar Bagh Lucknow best Night Fun service 🪡
 
Recombinant DNA technology (Immunological screening)
Recombinant DNA technology (Immunological screening)Recombinant DNA technology (Immunological screening)
Recombinant DNA technology (Immunological screening)
 
Botany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdfBotany 4th semester series (krishna).pdf
Botany 4th semester series (krishna).pdf
 
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43bNightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
Nightside clouds and disequilibrium chemistry on the hot Jupiter WASP-43b
 
Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )Recombination DNA Technology (Nucleic Acid Hybridization )
Recombination DNA Technology (Nucleic Acid Hybridization )
 
TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...
TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...
TEST BANK For Radiologic Science for Technologists, 12th Edition by Stewart C...
 
DIFFERENCE IN BACK CROSS AND TEST CROSS
DIFFERENCE IN BACK CROSS AND TEST CROSSDIFFERENCE IN BACK CROSS AND TEST CROSS
DIFFERENCE IN BACK CROSS AND TEST CROSS
 
Disentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOSTDisentangling the origin of chemical differences using GHOST
Disentangling the origin of chemical differences using GHOST
 
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
 
The Philosophy of Science
The Philosophy of ScienceThe Philosophy of Science
The Philosophy of Science
 
❤Jammu Kashmir Call Girls 8617697112 Personal Whatsapp Number 💦✅.
❤Jammu Kashmir Call Girls 8617697112 Personal Whatsapp Number 💦✅.❤Jammu Kashmir Call Girls 8617697112 Personal Whatsapp Number 💦✅.
❤Jammu Kashmir Call Girls 8617697112 Personal Whatsapp Number 💦✅.
 
VIRUSES structure and classification ppt by Dr.Prince C P
VIRUSES structure and classification ppt by Dr.Prince C PVIRUSES structure and classification ppt by Dr.Prince C P
VIRUSES structure and classification ppt by Dr.Prince C P
 
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRStunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
 

Joint workshop on security modeling archimate forum and security forum

  • 1. Copyright © The Open Group 2011 Joint Workshop on Security Modeling ArchiMate Forum and Security Forum Facilitators: Erik Proper, Senior Research Manager and Christophe Feltus, Senior Research Engineer, Public Research Center Henri Tudor Iver Band, Enterprise Architect, Standard Insurance Company
  • 2. Copyright © The Open Group 2011 Workshop Agenda 2 • Welcome and purpose • Introductions • Research spotlight: Strengthening RBAC with Responsibility Modeling • Motivation: The Inaction Problem in Information Security • Open Discussion: • Complementing TOGAF® and ArchiMate® with enhanced security modeling • Identification and prioritization of challenges • Next steps and adjourn
  • 3. Copyright © The Open Group 2011 Workshop Purpose • The acceptance and maturity of TOGAF and ArchiMate present opportunities to • Improve the conceptual and visual modeling of enterprise information security • Drive usage of TOGAF and ArchiMate for security architecture • Enable information security stakeholders to make better decisions about protecting their interests • Enable all business leaders to understand the impact of information security or the lack thereof • We are here to identify and prioritize these opportunities, and to plan efforts to exploit them 3
  • 4. Copyright © The Open Group 2011 Brief Personal Introductions • Name • Organization and position • Involvement in The Open Group • Security and modeling background and interests 4
  • 5. Copyright © The Open Group 2011 Sponsored by Christophe Feltus Senior R&D Engineer christophe.feltus@tudor.lu Public Research Centre Henri Tudor 29, avenue John F. Kennedy L-1855 Luxembourg-Kirchberg Tel +352 42 59 91 - 1 Fax +352 42 59 91 - 777 www.tudor.lu Research Spotlight: Strengthening RBAC with Responsibility Modeling The Open Group Conference, San Francisco, USA, Feb 2, 2012
  • 6. Copyright © The Open Group 2011 Outline 6 • Context of the research • The problem / the research approach • What is RBAC ? • Case study • 1st research question: How should responsibility be modelled, both in general and specifically in ArchiMate ? • 2nd research question: How can models of responsibility be used to improve access rights management ? • Conclusions
  • 7. Copyright © The Open Group 2011 The Problem The research addresses two problems arising from security and governance requirements, such as Basel II and Sarbanes-Oxley • Enterprises must precisely provision access rights according to business needs, principles such as least privilege and separation of duties as well as statutory requirements. • RBAC partially solves that problem • Enterprises must precisely define responsibilities and stakeholders must understand them. • Today, there is no standard business definition of responsibility  Both problems are linked: Responsibility definition enables precise provisioning of access rights 7
  • 8. Copyright © The Open Group 2011 Approach • In order to solve the problem: • We explore a model to define responsibilities • We consider access rights provisioning based on the model 8
  • 9. Copyright © The Open Group 2011 RBAC 9 • A widely implemented mechanism for protecting system resources. Relies on user authentication, which in turn relies on identity management • Defines and applies relationships between • Users − often human, but can also be systems • Roles − job functions defined for an organization • Permissions − organizational consent to perform specific operations • Ensures that each user can execute only those operations authorized through roles that are both assigned to that user and activated for that user’s session • Four standard and cumulative levels (hierarchical, constraint,…) Users Roles Sessions Operations Objects Permissions (UA) User Assignment (PA) Permission Assignment user_sessions Session_roles Modeling RBAC with SABSA, TOGAF and ArchiMate, Creating a Foundation for Understanding and Action, Iver Band, CISSP Open Group Conference, Austin, Texas
  • 10. Copyright © The Open Group 2011 Administration framework 10 Modeling RBAC with SABSA, TOGAF and ArchiMate, Creating a Foundation for Understanding and Action, Iver Band, CISSP Open Group Conference, Austin, Texas Business Actor Business object Business Role Business process / function / interaction • The data object Users corresponds to the Business Actor • The data object Roles Corresponds to the Business Role • The data object Permissions corresponds to the access to data object
  • 11. Copyright © The Open Group 2011 Case study 11 Project management • The role of project manager is assigned to four processes that compose the project management service • Each of these processes accesses specific data • Bob is a project manager Project manager Manage team Prepare budget Manage risk Review results Patrick Bob Secretary Team Mgt data Budget data Risk Mgt data Results data
  • 12. Copyright © The Open Group 2011 Case study 12 • Bob has too much work and delegates the preparation of the budget to his secretary, Patrick. •  How can Bob assign Patrick the necessary rights? Project manager Manage team Prepare budget Manage risk Review results Patrick Bob Secretary Team Mgt data Budget data Risk Mgt data Results data ?
  • 13. Copyright © The Open Group 2011 Case study 13 • In this model, the Secretary role is assigned to the Prepare Budget Process • What happens to the other secretaries?  They receive too many rights Project manager Manage team Prepare budget Manage risk Review results Patrick Bob Secretary Team Mgt data Budget data Risk Mgt data Results data ?
  • 14. Copyright © The Open Group 2011 Case study 14 • In this model, Patrick gets a special-purpose role • Is Patrick the only person who can manage the budget ? Role just for Patrick Project manager Manage team Prepare budget Manage risk Review results Patrick Bob Secretary Team Mgt data Budget data Risk Mgt data Results data ?
  • 15. Copyright © The Open Group 2011 What we need to model 15 Therefore, we introduce RESPONSIBILITY
  • 16. Copyright © The Open Group 2011 Responsibility Modeling 16 • How should responsibility be modelled, both in general and specifically in ArchiMate ? • New concepts • Relation between those concepts and ArchiMate  Illustrations with the case study
  • 17. Copyright © The Open Group 2011 New Concepts 17 duty to report or explain the action or someone else's action to a given authority Name Symbol Meaning Responsibility A property assigned to a business actor that aggregates a set of obligations and rights Obligation An obligation is a duty to perform a task Right An ability granted to a business actor by the enterprise in order to enable the business actor to perform a specific task. Capability An ability of a business actor that has not been granted by the enterprise. Justification A justification is a duty to report and explain the action to a given authority Responsibility Right Capability Justification Obligation
  • 18. Copyright © The Open Group 2011 Responsibility Modeling 18 Responsibility Business object Right To access requires Is necessary for Business role Business actor assigned to assigned to Business process concerns Obligation
  • 19. Copyright © The Open Group 2011 Responsibility Modeling 19 Business actor Business role Business object Business Process Responsibility Obligation Right To access assigned torequires Is necessary for concerns assigned to Capability requires Is necessary for Justification
  • 20. Copyright © The Open Group 2011 20 Prepare budget Read and write requiresconcerns Responsibility to prepare the budget Do concerns Patrick Budget data Project manager Bob Control Responsibility to review the budgetRead requires concerns Responsibilities to perform and control the budget necessary for necessary for
  • 21. Copyright © The Open Group 2011 Outline 21 • Context of the research • The problem / the research approach • What is RBAC ? • Case study • 1st research question: How should responsibility be modelled, both in general and specifically in ArchiMate ? • 2nd research question: How can models of responsibility be used to improve access rights management ? • Conclusions
  • 22. Copyright © The Open Group 2011 Second research question 22 • How to include the responsibility with RBAC and with RBAC administration framework ? • Introduction of the responsibility at the business layer and at the application layer • Association of the responsibility with the Business role and the RBAC role.  Illustration with the case study
  • 23. Copyright © The Open Group 2011 Administrative Framework without Responsibility 23 Business Role RBAC Role Business Actor User ApplicationLayerBusinessLayer Assignment Inappropriate ! Permission
  • 24. Copyright © The Open Group 2011 Administrative Framework with Responsibility 24 RBAC Role Business Role Responsibility Responsibility Business Actor User ApplicationLayerBusinessLayer Business Role Assignment Permission
  • 25. Copyright © The Open Group 2011 25 Responsibility to review the budget Bob Patrick Budget data Read concerns Write concerns Responsibility to prepare the budget Business Actor Responsibilities Permission Project manager Case Study with Responsibility RBAC Role #1 RBAC Role #2
  • 26. Copyright © The Open Group 2011 Conclusion 26 • In order to meet security and governance requirements, enterprises must precisely define responsibilities and provision access rights • The proposed responsibility extension to ArchiMate enables this precision RolePermission Role Role Role Role Hierarchy Permission Role Hierarchy Respons. Obligation Role Role Role Role
  • 27. Copyright © The Open Group 2011 Conclusion 27 • The responsibility concept aligns access rights between the ArchiMate Business and Application layers.
  • 28. Copyright © The Open Group 2011 Motivation: The Inaction Problem in Information Security 28
  • 29. Copyright © The Open Group 2011 Stakeholder Inaction Causes Great Harm • According to an international study of 761 data compromise incidents in 20101 • 83% of victims were targets of opportunity, the same as 2009 • 92% of attacks were not highly difficult, up 7% from 2009 • 96% of breaches were avoidable through simple or intermediate controls, the same as 2009 • 89% of victims subject to the Payment Card Industry Data Security Standard2 had not achieved compliance 29
  • 30. Copyright © The Open Group 2011 Why Don’t Stakeholders Act? • Economic explanations fall into categories such as3 • Misaligned incentives • Breach victims often suffer more than individuals responsible for preventing breaches • Employees are often more motivated to do things quickly and cheaply than securely • Asymmetric information • Market participants are variously incented to exaggerate or minimize risk • Exaggerated claims about premium countermeasures make customers unwilling to pay extra for better security • Network Externalities • Embracing weak security often helps build market share • Early countermeasure adopters must often await broader adoption to realize benefits • Externalities of Insecurity • The social cost of asset compromise is often greater than the owners’ cost 30
  • 31. Copyright © The Open Group 2011 Why Don’t Stakeholders Act? • Security measures are always trade-offs, but our innate psychology causes us to misinterpret risk. Bruce Schneier4 identifies five areas that we often get wrong • Risk severity • Risk probability • Risk impact • Effectiveness of countermeasures • Comparison of disparate risks and costs • For example, we often4 • Exaggerate spectacular but rare risks and downplay common ones • Have trouble estimating risks for anything outside our normal situation • Perceive personified risks as greater than anonymous risks • Underestimate risks we willingly take or have some control over, but overestimate risks we can’t control • Overestimate risks that are receiving great publicity, that are new, or are man-made relative to risks that are less publicized, commonplace or natural in origin 31
  • 32. Copyright © The Open Group 2011 Why Don’t Stakeholders Act? • We are much better equipped to address imminent threats versus those looming in the distance. As Schneier4 says • “We are very well adapted to dealing with the security environment endemic to hominids living in small family groups on the highland plains of East Africa” • In fact, our “Abstract concepts are largely metaphorical”5. For example, we • Punch a hole in the firewall • Experience security breaches • Analyze attack surfaces • All too often, end up between a rock and a hard place 32
  • 33. Copyright © The Open Group 2011 Questions for Discussion • How can security architects use the ArchiMate visual modeling language to • Align stakeholders’ perceptions of risk with the logical and mathematical reality of enterprise risk? • Enable the sponsors, designers and implementers of controls to make the best possible protective decisions for their enterprise? • How can The Open Group build on ArchiMate 2.0 to better support security architecture? 33
  • 34. Copyright © The Open Group 2011 Thank You! 34
  • 35. Copyright © The Open Group 2011 Supplementary Material 35
  • 36. Copyright © The Open Group 2011 Motivation References 1. W. Baker, A. Hutton, C.D. Hylender, J. Pamula, C. Porter, M. Spitler, et. al. 2011 Data Breach Investigations Report [Online], 2011. http://www.verizonbusiness.com/resources/reports/rp_data-breach- investigations-report-2011_en_xg.pdf 2. PCI Security Standards Council. Payment Card Industry Data Security Standard version 2.0 [Online], 2010. https://www.pcisecuritystandards.org/security_standards/documents.php?docu ment=pci_dss_v2-0#pci_dss_v2-0 3. T. Moore, R. Anderson. Economics and Internet Security: a Survey of Recent Analytical, Empirical and Behavioral Research [Online], 2011. ftp://ftp.deas.harvard.edu/techreports/tr-03-11.pdf 4. B. Schneier. The Psychology of Security [Online], 2008. http://www.schneier.com/essay-155.html 5. Lakoff, George, Johnson, Mark. Philosophy in the Flesh. Basic Books, 1999. 36
  • 37. Copyright © The Open Group 2011 Responsibility References 1. Christophe Feltus, Eric Dubois, Erik Proper, Iver Band, Michaël Petit, Enhancing the ArchiMate® Standard with a Responsibility Modeling Language for Access Rights Management, 5th ACM International Conference on Security of Information and Networks (ACM SIN 2012), 22-27/10/2012, Jaipur, Rajastan, India. ISBN: 978-1-4503-1668-2 2. Christophe Feltus, Michaël Petit, Eric Dubois, ReMoLa: Responsibility Model Language to Align Access Rights with Business Process Requirements, Fifth IEEE International Conference on Research Challenges in Information Science (IEEE RCIS 2011), 19-21/5/2011, Guadeloupe - French West Indies, France 3. Christophe Feltus, Eric Dubois, Michaël Petit, Conceptualizing a Responsibility based Approach for Elaborating and Verifying RBAC Policies Conforming with CobiT Framework Requirements, Third International Workshop on Requirements Engineering and Law (RELAW10), in conjunction with the 18th IEEE International Requirements Engineering Conference (RE2010), 27/9-1/10/2010, Sydney, Australia. 4. Christophe Feltus, Michaël Petit, Morris Sloman, Enhancement of Business IT Alignment by Including Responsibility Components in RBAC, 5th International Workshop on Business/IT Alignment and Interoperability (BUSITAL 2010), an International Workshop of the 22th Conference on Advanced Information Systems Engineering (CAISE2010), 7-11/6/2010, Hammamet, Tunisia 5. Christophe Feltus, Michaël Petit, Eric Dubois, Strengthening Employee’s Responsibility to Enhance Governance of IT - COBIT RACI Chart Case Study, The 1st ACM Workshop on Information Security Governance (ACM WISG 2009) held in conjunction with the 16th ACM Conference on Computer and Communications Security (ACM CCS 2009), 13/11/2009, Chicago, Illinois, USA. 6. Christophe Feltus, Michaël Petit, Building a Responsibility Model Including Accountability, Capability and Commitment, Fourth International Conference on Availability, Reliability and Security (“ARES 2009 – The International Dependability Conference”) IEEE, 16-19/3/2009, Fukuoka, Japan. (SCOPUS) 7. Christophe Feltus, Michaël Petit, Building a Responsibility Model using Modal Logic - Towards Accountability, Capability and Commitment Concepts, The seventh ACS/IEEE International Conference on Computer Systems and Applications (AICCSA-09) IEEE, 10-13/5/2009, Rabat, Morocco 37