Evaluating the Virtual Organizations security solutions using the ISO/IEC 17799 standard

Michel Kamel, Abdelmalek Benzekri, François Barrère, Romain Laborde
Université Paul Sabatier, Route de Narbonne 118, 31062 Toulouse, France
{mkamel, benzekri, barrere, laborde}@irit.fr

Abstract

A Virtual Organization (VO) network, a solution for collaborative environments, allows the participating organizations to share and exchange resources and competencies for economic or educational purposes; thus, they can carry out common projects. Within VOs, organizations must open their information systems; a secure distributed infrastructure should be deployed to interconnect the different organizations’ security domains. Security concerns are raised when setting up collaboration means, because each security domain defines an administrative authority, has a certain level of security and defines security policies to protect the organization’s assets. A global and consistent information security policy, extending the different organizations’ security policies, must be defined at the VO level. In order to build the chain of trust between organizations, we adopted the “level of maturity” concept and defined a tool based on the ISO/IEC 17799 directives. In this paper, we use this tool to measure the maturity level of the proposed security solutions and test their efficiency for a VO environment.

Keywords: Virtual Organization, security practices, identity federation, ISMS, ISO/IEC 17799

1 Introduction

Virtual Organizations (VOs) offer new challenges and ways of working. By offering a new model of cooperation between enterprises, they may be built dynamically. They use a temporary network of independent organizations connected through Information and Communication Technologies (ICTs). Common projects (economic or educational) may be led by sharing resources (human, material, etc.), capabilities and competencies. But within a VO network, organizations must open their information systems, and security concerns are raised when setting up collaboration means. VO borders need to be defined: security practices and policies must be implemented to protect resources from harmful attacks and to avoid consequences such as business losses. A global information security policy is attached to the VO level; it can be built as an extension of the different organizations’ local security policies, which avoids starting from scratch. Such a solution brings the opportunity to focus only on the security concerns associated with the VO, while respecting those defined to govern exchanges within an organization. The question is how to implement such a system, which has to be reliable and simple, and which should guarantee the separation of the different domains. Security services such as authentication, authorization, confidentiality, integrity and traceability must be ensured within the VO shared infrastructure. We have considered this problem within the VIVACE¹ project. We have chosen the identity federation [FIM 2006] and Privilege Management Infrastructure (PMI) [Chadwick, Otenko 2005] concepts to address the building of a VO between the major actors of the European Aeronautical domain. Identity federation allows the establishment of a circle of trust between partners linked together by business relationships [McKnight, Chervany 1996]. Thus, administrators have to manage only their own resources and their own users’ accounts. In addition, PMI architectures enforce the access control policies protecting the resources put at the disposal of partners.

The ISO/IEC 17799 [Iso 2007] security standard, a code of practice for information security management, enumerates the security controls to deploy, which allow organizations to achieve their control objectives. In [Kamel 2006], we proposed the adaptation of this standard to the VO context in order to allow the implementation and certification of an Information Security Management System (ISMS) respecting security directives and avoiding erroneous management of the shared resources. In this paper, we evaluate our approach against the ISO/IEC 17799 standard. We are interested in evaluating the maturity of such an approach and its adaptability to a VO environment, where security issues are of great interest. This paper starts by enumerating some related works dealing with managing VOs. In section 3, our research approach is detailed: the ISMS concept is introduced, and the ISO/IEC 17799 security standard is presented as a code of practice providing a framework to define an ISMS within a single organization. The “maturity level” criterion is introduced to measure the level of maturity of an organization’s information system. In section 4, our findings concerning the definition and evaluation of an ISMS at the VO level are detailed. A proposed solution for access control within a VO is described and evaluated using our ISO/IEC 17799-based maturity level tool. Section 5 concludes the paper and proposes future work.

¹ VIVACE project. AIP3-CT-2003-502917. http://www.vivaceproject.com

2 Related work

Different approaches have been proposed to deal with the deployment of secure VOs supported by secure IT infrastructures. For example, within CAS [Saleem 2004] and VOMS [Alfieri 2003] a centralized approach is used to manage both users’ authentication and the granting of rights. Within TrustCoM [Tuptuk, Lupu 2004], the identity federation concept is chosen; thus, it proposes a decentralized management solution for the VO distributed information system. In addition, delegation policies express the granting of rights for the purpose of administering access control. This allows the administration task to be decentralized: each administrative authority manages the resources within its security domain. Our research approach deals with using and evaluating security solutions for VOs in order to deploy secure distributed access control architectures within a VO environment. Compared to the TrustCoM approach, our approach consists in deploying an access control solution based on identity federation and PMI within a VO context. In addition, we are interested in evaluating the level of security provided by such solutions, not only in deploying them. ISO/IEC 17799 provides a list of security best practices to define an ISMS within one organization. In addition, ISO/IEC 27001 [Iso 2007] defines a methodology to certify an ISMS. However, we are not aware of any international standard that deals with IT security issues for VOs today. In a previous work [Kamel 2006], we defined a framework based on ISO/IEC 17799 that includes a tool for organizations that want to join a VO to evaluate the maturity level (from 1 to 5) of their security practices. This is why we rely on it in this paper.

3 Research approach

The aim of an ISMS is to establish the organization’s information security policy and objectives, and then to assess whether these objectives are met. It provides a systematic approach to managing sensitive information in order to protect it, and it encompasses employees, processes and information systems on a large scale. Traditionally, when an organization implements an ISMS, everything is under its entire control (data, computing, people, etc.), so the organization can manage it effectively. But when this organization is part of a VO network, VO partners may own some of the VO resources and some tasks may imply an agreement between all the parties. As a consequence, it becomes harder for an organization to maintain its ISMS. Standards and conformance to them are welcome to set up a common ISMS view and help to avoid security breaches. The ISO/IEC 17799 security standard brings a modelling framework for an ISMS within a single organization.

3.1 ISO/IEC 17799

ISO/IEC 17799, the code of practice for information security management, lays out a well-structured set of controls to address information security risks. It was first published in December 2000. An enhanced version of ISO/IEC 17799 appeared in late 2005; it contains eleven main sections specifying 39 control objectives and 133 security controls. A “control objective” is defined as a statement of the desired result or purpose to be achieved by implementing control procedures within a particular IT activity. A “security control” is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. The eleven core chapters of ISO/IEC 17799:2005 are:

• Security policy: provides guidelines and management advice for improving information security.
• Organizing information security: facilitates information security management within the organization.
• Asset management: carries out an inventory of assets and protects these assets effectively.
• Human resources security: minimizes the risks of human error, theft, fraud or the abusive use of equipment.
• Physical and environmental security: prevents the violation, deterioration or disruption of industrial facilities and data.
• Communications and operations management: ensures the adequate and reliable operation of information processing devices.
• Access control: controls access to information.
• Information systems acquisition, development and maintenance: ensures that security is incorporated into information systems.
• Information security incident management: defines a plan to act when incidents occur and disturb the proper operation of the security system.
• Business continuity management: minimizes the impact of business interruptions and protects the company’s essential processes from failure and major disasters.
• Compliance: avoids any breach of criminal or civil law, of statutory or contractual requirements, and of security requirements.

The participating organizations need to establish what is called a “chain of trust”, allowing each of them to open its information system to the others without risking the loss of the critical resources put at their disposal [Handy 1995]. They need proof that their respective IT infrastructures are secure and that they have the necessary elements allowing them to interconnect these infrastructures in a secure way. The “maturity level” concept is adopted to respond to this constraint.

3.2 The “maturity level” criterion

The “maturity level” gives an indicator of the security practices and their efficiency in avoiding security problems. This criterion is treated by reference models such as the Capability Maturity Model Integration (CMMI) [Cmmi 2007], which assesses an organization against a scale of five process maturity levels (Initial, Repeatable, Defined, Managed and Optimizing). ISO/IEC 15504 [Iso 2007] also contains a reference model defining a process dimension and a capability dimension. The process dimension defines processes divided into five categories (customer-supplier, engineering, supporting, management, organization). For each process, ISO/IEC 15504 defines a capability level on the following scale: incomplete process, performed process, managed process, established process, predictable process and optimizing process. In our approach, we adopt five levels of security practice maturity (ranging from 1 to 5) in order to evaluate the efficiency of the deployed security practices in ensuring security services [Sowa, Śnieżyński 2005] [Holland, Geoff Lockett 1998] within the organization network. The five defined levels are:

• Level 1 - Initial: The security level within the organization network is very low; the level of risk facing the organization’s assets is very high, which may cause their loss or destruction.
• Level 2 - Minimal: The security practices deployed within the organization allow it to benefit from a minimal level of security protecting its assets. Although some security practices are deployed, they are not sufficient for an organization to consider that its infrastructure is protected from attacks.
• Level 3 - Acceptable: The security practices deployed within the organization are at an acceptable level; we can say that the organization’s assets are protected from attacks.
• Level 4 - Managed: The organization’s administrators are effectively protecting the organization network and assets. A high level of security is ensured within the organization network; in other terms, the administrators are effectively managing security issues.
• Level 5 - Optimal: Level 5 indicates a very high level of security; the organization has deployed the necessary security practices to protect itself from harmful attacks. Such a level of maturity reflects the administrators’ high experience in security issues; it is reached only if the organization considers security as a catalyst of its business strategy.

In our approach, we defined an “Objective level” as the reference level of maturity (level 3) that an organization should have in order to manage its own IT infrastructure whenever it is to be interconnected to a VO distributed infrastructure. We consider that an organization which has competencies in terms of business processes and strategies of great interest to the VO partners should not be excluded if it lacks the necessary experience to manage its IT infrastructure in a secure way. The adopted approach is: “if the maturity level of the security practices of an organization is lower than the Objective level, it can join a VO only if its IT infrastructure and its interconnection to the VO distributed architecture are managed by a third party having the necessary experience in security practices and issues”.

We have developed a tool that allows the evaluation of the security practices deployed as part of an organization’s global IT security solution. This tool takes the form of a questionnaire based on ISO/IEC 17799; it allows us to evaluate the deployed security practices on each organization’s site and to take a decision concerning the solution to adopt to interconnect the different organizations’ information systems. The questions intended for the organizations’ administrators are associated with the five maturity levels depending on their criticality and the security issues they express: the more a question expresses criticality in terms of security, the higher the associated maturity level. Our tool decomposes security practices into six of the ISO/IEC 17799 chapters: “security policy”, “organization of information security”, “communications and operations management”, “access control”, “information systems acquisition, development and maintenance” and “compliance”. The tool reflects the IT security experience of each of the administrators of the different organizations. Using this tool, we can evaluate security solutions for VO networks and test their efficiency in such a distributed environment. The tool defines 278 questions (statements distributed over the six chapters dealing with information security) reflecting the state of the organization’s information system security. In this paper, we address the evaluation of our proposed solution, which integrates identity federation and PMI in order to implement distributed access control architectures at the VO level.

4 Findings

Figure 1 shows the distributed VO infrastructure we are deploying as part of the VIVACE project to provide the VIVACE partners with a collaborative environment to simulate and design aircraft. This infrastructure integrates Shibboleth [Watt 2005] [Shibboleth 2006] and PERMIS [Chadwick, Otenko 2005] [Permis 2006] for the deployment of a distributed VO access control architecture. Shibboleth is an attribute-based federated identity authentication and authorization infrastructure based on the Security Assertion Markup Language (SAML) standard [Cantor 2004]. It provides a framework for authentication and authorization in a federation of service suppliers and consumers, and it deals with the heterogeneity of the authentication mechanisms that may be used on the partners’ sites. PERMIS, a PMI architecture based on the PDP/PEP concept and supporting the XACML [Xacml 2007] policy language, strengthens the authorization paradigm proposed by Shibboleth. The interface to the PERMIS PDP is being enhanced to accept the XACML request context and to return the XACML response context. Within this infrastructure, the Public Key Infrastructure (PKI) concept is adopted to strengthen the authentication mechanism [Adams, Lloyd 1999]: users are authenticated on their sites by presenting the identity certificates managed by the PKI. In addition, the Virtual Private Network (VPN) [Scott, Wolfe, Erwin 1999] concept is also adopted: an IPsec VPN provides a secure tunnel preserving the integrity and confidentiality of information whenever it is exchanged over the Internet. These technologies allow us to ensure the strong authentication, authorization, confidentiality, integrity and traceability security services. Within such an IT infrastructure, the administrators of IT resources, called Sources Of Authority (SOAs), control access to their resources by defining role-based access policies. These policies are enforced by PERMIS.

In this paper, we consider that any information about a user is an attribute. The organizations manage the authentication of their people and their credentials (e.g. roles). In order to perform this task, each user’s origin organization has to deploy a Certificate Authority (CA) to manage users’ certificates and an Attribute Authority (AA) for the users’ attributes. Security information (proof of the user’s authentication and the user’s attributes) is propagated from the origin site to the IT resource provider site relying on Shibboleth. The communication between sites is secured by IPsec VPN tunnels.

Figure 1: An example of a Distributed Information System Infrastructure

By analyzing this distributed VO infrastructure, we identified the security practices, related to the “access control” security issue, that we need to implement. Figure 2 shows an extract of these practices.

Figure 2: Security practices to implement

Figure 3 shows a snapshot of the maturity level evaluation tool; it corresponds to the access control chapter (“chapter 11”, in order to be consistent with the ISO/IEC 17799 chapter classification). We are not showing the totality of the questionnaire; we are interested only in the “access control policy” security control. This figure shows a list of questions concerning access control; we must respond to each question with “1” for “yes, this practice is implemented”, “0” for “no, this practice is not implemented” and “0.5” for “this practice is partially implemented”.

Figure 3: "Access control policy" security control

After we have responded to the totality of the questionnaire, the tool evaluates the maturity level of each security control from the maturity level associated with each question and the corresponding evaluation (0, 0.5 or 1). Then, the tool computes the average maturity of all the security controls (within the six chapters). The final result is shown as a graphic (figure 4) highlighting the calculated value of the practices’ maturity and comparing it to the “Objective” level.

Figure 4: The evaluation of the proposal solution

From the result that the tool has provided, “3.47” is the maturity level corresponding to the access control chapter; we can confirm that our access control solution is efficient and may be deployed within a VO network, as it corresponds to a level of maturity higher than 3. The total average, corresponding to the global organization security solution, may change according to the maturity level values of the security controls which are not directly related to our access control solution. Depending on the IT security experience of the organizations’ administrators, the total maturity level may be lower or higher.
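As an added illustration of the questionnaire scoring described above, the following Python sketch is written for this page; it is not the authors’ tool, and the paper does not publish its formula. The scoring scheme is therefore an assumption: each statement carries the maturity level (1 to 5) it expresses and receives an answer of 0, 0.5 or 1; a control reaches a level when every statement at that level is answered 1, and its score is the number of levels reached in order plus the fraction satisfied of the first level not fully reached; the chapter value is the mean over its controls and is compared with the Objective level 3. The control numbers 11.1.1 and 11.2.1 are those of ISO/IEC 17799:2005 chapter 11; the statements, question identifiers and answers are constructed sample data.

```python
# Constructed example of questionnaire scoring, written for this page; it is
# not the VIVACE evaluation tool and the staged scoring formula is an assumption.
from dataclasses import dataclass
from statistics import mean

OBJECTIVE_LEVEL = 3            # the paper's reference ("Objective") level
VALID_ANSWERS = (0, 0.5, 1)    # not implemented / partially / implemented


@dataclass(frozen=True)
class Question:
    qid: str      # identifier assigned here; the paper does not number its questions
    control: str  # ISO/IEC 17799:2005 security control the statement belongs to
    level: int    # maturity level (1-5) the practice expresses
    text: str


# Constructed statements for two controls of the access control chapter.
QUESTIONS = [
    Question("Q01", "11.1.1 Access control policy", 1, "An access control policy is documented"),
    Question("Q02", "11.1.1 Access control policy", 2, "The policy defines roles for VO users"),
    Question("Q03", "11.1.1 Access control policy", 3, "Access rights are granted by the resource owner (SOA)"),
    Question("Q04", "11.1.1 Access control policy", 4, "The policy is reviewed when VO membership changes"),
    Question("Q05", "11.1.1 Access control policy", 5, "Policy effectiveness is measured and improved"),
    Question("Q06", "11.2.1 User registration", 1, "Each user holds a unique identifier"),
    Question("Q07", "11.2.1 User registration", 2, "Accounts of departed staff are disabled promptly"),
    Question("Q08", "11.2.1 User registration", 3, "Role credentials are issued by an Attribute Authority"),
    Question("Q09", "11.2.1 User registration", 4, "Registrations are audited against HR records"),
    Question("Q10", "11.2.1 User registration", 5, "Registration metrics drive process improvement"),
]

# Constructed answers, as a site administrator would fill them in.
ANSWERS = {
    "Q01": 1, "Q02": 1, "Q03": 1, "Q04": 0.5, "Q05": 0,
    "Q06": 1, "Q07": 1, "Q08": 1, "Q09": 0, "Q10": 0,
}


def control_maturity(questions, answers):
    """Score one security control on the 1-5 scale.

    Assumed staged scheme: a level is reached when all of its statements are
    answered 1; the score is the number of levels reached in order plus the
    fraction satisfied of the first level that is not fully reached. Every
    statement must be answered with 0, 0.5 or 1, since the questionnaire is
    to be completed in full before the tool evaluates it.
    """
    missing = set(range(1, 6)) - {q.level for q in questions}
    if missing:
        raise ValueError(f"control lacks statements at levels {sorted(missing)}")
    score = 0.0
    for level in range(1, 6):
        values = []
        for q in (q for q in questions if q.level == level):
            if q.qid not in answers:
                raise ValueError(f"unanswered statement {q.qid}")
            if answers[q.qid] not in VALID_ANSWERS:
                raise ValueError(f"invalid answer for {q.qid}: {answers[q.qid]!r}")
            values.append(answers[q.qid])
        fraction = sum(values) / len(values)
        score += fraction
        if fraction < 1:
            break  # this level is not fully reached; higher levels do not count
    return score


def chapter_maturity(questions, answers):
    """Average of the control scores, as the tool averages across controls."""
    by_control = {}
    for q in questions:
        by_control.setdefault(q.control, []).append(q)
    return mean(control_maturity(qs, answers) for qs in by_control.values())


def meets_objective(score, objective=OBJECTIVE_LEVEL):
    """The paper's rule: a site below the Objective level may join the VO only
    if its infrastructure is managed by an experienced third party."""
    return score >= objective


if __name__ == "__main__":
    for control in sorted({q.control for q in QUESTIONS}):
        qs = [q for q in QUESTIONS if q.control == control]
        print(f"{control}: {control_maturity(qs, ANSWERS):.2f}")
    total = chapter_maturity(QUESTIONS, ANSWERS)
    print(f"chapter 11 maturity: {total:.2f}, objective met: {meets_objective(total)}")
```

With the sample answers the access control policy control scores 3.5 (levels 1 to 3 reached, level 4 half satisfied) and user registration scores 3.0, so the chapter value is 3.25 and the Objective level is met. The staged rule deliberately stops counting at the first incomplete level, so a site that documents level-5 practices while leaving a level-2 practice unimplemented is not credited for the higher ones.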

5 Conclusion

From the creation until the dissolution of a VO, efficient management solutions must be adopted to ensure effective collaboration between partners. Managing a VO necessitates the collaboration of the different administrative authorities within the different security domains. A secure distributed IT infrastructure is deployed; this infrastructure must implement security practices to ensure the basic security services needed for a secure collaborative environment. In this paper, to support VO networks, we proposed to deploy an IT infrastructure interconnecting the different organizations’ information systems and integrating the identity federation (Shibboleth) and PMI (PERMIS) concepts. The proposed solution is developed and evaluated using our maturity level evaluation tool, which is based on ISO/IEC 17799. The tool has quantified the level of trust that we can have in our proposed solution; it allowed us to confirm that this solution is adapted to a VO environment. Our future work will focus on three points: the improvement of our tool so that it deals with some elements that are not considered in its current version, the evaluation of other VO security solutions, and the use of our tool within the VIVACE project in order to collect comments on it.

References

Adams C., Lloyd S.: Understanding Public Key Infrastructure: concepts, standards, deployment considerations, USA, Sams, 1999, 320 p., ISBN 157870166X.
Alfieri R. et al.: VOMS, an authorization system for Virtual Organizations. 1st European Across Grids Conference, Feb. 2003, Spain.
Cantor S. et al.: Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0, Committee Draft 01, 18 August 2004. Document identifier: sstc-saml-core-2.0-cd-01.
Chadwick D.W., Otenko O.: The PERMIS X.509 Role Based Privilege Management Infrastructure, University of Salford, 2005.
FIM: Federated Identity Deployment Architecture, Ping Identity white paper, September 2006.
Handy C.: Trust and the Virtual Organization, Harvard Business Review, 73 (3), pp. 40-50, 1995.
Holland C., Geoff Lockett A.: Business trust and the formation of Virtual Organizations, UK, 1998.
Kamel M. et al.: Building virtual organizations compliant with the ISO/IEC 17799 directives, GRES, France, 2006.
McKnight H., Chervany N.: The Meanings of Trust, Technical Report MISRC 96-04, Management Information Systems Research Center, University of Minnesota, 1996.
Saleem A. et al.: Using the VOM portal to manage policy within Globus Toolkit, Community Authorisation Service, London, 2004.
Scott C., Wolfe P., Erwin M.: Virtual Private Networks, USA, O’Reilly, 1999, 211 p., ISBN 1-56592-529-7.
Sowa G., Śnieżyński T.: Configurable multi-level security architecture for CNOs, ECOLEAD project, Deliverable D63.1, COMARCH, April 2005.
The CMMI model. Available online at: http://www.sei.cmu.edu/cmmi/cmmi.html [Accessed January 2007].
The ISO/IEC 17799, ISO/IEC 27001 and ISO/IEC 15504 international standards. Available online at: http://www.standardsinfo.net/isoiec/index.html [Accessed January 2007].
The PERMIS project. Available online at: http://www.permis.org/en/index.html [Accessed July 2006].
The Shibboleth project. Available online at: http://shibboleth.internet2.edu/ [Accessed July 2006].
The XACML policy language. Available online at: http://www.oasis-open.org [Accessed January 2007].
Tuptuk N., Lupu E.: State of the art evaluation, the TrustCoM project, June 2004.
Watt J. et al.: A Shibboleth-Protected Privilege Management Infrastructure for e-Science Education, University of Glasgow, UK, 2005.