JADAVPUR
U  N  I  V  E  R  S  I  T  Y
Centre for Distributed Computing

CDC-JU
Events

PROJECT - WEBSEC II

Summary of work done:
We need formal models of systems whenever their complexity increases to such an extent that it becomes impossible for human and organizational structures to manage. Cases in point are the compiler technology and software engineering models. The security design and management are becoming too complex because of the interplay among technology, management, economics, social issues and the huge volume of data to be managed. The matter is complicated because of frequent changes in all these aspects and in fact, once the design and development is done, the changes in the requirement and environment appear much more frequently than in software systems. Any tangible assurance in this dynamic system requires formal analysis and tools based on the formal model.
There exist various separate models for the different aspects of enterprise security. For example, Clark-Wilson model deals with integrity; Bell-La Padula Model deals with Database Access; there are models of Discretionary, Mandatory and Role-based Access Control; Risk Models of different kinds; Survivability models for networks and security; Cost-Benefit Models; models for security architecture and configuration generation; Testing models, etc. The major objective of the present project was to integrate the above models and a few newly proposed ones into a unified model of enterprise information security, so that the different outputs of the tools can be checked for soundness and completeness. The model-based approach will allow questions on information security posed by the top management to be answered with a degree of confidence and the management can take informed objective decisions regarding investing in and managing the security infrastructure so that the security risk to the enterprise IT assets can be mitigated to an acceptable level at an acceptable cost. The model will also be used to develop formal metrics of information security, which are still now in an infant stage.
During this project, a detailed survey of different security models of confidentiality, integrity, availability, non-repudiation, authentication, and access-control was conducted. An integrated model for managing enterprise information system security has been formulated. This model addresses various security parameters like confidentiality, integrity, availability, etc. Modal propositional logic has been used to formulate the model. Also, a detailed survey of existing methodologies for measuring security has been conducted. A new fuzzy-logic based risk analysis methodology has been formulated. Metrics of assurance, architectural efficacy, operational efficiency, protection capability, and protection performance have been proposed, too.
The second objective was to develop a suite of services to support the different phases of the security-engineering life cycle. The difference between the tools developed in the previous project and this project is that the new tools are based on a sound formal model; they are embedded in a web-based Object-oriented (J2EE) framework, so that the clients can get the service from anywhere in the country; the framework supports rapid deployment of newer services to be integrated in the future. The up gradation of the existing services will also be easier. Under this project, an entire suite of web-services have been developed which will enable enterprises to manage their information security needs within a single framework. The suite of services has been named WISSDOM, which is an acronym for Web enabled Information System Security Design and Operational Management.

The web-services developed under the project are as follows:
(i) Data Capture Service
(ii) Consolidated Risk Analysis
(iii) Detailed risk analysis
(iv) Initial Vulnerability analysis
(v) Control list Generation (compliant with ISO 17799:2005)
(vi) Control Gap analysis (compliant with ISO 17799:2005)
(vii) Generation of Requirement Specification file
(viii) Generation of Baseline Policy Manual (compliant with ISO 17799:2005)
(ix) Generation of Detailed Policy Manual (compliant with ISO 17799:2005)
(x) Generation of Guideline Manual (compliant with ISO 17799:2005)
(xi) Generation of Procedure Manual (compliant with ISO 17799:2005)
(xii) Administrative/Security services
(xiii) Generation of Asset Based Advisory
(xiv) Generation of Location Based Advisory
(xv) Compliance Testing
(xvi) Training services
A third objective was to develop quality training material on the web. A security training service has been developed during this project period. It consists of 2 parts. One is a generic training sub-module for imparting security knowledge to users. The other is a tool-specific training sub-module that imparts knowledge on the usability of the web-services. The training module supports different categories of users, like Chief Information Security Officer, security manager, and general user. This service is being offered using a Knowledge Management Tool Learn.ITY from Aunwesha Knowledge Systems Pvt. Ltd.. The Company has permitted the use of their product for development purpose.

 

<< Pervious

 

 

CDC-JU © All Rights Reserved