Independent competence platform
for integrated security in Switzerland.

26.09.2013

PoSecCo - Test the way to more compliance

Future Internet (FI) applications will see dynamic compositions of services providing a broad diversity of functions, starting with business functionality down to infrastructure services. Their progress crucially depends on the service providers’ ability to deal with two interdependent challenges:

  • to achieve, maintain and prove compliance with security requirements stemming from internal needs, third-party demands and international regulations, and
  • to cost-efficiently manage policies and security configuration under operating conditions.

The deficiencies of current processes and tools force service providers to trade off profitability against security and compliance. PoSecCo overcomes this by establishing a traceable and sustainable link between high-level requirements and low-level configuration settings.

The EU research project PoSecCo (posecco.eu) aims to develop new methods and tools that support organizations in the IT security policy refinement process. We thereby speak of a "policy chain" to emphasize the tight coupling of policy representations of different abstractions. This chain is established during a design-time refinement and optimization process, whereby the specification of policies on each layer is supported by dedicated tools. Policy designers at the various levels are supported in many ways, e.g., in the identification and resolution of policy conflicts, or the selection and automated configuration of suitable enforcement mechanisms. At runtime, the policy chain can be leveraged, for instance, to support audit activities, or to understand the impact of security misconfigurations.

The three elements of the policy chain, Business Policies, IT Security Policies and Security Configurations, are represented by corresponding information models, each of them linked to a matching model for functional matters. In other words, Business Policies (which comprise Security Requirements) are defined over a Business Model describing concepts such as Business Service, Customer or Supplier. IT Security Policies are defined over an IT Service Model that describes the architecture of an IT system by pointing to its main building blocks, interfaces and communication channels. The Security Configuration is defined over an Infrastructure Model that describes system details such as the network topology, application instances or actual communication endpoints. All of these models have been designed close to the DMTF standard CIM (Common Information Model).
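To make the traceability idea concrete, here is a small added illustration (not PoSecCo's own code or models) of a three-layer policy chain: each policy records which higher-layer policy it refines, and the chain is walked downward to check which business requirements are backed by configuration that is actually in place, and upward to see which requirements a misconfigured setting affects. The policies, setting names and layer labels are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    layer: str                 # "business", "it" or "config"
    pid: str
    text: str
    refines: list = field(default_factory=list)  # ids on the next-higher layer this policy implements
    enforced: bool = True      # config layer only: is the setting actually present on the system?

class PolicyChain:
    def __init__(self):
        self.policies = {}

    def add(self, layer, pid, text, refines=(), enforced=True):
        self.policies[pid] = Policy(layer, pid, text, list(refines), enforced)

    def refinements(self, pid):
        """Policies one layer down that implement pid."""
        return [p for p in self.policies.values() if pid in p.refines]

    def configs_for(self, pid):
        """All configuration settings reachable from pid by following the chain downward."""
        if self.policies[pid].layer == "config":
            return {pid}
        return set().union(*(self.configs_for(c.pid) for c in self.refinements(pid)))

    def unmet_requirements(self):
        """Audit view: business policies with no configuration, or with a missing setting, behind them."""
        unmet = []
        for p in self.policies.values():
            if p.layer != "business":
                continue
            configs = self.configs_for(p.pid)
            if not configs or not all(self.policies[c].enforced for c in configs):
                unmet.append(p.pid)
        return sorted(unmet)

    def impact(self, config_id):
        """Impact view: business policies that depend on one setting (walk the chain upward)."""
        hit, frontier = set(), [config_id]
        while frontier:
            p = self.policies[frontier.pop()]
            if p.layer == "business":
                hit.add(p.pid)
            frontier.extend(p.refines)
        return sorted(hit)

def build_sample_chain():
    # Constructed sample chain: two business requirements, refined down to concrete settings.
    chain = PolicyChain()
    chain.add("business", "BP1", "Customer data is only transferred over encrypted channels")
    chain.add("business", "BP2", "Supplier access to the ordering service is authenticated")
    chain.add("it", "IT1", "Web front-end accepts HTTPS only", refines=["BP1"])
    chain.add("it", "IT2", "Ordering API requires client certificates", refines=["BP2"])
    chain.add("config", "C1", "nginx: listen 443 ssl", refines=["IT1"])
    chain.add("config", "C2", "firewall: drop inbound tcp/80", refines=["IT1"], enforced=False)
    chain.add("config", "C3", "api-gw: ssl_verify_client on", refines=["IT2"])
    return chain
```

With the sample data, the missing firewall rule C2 makes BP1 show up as unmet, and `impact("C2")` traces that single setting back to BP1 alone.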

In September 2013, the project integrated all the tools it has developed into the final prototype. The project is now entering its final phase: the final evaluation of the project results, in which staff members of our end-users will be asked to perform typical tasks from their everyday work both with and without the support of the PoSecCo tool. This will form the basis for a final quantitative and qualitative assessment of the benefits brought about by the PoSecCo concept.

Want to know more? Come, get introduced to and even test our integrated prototype at the ICT 2013 event in Vilnius. We will be happy to welcome you in booth 4D3 in the “Industry and Business for Tomorrow” hall.

Prof. Dr. Annett Laube-Rosenpflanzer


Security-Finder Schweiz: Newsletter