Value-driven Security Agreements in Extended Enterprises

V. Nunes Leal Franqueira, Roelf J. Wieringa

Research output: Book/Report › Report › Professional


Abstract

Today organizations are highly interconnected in business networks called extended enterprises. This is mostly facilitated by outsourcing and by new economic models based on pay-as-you-go billing, all supported by IT-as-a-service. Although outsourcing has been around for some time, what is now new is the fact that organizations are increasingly outsourcing critical business processes, engaging in complex service bundles, and moving infrastructure and its management to the custody of third parties. Although this gives competitive advantage by reducing cost and increasing flexibility, it increases security risks by eroding the security perimeters that used to separate insiders with security privileges from outsiders without security privileges. The classical security distinction between insiders and outsiders is supplemented with a third category of threat agents, namely external insiders, who are not subject to the internal control of an organization yet have some access privileges to its resources that normal outsiders do not have. Protection against external insiders requires security agreements between organizations in an extended enterprise. Currently, there is no practical method that allows security officers to specify such requirements. In this paper we provide a method for modeling an extended enterprise architecture, identifying external insider roles, and specifying security requirements that mitigate the security threats posed by these roles. We illustrate our method with a realistic example.
Original language: Undefined
Place of Publication: Enschede
Publisher: Centre for Telematics and Information Technology (CTIT)
Publication status: Published - 24 Mar 2010

Publication series

Name: CTIT Technical Report Series
Publisher: Centre for Telematics and Information Technology, University of Twente
No.: TR-CTIT-10-17
ISSN (Print): 1381-3625

Keywords

  • EWI-17833
  • Governance
  • External Insider Threat
  • IR-71275
  • Security Agreement
  • METIS-270803
  • SCS-Services
  • Value Modeling
  • Extended Enterprise Architecture

Cite this

Nunes Leal Franqueira, V., & Wieringa, R. J. (2010). Value-driven Security Agreements in Extended Enterprises. (CTIT Technical Report Series; No. TR-CTIT-10-17). Enschede: Centre for Telematics and Information Technology (CTIT).
Nunes Leal Franqueira, V. ; Wieringa, Roelf J. / Value-driven Security Agreements in Extended Enterprises. Enschede : Centre for Telematics and Information Technology (CTIT), 2010. (CTIT Technical Report Series; TR-CTIT-10-17).
@book{2cef7ba57ca04efdb84710d9cdc0ede0,
title = "Value-driven Security Agreements in Extended Enterprises",
abstract = "Today organizations are highly interconnected in business networks called extended enterprises. This is mostly facilitated by outsourcing and by new economic models based on pay-as-you-go billing, all supported by IT-as-a-service. Although outsourcing has been around for some time, what is now new is the fact that organizations are increasingly outsourcing critical business processes, engaging in complex service bundles, and moving infrastructure and its management to the custody of third parties. Although this gives competitive advantage by reducing cost and increasing flexibility, it increases security risks by eroding the security perimeters that used to separate insiders with security privileges from outsiders without security privileges. The classical security distinction between insiders and outsiders is supplemented with a third category of threat agents, namely external insiders, who are not subject to the internal control of an organization yet have some access privileges to its resources that normal outsiders do not have. Protection against external insiders requires security agreements between organizations in an extended enterprise. Currently, there is no practical method that allows security officers to specify such requirements. In this paper we provide a method for modeling an extended enterprise architecture, identifying external insider roles, and specifying security requirements that mitigate the security threats posed by these roles. We illustrate our method with a realistic example.",
keywords = "EWI-17833, Governance, External Insider Threat, IR-71275, Security Agreement, METIS-270803, SCS-Services, Value Modeling, Extended Enterprise Architecture",
author = "{Nunes Leal Franqueira}, V. and Wieringa, {Roelf J.}",
year = "2010",
month = "3",
day = "24",
language = "Undefined",
series = "CTIT Technical Report Series",
publisher = "Centre for Telematics and Information Technology (CTIT)",
number = "TR-CTIT-10-17",
address = "Netherlands",

}

Nunes Leal Franqueira, V & Wieringa, RJ 2010, Value-driven Security Agreements in Extended Enterprises. CTIT Technical Report Series, no. TR-CTIT-10-17, Centre for Telematics and Information Technology (CTIT), Enschede.

Value-driven Security Agreements in Extended Enterprises. / Nunes Leal Franqueira, V.; Wieringa, Roelf J.

Enschede : Centre for Telematics and Information Technology (CTIT), 2010. (CTIT Technical Report Series; No. TR-CTIT-10-17).

Research output: Book/Report › Report › Professional

TY - BOOK

T1 - Value-driven Security Agreements in Extended Enterprises

AU - Nunes Leal Franqueira, V.

AU - Wieringa, Roelf J.

PY - 2010/3/24

Y1 - 2010/3/24

N2 - Today organizations are highly interconnected in business networks called extended enterprises. This is mostly facilitated by outsourcing and by new economic models based on pay-as-you-go billing, all supported by IT-as-a-service. Although outsourcing has been around for some time, what is now new is the fact that organizations are increasingly outsourcing critical business processes, engaging in complex service bundles, and moving infrastructure and its management to the custody of third parties. Although this gives competitive advantage by reducing cost and increasing flexibility, it increases security risks by eroding the security perimeters that used to separate insiders with security privileges from outsiders without security privileges. The classical security distinction between insiders and outsiders is supplemented with a third category of threat agents, namely external insiders, who are not subject to the internal control of an organization yet have some access privileges to its resources that normal outsiders do not have. Protection against external insiders requires security agreements between organizations in an extended enterprise. Currently, there is no practical method that allows security officers to specify such requirements. In this paper we provide a method for modeling an extended enterprise architecture, identifying external insider roles, and specifying security requirements that mitigate the security threats posed by these roles. We illustrate our method with a realistic example.

AB - Today organizations are highly interconnected in business networks called extended enterprises. This is mostly facilitated by outsourcing and by new economic models based on pay-as-you-go billing, all supported by IT-as-a-service. Although outsourcing has been around for some time, what is now new is the fact that organizations are increasingly outsourcing critical business processes, engaging in complex service bundles, and moving infrastructure and its management to the custody of third parties. Although this gives competitive advantage by reducing cost and increasing flexibility, it increases security risks by eroding the security perimeters that used to separate insiders with security privileges from outsiders without security privileges. The classical security distinction between insiders and outsiders is supplemented with a third category of threat agents, namely external insiders, who are not subject to the internal control of an organization yet have some access privileges to its resources that normal outsiders do not have. Protection against external insiders requires security agreements between organizations in an extended enterprise. Currently, there is no practical method that allows security officers to specify such requirements. In this paper we provide a method for modeling an extended enterprise architecture, identifying external insider roles, and specifying security requirements that mitigate the security threats posed by these roles. We illustrate our method with a realistic example.

KW - EWI-17833

KW - Governance

KW - External Insider Threat

KW - IR-71275

KW - Security Agreement

KW - METIS-270803

KW - SCS-Services

KW - Value Modeling

KW - Extended Enterprise Architecture

M3 - Report

T3 - CTIT Technical Report Series

BT - Value-driven Security Agreements in Extended Enterprises

PB - Centre for Telematics and Information Technology (CTIT)

CY - Enschede

ER -

Nunes Leal Franqueira V, Wieringa RJ. Value-driven Security Agreements in Extended Enterprises. Enschede: Centre for Telematics and Information Technology (CTIT), 2010. (CTIT Technical Report Series; TR-CTIT-10-17).