=Paper= {{Paper |id=None |storemode=property |title=Supporting the Development and Documentation of Trustworthy ICT Systems according to Security Standard through Patterns and Security Requirements Engineering Approaches |pdfUrl=https://ceur-ws.org/Vol-834/paper11_essosds2012.pdf |volume=Vol-834 }} ==Supporting the Development and Documentation of Trustworthy ICT Systems according to Security Standard through Patterns and Security Requirements Engineering Approaches== https://ceur-ws.org/Vol-834/paper11_essosds2012.pdf
First Doctoral Symposium on Engineering Secure Software and Systems




Patterns- and Security-Requirements-Engineering-based Support for Development and Documentation of Security Standard Compliant ICT Systems*

                        Kristian Beckers and Maritta Heisel (PhD Supervisor)

paluno - The Ruhr Institute for Software Technology, University of Duisburg-Essen
                            {firstname.lastname}@paluno.uni-due.de


Abstract. Aligning an ICT system with a security standard is a challenging task, because these standards provide only sparse support for development and documentation. We create patterns for the elements of trustworthiness: security, risk management, privacy, and law. The instantiations of these patterns are used to support the development and documentation of ICT systems according to security standards. In addition, we define relations between security standards and security requirements engineering approaches.

Keywords: security standards, requirements engineering, security, patterns


         1      Motivation and Background
Security is a system property of ICT systems [1, 2], and an acceptable security level has to be achieved for the entire system. Security standards exist that provide relevant methods for achieving this goal. However, aligning ICT systems with security standards is difficult, because the standards provide only sparse support for system development and documentation. For example, establishing an information security management system (ISMS) according to ISO 27001 requires, among its initial steps, a description of the scope and boundaries of the ISMS. The required input is to consider "characteristics of the business, the organization, its location, assets and technology" [3, p. 4].

Security requirements engineering (SRE) methods, on the other hand, provide structured elicitation and analysis of security requirements, which is useful in numerous security engineering contexts. Therefore, we propose to use SRE methods to support security engineers in the development and documentation of trustworthy ICT systems that are compliant with security standards.
This thesis is inspired by the work of Gamma et al. [4], which manages to describe design problems and their solutions in a comprehensible and fairly simple way. We aim to accomplish the same for the design and documentation problems of trustworthy ICT systems. Security engineering "requires cross-disciplinary expertise" [5, p. 3]. Patterns provide the means to collect this expertise and to instantiate it for a given security engineering problem. We define trustworthiness as a combination of security, risk management, privacy and compliance attributes. All of these attributes are also required by security standards, e.g., ISO 27001. Hence, we restrict the patterns in this work to security, law, privacy, and risk management patterns.

The outcome of this analysis answers the research question whether, and to what extent, patterns and SRE approaches can support the development of a security-standard-compliant ICT system. Moreover, it answers the questions in what way patterns and SRE methods provide the documentation required for such a system, and how existing pattern-based and SRE documentation can be re-used for it.

* This research was partially supported by the EU project Network of Excellence on Engineering Secure Future Internet Software Services and Systems (NESSoS, ICT-2009.1.4 Trustworthy ICT, Grant No. 256980).

ESSoS-DS 2012                                                                            Feb 15, 2012


         2      Previous Work
ICT systems have kept increasing in functionality and distribution in recent years. Unfortunately, this increase in the complexity of ICT systems also leads to an increase in security problems, for instance in cloud computing systems (or, for short, clouds) [6].

We developed a pattern-based approach to support the context establishment and asset identification of the ISO 27005 standard [7] in the scope of cloud computing systems [8]. Our work shows how a cloud system analysis pattern and different kinds of stakeholder templates serve to understand and describe a given cloud development problem. We illustrated our support using an online banking cloud scenario, presented in Fig. 1. Our cloud system analysis pattern in Fig. 1 provides a conceptual view on cloud computing systems and serves to systematically analyse stakeholders and requirements. The notation used to specify the pattern is based on UML¹ notation, i.e. the stick figures represent roles, the boxes represent concepts oriented on the real world, the named lines represent relations (associations) equipped with cardinalities, the unfilled diamond represents a "part-of" relation, and the unfilled triangles represent inheritance.

A Cloud is embedded into an environment consisting of two parts, namely the Direct System Environment and the Indirect System Environment. The Direct System Environment contains stakeholders and other systems that directly interact with the Cloud, i.e. they are connected to it by associations. Moreover, associations between stakeholders in the Direct and Indirect System Environment exist, but not between stakeholders in the Indirect System Environment and the Cloud. Typically, the Indirect System Environment is a significant source of compliance and privacy requirements.
The Cloud Provider owns a Pool consisting of Resources, which are divided into Hardware and Software resources. The provider offers its resources as Services, i.e. IaaS, PaaS, or SaaS. The boxes Pool and Service in Fig. 1 are hatched, because it is not necessary to instantiate them. Instead, the specialised cloud services such as IaaS, PaaS, and SaaS and the specialised Resources are instantiated. The Cloud Developer represents a software developer assigned by the Cloud Customer. The developer prepares and maintains an IaaS or PaaS offer. The IaaS offer is virtualised hardware, in some cases equipped with a basic operating system. The Cloud Developer deploys a set of software named Cloud Software Stack (e.g. web servers, applications, databases) into the IaaS in order to offer the functionality required to build a PaaS. In our pattern, a PaaS consists of an IaaS, a Cloud Software Stack and a cloud programming interface (CPI), which we subsume as Software Product. The Cloud Customer hires a Cloud Developer to prepare and create SaaS offers based on the CPI, which are finally used by the End Customers. The SaaS processes and stores the Data input and output by the End Customers. The Cloud Provider, Cloud Customer, Cloud Developer, and End Customer are part of the Direct System Environment. Hence, we categorise them as direct stakeholders. The Legislator and the Domain (and possibly other stakeholders) are part of the Indirect System Environment. Therefore, we categorise them as indirect stakeholders.

¹ Unified Modeling Language: http://www.omg.org/spec/UML/2.3/

Fig. 1: Cloud System Analysis Pattern (instance for the online banking scenario; the diagram is not reproduced in this text. Recoverable labels: the Direct System Environment with Hulda, Bank Institute, its Internal Development Unit and Bank Customer; the Cloud with Service, Online Banking Service, Virtual Machine, Cloud Programming Interface, Online Banking Software, Transaction Data, Pool, Data Center, Server, and Network and Virtualization Software, complemented by Webserver, Application Server, etc.; the Indirect System Environment with Legislator Germany, Legislator EU, Legislator US and Domain Finance; associations Provides, Owns, IsBasedOn, UsedBy, IsComplementedBy, BuiltBy, BuiltAndCustomizedBy, WorkFor, Has, IsMonitoredBy and InputBy/OutputTo, each with cardinalities.)

The cloud system analysis pattern instance in Fig. 1 helps, e.g., to identify assets by considering the instantiated boxes and the associations between the direct stakeholders and the cloud. The associations indicate the flow of information into and out of the cloud and therefore help to analyse the information assets processed and stored in the cloud. Furthermore, the associations help to find out about the asset owner, as the standard requires.
Identifying the compliance regulations relevant to a software system and aligning the system to be compliant with them is a challenging task. Hence, we developed a pattern-based method for identifying and analysing laws [9]. The method makes use of different kinds of patterns, which help to systematically elicit relevant laws.

We also analysed the ISO 27001 standard to determine which techniques and documentation are necessary and instrumental for developing and documenting systems according to this standard [10]. Based on these insights, we inspected a number of current SRE approaches to evaluate whether and to what extent these approaches support ISO 27001 system development and documentation. We re-use a conceptual framework (CF) [11], originally developed for comparing SRE methods, to relate important terms, techniques, and documentation artifacts of the security requirements engineering methods to ISO 27001.


         3   Future Work

In the future we will extend this approach to support the documentation and development of trustworthy ICT systems, as depicted in Fig. 2. In our approach, we will re-use existing meta-models for security standards, e.g., Sunyaev [12], and for risk management standards, e.g., Fenz et al. [13], and combine them into a pattern for security and risk management standards (1). As a next step we will develop relations from these patterns to the CF (2), which allows us to re-use the existing relations from the CF to SRE methods (3). Combining the relations 1, 2, and 3, we can create transitive relations between the SRE methods and multiple security and risk management standards, e.g. ISO 27001 and Common Criteria (4).

However, the privacy and compliance demands of trustworthy ICT systems and of security standards alike, e.g., ISO 27001 and Common Criteria, are not yet addressed by this. Hence, we propose to develop relations between specific patterns for laws (5), risk and security (6), and privacy (7). We will also extend the CF to enable relations to privacy and law extensions of SRE methods. The risk and security patterns shall address issues that are not already covered by an existing SRE method in 3. We will also develop the patterns in 5, 6, and 7 ourselves if no suitable patterns are available yet. As a last step we combine the relations 5, 6, and 7 and, thus, also relate these patterns to multiple security standards, e.g. ISO 27001 and Common Criteria (8).

We choose cloud computing as the example domain of our work. Hence, we will create more detailed patterns for cloud systems based upon the aforementioned Cloud System Analysis Pattern.

Moreover, aligning clouds to meet compliance regulations is a challenging task, because of the high number of different kinds of stakeholders. We will address this problem by creating specific cloud law analysis patterns as an extension to our existing law pattern approach [9]. Our extension will also make use of the results generated by the application of the cloud system analysis pattern.




Fig. 2: Support for Developing and Documenting Trustworthy ICT Systems (diagram not reproduced in this text. It shows Security and Risk Management Standards 1 to n related (1) to Patterns for Security and Risk Management Standards, which are related (2) to the SRE Conceptual Framework, which in turn is related (3) to Security Requirements Engineering Methods 1 to n; the transitive relation between standards and SRE methods is labelled (4). Below, Law Patterns (5), Security and Risk Patterns (6) and Privacy Patterns (7) are related to the standards (8).)


We will start working on privacy patterns based upon Nissenbaum's model of informational privacy in terms of contextual integrity [14]. The model considers the context of a given situation, the kind of information and the relation of the information to the context. We will also compare security and risk management patterns using existing surveys, e.g., Heyman et al. [15].

The outcome of our work is a methodology for developing and documenting ICT systems with the goal of compliance with security standards. We aim at developing a system of patterns, supported by security requirements engineering approaches, which can be used to improve the security of an ICT system as well as to generate documentation of it. This documentation can be used as a basis for certification according to a standard.

The patterns in our work will be based upon UML and the problem frame approach by Michael Jackson [16]. In addition, essential parts of the patterns are specified in a formal notation based upon the Z notation [17]. The patterns will be derived from relevant scientific literature and existing pattern libraries, as well as from existing implementations of security standards.

We plan to validate our work by applying the methodology and the pattern system to an ICT system and a specific security standard. We will compare the resulting documentation against a standard-compliant documentation that is not based on our patterns.

We conclude with a brief summary of the main benefits of our approach:

 – A methodology for systematic pattern-based development and documentation of ICT systems
 – Complementing patterns with existing SRE approaches in order to completely support the implementation of sections of security standards
 – Specific patterns for laws, privacy, security and risk management to cover all quality requirements of security standards
 – Easing the burden of implementing security standards








         References
          1. Pfleeger, C.P., Pfleeger, S.L.: Security In Computing. 4th edn. Prentice Hall PTR
             (2007)
 2. Anderson, R.: Security Engineering. 2nd edn. Wiley (2008)
          3. ISO/IEC: Information technology - Security techniques - Information security
             management systems - Requirements. ISO/IEC 27001, International Organization
             for Standardization (ISO) and International Electrotechnical Commission (IEC)
             (2005)
          4. Gamma, E., Helm, R., Johnson, R., Vlissides, J.M.: Design Patterns: Elements of
             Reusable Object-Oriented Software. 1 edn. Addison-Wesley Professional (1994)
 5. Bishop, M.: Computer Security: Art and Science. 1st edn. Pearson (2003)
          6. Beckers, K., Jürjens, J.: Security and compliance in clouds. In: Information Security
             Solutions Europe (ISSE 2010). Securing electronic business processes : Highlights
             of the Information Security Solutions Europe, Vieweg + Teubner (2010) 91–100
          7. ISO/IEC: Information technology - security techniques - information security
             risk management. ISO/IEC 27005, International Organization for Standardiza-
             tion (ISO) and International Electrotechnical Commission (IEC) (2008)
          8. Beckers, K., Küster, J.C., Faßbender, S., Schmidt, H.: Pattern-based support for
             context establishment and asset identification of the ISO 27000 in the field of
             cloud computing. In: Proceedings of the International Conference on Availability,
             Reliability and Security (ARES), IEEE Computer Society (2011) 327–333
          9. Beckers, K., Küster, J.C., Faßbender, S., Schmidt, H.: A pattern-based method
             for identifying and analysing laws. In: REFSQ. (2012) to be published.
         10. Beckers, K., Faßbender, S., Heisel, M., Küster, J.C., Schmidt, H.: Supporting the
             development and documentation of ISO 27001 information security management
             systems through security requirements engineering approaches. In: Proceedings of
             the International Symposium on Engineering Secure Software and Systems (ES-
             SoS). LNCS, Springer (2012) to be published.
         11. Fabian, B., Gürses, S., Heisel, M., Santen, T., Schmidt, H.: A comparison of
             security requirements engineering methods. Requirements Engineering – Special
             Issue on Security Requirements Engineering 15(1) (2010) 7–40
         12. Sunyaev, A.: Health-Care Telematics in Germany: Design and Application of a
             Security Analysis Method. 1st edn. Gabler Verlag (2011)
13. Fenz, S., Ekelhart, A., Neubauer, T.: Information security risk management: In
    which security solutions is it worth investing? Communications of the Association
    for Information Systems 28(1) (May 2011) 329–356
         14. Nissenbaum, H.: Privacy in Context: Technology, Policy, and the Integrity of Social
             Life. 1st edn. Stanford (2009)
         15. Heyman, T., Scandariato, R., Huygens, C., Joosen, W.: Using security patterns
             to combine security metrics. In: Proceedings of the International Conference on
             Availability, Reliability and Security (AReS), IEEE Computer Society (2008) 1156–
             1163
         16. Jackson, M.: Problem Frames. Analyzing and structuring software development
             problems. Addison-Wesley (2001)
         17. ISO/IEC: Information technology – Z formal specification notation – Syntax, type
             system and semantics. ISO/IEC 13568, International Organization for Standard-
             ization (ISO) and International Electrotechnical Commission (IEC) (2002)



