http://www.spinellis.gr/pubs/conf/1999-WISE-TEKNO/html/wise.html This is an HTML rendering of a working paper draft that led to a publication. The publication should always be cited in preference to this draft using the following reference:
Diomidis Spinellis
Department of Information & Communication Systems
University of the Aegean
GR-83200 Karlobasi, Greece
dspin@aegean.gr
Dimitris Gritzalis
Department of Informatics
Athens University of Economics & Business
GR-104 34 Athens, Greece
dgrit@aueb.gr
The rising deployment of mission-critical systems over public data networks is prompting enterprises of all types and sizes to re-examine their approach towards the security of their information technology systems. We present ISA-EUNET, an integrated approach comprising security technology awareness, support, education, training, and dissemination aiming towards the diffusion of security and safety know-how to SMEs. The main technological drivers behind the SMEs' need for education are information system risk analysis, development of secure software systems, and provision and utilisation of Trusted Third Party services. The provided education and training is based on a phased approach, a set of security project selection criteria, and an innovative decentralised, yet identity-preserving, structure. An important part of the ISA-EUNET approach is security information dissemination through a Web-based Technological Knowledge Office database.
Information Systems Security; SME dissemination activities; World Wide Web.
The rapidly increasing adoption of Internet-based solutions for disseminating corporate information, conducting electronic commerce, teleworking, implementing virtual private networks, and setting up extranets is prompting enterprises of all types and sizes to re-examine their approach towards the security of their information technology (IT) systems. Through the adoption of multimedia email, Java and Javascript Web applets, and Internet-connected corporate networks modern IT systems are becoming vulnerable to a wide variety of threats affecting the availability, integrity, and confidentiality of the information they handle.
Faced with these changes, the European SMEs face a big challenge and, at the same time, demonstrate specific points of cultural weakness. The majority of the European SMEs do not have a clear operational and cultural approach to the problems generated by ``security hidden requests'', legal constraints, new regulations and directives; moreover they have limited time to study and test the new methods, ongoing research, and tools necessary to give a correct answer to the deployment of secure software systems. On the other hand, SMEs must remain competitive if they want to survive in the new world-wide scenario, which will become larger and larger (from the business point of view) in consideration of the new opportunities generated by the new expanding area of Internet-based electronic commerce applications. All European SMEs developing or depending on secure IT systems have in common the need for personalised and direct support in order to solve concretely and successfully the practical problems they face in their day-by-day operations. This includes education and hands-on direct training on consolidated European Best Practices and local support and tutoring on a wider set of subjects related to the solution of their practical problems on security issues.
This paper presents an integrated approach comprising security technology awareness, support, education, training, and dissemination aiming towards the diffusion of security and safety know-how to SMEs. The remainder of this paper is structured as follows: Section 2 introduces the ISA-EUNET approach and its objectives, its context within EU-funded research activities, the project's goals, and its strategy; Section 3 details the main technological drivers behind the SMEs' need for education, namely information system risk analysis, development of secure software systems, and provision and utilisation of Trusted Third Party services; Section 4 describes a phased approach for providing security-related consulting services to SMEs, the security project selection criteria, and the key elements of the ISA-EUNET structure; Section 5 describes the schema, design, and implementation of the project's Technological Knowledge Office database, while Section 6 concludes the paper with a summary of the project's main achievements.
ISA-EUNET aims towards the establishment of a high-technology software European lean network of experts in security and safety applications to directly support SMEs at a regional level. The specific objectives of our approach are: to raise awareness of SMEs on the different aspects of software intensive systems for security and safety applications, to support the same SMEs with proper training on European software best practices, methods and tools, to provide on-site tutoring, to promote the circulation of ``validated'' information in the specific technological areas, to improve the effectiveness of European SMEs business operation and, finally, to create a new market niche for the security and safety technology operators.
ISA-EUNET is part of the ESSI-2 Software Best Practice initiative within the framework of the specific research and technological development programme in the field of Information Technologies. The aims of ESSI are to promote best practice and thereby improve the software development process in industry, through the take-up of well founded and established but insufficiently deployed technological support, so as to achieve greater efficiency, higher quality, and greater economy. This is to be accomplished by applying state-of-the-art software engineering techniques in a wide range of industries, taking into account moving targets and changing cultures in this rapidly evolving area. The full impact for Europe is to be achieved through a multiplier effect, with the dissemination of results across national borders and across industrial sectors. A guiding aspect for ISA-EUNET, and at the same time an important part of ESSI, are the Pro-Active Software Best Practice Networks (ESBNETs). These aim towards the establishment of European networks of organisations managing locally a set of closely related software best practice activities including hands-on activities -- like the performance of small scale PIEs, assessments, improvement plans, etc. -- information brokerage, experience exchange networks, demonstration sites, executive industrial visits or other schemes particularly tailored to meet the needs of the SMEs. The ISA-EUNET approach evolved as a result of ISA-EUNET: an ESPRIT ESSI-funded project. The composition of the ISA-EUNET consortium is outlined in Appendix A.
The ISA-EUNET Consortium uses its scientific, technical and market competencies at different levels to reach the goals described. All partners (including the co-ordinator) implement specific direct actions towards SMEs at the regional level according to the ISA-EUNET Work Plan, take part in the central supporting activity of the TEchnical KNowledge Office (``TEKNO'' -- illustrated in Figure 1 and described in Section 5), and activate links with national ESPINODES. The ISA-EUNET co-ordinator performs the linking activity, (links with ESBNETS, international Partners, other Academic Institutions and Research Centres) focusing and monitoring the overall efforts of Partners, maintaining the identity and the consistency of the Consortium, while stimulating actions to promote business results in the medium term time-frame. Finally, subcontractors are used only marginally and only to cover either new specific high-technology issues (with niche activities to be done by SMEs) or to support the telematic applications on the World Wide Web.
The strategy of the ISA-EUNET approach is based on three main elements: TEKNO, the regional nets of direct links between the Partners and the local SMEs, and the strong proactive co-ordination.
An important part of the ISA-EUNET approach concerns the characterisation and analysis of the emerging business context formed by the deployment of large integrated digital infrastructures and embedded software systems, and the technological, legal, societal, and cultural drivers behind the SMEs needs.
A study performed in the Greek IT market through interviews with selected target SMEs aimed towards identifying SME security-related needs. We expect similar trends to be prevalent throughout Europe. The Greek IT industry [Vei98] is undergoing a very promising transition.
A number of players in the channel have advantageously positioned themselves to make the most of joining the EMU with software development being quite mature. There are exports in the Balkans area. Most software development companies are focused on the SME market providing packaged products and custom-developed solutions. There are around 200 mature software development companies.
An important market characteristic is the large participation of the public sector creating around 30% of the demand. Software is also needed by the private industry, especially shipping, banking (which is currently in a consolidation and restructuring phase), and financial institutions. As manufacturing is decreasing a lot of demand is coming from the service sectors. A problem, identified by the study, that influences ISA-EUNET directions is the perceived shortage of skilled staff.
Software products are currently undergoing a transition, moving from stand-alone platforms to networked client-server architectures. With the rapidly improving Greek Wide Area Network (WAN) infrastructure, the opening of the telecom market for data, and the emergence of a number of reliable Internet Service Providers, large companies, the government, but also SMEs are increasingly networking geographically dispersed offices and using software over public networks. The increasing use of the Internet, and the World Wide Web in particular, has also contributed to this trend. Activities related to electronic commerce and EDI are on the ascent, fuelled by European Union funded R&TD projects.
The Greek government is also creating demand through the KLISTHENES project, aiming at the further utilisation of IT in the public sector. Important parts of the project currently under way include the integrated system for tax revenue management (TAXIS project, one of the biggest projects in Europe, with a budget of 500 million ECU) and the introduction of IT in the public health-insurance, pension, and health-care systems.
The recent establishment of an independent authority (National Data Protection Board) to enforce the Greek Law 2472/97 for the protection of individuals from the processing of personal data is expected to severely influence the security requirements of those projects.
All these market trends are fuelling demand for secure information systems. Such systems have to be reliable and secure following a rigorous risk analysis. For many activities occurring over public data networks trusted third party (TTP) services providing public-key certificates will be required. These identified specific needs are expanded in the following sections. In summary, the three main security-related technological drivers that emerged during the analysis phase, are:
An enterprise cannot reasonably develop efficient security policies and procedures without clearly understanding the systems that must be protected, as well as how valuable they are to the enterprise. In addition, one must determine the probability that the assets will be threatened. Therefore, the objective of a risk analysis review is to identify and assess the risks to which the IS and its assets are exposed in order to select appropriate and justified security safeguards [Com93].
The analysis of risks is performed in four stages [ELB93,WK96]:
Assets are the elements of an IS that possess a value. A security incident that will affect an asset will also have an impact on the owner of the asset (i.e. the organisation, the enterprise or the individual). Assets are valuated according to the impact of a probable asset impairment. Threats need to exploit a certain vulnerability in order to cause a security incident. Therefore, threats, vulnerabilities, and impacts should be combined together to provide a measure of the risk an IS is exposed to.
A result of an initial study on security-related SME software development was that SME software development organisations were mainly developing client-server systems [Sin92,DCS98] with Web-based systems an emerging new activity. SMEs need to be educated on the aspects of Secure Software System Development outlined in the following paragraphs [FNS91]. As client-server information flows through a corporate or public network environment, at any instant, it can be in one of the following states [Pfl96]:
In each of these certain states, the potential threat agents may be [MSB95]:
An important part of creating a secure and safe environment for a program to run is facing the potential threats inherent in distributed client-server and Web technology [GS97] which may be exploited by any of the threat agents mentioned above.
The main threats can be classified with respect to the potential result as [MSB95]:
For data on servers a threat agent may exploit inadequate access control, programming errors, or use impersonation. Legitimate users may disclose data to third parties who do not have this right. This threat applies particularly to private corporate data distributed on an Intranet. Data in transit can be observed via wiretapping, misrouting, or accessing server and proxy logs and cache structures. Unprotected networks and applications are vulnerable to all threat agents, but protected ones are only exposed to vulnerabilities by authorised agents. Data on clients is vulnerable to disclosure when residing on an insecure operating system, or when executing Web-obtained software. Client masquerading may also be used to cause disclosure.
Weaknesses on servers or the operating system they reside on can (and have been) exploited to cause server data modification. Wiretapping may also be used to modify or destroy data packets in transit. In addition, data on clients is vulnerable to modification when executing Web-obtained software.
Threat agents may create masquerade servers or documents on a server. For data in transit a threat agent may falsify the source of information (server or individual). A threat agent may also falsify the user or host identity presented to the server.
Users sending information to a server may repudiate their actions and document authors may falsely claim not to be the document's true author. The first threat is particularly relevant to Web-based transactions used e.g. for on-line shopping, while the second one applies to the distribution of illegitimate content.
The ISA-EUNET approach is using the outlined threat model as a basis for characterising SME needs, and documenting the information disseminated to them.
A new business environment is emerging: with Electronic Commerce poised for rapid growth, a vast number of potential opportunities are unfolding. It is estimated that there were 75 million Internet users at the end of 1998. Internet shopping is becoming a reality with sizeable initial projects backed by major national and international corporations (e.g. Visa and MasterCard). The largest Internet retailer, amazon.com, now has over one million customers. It follows that Internet security is becoming increasingly important [Bhi96]. Banking has been made available to the general public with the advent of the world's first ``Internet only'' bank, Security First Network Bank. All banks are now looking at how they can utilise the Internet to offer a new delivery channel to their customers and many have started pilot projects.
Up to now the view of security was relatively confined but a new definition is emerging. This is centred around the use of Public and Private keys to allow authentication and digital signing. In most countries around the world projects have started to offer certification (which is a means of publishing a person's public key for authentication use in e-commerce).
The main target groups of certification and digital signature services could be the following:
Software development SMEs have to cater to the needs of all the categories listed above. They therefore need expert guidance for providing and deploying the necessary products and services.
An important part of the ISA-EUNET strategy is the establishment of a common initial approach to target SMEs. At the local level the Target Enterprises need direct and personalised support to be motivated to fill the cultural gap which may generate weakness in a global competitive scenario. The objective of ISA-EUNET was to prepare plans of actions for Partners in order to give timely and effective support to the target SMEs. We therefore decided to define and standardise some common protocols which should permit us to have a common approach to SMEs needs, independently of the national diversities. In order to establish this protocol it was important to take into account the information dissemination strategies that can be applied across all SMEs. We therefore proposed a staged approach towards the target SMEs together with detailed project evaluation criteria for selecting viable SMEs and projects. As the ISA-EUNET project is financed by the European Commission some of the practical support and tutoring/mentoring provided to the SMEs are to be performed without charging the full cost to the respective SME.
We proposed a staged approach towards each individual SME. For each stage, we describe the respective actions from an ISA-EUNET member and the target SME.
At the initial stage the target SME may be unaware of any specific security education needs. The initial approach to target SMEs has to be specified formally so that it can be applied by each partner in the same structured and uniform way. The initial approach described here is based on experiences in the first four months of the ISA-EUNET project (July to October 1998). The experiences are derived from company visits, telephone communication, and presentations at public seminars. The explicit philosophy behind the initial approach, which is described below, is that confidence has to be gained step by step from SMEs, which are preferably existing contacts. In the first step a restricted number of existing contacts is used to create initial awareness and interest; subsequently a selected set of companies will be contacted directly to make appointments for carrying out experiments. As such, a kind of centre-out approach is followed: first getting (at least) one company interested to do a micro-PIE, subsequently using the experiences to do public presentations to convince other companies and to carry out new experiments. The initial approach has five phases:
The target SME will try to shift the partner's work towards solving its specific problems (e.g. a specific intrusion threat or a runaway project). The goal of the ISA-EUNET partner will be to shift the -- possibly vague -- target SME requirements towards the partner's specific capability (e.g. consulting on TTP implementation).
A target SME will typically respond to a successful requirement analysis with questions directed towards establishing the feasibility of a specific product. The SME's managers will prepare a cost-benefit analysis and an internal proposal to obtain the budget needed. The ISA-EUNET partner will provide the target SME with background information (e.g. cost estimates, case studies, technical articles) to help its staff draft the internal proposal. This stage presents a perfect opportunity for establishing a close and friendly working relationship based on mutual trust between the employees of the SME and the ISA-EUNET partner. This relationship will be an important asset during the following stages.
At this stage the target SME, having secured the internal approval for budget, will try to identify possible bidders and write a request for proposal. In order to win this proposal the ISA-EUNET partner will have to discuss as early as possible the related terms and conditions and discover the basis on which the bids will be judged, as well as the available budget. The contacts established at the previous stages will prove valuable at this point.
The target SME will publish a formal request for quotation which has to be studied by the ISA-EUNET partner in order to prepare a proposal and a quotation. At this stage the ISA-EUNET partner will have to determine whether the target SME is a suitable customer candidate. Following a positive decision, the ISA-EUNET partner should stress its specific strengths, track record, emphasise the access to the common pool of ISA-EUNET knowledge and the TEKNO database, and provide a quotation consistent with the SME's available budget and the prevailing market condition. For security reasons the proposals would be submitted close to the tender closing time.
A successful proposal will result in the ISA-EUNET partner being selected for a short-list of prospective suppliers. The SME will ask for the best and final offers from the favoured suppliers. The ISA-EUNET partner must, at this stage, fine tune the bid and adjust the price (upwards or downwards) depending on its knowledge of other contenders. It is important to keep in mind that ISA-EUNET offers an exclusive pool of specialised knowledge which should not be downmarketed.
At this stage the ISA-EUNET partner and the SME will negotiate the final contract. The negotiation includes the detailed schedule of the consulting provided, the price, access to the SME material, rights to use and publish results, and other terms and conditions. The goal at this stage is to close the deal.
After the contract starts, the ISA-EUNET partner must inform the target SME of the progress using suitable reports as well as any unavoidable changes in the established plan. The ISA-EUNET partner should also monitor the SME's use of the provided services and provide assistance so that results will match the initial expectations. Contract extensions and further work will be provided to the ISA-EUNET partner only if the target SME sees concrete value being delivered during the contract execution.
Inevitably, once an initial working relationship has been established, the ISA-EUNET partner should start discussing the SME's future security-related requirements and develop the required capability -- possibly in co-ordination with other ISA-EUNET members -- to meet those future needs.
As discussed in the previous section, when a request for quotation is received from the SME the ISA-EUNET partner will have to decide whether the nature of the work fits with its capabilities, short and long term strategic goals, work schedule, staff levels, and work load. The following criteria should be used when selecting projects:
ISA-EUNET Consortium uses the best of its scientific, technical and market competencies at different levels to reach the final goals of the project. All partners (including co-ordinator) do implement specific direct actions towards SMEs at regional level according to the Work Plan, and take part in the activities of the TEKNO structure. The co-ordinator performs the linking activity, stimulating, focusing and monitoring the overall efforts of the partners, maintaining the identity and the consistency of the Consortium. The subcontractors are used only to cover either new specific high-tech issues, or to work on specific tasks for Web implementations.
Three key elements are used by the Consortium for performing the proposed set of operations and activities:
In this age of information overload, finding the right information can be a challenge for SMEs, and trusting it often requires a leap of faith because we cannot be sure where it came from or which is its practical value. To help operators of ISA-EUNET to share information and SMEs to use it without fear, we have realised a TEchnical KNowledge Office (TEKNO) which is a lean, flexible, virtual structure designed to disseminate information of the ISA-EUNET internal network. TEKNO searches, generates, links, organises, updates and presents information that ISA-EUNET Partners use most often about methodologies, research, and tools applicable to software intensive systems for security and safety applications. The team working on this TEKNO task is a virtual team built with the contribution of key people working part-time in the different European regions of ISA-EUNET, and linked person to person via the Internet plus some group meetings (usually via teleconferences, Internet chat, etc. and sometimes with real physical meetings of the interested people in occasions of seminars and other main events with SMEs). In addition to this validation activity, the TEKNO proposes and develops medium term strategic plans for driving correctly and consistently the overall actions of the Consortium with the important by-product of promoting possible self-sustained activities (that is a set of activities acceptable and paid for by SMEs) towards the regional SMEs in the future, after the completion of the ISA-EUNET project.
At a regional level the ISA-EUNET partners can work with SMEs using a large set of technical, training and business relationships which were set up in the last years in connection with direct deals and some EU funded actions (which include DG III ESPRIT "SCOPE", DG II ESSI "ESSI-SCOPE" and "ENCRESS", etc.). Starting from these initial informal relationships between partners and with local SMEs, an unstructured network was generated. During 1996-97 there was a first effort, at regional level only, to give to the now available network a partial formal structure. The network nowadays exists and it is deployed in all the countries covered by ISA-EUNET (and in many others including France, Norway and Portugal) and consists of several regional nodes each with a number of operational links with local SMEs and institutions (15 to 35); this network is used, with some low cost but very important telematic and procedural improvements, as a key tool for achieving ISA-EUNET goals.
The third element of the Consortium's strategy is an innovative approach to the co-ordination of partners which opens a new dimension of economic relevance for the future of the Consortium. Proactive co-ordination means the promotion of the partners' level of freedom and, at the same time, the protection of Consortium identity. The two concepts are not in contrast and their implementation has been properly balanced by the co-ordinator partners appointing as Director of ISA-EUNET an executive manager with international experience in large EU funded and industrial multinational projects, for achieving the Consortium goals.
Due to the pace of security-related technological advances, partners are absolutely free to take any decision under their responsibility (with reference to their contractual and budget commitments); to implement this concept the first task of the Director is to increase the level of freedom for the specific partner promoting new local initiatives and mainly removing the ``not-yet-known'' barriers in the area of security-related software. The speed of circulation of ideas and applicative information available in the internal network is the mechanism which is used to permit the growth of innovative ideas and solutions for SMEs, in the action of partners. The speed of circulation of information is of vital importance and the co-ordinator also takes care of implementing low cost telematic links permitting the achievement of this goal, which break the limits of regional industrial culture producing benefits both for Partners and for SMEs.
The second aspect of the proactive action of the Director consists in the day-by-day monitoring action necessary to maintain the identity of ISA-EUNET Consortium (focused on the key common issues of its mission) and in a scout activity addressed to identify among partners and SMEs, any new opportunity of synergism from different academic areas and IT and non IT industrial sectors (energy and process industries, medical equipment, robotics, avionics, aerospace, telecom. etc.) to thus promote cross-fertilisation actions with direct benefits to innovative local SMEs.
As the implementation of these two concepts is adequately balanced there is a good chance that the ISA-EUNET Consortium will be successful because it is now possible to take advantage from the experience of partners already used to work in large teams with severe and ambitious objectives. In a time frame of three to five years, the success of the proposed project will give origin to other security-related high-technology business operations for SMEs (home safety applications, mass market and extensively deployed products embedding security-related IT, etc.). For these enterprises the presence of a strong technical-managerial co-ordination body maintains in their future common operations the initial benefits of ESBNET.
As outlined in the previous section a key element of ISA-EUNET is the Technical Knowledge Office which is used to co-ordinate the dissemination of security-related information to SMEs. The TEKNO database is based on a relational structure and is used to organise and categorise entries making them thus accessible to other members of ISA-EUNET and target SMEs. The structure is based on a set of orthogonal TEKNO entry dimensions which are common across all entries. As entries are added to the TEKNO database the structure will ultimately evolve towards the final database schema.
Every TEKNO entry is described using the following index categories:
Currently a prototype of TEKNO has been implemented in order to verify the viability of the database schema, the user interface, and the population dynamics. It is based on a set of dynamically constructed Web pages based on specific templates and the entry descriptions. All entries of TEKNO are described using a simple text format like the one presented in Figure 4.
Entry name: Intrusion Detection
Contributor: Athens University of Economics and Business
Distribution type: ISA-EUNET
Entry status: Under review
Entry type: Training material
Application area: Digital large-scale infrastructures
Entry language: EN - English
Affected quality measures: QM.2.1.4 - Trustworthiness
Computing reviews category: D.4.6 - Security and Protection
Other relevant TEKNO items: None
Entry link: ../todo.html
Reviewer: Sokratis Katsikas
A program written in Perl [WS90] goes through all entry descriptions and creates HTML [BLC95] pages presenting a rich cross-indexed structure based on all entry characterisation dimensions. A set of cross-linked associative arrays is used to maintain and expose the free and evolving relational schema of the database without restricting the entry authors to use a fixed set of entry characterisations. The main page of this structure is illustrated in Figure 1.
A separate page is generated for each TEKNO entry, with links to other
relevant entries, the descriptions of the database schema, and the
main link to the material of the entry.
For ISA-EUNET-restricted material a simple password scheme is used to
hinder access to unauthorised entities.
A sample TEKNO Web entry is illustrated in Figure 5.
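The generation step described above, sketched as an added example in Python; the paper's program was written in Perl and is not reproduced on this page, so this is not the authors' code. The `Public` distribution value, the second sample entry and all function names are assumptions made for the illustration. The sketch escapes every field on output, restricts entry links to relative or http(s) URLs, and builds the public site only from public entries so that restricted titles do not leak through cross-links.

```python
import html
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input in the "Field: value" format of Figure 4.
# The first record mirrors the figure; the second is invented.
SAMPLE = """\
Entry name: Intrusion Detection
Contributor: Athens University of Economics and Business
Distribution type: ISA-EUNET
Entry status: Under review
Entry type: Training material
Entry language: EN - English
Entry link: ../todo.html

Entry name: Risk Analysis <Primer>
Contributor: Example Partner
Distribution type: Public
Entry status: Approved
Entry type: Training material
Entry language: EN - English
Entry link: primer.html
"""

NON_INDEX_FIELDS = {"Entry name", "Entry link"}
PUBLIC = "Public"  # assumed value; anything else is treated as restricted


def parse_entries(text):
    """Split blank-line separated records into dicts of field -> value."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            field, sep, value = line.partition(":")  # first colon only
            if not sep or not field.strip():
                raise ValueError(f"malformed line: {line!r}")
            entry[field.strip()] = value.strip()
        if "Entry name" not in entry:
            raise ValueError("record without an 'Entry name' field")
        entries.append(entry)
    return entries


def build_index(entries):
    """dimension -> value -> [entry names]. The dimensions are whatever
    fields the authors used, so the schema is free to evolve."""
    index = defaultdict(lambda: defaultdict(list))
    for entry in entries:
        for field, value in entry.items():
            if field not in NON_INDEX_FIELDS:
                index[field][value].append(entry["Entry name"])
    return index


def is_public(entry):
    """Fail closed: a missing or unknown distribution type is restricted."""
    return entry.get("Distribution type") == PUBLIC


def safe_href(link):
    """Allow relative and http(s) links only, so a description file cannot
    plant a javascript: or data: URL in a generated page."""
    scheme = urlsplit(link).scheme.lower()
    return link if scheme in ("", "http", "https") else "#"


def render_entry(entry, index):
    """Page body for one entry, listing entries that share each value."""
    name = entry["Entry name"]
    rows = []
    for field, value in entry.items():
        if field in NON_INDEX_FIELDS:
            continue
        related = [n for n in index[field][value] if n != name]
        rows.append("<tr><th>%s</th><td>%s</td><td>%s</td></tr>" % (
            html.escape(field), html.escape(value),
            html.escape(", ".join(related))))
    link = html.escape(safe_href(entry.get("Entry link", "#")))
    return ('<h1>%s</h1>\n<table>\n%s\n</table>\n<a href="%s">Material</a>'
            % (html.escape(name), "\n".join(rows), link))


def generate(text, public_only):
    """Return {entry name: page body}. The public build drops restricted
    entries before indexing, so their names never appear as cross-links."""
    entries = parse_entries(text)
    if public_only:
        entries = [e for e in entries if is_public(e)]
    index = build_index(entries)
    return {e["Entry name"]: render_entry(e, index) for e in entries}


if __name__ == "__main__":
    for title, page in generate(SAMPLE, public_only=True).items():
        print(page)
```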
In the previous sections we introduced the ISA-EUNET approach and its objectives, its context within EU-funded research activities, the approach's goals, and its strategy; detailed the main technological drivers behind the SMEs' need for education, namely information system risk analysis, development of secure software systems, and provision and utilisation of Trusted Third Party services; described a phased approach for providing security-related consulting services to SMEs, the security project selection criteria, and the key elements of the ISA-EUNET structure; and outlined the schema, design, and implementation of the project's Technological Knowledge Office database. Our experience so far has been more than positive. The emergence of the Internet has created a new impetus for security technology awareness, support, training, and dissemination activities; ISA-EUNET is currently ``riding the wave'' of corporate security education, a fact which is evident from the attendance of seminars, courses, and other relevant activities. In the following months the completion and deployment of the operational TEKNO will result in additional exposure and, we hope, in subsequent multiplier effects on the visibility of the ISA-EUNET goals and activities.
The work reported herein was carried out within the context of ISA-EUNET, an ESPRIT (ESSI-ESBNET, project number 27450) R&D project funded by the Directorate General III of the European Commission.
The ISA-EUNET project is managed by QualityLab (QLAB), a Consortium founded in 1994 and formed by four small already operating enterprises (ARTIS, MAPLE, MetriQs, Performance Research) and one medium company (SIA: Società Italiana Avionica) in Turin, Ivrea and Milano with headquarters in Turin. The main objective of QLAB is to provide solutions in support of the whole Software Life Cycle (from Software System Requirements Analysis to the final Software System Testing and Maintenance) and to sell consultancy services and tools both to SMEs and to large multinational European enterprises. Partners in the ISA-EUNET Consortium are: