PoSecCo in a nutshell
The problem
Future Internet (FI) applications will see dynamic compositions of services providing a broad diversity of functions, from business functionality down to infrastructure services. Their progress crucially depends on the service providers' ability to deal with two interdependent challenges:
- to achieve, maintain and prove compliance with security requirements stemming from internal needs, third-party demands and international regulations, and
- to cost-efficiently manage policies and security configuration in operating conditions.
The deficiencies of current processes and tools force service providers to trade off profitability against security and compliance. Major causes are
- ignorance or manual resolution of policy and configuration dependencies, caused by the distinct terminologies and languages of the security domains and by the complexity of large-scale distributed systems,
- constant evolution of requirements and regulations as well as service compositions and configurations, and
- the number of stakeholders involved in security management and requirement definition.
The solution
PoSecCo overcomes this by establishing a traceable and sustainable link between high-level requirements and low-level configuration settings (see figure).
Operations will be supported by self-management features and decision support systems. Substantial improvements are expected in the areas of policy modeling and conflict detection across architectural layers, decision support for policy refinement processes, policy and configuration change management (including validation, remediation and audit support), and security management processes in FI application scenarios. PoSecCo addresses the economic viability of the chosen approach by assessing the cost and organizational benefits of improved policy and configuration management.
Fellow research projects
PoSecCo builds on earlier EC projects, especially DESEREC, POSITIF and MASTER, and adopts existing industry standards for change management and audit to ensure its impact.
Empiric study
We have created a questionnaire that investigates problems and requirements in the domain of policy, security and configuration management. Answering it takes approximately 20-30 minutes. The questionnaire is provided as an online survey in English. The anonymity of participants is guaranteed.
The central focus is the involvement of the interviewees in the five core activities to be supported by the PoSecCo toolset, as well as their perspective on the planned functionality. These five core activities were identified as critical in cross-organizational security settings. Furthermore, interviewees are asked to rate the importance of seven challenges in the domain of secure, compliant and auditable cloud computing, and their impact on financial figures, customer satisfaction, internal business processes and growth. Finally, one question regarding the identification and quantification of business disruptions is asked.
The target audience of our study is people working in organizations that deal with policy, security and configuration management in cross-organizational settings, i.e. in cloud computing or outsourcing scenarios. The following roles are of particular interest:
- security managers
- compliance managers
- system administrators
- internal auditors
- operations managers
- vendor managers
- IT auditors
We will provide rich and, we hope, valuable feedback to everyone interested in our results.
The questionnaire can be accessed at: https://www.soscisurvey.de/PoSecCo/
The consortium
The PoSecCo consortium comprises leading European companies and research institutes in the area of policy and security configuration. 11 partners from 7 EU countries (Germany, Switzerland, Italy, Netherlands, France, Spain, Austria) jointly form a multidisciplinary project team with extensive experience in international collaboration. The PoSecCo consortium is well balanced between industry, SME and university partners. The industry partners are all market leaders in their technology segment and run highly respected research laboratories. SME partner Crossgate is the European market leader in gateway services that enable and mediate B2B communication. End-user partner Deloitte is a recognized expert in governance and control. As such, both end-user partners complement each other and ensure a holistic view of security and compliance issues. The universities in PoSecCo are all "first addresses" in their knowledge area and well connected with their scientific communities.