
Improving Security Assurance of Services through Certificate Profiles

Conference paper. Advances in Service-Oriented and Cloud Computing (ESOCC 2013)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 393)

Abstract

Cloud and Web Services technologies offer a powerful, cost-effective and fast-growing approach to the provision of infrastructure, platform and software as services. However, these technologies still raise significant concerns regarding the security assurance and compliance of the data and software services offered. Service security certification has recently been proposed to overcome the limitations of existing security certificates by representing certification in a structured, machine-processable manner, enabling automated reasoning about certified security features in security-critical domains. However, the richness and flexibility of the underlying certificate models and languages comes at the price of increased complexity in processing and comparing those certificates and their related security claims in practice. In this paper, we propose the concept of a certificate profile as a mechanism to address the processability and interoperability of service security certificates. We present a conceptual model and a concrete realization of that model within the context of the European project ASSERT4SOA.



© 2013 Springer-Verlag Berlin Heidelberg

Cite this paper

Montenegro, M., Maña, A., Koshutanski, H. (2013). Improving Security Assurance of Services through Certificate Profiles. In: Canal, C., Villari, M. (eds) Advances in Service-Oriented and Cloud Computing. ESOCC 2013. Communications in Computer and Information Science, vol 393. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-45364-9_24


  • DOI: https://doi.org/10.1007/978-3-642-45364-9_24

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-45363-2

  • Online ISBN: 978-3-642-45364-9

  • eBook Packages: Computer Science (R0)