Augmented Enterprise Models as a Foundation for Generating Security-Related Software: Requirements and Objectives
Anat Goldstein, Ulrich Frank
University of Duisburg-Essen, Universitaetsstr. 9, D-45141 Essen. Tel. +49(0201)183-4563 (Goldstein), +49(0201)183-4042 (Frank).
ABSTRACT
The research presented in this paper is aimed at developing a holistic modelling method that comprehensively considers and integrates technical, organizational, behavioral and business aspects, all of which are crucial for creating and managing secure IT systems. Our method relies on Multi-perspective Enterprise Modeling (MEMO) and extends it to support security concepts. The focus of this paper is twofold: 1. identifying opportunities for using enterprise models to generate security-related code; 2. defining requirements that the modelling method should satisfy in order to support such security-related code generation. To identify opportunities for code generation, we apply a technique for developing domain-specific modelling languages (DSML) that is chiefly based on a structured analysis of use scenarios, including prototypical diagrams. It is supplemented by work found in the literature and validated with practitioners. Our analysis results in the identification of three areas in which MEMO IT security models can be used for the automatic creation of code (access control, report generation and encryption) and in 9 corresponding requirements that the modelling language should satisfy.
Categories and Subject Descriptors
D.2.11 [Software Engineering]: Software Architectures: Domain-specific architectures, Languages
General Terms
Management, Design, Security, Languages
Keywords
IT security, model driven security, enterprise modeling, MEMO, DSML, security code generation.
MDSec'12, September 30 2012, Innsbruck, Austria. Copyright 2012 ACM 978-1-4503-1806-8/12/09 $15.00.

1. INTRODUCTION
Today, more than ever, organizations are facing many challenges regarding the security of Information Technology (IT): technical challenges, resulting from the dynamic changes of technology and from the distributed nature of data, hardware and computational resources; organizational challenges, resulting from the fact that more business processes are becoming computerized and thus accessible online to various stakeholders, who might intentionally or unintentionally exploit this to cause harm; the continuing advancement of criminal attackers; and the increasing pressure to justify the costs associated with IT security. These challenges are related to different perspectives of the enterprise, which involve different stakeholders. Tackling these challenges requires a holistic approach that would not only consider technical issues, but also business, organizational and managerial issues [21][24]. As a foundation of such an approach, our research proposes the use of Multi-perspective Enterprise Modeling (MEMO). Enterprise modeling in general, and MEMO in particular, supports the analysis of various organizational aspects (e.g. organizational structure, business processes, IT resources, strategic goals) and the integration between them (e.g. it is possible to define which organizational role performs a business process and which IT resources are used to support it). By doing so, it enhances the communication between the various stakeholders who are responsible for different aspects of the enterprise. In order to provide a holistic approach for supporting IT management in designing, realizing and managing appropriate IT security systems, we extend MEMO with security-related concepts (e.g. by adding the concept of permission to an organizational role or the concept of security requirement to a business process). In this paper, our focus is on potential uses of IT security models for the automatic creation of security-related code within this extension of MEMO. The ability to derive security-related code is a powerful tool, which can save development time and costs.
As discussed in the following section, MEMO is supported by a modelling tool, MEMO Center, which, based on the defined meta models, supports the generation of: 1. integrated modelling editors for the different perspectives; 2. different representations (views) of each perspective to support different stakeholders (on both the type and instance levels). The work presented here is research in progress that is intended as a foundation for discussion and discursive evaluation by peers and domain experts. The results of this evaluation will eventually guide the further development of the IT security-related DSML. The remainder of this paper is arranged as follows. In the following section we present multi-perspective enterprise modelling (MEMO) and outline how it can be augmented with concepts to represent IS security aspects. In section 3 we analyze potential uses of the targeted IT security modelling method for security-related code generation, based on use scenarios and on the literature. We then derive specific requirements that should be satisfied by the modelling language in order to support such potential uses. We present our conclusions in section 4.
2. ENTERPRISE MODELLING
Analyzing, developing, using and managing business information systems is a challenging task that requires the active participation of stakeholders with different professional backgrounds. Hence, there is a need to effectively reduce complexity, to provide a foundation for implementing software and to coordinate the contributions of different stakeholders. Enterprise modelling has evolved as an approach to address these challenges by enhancing conceptual models of information systems (e.g. an object model) with those of the respective action systems (e.g. business process models or strategy models).
2.1 Multi-Perspective Enterprise Modelling
Multi-Perspective Enterprise Modelling (MEMO) includes a high-level conceptual framework that represents a "ball park view" of an enterprise [8]. It is composed of three generic perspectives (strategy, organization and information system), each of which can be further detailed into various aspects (e.g. resource, structure, process, goal). The framework serves as a starting point for identifying perspectives that require further attention. To allow for more elaborate analyses, each selected perspective is associated with a set of diagram types. Each diagram type is associated with a domain-specific modeling language (DSML). Different from general-purpose modelling languages like the ERM or the UML, a DSML includes domain-specific concepts and features a domain-specific graphical notation. Thus, it promises to increase modelling productivity, to improve model integrity and to foster the comprehensibility of models. Currently, MEMO includes DSMLs for resource modelling [12], for modelling IT infrastructures [13], for organization modelling [5] and for modelling strategic aspects [6]. So far, security-related aspects have not been addressed explicitly. Nevertheless, various DSMLs within MEMO include concepts that are relevant for IT security management. The reason for choosing MEMO over other enterprise modelling methods such as ARIS [19] or ArchiMate [15] is based on the following considerations. First, MEMO is based on a flexible language architecture [9]. The language architecture consists of a meta meta modelling language [4] and an extensible set of DSMLs, the semantics and abstract syntax of which are specified using the meta meta modelling language. All DSMLs that are part of MEMO are integrated through common concepts. The language architecture allows for extending existing languages or for adding new DSMLs (for example, MEMO has been extended to support risks, controls and indicators).
Second, MEMO provides support for method engineering and is supported by a corresponding (meta-)modelling tool, MEMO Center [9][11]. MEMO Center is a powerful modelling tool which relies on Eclipse GMF and supports model-driven development. It enables not only the definition of meta models and the generation of corresponding modelling editors, which allow the creation of new type-level models, but also the instantiation of these type-level models to create and manage instances of the model's entity types. Last, but not least, in contrast to commercial approaches like ARIS, the specifications of MEMO and its meta models are freely available and documented in several publications.
2.2 Enhancing Enterprise Modelling with Security Aspects
A multi-perspective enterprise model covers many aspects that are the subject of IT security management, such as IT resources (e.g. application systems, components, networks) or organizational roles and organizational units. In addition, models of the organizational strategy and of business processes allow for analyzing costs and benefits related to particular IT security measures. Therefore, our approach is aimed at enriching the existing DSMLs with additional, security-related concepts and, if required, adding a further DSML that focuses solely on specific IT security aspects. Figure 1 and Figure 2 illustrate possible extensions of enterprise models with IT security concepts. As a consequence, it should be possible to model security-related issues on various levels of abstraction, serving different perspectives. For example: a department manager may be especially interested in keeping the privacy of customers in the business processes he is in charge of. By enriching the representation of a business process with security-related information on an appropriate level of abstraction (e.g. by avoiding too much technical detail), the department manager gets a better idea of what to expect from investments into security management. A security expert, however, can further enrich the model with corresponding measures to achieve such privacy, for example using encryption. Models can be enriched with detailed specifications so that it is even possible to generate corresponding software (e.g. encryption and decryption functions). In this sense, conceptual models of IT security systems can serve as a blueprint for implementing corresponding software.
3. REQUIREMENT ANALYSIS FOR SUPPORTING GENERATION OF SECURITY-RELATED CODE
As discussed in section 2, MEMO serves as a strong foundation for IT security modelling, not only because it supports the modelling and representation of different enterprise perspectives and facilitates the communication between different stakeholders, but also because it provides an infrastructure for software generation. In this section we focus on analyzing the requirements that the modelling method should satisfy in order to support the generation of security-related code. Other requirements that should also be satisfied by an IT security modeling language (and which are not related to code generation) were previously analyzed and are presented in [10]. We first identify opportunities to generate code from IT security models. To do that, based on an approach presented in [7], we develop two use scenarios which demonstrate such opportunities. These use scenarios are supplemented with prototypical diagrams and with illustrative questions that the diagrams should help answering. We also rely on previous work on model-driven security found in the literature. After identifying potential uses for model-driven security development in each scenario, we derive requirements that should be satisfied by the modelling language in order to realize these opportunities.
3.1 Augmented Organizational Chart
An organizational chart is a diagram type which allows the representation of organizational structures: organization units, positions, roles, committees and the associations between them. This is a central diagram in the MEMO OrgML and is also part of other enterprise modelling approaches. From the viewpoint of security, this diagram type can be enriched with concepts of access control, which define for different business units, roles, positions and users which activities they are authorized to perform and which resources they are allowed to access. There are several role-based access control modelling approaches, e.g. [16][20][22][23], which support code generation. These approaches emphasize the importance of this aspect. In this context, the following questions should be answered using an augmented organizational structure chart, as illustrated in Figure 1.
• Which data entities can a position/role/user access? And vice versa: who is allowed to access a certain data type?
• Which attributes of a certain data type can a position/role/user access?
• Which access permissions (create, delete, read, update) are given to a position/role/user to perform on a data type or, more specifically, on its attributes?
• Which business process activities is a specific role/position/user allowed to perform? And vice versa: which roles/positions/users are allowed to perform which activity?
• Who is allowed to access (read/create/delete/update) a specific data entity or data file?
Figure 1 and the above questions illustrate that one possible direction for using code generation is the automatic derivation of access control policies, such as role-based access control (RBAC [18]), which is supported by many software platforms. Access control can be associated with three types of objects: data, IT resources (e.g. printer, server, web service) and activities or operations. The generated result can take various forms: database permission tables, WSDL files, operating system permission files or deployment descriptors, as can be found in previous work in the literature. For example, [16] use SecureUML models to generate role-based access control policies for Enterprise JavaBean (EJB) methods, while [22] extend business process models with security concepts to generate attribute-based access control policies in XACML. In order to support automatic access control policy generation, the modelling language should satisfy the following requirements.
Requirement 1: The modelling language should allow defining access rights for the different organizational entities: positions, roles and business units. Thus, it should include a concept of permission set, which contains permissions to perform actions (e.g. read, write, delete and create). A permission set links organizational entities (subjects) with objects such as data types, data type attributes, IT resources (software and hardware) or business process activities.
Requirement 2: It should be possible to model inheritance of permissions. For example, if a sales agent has permission to read customer data records, then his supervisor, the head of sales, should automatically have the same permission. Another example: if a department is given permission to access an IT resource, then all positions in this department should inherit this permission. However, there might be cases where one would not want permissions to be inherited (e.g. a physician has access to his patients' data but his supervisor should not). Thus, it should also be possible to indicate that a certain permission should not be inherited.
Requirement 3: It should be possible to add conditions or constraints on permissions, as indicated by [16]. For example, a sales agent has permission to access a sales data record only in the first week after it was made. To support this, it should be possible to add constraints to the concept of permission. This can be implemented using OCL, which is supported by MEMO Center.
Requirement 4: The modelling language should allow the specification of relevant configuration details regarding access control code generation. As indicated by [16] and [17], such configuration is platform-dependent, that is, specific requirements can be defined once a specific security platform is selected.
3.1.1 Model Driven Access Control: Related Work
There is an extensive amount of work that focuses on access control modelling. SecureUML [16] and SECTET [1] are UML extensions that focus on role-based access control (RBAC). [20] use UML to represent organizational aspects (that is, RBAC) as well. [1] and [2] provide extensions to UML that focus on business process management. [22] develop an extension of BPMN that supports modelling the authorization of business processes and allows the automatic derivation of authorization policies. Although access control modelling languages already exist in the literature, extending MEMO to support access control has some advantages: 1. It provides an additional level of abstraction, allowing access rights to be assigned to users not only based on their assigned roles, but also based on their organizational belonging (department, team and position) or on other attributes they possess (classification, training, etc.); 2. It provides a framework for assigning organizational entities (positions, departments, teams, etc.) access rights not only to data types but also to IT resources and to business process activities, and supports their integration under one single framework; 3. It supports inheritance of permissions between different organizational entities; and 4. It allows associating security aspects with related business activities, e.g. business processes, and thereby supports analyzing the economics of IT security.
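The permission-set, inheritance and constraint concepts of Requirements 1 to 3, together with the flat policy table they can be generated into, as an added example in Python. This is not the paper's or MEMO Center's code; the sample organization, the object names and the generic (subject, object, action, condition) row format are assumptions made here.

```python
"""Added example, not code from the paper or MEMO Center: an in-memory model of the
access-control concepts of Requirements 1-3 and a generator that derives a flat
policy table from it.  The sample organization, object names and the generic
(subject, object, action, condition) row format are assumptions made here."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PermissionSet:
    """Requirement 1: links a subject to an object with allowed actions.
    inheritable=False blocks propagation to a unit's members and to supervisors
    (Requirement 2).  condition holds an optional constraint (Requirement 3);
    the paper proposes OCL for this, here it is kept as an opaque string."""
    obj: str                 # data type, attribute, IT resource or activity
    actions: frozenset
    inheritable: bool = True
    condition: Optional[str] = None


@dataclass
class OrgEntity:
    """Subject: a business unit, position or role (Requirement 1)."""
    name: str
    parent: Optional["OrgEntity"] = None      # unit the entity belongs to
    supervisor: Optional["OrgEntity"] = None  # position supervising this one
    permission_sets: List[PermissionSet] = field(default_factory=list)


def grant(subject, obj, actions, inheritable=True, condition=None):
    subject.permission_sets.append(
        PermissionSet(obj, frozenset(actions), inheritable, condition))


def effective_permissions(subject, all_entities):
    """Own permissions, plus inheritable ones from the units the subject belongs
    to (the department example) and from the positions it supervises, directly
    or transitively (the head-of-sales example).  Result maps
    (object, condition) -> set of actions."""
    result = {}

    def add(ps):
        result.setdefault((ps.obj, ps.condition), set()).update(ps.actions)

    for ps in subject.permission_sets:
        add(ps)
    unit = subject.parent
    while unit is not None:                       # up the unit hierarchy
        for ps in unit.permission_sets:
            if ps.inheritable:
                add(ps)
        unit = unit.parent
    stack = [e for e in all_entities if e.supervisor is subject]
    seen = set()
    while stack:                                  # down the supervision chain
        sub = stack.pop()
        if id(sub) in seen:
            continue
        seen.add(id(sub))
        for ps in sub.permission_sets:
            if ps.inheritable:                    # physician example: blocked
                add(ps)
        stack.extend(e for e in all_entities if e.supervisor is sub)
    return result


def generate_policy(all_entities):
    """Flatten the model into sorted (subject, object, action, condition) rows,
    the generic shape behind the 'database permission table' output."""
    rows = []
    for ent in all_entities:
        for (obj, cond), actions in effective_permissions(ent, all_entities).items():
            for action in sorted(actions):
                rows.append((ent.name, obj, action, cond or ""))
    return sorted(rows)


def build_sample_model():
    """Constructed sample organization mirroring the paper's examples."""
    sales = OrgEntity("Sales department")
    head = OrgEntity("Head of sales", parent=sales)
    agent = OrgEntity("Sales agent", parent=sales, supervisor=head)
    clinic = OrgEntity("Clinic")
    chief = OrgEntity("Chief physician", parent=clinic)
    physician = OrgEntity("Physician", parent=clinic, supervisor=chief)
    grant(sales, "CRM server", {"access"})            # unit-level IT resource right
    grant(agent, "Customer", {"read"})                # inherited by head of sales
    grant(agent, "SalesRecord", {"read"},
          condition="age(record) <= 7 days")          # Requirement 3 constraint
    grant(physician, "PatientRecord", {"read", "update"},
          inheritable=False)                          # Requirement 2 exception
    return [sales, head, agent, clinic, chief, physician]


if __name__ == "__main__":
    for row in generate_policy(build_sample_model()):
        print("%-16s %-14s %-7s %s" % row)
```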
Figure 1. Augmented Organizational Chart, integrated with other perspectives

3.2 Augmented IT Resource Diagram
An IT Resource diagram allows the representation of the enterprise's IT resources: the software, hardware and network elements composing the organization's information systems. This is a primary diagram of the MEMO Information Technology Modelling Language (ITML). Since most security requirements as well as security controls are related to IT resources, this diagram has an important role in describing IT security aspects and in designing IT security infrastructure. Figure 2 presents an illustration of an augmented IT Resource diagram and also how it is integrated with the object model. Some relevant questions it should help answering are:
• Which security requirements are related to an IT resource?
• Which measures are used to satisfy a security requirement?
• What is the cost of adding a security measure to a resource?
• Which security measure is expected to be the most efficient?
• How is a security measure implemented or configured?
• What is the number of attack attempts on an IT resource? What is the number of successful attempts?
• What is the average number of attacks per year on a resource?
• Who is allowed to use/access a resource (e.g. web service, database, hardware, file)?
• What is the justification for purchasing a certain security measure?
• Which data entities/attributes should be encrypted? Which algorithms should be used for their encryption?
Based on Figure 2 and on the above illustrative questions, another opportunity to use models for code generation is report generation. One useful report is a report that supports managers in performing statistical analysis of threat realizations (i.e. attacks), their actual cost and damage. Another useful report is a report that supports cost-benefit analyses of security measures. For example, it allows comparing the effectiveness of a chosen security measure based on the history of attack attempts, comparing the prevented losses against the implementation costs and justifying the acquisition. In order to support the generation of such reports, the modelling language should satisfy the following requirements.
Requirement 5: The modelling language should include concepts related to risk analysis and management. An IT resource should be associated with the concept of vulnerability, which should be associated with the concept of threat, i.e. the likelihood that the vulnerability would be exploited. Each threat should be associated with a threat source, the entity which is creating the threat. A vulnerability should also be associated with the concept of counter-measure that is used to resolve it. Each threat should be associated with the concept of impact, defining the possible damage caused by the threat.
Requirement 6: It should be possible to represent and integrate both the "type level", that is, IT resource types, their vulnerabilities, possible threats and counter-measures, and the "instance level", that is, actual instances of IT resources, threat realizations (actual attacks) and the actual measures that are used. This will allow us to create, for example, reports on past threat realizations or on the actual costs of protecting an IT resource. As discussed in section 2.1, MEMO Center supports the integration of type level and instance level. First, it allows the definition of a meta model to represent security concepts, which are integrated with existing enterprise concepts (an excerpt of such a model is presented in Figure 3A). Then it allows the generation of a corresponding modelling editor to create IT security models ("type level" models, as shown in Figure 3B). It is possible to define attributes which will be relevant only on the instance level (intrinsic attributes), such as the realization date of a threat or the actual cost of its realization (Figure 3A). From an IT security model it is then possible, with the press of a button, to generate corresponding instance-level models in which these attributes can receive values (Figure 3C).
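The type-level concepts of Requirement 5 beside the instance-level records of Requirement 6, and the two reports this section describes (attack statistics and a cost-benefit comparison of a measure), as an added Python example that is not the paper's or MEMO Center's code. The class names, the rule for estimating prevented losses from unsuccessful attempts and all figures are constructed for illustration.

```python
"""Added example, not code from the paper or MEMO Center: type-level risk concepts
of Requirement 5 beside the instance-level records of Requirement 6, and the two
reports section 3.2 describes (attack statistics; cost-benefit of a measure).
Class names, the estimation rule and all figures are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Tuple

# ---- type level (Requirement 5) ----------------------------------------------
@dataclass(frozen=True)
class Threat:
    name: str
    source: str        # threat source: the entity creating the threat
    likelihood: float  # yearly probability that the vulnerability is exploited
    impact: float      # possible damage per realization, in currency units

@dataclass(frozen=True)
class CounterMeasure:
    name: str
    implementation_cost: float  # one-off
    yearly_cost: float

@dataclass
class Vulnerability:
    name: str
    threats: Tuple[Threat, ...]
    counter_measures: Tuple[CounterMeasure, ...]

@dataclass
class ITResourceType:
    name: str
    vulnerabilities: Tuple[Vulnerability, ...]

# ---- instance level (Requirement 6): intrinsic attributes get values here ----
@dataclass
class ThreatRealization:
    threat: Threat
    realized_on: date    # intrinsic attribute: realization date
    actual_cost: float   # intrinsic attribute: actual cost of the realization
    successful: bool

@dataclass
class ITResource:
    name: str
    rtype: ITResourceType
    measures_in_use: Tuple[CounterMeasure, ...]
    realizations: List[ThreatRealization] = field(default_factory=list)

def attack_statistics(resource, years):
    """Report 1: attempts, successes, average attacks per year and actual damage."""
    attempts = len(resource.realizations)
    successes = sum(1 for r in resource.realizations if r.successful)
    return {"attempts": attempts,
            "successful": successes,
            "attacks_per_year": attempts / years,
            "actual_damage": sum(r.actual_cost for r in resource.realizations)}

def cost_benefit(resource, measure, years):
    """Report 2: prevented losses vs. cost of one measure over `years`.
    Type level gives the expected annual loss (likelihood x impact) of the threats
    the measure covers; instance level gives the prevented loss, estimated as the
    modelled impact of each unsuccessful attempt against a covered threat."""
    covered = {t for v in resource.rtype.vulnerabilities
               if measure in v.counter_measures for t in v.threats}
    expected_annual_loss = sum(t.likelihood * t.impact for t in covered)
    prevented = sum(r.threat.impact for r in resource.realizations
                    if not r.successful and r.threat in covered)
    cost = measure.implementation_cost + measure.yearly_cost * years
    return {"expected_annual_loss": expected_annual_loss,
            "prevented_loss": prevented,
            "cost": cost,
            "net_benefit": prevented - cost}

def build_sample():
    """Constructed data: one web application type, one vulnerability, one measure,
    three recorded threat realizations over a two-year period."""
    sqli = Threat("SQL injection", source="external attacker",
                  likelihood=0.6, impact=20000.0)
    waf = CounterMeasure("Web application firewall",
                         implementation_cost=15000.0, yearly_cost=3000.0)
    vuln = Vulnerability("Unvalidated input", threats=(sqli,), counter_measures=(waf,))
    webapp = ITResourceType("Customer web application", vulnerabilities=(vuln,))
    shop = ITResource("Online shop", webapp, measures_in_use=(waf,))
    shop.realizations += [
        ThreatRealization(sqli, date(2011, 3, 2), 0.0, successful=False),
        ThreatRealization(sqli, date(2011, 9, 14), 0.0, successful=False),
        ThreatRealization(sqli, date(2012, 1, 20), 8500.0, successful=True),
    ]
    return shop, waf
```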
3.3 Augmented Object Model
As can be seen in Figure 2, a further opportunity to use IT security models is for the generation of encryption-related code. Encryption can be performed on the database level or on the application level. In database encryption the DBMS is responsible for the encryption of data; however, until the data is transferred from the application to the database it is unsecured. In application-level encryption the data is encrypted by the application, and thus encrypted data is transferred to and saved in the database. When data is retrieved by the application it needs to be decrypted by the application. Thus, application-level encryption requires the creation of encryption/decryption functions and also adjustments of the database schema to the encrypted data format. In order to support encryption (either database or application level), the IT security modelling language should enrich the MEMO object model (equivalent to a UML class diagram) so that it satisfies the following requirements.
Requirement 7: It should be possible to define that a data entity in the object model (class diagram) should be encrypted. It should also be possible to indicate that a specific attribute of an entity should be encrypted. There is a tradeoff between the level of security and runtime performance (a stronger encryption algorithm puts more load on runtime performance). It is common to define different security levels for different attributes. For example, [3] define different levels of security for different data categories (e.g. date, free text and identifier). We propose a more flexible definition in which several security levels are defined (each associated with a different encryption algorithm), regardless of data category. To support this, the following requirements should be satisfied.
Requirement 8: It should be possible to assign a security level to each encrypted attribute as well as to a whole data entity. The modeler should be able to define as many security levels as required.
Requirement 9: Each security level should allow the specification of technical parameters such as the encryption algorithm and a key pool containing a set of corresponding keys (as indicated by [3], the amount of data encrypted with the same key should be limited) and key types. Other configuration parameters will of course be required, depending on the specific encryption infrastructure to be used [17].
3.3.1 Model Driven Encryption: Related Work
Several papers propose modelling languages to define confidentiality policies, from which encryption-related code can be generated. Our approach is similar to the approach presented in [3], where a domain model is enriched with confidentiality concepts in order to generate encryption-related code and configuration artifacts. While the model presented in [3] is especially suited to the healthcare domain, we believe that our model is more general and intended for any application domain. The generation process can result in various outputs. For example, [17] use security models to generate web services security configuration files for commercial tools such as Kerberos and X.509. [22] use a confidentiality constraint model to generate Apache Axis2 Rampart security configurations.
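Requirements 7 to 9 carried into working code, as an added Python example that is not the paper's or MEMO Center's code: an object model with attribute- and entity-level security levels, each level bound to an algorithm and a key pool with a per-key data limit, and a generator that derives the adjusted database schema and selects the key each attribute would be encrypted with. The algorithm names, key ids, limits and the Patient entity are constructed, and no cryptographic operation is performed; the actual cipher belongs to the platform-specific encryption infrastructure the paper defers to [17].

```python
"""Added example, not code from the paper or MEMO Center: an object model whose
entities and attributes carry security levels (Requirements 7 and 8), levels that
bind an encryption algorithm to a key pool with a per-key data limit (Requirement 9),
and a generator that derives the adjusted database schema and the key each
attribute would be encrypted with.  Algorithm names, key ids, limits and the
Patient entity are constructed; no cryptographic operation is performed here,
the actual cipher belongs to the platform-specific encryption infrastructure."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class KeyPool:
    """Keys of one security level; bytes_per_key_limit bounds the amount of data
    any single key may encrypt (Requirement 9)."""
    key_ids: List[str]
    bytes_per_key_limit: int
    used: Dict[str, int] = field(default_factory=dict)

    def select_key(self, nbytes):
        """First key with enough remaining budget; error when the pool is exhausted."""
        for kid in self.key_ids:
            if self.used.get(kid, 0) + nbytes <= self.bytes_per_key_limit:
                self.used[kid] = self.used.get(kid, 0) + nbytes
                return kid
        raise RuntimeError("key pool exhausted: add or rotate keys (Requirement 9)")


@dataclass
class SecurityLevel:
    name: str
    algorithm: str
    key_pool: KeyPool


@dataclass
class Attribute:
    name: str
    sql_type: str
    security_level: Optional[SecurityLevel] = None  # attribute-level marking


@dataclass
class Entity:
    name: str
    attributes: List[Attribute]
    security_level: Optional[SecurityLevel] = None  # marks the whole entity


def effective_level(entity, attr):
    """An attribute's own level overrides the entity-wide level (Requirement 8)."""
    return attr.security_level or entity.security_level


def generate_schema(entity):
    """Encrypted attributes become a binary column plus a key-id column: the
    schema adjustment section 3.3 requires for application-level encryption."""
    cols = []
    for a in entity.attributes:
        lvl = effective_level(entity, a)
        if lvl is None:
            cols.append(f"  {a.name} {a.sql_type}")
        else:
            cols.append(f"  {a.name}_enc BLOB /* {lvl.name}: {lvl.algorithm} */")
            cols.append(f"  {a.name}_key_id VARCHAR(32)")
    return f"CREATE TABLE {entity.name} (\n" + ",\n".join(cols) + "\n);"


def plan_encryption(entity, record):
    """For one record, choose algorithm and key per encrypted attribute, charging
    the plaintext size against the key's budget.  Plaintext attributes are omitted."""
    plan = {}
    for a in entity.attributes:
        lvl = effective_level(entity, a)
        if lvl is None:
            continue
        nbytes = len(str(record[a.name]).encode("utf-8"))
        plan[a.name] = (lvl.algorithm, lvl.key_pool.select_key(nbytes))
    return plan


def build_sample():
    """Constructed model: two security levels and a Patient entity with one plain
    attribute and two encrypted ones.  The tiny 16-byte limit forces rotation."""
    high = SecurityLevel("high", "AES-256-GCM",
                         KeyPool(["k-high-1", "k-high-2"], bytes_per_key_limit=16))
    medium = SecurityLevel("medium", "AES-128-GCM",
                           KeyPool(["k-med-1"], bytes_per_key_limit=1000))
    patient = Entity("Patient", [
        Attribute("id", "INTEGER"),
        Attribute("name", "VARCHAR(100)", security_level=medium),
        Attribute("diagnosis", "TEXT", security_level=high),
    ])
    return patient, high, medium
```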
4. CONCLUSIONS
This paper creates a foundation for designing language concepts that are suited for multi-perspective modelling of IT security aspects. Specifically, it focuses on concepts that support the automatic creation of security-related code. We identify three areas in which IT security models can be used for the automatic creation of code: access control, report generation and encryption. For each of these areas we derive corresponding requirements that should be satisfied by an IT security modelling language in order to support such generation. We identify a total of 9 requirements, which complement the requirements already defined in [10]. Using the use scenarios approach (described in section 3) has led to the identification of areas specifically suited for MEMO, that is, areas which can benefit most from MEMO's capability to integrate different perspectives, to represent different abstraction levels and to reduce complexity. In addition, some of the required concepts may also be used independently of the context provided by MEMO, for example for the automatic evaluation of security aspects of systems' design, as presented in [13], or for the generation of integrity and authentication policies into specific platform configurations, as presented in [23]. While such uses are important, the added value of using MEMO for their definition and generation is not as remarkable. We have started validating these requirements (along with other requirements which are out of the scope of this paper) with practitioners, and so far no other requirements have been suggested. Our next steps include the development of a prototype, testing it with prospective users and further improving the prototype according to users' input.

Figure 2. Augmented IT Resource Diagram, enriched with security concepts and integrated with Object diagram

Figure 3. Different levels of abstraction created with MEMO Center: [A] shows an excerpt of the security risk analysis meta model; [B] shows the corresponding security risk analysis model (type level); and [C] shows an instance of the model (instance level)
5. REFERENCES
[1] Alam, M., Hafner, M. and Breu, R. 2006. A Constraint based Role Based Access Control in the SECTET: A Model-Driven Approach. In Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap between PST Technologies and Business Services, article 13. ACM, New York.
[2] Braber, F., Hogganvik, I., Lund, M. S., Stolen, K. and Vraalsen, F. 2007. Model-based security analysis in seven steps: a guided tour to the CORAS method. BT Technology Journal 25(1), 101–117.
[3] Ding, Y. and Klein, K. 2010. Model-Driven Application-Level Encryption for the Privacy of E-Health Data. In Proceedings of ARES 2010, 341–346.
[4] Frank, U. 2011. The MEMO Meta Modelling Language (MML) and Language Architecture. ICB Research Report No. 43, Universität Duisburg-Essen, Essen.
[5] Frank, U. 2011. MEMO Organisation Modelling Language (OrgML): Requirements and Core Diagram Types. ICB Research Report No. 46, Universität Duisburg-Essen, Essen.
[6] Frank, U. and Lange, C. 2004. A Framework to Support the Analysis of Strategic Options for Electronic Commerce. Arbeitsberichte des Instituts für Wirtschafts- und Verwaltungsinformatik, Universität Koblenz-Landau, No. 41.
[7] Frank, U. 2010. Outline of a Method for Designing Domain-Specific Modelling Languages. ICB Research Report No. 42, Universität Duisburg-Essen, Essen.
[8] Frank, U. 2002. Multi-perspective enterprise modeling (MEMO): Conceptual framework and modeling languages. In Proceedings of the 35th HICSS, Honolulu, 72–82.
[9] Frank, U. 2012. Multi-Perspective Enterprise Modeling: Foundational Concepts, Prospects and Future Research Challenges. Accepted for publication in Software and Systems Modeling.
[10] Goldstein, A. and Frank, U. 2012. A Method for Multi-Perspective Modelling of IT Security: Objectives and Analysis of Requirements. Accepted for SBP 2012.
[11] Gulden, J. and Frank, U. 2010. MEMOCenterNG: A full-featured modeling environment for organisation modeling and model-driven software development. In Proceedings of CAiSE 2010, Hammamet.
[12] Jung, J. 2006. Supply Chains in the Context of Resource Modelling. ICB Research Report No. 5, Universität Duisburg-Essen, Essen.
[13] Jürjens, J. 2002. UMLsec: Extending UML for Secure Systems Development. Lecture Notes in Computer Science, Volume 2460, 1–9.
[14] Kirchner, L. 2005. Cost Oriented Modelling of IT-Landscapes: Generic Language Concepts of a Domain Specific Language. In: Desel, J. and Frank, U. (eds.): Proceedings of the Workshop on Enterprise Modelling and Information Systems Architectures, 166–179.
[15] Lankhorst, M. 2005. Enterprise Architecture at Work: Modelling, Communication and Analysis. Berlin: Springer.
[16] Lodderstedt, T., Basin, D. A. and Doser, J. 2002. SecureUML: A UML-Based Modeling Language for Model-Driven Security. In Proceedings of MODELS 02, 426–441.
[17] Nakamura, Y., Tatsubori, M., Imamura, T. and Ono, K. 2005. Model-driven security based on web services security architecture. In Proceedings of SCC'05, vol. 1, 7–15.
[18] Sandhu, R. S., Coyne, E. J., Feinstein, H. L. and Youman, C. E. 1996. Role-Based Access Control Models. IEEE Computer 29(2), 38–47.
[19] Scheer, A.-W. 2000. ARIS: Business Process Modeling (3rd ed.). Berlin: Springer.
[20] Shin, M. E. and Ahn, G.-J. 2000. UML-Based Representation of Role-Based Access Control. In Proceedings of the 9th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, 195–200.
[21] Von Solms, B. 2001. Information Security: A Multidimensional Discipline. Computers and Security 20, 504–508.
[22] Wolter, C. and Schaad, A. 2007. Modeling of task-based authorization constraints in BPMN. In BPM 2007, Lecture Notes in Computer Science, vol. 4714, Springer, 64–79.
[23] Wolter, C., Menzel, M., Schaad, A., Miseldine, P. and Meinel, C. 2008. Model-Driven Business Process Security Requirement Specification. Journal of Systems Architecture 55, 211–233.
[24] Zuccato, A. 2007. Holistic security management framework applied in electronic commerce. Computers and Security 26, 256–265.