MASTER as a security management tool for policy compliance

Abstract

The problem of assessing security mechanisms in dynamic service-oriented architectures remains open. Assessment is particularly important in outsourcing scenarios to provide evidence on how policies across different providers are complied with. This evidence is essential to provide assurance to enterprise management that contractual agreements are satisfied, and if they are not, to what extend and in what conditions. The problem of assessing compliance with rules and regulations is difficult to solve, for several reasons. First, SOA are highly dynamic and distributed, which makes it difficult to monitor and aggregate evidence from different locations of interest. Second, the complexity of the requirements in the policies makes it difficult to associate these requirements with meaningful evidence. The reason is that high-level requirements may require evidence the collection of which needs to be broken down into low level evidence (i.e. operating system logs) that business constraints are satisfied as the application is running. © 2010 Springer-Verlag.