Figure 6 describes how security functions are mapped to various standards; this mapping eliminates duplicate functional requirements across standards. The next step is to derive technical requirements from these functional requirements. Technical requirements are the ones that system developers, integrators, system administrators, etc. will implement or enforce.

For instance, an Authentication functional requirement may then be translated into various technical requirements such as: "System shall support authentication based on username and password" or "System shall support authentication based on Digital Certificates." A technical requirement at this level still leaves room for interpretation by software developers or system integrators. For instance, there are different ways to support username and password based authentication, such as authenticating against an LDAP server or against an RDBMS database.

In defining the security technical requirements, one has to consider various factors such as the security of the technical solution itself, interoperability standards, human systems interaction, technology readiness level, system usage or deployment model, system administration, etc.

Factors influencing technical requirements | Solution Options | Common advantages or disadvantages
Username and Password | Store username and password against LDAP using the default password attribute. | Password is stored in digest format; the plaintext password cannot be retrieved.
Username and Password | Store username and password against any RDBMS database. | Passwords then should be encrypted and stored. When encrypted, one has to manage the encryption keys. During authentication a common and proprietary API should be provided for authentication.
 | Solution could use products (and not necessarily supporting any interoperable standard) that provide single sign on across web applications. | Only limited to technologies within the organization.
Technology Readiness Level | Technology readiness to support LDAP for authentication may be higher compared to supporting Single Sign on standards such as SAML. | Organization should be ready to deploy, manage, maintain and train their employees in support of such technology.

Table 1 Analysis of technology factors and solution options

Table 1 describes various factors that influence the technical direction, and those factors should be considered in the technical requirements documents. These factors can influence what solutions will be put in place and how they will be developed, managed and integrated with other software systems.

Each functional requirement should not be mapped only into its own technical requirement. In defining the technical requirements, the technical solutions for each functional block may overlap, and one set of technical requirements may actually satisfy a few functional requirements. For instance, the password management functional requirements can be easily addressed when LDAP is chosen as the technical requirement to address authentication, since most LDAP servers provide the capability to enforce complex password policies. Hence the need to break down the functional requirements into low-level technical requirements that can be used as a reference during design, implementation and even during procurement of new systems.
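As an added example (not code from the paper), the RDBMS option from Table 1 expressed as something a developer could implement: usernames and salted one-way password digests in a SQL table, so no plaintext or reversibly encrypted password is stored and there are no encryption keys to manage, plus a password-complexity policy enforced at enrolment, which covers the password management requirement alongside authentication. The policy rules, the PBKDF2 work factor and the use of in-memory SQLite in place of a real RDBMS are assumptions.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to the deployment's hardware.
PBKDF2_ITERATIONS = 210_000


def password_meets_policy(pw: str) -> bool:
    """Assumed complexity policy: 12+ chars with upper, lower, digit and symbol."""
    return (len(pw) >= 12
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def make_digest(pw: str, salt: bytes) -> bytes:
    """One-way, salted digest stored instead of an encrypted (reversible) password."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class UserStore:
    """Username/password store backed by an RDBMS (in-memory SQLite stands in here)."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, digest BLOB)")

    def enrol(self, username: str, pw: str) -> bool:
        # The policy is enforced by the store itself, as an LDAP server would do it.
        if not password_meets_policy(pw):
            return False
        salt = os.urandom(16)
        self.db.execute("INSERT INTO users VALUES (?, ?, ?)",
                        (username, salt, make_digest(pw, salt)))
        return True

    def authenticate(self, username: str, pw: str) -> bool:
        row = self.db.execute(
            "SELECT salt, digest FROM users WHERE username = ?", (username,)).fetchone()
        if row is None:
            # Spend the same work factor so unknown usernames are not cheaper to probe.
            make_digest(pw, bytes(16))
            return False
        salt, digest = row
        return hmac.compare_digest(make_digest(pw, salt), digest)
```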
Figure 7 Security Codes or derived technical requirements
Biography
Sitaraman Lakshminarayanan has over 14 years of Information Technology experience with expertise across Software & System Architecture and Security. He is currently with GE Energy, working on system security architecture across Smart Grid and other system security initiatives. He authored a book on Web Services Security (Oracle Web Services Manager - Securing your web services, June 2008). He also co-authored a book on ASP.NET Security (Wrox Publications, 2002). He has published papers in IEEE IT Professional (Cloud computing) and IEEE PES. He also co-authored the Security Guidelines of the Cloud Security Alliance, Version 2.0. He has presented at various conferences on software and systems security. His expertise includes Software and Systems Security, Identity & Access Management and PKI.
Manyphay Souvannarath is a Senior Systems Engineer at GE Energy. Her current roles include Systems Engineer and Architect
for Smart Grid projects. Ms. Souvannarath earned her B.S. in Computer Science and Biochemistry at Grand Valley State
University. She is in the process of completing her MBA at Grand Valley State University and M.S. in Systems Engineering at
Georgia Institute of Technology.