Professional Documents
Culture Documents
Abstract
Nowadays many companies understand the benefit of outsourcing. Yet, in current outsourcing practices,
clients usually focus primarily on business objectives and security is negotiated only for communication
links. It is however not determined how data must be protected after transmission. Strong protection
of a communication link is of little value if data can be easily stolen or corrupted while on a supplier’s
server. The problem raises a number of related challenges such as: identification of metrics which are more
suitable for security-level negotiation, client and contractor perspective and security guarantees in service
composition scenarios. These challenges and some others are discussed in depth in the article.
Keywords: Business Process Outsourcing, Security, Security Metrics, Protection Level Agreement.
1 Introduction
Today many companies prefer to delegate IT work packages to external or third-
party organizations rather than fulfilling them themselves [4,11]. In this way a
company can concentrate on its core business rather than on peripheral tasks, espe-
cially if they differ too much from the company’s primary activities. For example,
Consolidated Freightways, a transportation company, outsources the upgrade and
management of its IT infrastructure to IBM Global Services [11].
Definition 1.1 Outsourcing is the ongoing administration, management and possi-
bly subcontracting by an external party, of specific client’s (IT) processes to enhance
their efficiency and effectiveness [25]
1 Email: yuecel.karabulutATsap.com
2 Email: florian.kerschbaumATsap.com
3 Email: Fabio.MassacciATunitn.it
4 Email: philip.robinsonATsap.com
5 Contacting author. Email: evtiukhiATdit.unitn.it
6 This work was partly supported by the projects: EU-IST-IP-SERENITY (N 27587), MIUR-FIRB-ASTRO
(N RBNE0195K5), PAT-MOSTRO (2003-S116-00018), IST-FP6-FET-IP-SENSORIA (N 016004)
This paper is electronically published in
Electronic Notes in Theoretical Computer Science
URL: www.elsevier.nl/locate/entcs
Y. Karabulut, F. Kerschbaum, F. Massacci, P. Robinson, A. Yautsiukhin
Often the outsourced company itself may further outsource its assignments to
others. That is, a company may start as a contractor and by acquiring and handing
out new assignments may become an orchestrator.
When a company plays an orchestration role it coordinates a business process
to accomplish the work. The process can be static or dynamic. In traditional
outsourcing contracts we envisage a static orchestration where the process is defined
from the outset and partners and services do not change. For novel paradigms, such
as virtual organizations, partners and services can be selected on the fly.
Before cooperation proceeds, participants negotiate a Service Level Agreement
(SLA). The main part of the agreement is devoted to functional requirements and
to some non-functional requirements such as performance. Not enough attention,
if any, is devoted to security.
Example 1.2 Web Service security only focuses on the security parameters of com-
munication links. It covers requirements for message encryption, signature, authen-
tication, and server access control [2,23]. WS security standards do not mention
how data is protected after transmission. Data can therefore be stored in a server
without a properly configured antivirus or in a database without role base access
control.
In this paper we identify the security and trust issues that underpin an out-
sourcing relationship and the notion of Protection Level Agreement (PLA) that is
appropriate in this setting.
The paper is organized as follows. Section 2 is a short state of the art in security
metrics. We introduce a notion of PLA in Section 3. Sections 4 and 5 are devoted to
client’s and contractor’s view of PLA respectively. Section 6 describes how client’s
PLA can be achieved in service composition scenario. The issue that trust is not
transitive is discussed in Section 7. Section 8 is dedicated to related works.
Example 4.1 For example, the speed of connection must be not less then 256
bits/s. Nobody will complain if the speed is higher. On the other hand, the number
of successful virus attacks must not be higher then 10 per month (nobody will
complain if the number of successful attacks is less).
of new virus attacks is expected to be similar. If the trend changes (i.e. wild
viruses per month increase) more viruses will affect the client’s data than before
even if the contractor behaves according to the agreement. In the first case, it is the
contractor’s responsibility to cope with the problem (i.e. update antivirus system
once a week) to keep the number of virus attacks as it is specified in the agreement.
8 Related works
Only a few works tackle the issue of security requirements in business outsourcing.
In [17] it is claimed that security requirements must be reflected in the contract and
their fulfilment must be somehow monitored. The authors consider security require-
ments as a part of SLA. Trusted Virtual Domains (TVDs) [12,5] are intended to
connect a number of remote trustable virtual processing environments in one secure
network. Security operational policy (accord of PLA/SLA), which are obligatory
for every environment, are used. This technology can be applied to client-contractor
interaction when one side (most likely, a contractor) allows another one to use its
TVD. It is necessary to point to that TVD requires installation of special isolating
software to operate.
In [26] a monitoring system for trusted computer platform is presented. The
idea is to embed a trusted hardware component into the execution environment
which verifies the compliance of the system with an operational policy (which can
be considered as a PLA) at the beginning of interaction.
One of the first papers discussing security SLA in a large enterprise is [13]. The
main idea is to check compliance the system with fifteen security domains split
into best practices. For each best practice the security service level is determined
and added to the SLA (yet it does not consider task outsourcing). [7] extends the
security division to compare two SLAs or to find a security SLA which is the closest
9
Y. Karabulut, F. Kerschbaum, F. Massacci, P. Robinson, A. Yautsiukhin
9 Conclusion
In the article the problem of guaranteeing appropriate security during storing data
on a contractor’s server has been discussed in depth. We have introduced several
important definitions and identified a number of challenges and issues.
We have argued that external metrics are more meaningful for a client and have
proposed some of them which can be used for PLA. Internal metrics are more appro-
priate for a contractor. They help to estimate the quality of its security system and
to choose the right configuration to achieve its client’s requirements. Monitoring of
security requirement fulfilment is another important issue which depends on metric
types. External metrics can be monitored by a client remotely. For monitoring of
internal metrics special techniques should be applied to guarantee that the data
may be trusted. We have pointed some of the techniques, but how to apply them
is another big issue.
Additional issues emerge in a service composition scenario. Clients’s security
requirements must be inserted into a functional workflow, decomposed and distrib-
uted between subcontractors. In addition to these issues trust relationships must
be taken into account.
In this article we have focused more on technical side of the agreement. One
problem that we have left out is the issue of enforcement. The issue must be
considered before applying PLA as a contract, but we left it for a future work.
References
[1] Alberts, C. J. and A. J. Dorofee, OCTAVE Criteria, Technical Report CMU/SEI-2001-TR-016, CERT
(2001).
[2] Atkinson, B., et al. “Web Services Security,” Microsoft, IBM, VeriSign, 1.0 edition (2002)
[3] Bellare, M. and B. Yee, Forward integrity for secure audit logs, Technical report, University of California
at San Diego (1997).
[5] Bussani, A., et al. Trusted Virtual Domains: Secure Foundations for Business and IT Services,
Technical Report RC23792, IBM (2005).
[6] Butler, S. A., Security attribute evaluation method, Technical Report CMU-CS-03-132, Carnegie Mellon
University (2003).
[7] Casola, V., A. Mazzeo, N. Mazzocca and M. Rak, A SLA evaluation methodology in Service Oriented
Architectures, in: Proc. of QoP. (2005).
[8] CISWG, Report of the best practices and metrics teams, Technical Report CS1/05-0005, Government
reform comittee (2004).
[9] Cohen, F., Managing network security - part 5: Risk management or risk analysis, Network Sec. 1997
(1997), pp. 15–19.
[10] Eloff, J. and M. Eloff, Information Security Management - A New Paradigm, in: Proc. of SAICSIT,
2003, pp. 130 – 136.
[11] Goth, G., The ins and outs of it outsourcing, IT Professional 1 (1999), pp. 11 – 14.
10
Y. Karabulut, F. Kerschbaum, F. Massacci, P. Robinson, A. Yautsiukhin
[12] Griffin, J. L., et al. Trusted virtual domains: Toward secure distributed services, in: Proc. of HotDep,
Yokohama, Japan, 2005.
[13] Henning, R., Security service level agreements: quantifiable security for the enterprise?, in: Proc. of
NSPW (2000), pp. 54–60.
[14] ISO/IEC, “Information technology Security techniques Evaluation criteria for IT security,” (2001).
[15] ISO/IEC, “Common Criteria for Information Technology Security Evaluation,” Common Criteria
Project Sponsoring Organisations, 2.2 edition (2004).
[16] Johansson, E. and P. Johnson, Assessment of enterprise information security - an architecture theory
diagram definition, in: Proc. of CSER, 2005.
[17] Karjoth, G., et al Service-oriented assurance comprehensive security by explicit assurances, in: Proc.
of QoP. (2005).
[18] Leach, J., TBSE - an engineering approach to the design of accurate and reliable security systems,
Comp. & Sec. 23 (2004), pp. 22–28.
[19] List, W., The common criteria – good, bad or indifferent?, Inform. Sec. Technical Report 2 (1997),
pp. 19–23.
[20] Lutchen, M., IT Outsourcing: The Importance of Retaining a Strong Management Capability, Part
One (of Three), available via http://www.pwc.com 2005.
[21] Madan, B. B., et al. A method for modeling and quantifying the security attributes of intrusion tolerant
systems, Performance evaluation journal 1-4 (2004), pp. 167–186.
[22] Massacci, F., J. Mylopoulos and N. Zannone, Hierarchical hippocratic databases with minimal disclosure
for virtual organizations, The VLDB J. (2006), to appear.
[23] Naedele, M., Standards for xml and web services security, IEEE Comp. 36 (2003), pp. 96–98.
[24] Ortalo, R., Y. Deswarte and M. Kaaniche, Experimenting with quantitative evaluation tools for
monitoring operational security, TSE 25 (1999), pp. 633–650.
[25] Pai, T. M., Outsourcing for competitive advantage: Are you missing a business opportunity?, available
via http://www.infosys.com/events/MDPAI%20pres%5F5%20Nov%5FSpore.ppt (2001).
[26] Sadeghi, A.-R. and C. Stüble, Property-based attestation for computing platforms: caring about
properties, not mechanisms (2005), pp. 67–77.
[27] SSE-CMM, “Systems Security Engineering Capability Maturity Model - SSE-CMM Model Document,”
Carnegie Mellon University, version 3.0 edition (2003).
[28] Stoneburner, G., A. Goguen and A. Feringa, Risk management guide for information technology
systems, Technical Report 800-30, Nat. Institute of Standards and Technology (2001).
[29] Swanson, M., et al Security metrics guide for information technology systems, Technical Report 800-55,
Nat. Institute of Standards and Technology (2003).
[30] Wang, Y. and P. K. Ray, Evaluation methodology for the security of e-finance systems, in: Proc. of
EEE (2005).
[31] Yankelovich, P., Global Top Decision-Makers Study on Business Process Outsourcing, available via
http://www.colthr.com/files/Business%5FProcess%5FOutsourcing.pdf (1999).
11