Time filter

Source Type

Madrid, Spain

Mellado D.,Spanish Tax Agency | Mouratidis H.,University of East London
Proceedings of the 9th International Workshop on Security in Information Systems, WOSIS 2012, in Conjunction with ICEIS 2012 | Year: 2012

The elicitation of security requirements for Software Product Lines (SPL) is a challenging task, mainly due to the varying security properties required in different products, for the diversity of market segments, and the constraint of simultaneously maintaining the cost-effective principle of the SPL paradigm. Goal-driven security requirements engineering approaches, such as Secure Tropos, have been proposed in the literature as a suitable paradigm for elicitation of security requirements and their analysis on both a social and a technical dimension. Nevertheless, on one hand, security requirements engineering methodologies are not appropriately tailored to the specific demands of SPL, while on the other hand specific proposals of SPL engineering have traditionally ignored security requirements. This paper presents work that fills this gap by proposing an extension to the Secure Tropos language to support SPL.

Marquez L.,Spanish National Authority for Markets and Competition CNMC | Rosado D.G.,University of Castilla - La Mancha | Mouratidis H.,University of Brighton | Mellado D.,Spanish Tax Agency | Fernandez-Medina E.,University of Castilla - La Mancha
Lecture Notes in Business Information Processing | Year: 2015

The emergence of cloud computing as a major trend in the IT industry signifies that corporate users of this paradigm are confronted with the challenge of securing their systems in this new environment. An important aspect of that, includes the secure migration of an organization’s legacy systems, which run in data centers that are completely controlled by the organization, to a cloud infrastructure, which is managed outside the scope of the client’s premises and may even be to-tally off-shore. This paper makes two important contributions. Firstly, it presents a process (SMiLe2Cloud) and a framework that supports secure migration of corporate legacy systems to the cloud. We propose a process based on a continuous improvement cycle that starts with a Knowledge Discovery Meta-Model (KDM) set of models from which a security model for legacy system migration to the cloud is derived. Secondly, it provides a set of clauses (derived from the models) for security cloud providers and custom security cloud controls. © Springer International Publishing Switzerland 2015.

Mellado D.,Spanish Tax Agency | Fernandez-Medina E.,University of Castilla - La Mancha | Piattini M.,University of Castilla - La Mancha
Information and Software Technology | Year: 2010

Context: The correct analysis and understanding of security requirements are important because they assist in the discovery of any security or requirement defects or mistakes during the early stages of development. Security requirements engineering is therefore both a central task and a critical success factor in product line development owing to the complexity and extensive nature of software product lines (SPL). However, most of the current SPL practices in requirements engineering do not adequately address security requirements engineering. Objective: The aim of this approach is to describe a holistic security requirements engineering framework with which to facilitate the development of secure SPLs and their derived products. It will conform with the most relevant security standards with regard to the management of security requirements, such as ISO/IEC 27001 and ISO/IEC 15408. Results: This framework is composed of: a security requirements engineering process for SPL (SREPPLine) driven by security standards; a Security Reference Meta Model to manage the variability of those SPL artefacts related to security requirements; and a tool (SREPPLineTool) which implements the meta-model and supports the process. Method: A complete explanation of the framework will be provided. The process will be formally specified with SPEM 2.0 and the repository will be formally specified with an XML grammar. The application of SREPPLine and SREPPLineTool will be illustrated through a description of a simple example as a preliminary validation. Conclusion: Although there have been several attempts to fill the gap between requirements engineering and SPL requirements engineering, no systematic approach with which to define security quality requirements and to manage their variability and their related security artefacts in SPL models is, as yet, available. The contribution of this work is that of providing a systematic approach for the management of the security requirements and their variability from the early stages of product line development in order to facilitate the conformance of SPL products with the most relevant security standards. © 2010 Elsevier B.V. All rights reserved.

Rebollo O.,Ministry of Labour and Immigration | Mellado D.,Spanish Tax Agency | Eduardo F.-M.,University of Castilla - La Mancha
Proceedings of WOSIS 2013: 10th International Workshop on Security in Information Systems - In Conjunction with the 15th International Conference on Enterprise Information Systems, ICEIS 2013 | Year: 2013

The cloud computing paradigm provides a more efficient way in which to provide IT services, introducing on-demand services and flexible computing resources. The adoption of these cloud services is being hindered by the security issues that arise with this new environment. A global security solution, which deals with the specific particularities of the cloud paradigm, is therefore needed, and literature fails to report on such a solution. As a consequence, in this paper we propose a novel security governance framework focused on the cloud computing environment (ISGcloud). This framework is founded upon two main standards: on the one hand, we implement the core governance principles of the ISO/IEC 38500 governance standard; and on the other hand, we propose a cloud service lifecycle based on the ISO/IEC 27036 outsourcing security draft. The paper includes an overview of the framework and the description of a collection of activities and their related tasks. Copyright © 2013 SCITEPRESS.

Rebollo O.,Ministry of Labour and Social Security | Mellado D.,Spanish Tax Agency | Fernandez-Medina E.,University of Castilla - La Mancha | Mouratidis H.,University of Brighton
Information and Software Technology | Year: 2015

Context: Cloud computing is a thriving paradigm that supports an efficient way to provide IT services by introducing on-demand services and flexible computing resources. However, significant adoption of cloud services is being hindered by security issues that are inherent to this new paradigm. In previous work, we have proposed ISGcloud, a security governance framework to tackle cloud security matters in a comprehensive manner whilst being aligned with an enterprise's strategy. Objective: Although a significant body of literature has started to build up related to security aspects of cloud computing, the literature fails to report on evidence and real applications of security governance frameworks designed for cloud computing environments. This paper introduces a detailed application of ISGCloud into a real life case study of a Spanish public organisation, which utilises a cloud storage service in a critical security deployment. Method: The empirical evaluation has followed a formal process, which includes the definition of research questions previously to the framework's application. We describe ISGcloud process and attempt to answer these questions gathering results through direct observation and from interviews with related personnel. Results: The novelty of the paper is twofold: on the one hand, it presents one of the first applications, in the literature, of a cloud security governance framework to a real-life case study along with an empirical evaluation of the framework that proves its validity; on the other hand, it demonstrates the usefulness of the framework and its impact to the organisation. Conclusion: As discussed on the paper, the application of ISGCloud has resulted in the organisation in question achieving its security governance objectives, minimising the security risks of its storage service and increasing security awareness among its users. © 2014 Elsevier B.V. All rights reserved.

Discover hidden collaborations