Engineering Security Agreements Against External Insider Threat

Virginia N. L. Franqueira (Department of Computing, University of Central Lancashire, Preston, UK), André van Cleeff (Department of Computer Science, University of Twente, Enschede, The Netherlands), Pascal van Eck (Department of Computer Science, University of Twente, Enschede, The Netherlands) and Roel J. Wieringa (Department of Computer Science, University of Twente, Enschede, The Netherlands)
Copyright: © 2013 | Pages: 26
DOI: 10.4018/irmj.2013100104

Abstract

Companies are increasingly engaging in complex inter-organisational networks of business and trading partners, service providers and managed security providers to run their operations. It is therefore now common to outsource critical business processes and to move IT resources completely into the custody of third parties. Such extended enterprises create individuals who are neither completely insiders nor completely outsiders of a company, requiring new solutions to mitigate the security threat they pose. This paper improves the method introduced in Franqueira et al. (2012) for the analysis of this threat, in order to support the negotiation of security agreements in B2B contracts. The method, illustrated via a manufacturer-retailer example, has three main ingredients: modelling to scope the analysis and to identify external insider roles, an access matrix to obtain need-to-know requirements, and reverse-engineering of security best practices to analyse both the pose-threat and the enforce-security perspectives of external insider roles. The paper also proposes future research directions to overcome the challenges identified.
Article Preview

Introduction

In the past, companies were loosely linked to only a few other companies, and their IT resources (IT infrastructure, data and business processes) remained in-house under their own custody and control. Today, companies no longer operate in isolation but are tightly connected to other companies in a network-like structure, called business networks, inter-organisational networks or extended enterprises (Wiendahl & Lutz, 2002; Jagdev & Thoben, 2001; Baraldi et al., 2012; Hakansson & Ford, 2002), with different levels of integration and cooperation.

Extended enterprises are ever more attractive because they provide competitive advantage by allowing cost savings and time- and quality-related benefits, and by increasing business agility and flexibility; each participant in an extended enterprise specializes in its core competencies and takes advantage of other organisations’ expertise to deliver its business mission (Jagdev & Thoben, 2001; Starr et al., 2003). The growth in the adoption of Cloud Computing and the diversity of service bundles on offer exacerbate the fact that organisational boundaries in an extended enterprise context are overwhelmingly fuzzy (Jericho-Forum, n.d.; Thoben & Jagdev, 2001; Jagdev & Thoben, 2001). The size of an extended enterprise can be significant, typically reaching hundreds of participants; research from the Information Security Forum indicates that, on average, companies work with 750 service providers (Davis, 2010). This adds to other factors, such as the complexity of dependencies among participants of the network, geographic dispersion and distributed sources of risk (Thoben & Jagdev, 2001; Davis, 2010), and to the fact that each company that is part of an extended enterprise is most likely to be itself an extended enterprise, creating a chain of non-transparent B2B relationships.

Extended enterprises create a security management problem in part because it is difficult to have a holistic overview of security across systems, technologies and resources in the entire network. One specific sub-problem of security management in extended enterprises is what we call the external insider threat. This threat is posed by a class of individuals employed by participants of a company’s extended enterprise network, or of their own networks, who need access to some extent to the assets (e.g., data, IT infrastructure, processes) that the company owns and is accountable for, regardless of where and by whom those assets are handled. External insiders are a class of individuals who fall completely under neither the class of insiders nor the class of outsiders of one company; therefore, mitigations aimed at insiders and outsiders do not completely solve the external insider threat problem. External insiders of a company assume a large number of roles across the numerous other companies that are part of its extended enterprise, in a variety of B2B arrangements. Those arrangements involve different levels of integration, cooperation and resource sharing (Kumar & van Dissel, 1996; Jagdev & Thoben, 2009). They can span from more traditional arrangements, such as trading partners in a value chain, service providers and business partners, to less traditional arrangements such as outsourced operations or facilities providers, managed security providers, Federated Cloud service providers (Bernsmed et al., 2011), or even innovation-driven cooperatives (Thorgren et al., 2009) and consortia for the collective management of security (Gupta & Zhdanov, 2007).
