Security and Trust in IT Business Outsourcing: a Manifesto

Nowadays many companies understand the benefit of outsourcing. Yet, in current outsourcing practices, clients usually focus primarily on business objectives, and security is negotiated only for the communication links. How data must be protected after transmission is left undetermined. Strong protection of a communication link is of little value if data can be easily stolen or corrupted while on a supplier's server. The problem raises a number of related challenges, such as identifying metrics that are better suited to negotiating a security level, reconciling the client's and the contractor's perspectives, and providing security guarantees in service composition scenarios. These challenges and some others are discussed in depth in the article.
