Representing Security Goals, Policies, and Objects

As information security becomes increasingly critical for today's computer-based systems, there is a growing need to integrate security concerns into the early phases of system development processes. As a result, more attention is being drawn to the modeling of security goals and their refinement into implementable security policies. With the growing adoption of the UML for object-oriented analysis and design, there is a need to incorporate security concepts into UML models, which offers an attractive approach to engineering security into the system being developed. In this paper, we present a visual approach to unifying goal-oriented analysis of security objectives, and their associated security policies, with UML functional models. We also show how this representation leads to the early discovery of conflicts and inconsistencies in security policies during analysis. A simplified college department information system is used to illustrate the major concepts of this approach.
