Security assurance of web services through digital security certification

Kaluvuri, Samuel Paul
Thesis

Service Oriented Computing (SOC) has facilitated a paradigm shift in software provisioning models:  software is offered as a service - providing enormous benefits to both service providers and consumers. However, a major barrier for  a wider adoption of the new service provisioning model in business- and security-critical domains  is the lack of security assurance over such service offerings. Security certification, a well established approach in traditional software provisioning models to gain security assurance, can be applied to service environments to provide service consumers with the required assurance.

However, current certification schemes are tailored for traditional software provisioning models where a consumer operates the certified product, static (evaluated at a point in time),  and the resulting certificates are represented in natural language. On the other hand, service environments are dynamic with consumers having no control over the service nor its operational environment, and designed to facilitate machine to machine communication. Hence, current security schemes do not scale to service environments, nor can they cater to service specific scenarios such as discovery and composition which rely on automated reasoning.

This thesis proposes the concept of a digital security certificate which is realized by a language to enable security certificate representation in a structured, machine-processable manner. In addition, the thesis presents a framework for the maintenance of the digital security certificates that can cope with the dynamic requirements of service environments. The contributions of this thesis will facilitate the adoption of security certification schemes to service environments.Service Oriented Computing (SOC) has facilitated a paradigm shift in software provisioning models:  software is offered as a service - providing enormous benefits to both service providers and consumers. However, a major barrier for  a wider adoption of the new service provisioning model in business- and security-critical domains  is the lack of security assurance over such service offerings. Security certification, a well established approach in traditional software provisioning models to gain security assurance, can be applied to service environments to provide service consumers with the required assurance.

 However, current certification schemes are tailored for traditional software provisioning models where a consumer operates the certified product, static (evaluated at a point in time),  and the resulting certificates are represented in natural language. On the other hand, service environments are dynamic with consumers having no control over the service nor its operational environment, and designed to facilitate machine to machine communication. Hence, current security schemes do not scale to service environments, nor can they cater to service specific scenarios such as discovery and composition which rely on automated reasoning.

 

This thesis proposes the concept of a digital security certificate which is realized by a language to enable security certificate representation in a structured, machine-processable manner. In addition, the thesis presents a framework for the maintenance of the digital security certificates that can cope with the dynamic requirements of service environments. The contributions of this thesis will facilitate the adoption of security certification schemes to service environments.


Type:
Thèse
Date:
2014-11-14
Department:
Sécurité numérique
Eurecom Ref:
4437
Copyright:
© TELECOM ParisTech. Personal use of this material is permitted. The definitive version of this paper was published in Thesis and is available at :

PERMALINK : https://www.eurecom.fr/publication/4437