Comercio exterior

4.3.1

Phase 1: Requirements Elicitation

Task 1: Forming teams and then gathering knowledge about processes related to the envisaged scenario, identifying influential stakeholders, process or business constraints, and so on.

Case: As suggested in the framework,SupplierandBuyerfirst begin by creating

teams responsible for the cross-enterprise project. These consist of project man- agers, process domain experts, business and systems analysts, system developers, end users, legal counsel, and IT security specialists/professionals. After forming teams, they set about speaking to their business managers and personnel involved in related procurement and order processing services (domain experts, users and so on). Some of these persons will already be on the teams formed. Having iden- tified these sets of persons, the teams collect documentation on how the existing processes function. This includes models, produced reports, functionality charts and so on.

Task 2: Use the data collected to define and analyse existing processes to thor- oughly understand the current flows. This activity will enable the identification of the core processes to carry forward.

4. Applying BOF4WSS to a Scenario 89

alysts define the current procurement process (largely done manually) at a high level. That process is shown below.

Step 1. Buyerneeds materials. Buyer’s employee queries a number of suppliers

to determine which of them could fulfil the company’s need. Once found,Buyer

selects materials, quantity and sets delivery schedule. The Internal department then approves order. The order is placed (using EDI, an online system, email or fax) with selected supplier.

Step 2. The chosen supplier receives order, andBuyer is billed (using EDI, an

online system, email or fax)

Step 3. Buyer receives goods shipment and checks that the specific goods

ordered have been received. Accounting Department checks goods received against the original order placed and then issues payment to the supplier.

Figure 4.1 gives more detail of this process flow, the inputs, outputs, and actions

involved using a UML diagram defined by Buyer. UML is one of the prime

techniques suggested within BOF4WSS.

Message Inspector

Service 1 SecurePipe

Personnel queries suppliers for quotes on materials

Selected supplier Set of

suppliers Personnel monitoring

the stock system, notice that there is a need for materials for production

Quotes from suppliers

Stocks checked, quotes determined Select materials,

quantity, & set schedule

Buyer

Personnel place materials order using EDI, or fax, or, ... Processes

order

Order received & processed Bill for materials is sent via EDI, or fax, or ...

Goods sent/shipped Goods prepared Goods received

and checked

Payment order issued _Payment received & processed SecurePipe

Message InterceptBuyer’s Internal Department

Approves order Request for approval Order approval

received

Bill logged

SecurePipe Message InterceptorriBuyer’s Accounting

Department

Processes request Confirmation and bill payment request

Figure 4.1: Current process displayed in a UML sequence diagram

Task 3: Model the envisioned business processes. This may involve process redefinition/redesign depending on how different the new processes are to be.

Case: Based on the information and current needs,Buyer’s domain experts and analysts define the envisioned procurement process:

Step 1. Buyer needs materials. Buyer’s system recognizes this need (because

minimum stock levels have been reached) and identifies materials, quantities, and sets delivery schedule. The order is sent to the Internal department for

approval. The Internal department approves order (manual). Buyer’s system

places the order with Supplier’s system over the Internet using WS.

Step 2: Supplier system receives the order from Buyer, and Buyer is billed

using Web services

Step 3. Buyer receives goods and checks that the specific goods ordered have

been received. Accounting Department checks goods received against the orig-

inal order placed, and then directs the system to issue payment toSupplier.

Figure 4.2 is created by Buyer to provide more detail into the new process.

Message Inspector

Service 1 Complete_System

Materials needed System identifies materials, quantity, & set schedule

New WS- based System

System places materials order using Web services messages Personnel

process request

Order received & processed Bill for materials is sent online via a Web services message

Goods sent/shipped Goods prepared Log goods & verify

order Confirmation and bill payment request

Payment received & processed SecurePipe

Message InterInternal Department Order approval Automated request for approval Order approval received System logs the bill SecurePipe Message InteeAccounting Department

Processes request Bill payment approval

Payment order issued using Web services

Payment confirmation System logs confirmation Message Inspector Production Le- gacy System Monitoring (continuous) Low stock levels

Update system request Update system to reflect new stock Buyer Supplier In te rn e t

Figure 4.2: Envisioned process displayed in a UML sequence diagram

Task 4a: Analyse the process flows at a relatively high level to identify what participants should be able to do, and what inputs, outputs and actions are required for a process to be successfully completed. If UML sequence diagrams

4. Applying BOF4WSS to a Scenario 91

are being used, it should be relatively straightforward to identify these. This

produces the functional requirements.

Case: With consideration of the sequence diagram in Figure 4.2, business ana-

lysts at Buyer note that there should be a Procurement system capable of the

following functionalities (inputs and outputs are clearly shown in the figure and are therefore not specifically identified again here).

i Continuously monitoring the stock levels for all production materials. The Procurement system will therefore need to interface with the existing legacy stock system—this is a system which has up-to-date information on all the materials needed in production.

ii Automatically generating an electronic purchase order depending on materi- als needed, including quantity and schedule of dates.

iii Passing the order for manual approval to personnel in the Internal Depart- ment (possibly using email).

iv Subsequently enabling the electronic purchase order to be sent (using WS

messages) over the Internet to an order processing service system atSupplier’s

enterprise.

v Logging bills sent by Supplierusing WS.

vi Interfacing with personnel in the Accounting Department and allowing for their manual approval of bill payments.

vii Issuing payment orders to Supplier for goods supplied.

viii Interacting with the existing legacy stock system to enable new stocks to be recorded and stock levels updated.

In terms of BOF4WSS’ suggestion that companies should identify quality

requirements, Buyer and Supplier personnel opt to define these aspects at a

later date in the Systems Design phase and last Agreements phase.

Task 4b: Identify the general security actions and requirements for the processes and the scenario.

The first step is to analyse access restrictions on processes, actors etc., and assess the threats, vulnerabilities and risks that can affect processes. Next would be a scenario risk assessment as this enables a comprehensive security-driven analysis of the overall business scenario to be undertaken. The general process is to identify risks, estimate and evaluate them, decide on possible treatments, and

finally, elicit and generalize to the high-level security actions and requirements.

Case: To identify security necessary for the scenario, the IT security special-

ists on the project team at Buyer choose to apply the NIST Risk Management

approach [195]. This is the preferred approach in their company. Instead of pre- senting the complete process, a few of the key aspects of the approach are shown below. First, in Table 4.1 is part of the list of assets, vulnerabilities and threats within the scenario that are identified by the security specialists.

Item Asset Vulnerability Threat

source

Threat action

6 WS mes- sages

Sending information over the Internet in inappropri- ately secured formats

Malicious party

Eavesdropping and tam- pering with data in a WS’ message (in transit) 7 Procure-

ment system

No facilities for the logging of transactions between Buyer and

Supplier Third party, Malicious party, Insider Repudiation of services; unauthorized changes made to orders or system

8 Sensitive WS mes- sages, for example, payment orders

No allowance for sensitive messages to have added security Malicious party with sophis- ticated tools Unauthorized access gained to sensitive data. For example in pay- ment orders, they are bank codes and account numbers

Table 4.1: Assets, vulnerabilities and threats faced by Buyer

From here, the next step is the identification and estimation of related security risks in Table 4.2. Table 4.3 supports this by outlining descriptions of risk levels from the NIST Guide.

The next aim in the Guide is to assess the treatment options for risks in terms of related organizational policies, laws and regulations, and effectiveness of recommended options/controls. For the first two risks in Table 4.2, the following information is key in making the treatment decision.

4. Applying BOF4WSS to a Scenario 93

Risk no. Related item Likelihood Impact Risk Level

RSK-12 Item 6 Medium High Medium

RSK-13 Item 7 Medium Medium Medium

RSK-14 Item 8 Medium High Medium

RSK-15 Item 9 Low Medium Low

Table 4.2: Buyer’s risks faced and their estimated values

Risk Level Risk Description and Necessary Actions

High If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to oper- ate, but a corrective action plan must be put in place as soon as possible. Medium If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.

Low If an observation is described as low risk, the system’s approving au- thority must determine whether corrective actions are still required or decide to accept the risk.

Table 4.3: Risk scale and necessary actions ([195])

For Risks RSK-12 and RSK-13, the Sarbanes-Oxley Act of 2002 (a United States federal law) is a critical consideration. This act requires that companies are able to confirm that only authorized persons have access to private information and sensitive systems. Additionally, audit trails are necessary to ensure this is done and enable other types of checking and verification. Regarding RSK-12

specifically,Buyeralso has a security policy that strongly advocates the protection

of integrity and confidentiality of all non-public communications.

With the aspects above in mind and a risk level of Medium, security spe-

cialists at Buyer decide to mitigate the two risks and define respective security

requirements to achieve mitigation.

Applying the general process above to find all risks, threats and so on, Buyerderives the following high-level security requirements (recall that a security requirement represents the application of a mitigation action to treat a risk). Only some are shown noting space considerations.

1. The Web services messages to be used between companies to facilitate busi- ness transactions cannot be adequately secured by normal transport-level security (that is, Secure Sockets Layer or Transport Layer Security). These

mechanisms provide only point-to-point security and not the end-to-end se- curity needed by Web services (readers can view Boncella [17] for details). As a result, measures should be taken to support security at the Web ser- vices message level to ensure data integrity and confidentiality. This relates to risk RSK-12 above.

2. A part of reliable business process execution both within the company and externally (thus, with trading partners) involves comprehensive logging and subsequent enforcement. This especially relates to the maintenance of an audit trail for transaction monitoring, which would also facilitate tracing and accountability checks when required. This relates to risk RSK-13.

3. The interactions within and external toBuyer (that is, with business part-

ners such as Supplier) involve the transference of a wide variety of infor-

mation. This information has varying levels of sensitivity. Appreciating this fact, measures should be taken to secure this information (in terms of confidentiality and privacy) to mirror these sensitivity levels. Classification levels of High, Medium and Low are proposed to do this, with different degrees of security on each level. To enable this, all information should first be classified. This relates to risk RSK-14 above.

4. No matter how secure and sophisticated the application infrastructure is, a denial-of-services attack can cripple companies or business partners by making their applications/services offline and unavailable. Thus, companies and business partners should adopt appropriate measures that can help defend and respond against a security breach and ensure further service continuity without disrupting legitimate user/system requests. (Adapted from Steel et al. [194])

The security requirements to be assumed as output from Supplier’s Require-

ments Elicitation process are next.

Contrary to the bullet-point requirements listingBuyer produces, security

4. Applying BOF4WSS to a Scenario 95

requirements. The first of these formats is a predefined, standard security re- quirements checklist commonly used by the company when dealing with external parties. An excerpt of the checklist is displayed in Table 4.4.

Item Description Yes/No

Requirement 1. There should be an infrastructure plan that ensures the capability of having systems, applications and services available in the event of a security breach or accidental (human or natural) incident. If such an event occurs,Supplier, and previously defined business partners should have mechanisms in place to recover from the event. Such mechanisms may even stop the event from occurring in the first place. (Adapted from [194])

Requirement 2. Organizations participating in a B2B transactions should have security directives in place that address the topic of viruses, malware and all other malicious types of applications. Typically this should be handled by a well-known antivirus software, which is updated regularly, installed on the local networks, and used to scan all networks periodically. ([203] aided definition)

Requirement 3. Authentication is critical and should be used.

Table 4.4: Supplier’s security requirements checklist

To complement the standard requirements checklist, professionals from

Supplierapply the CORAS [47] risk assessment technique to identify other nec-

essary security requirements and risk treatments. As security team members

fromSupplierare of the opinion that diagrams would be more useful for compa-

nies’ discussions in the Negotiations phase, they supply the diagrammatic output from the CORAS technique. An example of the requirements diagrams which

Supplier would bring into the Negotiations phase of BOF4WSS are shown in

Figures 4.3 and 4.4. These figures display Supplier’s requirements #4 and #5

respectively; specifically, the ‘Treatment’ components of the diagram depict the actual requirements.

To summarize therefore, for their requirements Supplier is taking the

checklist and the set of diagrammatic models into the Negotiations phase. In addition to the references mentioned above, [13, 32] also aid as a general resource in defining the security actions and requirements.

Case Output: Each company’s functional requirements and security actions – the requirements above are examples of what is output and what they carry

Figure 4.3: Requirement #4: Supplier’s risk treatment for servers

Figure 4.4: Requirement #5: Supplier’s risk treatment for sensitive communi-

4. Applying BOF4WSS to a Scenario 97

forward to subsequent phases. Also, the supporting documentation, for example process models.

4.3.2

Phase 2: Negotiations

Task 1: Discuss and negotiate on functional and quality requirements for sys- tems. This starts with the requirements and process models brought by each company.

Case: This task is not shown because of the space that would be required, and

especially considering that the focus is on security in this scenario. An assumption is made however that the general (UML) process flow and resulting functional

requirements which are outlined by Buyer have been agreed for adoption by

companies.

Task 2: Discuss and negotiate (or compare and reconcile) security actions and requirements for scenario interactions.

Case: Teams fromBuyer and Supplier consisting of business and systems ana-

lysts and security professionals, meet to negotiate on their documented security actions and chart an agreed path forward.

The first task is the exchange of security documents/reports to allow each company to gain an understanding of the high-level security requirements of the other company. As requirements documents and formats across companies are so different however, this entails many queries to the other company’s personnel as they attempt to understand: (i) what exactly the other company means by particular requirements, (ii) explanations of the proprietary checklists, require- ments listings, and the graphical formats used to express requirements (these are unknown to business partners), and (iii) the motivation behind the need, that is, why a company has a particular security action/requirement.

Specific questions asked in line with these factors therefore include the following. Is there an underlying reason behind the security requirement? Is there a risk the company is trying to protect against in checklist items? If so,

why is it considered important to mitigate this risk as opposed to some other option? This process is conducted for each requirement.

With some understanding of the other company’s actions and require- ments, the second task was for both companies to look at comparing their indi- vidual actions/requirements. This process is conducted by security professionals

and analysts from each company. The aim being to determine if Supplier’s and

Buyer’s security actions for the scenario were compatible, and therefore could be carried forward to be applied to the pending business scenario. To ease compar- ison, the companies first choose to categorize each of their requirements by topic (for example, requirements regarding communications security were grouped). Table 4.5 displays the resulting groupings for nine requirements.

Category Buyer Sec. Req. Supplier Sec. Req.

Communications security #1, 3 #5

Auditing/Logging #2 –

Availability of services/data #4 #1

Systems security – #4

Entity verification – #3

Malicious software security – #2

Table 4.5: Grouping of companies’ security requirements

Next, each company’s personnel use the other company’s requirements doc- ument/reports to determine if that company has similar security requirements to their own. This is done on a requirement-by-requirement basis. If that company does not, then discussions take place questioning that fact. Typical questions include the following. Why has this type of requirement not been considered? Does the company not see the potential risk associated here? Are there other rea- sons/factors supporting why the underlying risk was chosen not to be handled?

Taking one requirement as an example of the narrative above, the following

shows the supporting information given byBuyer for its security requirement #1

(listed previously). Supplier queries this requirement because it had no similar

4. Applying BOF4WSS to a Scenario 99

– The reality that there are unique risks associated with the use of WS-specific technology and therefore these require additional security considerations. – The fact that the possible impact of threats on interactions would be very

costly. Also, there is a medium risk likelihood as Buyer has been the victim

of targeted attacks in the past.

– The Sarbanes-Oxley Act of 2002 (a United States federal law) requires that

In document Proyecto de asociatividad para la exportación de panela granulada desde la Asociación de Mujeres Campesinas productoras de panela granulada del recinto Suncamal del cantón Cumanda, provincia de Chimborazo, hacia los principales países de la Unión Europea (página 59-63)