Status active project
Project type Research Project
Dimension International
Acquisition date 2008-02-07
Start date 2008-02-07
End date 2011-02-07

Project details

Project abstract

The business of the future will be characterized by highly dynamic service-oriented architectures where outsourcing and distributed management constitute the norm rather than the exception, with increasing complexity in the security and trust requirements arising from regulations and business standards. Best-effort security will no longer be accepted, and business entities will have to provide certified assurance services to customers and expect assured services from contractors in order to manage the associated business and technology risk. MASTER aims at providing methodologies and infrastructures that facilitate the monitoring, enforcement, and audit of quantifiable indicators on the security of a business process, and that provide manageable assurance of the security levels, trust levels and regulatory compliance of highly dynamic service-oriented architectures in centralized, distributed (multi-domain), and outsourcing contexts. To this end, MASTER will identify new innovation components in terms of key assurance indicators, key security indicators, protection and regulatory models and security model transformations, coupled with the methodological and verification tools for the analysis and assessment of business processes. It will further define an overall infrastructure for the monitoring, enforcement, reaction, diagnosis and assessment of these indicators in centralized, distributed (multi-domain), and outsourcing contexts. It will show a proof-of-concept implementation in the challenging realms of Banking/Insurance and e-Health IT systems. MASTER will thus deliver a strategic component of the security and trust pillar of the European Technology Platform NESSI, which makes it a NESSI strategic project.

Fundings 9200000€
  • DIT - UniTN
  • ATOS Origin
  • SAP research
  • Engineering SpA
  • IBM Research Lab Zurich
  • ETH Zurich
  • SINTEF - Norway
  • University of Stuttgart
  • Deloitte
  • Fondazione San Raffaele
  • CESCE - Sinclair International

DISI Sub-project details

Project abstract

UNITN is the scientific director of the project and will be scientifically responsible for the following activities:

A2 (Conceptual Models) will develop models and languages to quantify and qualify the concepts, indicators and models of MASTER. Such models will define the compliance of a process with regulations, security contractual requirements and security policies. Languages to express metrics, security indicators and security features will be developed to allow for cross-organization specification of such requirements and collection of metrics for evaluation, monitoring and assessment of compliance.

Further, we will be scientifically responsible for the work that will focus on online policy enforcement by direct action and reaction. The functionality under scrutiny accepts events from the monitoring infrastructure A4 as input (which itself receives relevant events from the signaling components that send some information about a service's activities to the monitors). It then checks adherence to usage control policies. There are two forms of usage control policies. Direct action simply allows or forbids the usage of specific data items under specific circumstances (e.g., data must not be used more than three times, or data must not be distributed before a month's time). Reaction specifies certain actions to be taken under certain circumstances (e.g., notify data owner whenever data is accessed, or (unconditionally) delete data after thirty days, or spell out a fine if there is no evidence that the data item was deleted after thirty days).

A6 (Assessment Infrastructure) develops techniques and tools for analyzing events produced by the MASTER infrastructure in order to perform off-line detection of policy violations, understand causes of policy violations, derive predictive models for violations, and perform compliance analysis. Diagnostic models provide information on the root causes of policy violations and can be used to assess whether the set of services and processes behaves in accordance with policies and regulations. Finally, visual and online analysis of security KSI and KAI is provided via a graphical console that allows on-line querying and processing of the information in the warehouse, including the diagnostic models.
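The two forms of usage control policy described above can be sketched as an event-driven check. This is an added example, not MASTER project code: the `Enforcer` class, the event kinds (`create`, `use`, `distribute`, `tick`) and the 30-day reading of "a month's time" are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_USES = 3                      # "must not be used more than three times"
EMBARGO = timedelta(days=30)      # "a month's time", assumed here to be 30 days
RETENTION = timedelta(days=30)    # "delete data after thirty days"

@dataclass
class Item:
    owner: str
    created: datetime
    uses: int = 0

@dataclass
class Enforcer:  # hypothetical name, not a MASTER component
    items: dict = field(default_factory=dict)
    reactions: list = field(default_factory=list)  # actions to carry out

    def handle(self, kind, now, item_id=None, owner=None):
        """Process one monitor event; return True to allow, False to forbid."""
        if kind == "tick":  # clock event: run the timed reaction
            for iid in [i for i, it in self.items.items()
                        if now - it.created >= RETENTION]:
                del self.items[iid]
                self.reactions.append(("delete", iid))
            return True
        if kind == "create":
            self.items[item_id] = Item(owner, now)
            return True
        item = self.items.get(item_id)
        if item is None:
            return False  # unknown or already deleted data
        # Direct action: decide before the usage takes place.
        if kind == "use" and item.uses >= MAX_USES:
            return False
        if kind == "distribute" and now - item.created < EMBARGO:
            return False
        if kind == "use":
            item.uses += 1
        # Reaction: report each permitted access to the data owner.
        self.reactions.append(("notify", item.owner, kind, item_id))
        return True

def run_constructed_trace():
    """Replay constructed sample events and return (decisions, reactions)."""
    t0, day, e = datetime(2024, 1, 1), timedelta(days=1), Enforcer()
    trace = [("create", t0, "rec1", "alice")] + [("use", t0 + day, "rec1")] * 4 + [
        ("distribute", t0 + 2 * day, "rec1"), ("tick", t0 + 30 * day),
        ("use", t0 + 31 * day, "rec1")]
    return [e.handle(*ev) for ev in trace], e.reactions
```

In the constructed trace the fourth use and the early distribution are forbidden by direct action, while the owner notifications and the deletion at thirty days are recorded as reactions.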

Fundings 920000€
Manager Bruno Crispo