Security and Trust in IT Business Outsourcing: a Manifesto

Karabulut, Yücel; Kerschbaum, Florian; Massacci, Fabio; Robinson, P; Yautsiukhin, Artsiom

doi:10.1016/j.entcs.2006.08.030

Cited by 25 publications

(27 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As argued in [16] and also in [12,Chap.3], internal security indicators are not appropriate for the client. It should rather use what we termed assurance indicators.…”

Section: Definitionmentioning

confidence: 99%

See 1 more Smart Citation

An algorithm for the appraisal of assurance indicators for complex business processes

Massacci

Yautsiukhin

2007

Proceedings of the 2007 ACM Workshop on Quality of Protection

View full text Add to dashboard Cite

In order to provide certified security services we must provide indicators that can measure the level of assurance that a complex business process can offer. Unfortunately the formulation of security indicators is not amenable to efficient algorithms able to evaluate the level of assurance of complex process from its components.In this paper we show an algorithm based on FD-Graphs (a variant of directed hypergraphs) that can be used to compute in polynomial time (i) the overall assurance indicator of a complex business process from its components for arbitrary monotone composition functions, (ii) the subpart of the business process that is responsible for such assurance indicator (i.e. the best security alternative).

show abstract

“…As argued in [16] and also in [12,Chap.3], internal security indicators are not appropriate for the client. It should rather use what we termed assurance indicators.…”

Section: Definitionmentioning

confidence: 99%

“…install antivirus, enforce a policy for using e-mails). To assess the internal security of the BP the contractor can use what we called security indicators such as the frequency of anti-virus updates, the presence of sophisticated access control models and so on [16].…”

Section: Definitionmentioning

confidence: 99%

An algorithm for the appraisal of assurance indicators for complex business processes

Massacci

Yautsiukhin

2007

Proceedings of the 2007 ACM Workshop on Quality of Protection

View full text Add to dashboard Cite

show abstract

“…In this work, we introduce behavior compliance control, in which a cloud provider uses methods from dynamic anomaly detection to provide clients trustworthy evidence about the absence of "abnormal" executions caused by incorrect server configurations, version mismatches, hardware glitches or malicious attacks by third parties [20]. Providing such evidence is very important in scenarios where faults or attacks occur through invalid program inputs such as incorrect or compromised configuration files.…”

Section: Introductionmentioning

confidence: 99%

Dynamic Anomaly Detection for More Trustworthy Outsourced Computation

Alsouri

Sinschek

Sewe

et al. 2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract.A hybrid cloud combines a trusted private cloud with a public cloud owned by an untrusted cloud provider. This is problematic: When a hybrid cloud shifts computation from its private to its public part, it must trust the public part to execute the computation as intended. We show how public-cloud providers can use dynamic anomaly detection to increase their clients' trust in outsourced computations. The client first defines the computation's reference behavior by running an automated dynamic analysis in the private cloud. The cloud provider then generates an application profile when executing the outsourced computation for its client, persisted in tamper-proof storage. When in doubt, the client checks the profile against the recorded reference behavior. False positives are identified by re-executing the dubious computation in the trusted private cloud, and are used to re-fine the description of the reference behavior. The approach is fully automated. Using 3,000 harmless and 118 malicious inputs to different Java applications, we show that our approach is effective. In particular, different characterizations of behavior can yield anything from low numbers of false positives to low numbers of false negatives, effectively trading trustworthiness for computation cost in the private cloud.

show abstract

“…These factors include for example the organisation's culture (Allen et al, 2002;Graf and Mudambi, 2005), its ability to manage customer-vendor relationships (Lee, 2001;Kedia and Lahiri, 2007;Goo et al, 2007), security capabilities (Power and Forte, 2005;Hunter, 2003;Karabulut et al, 2007;Kennedy and Clark, 2006;Khalfan, 2004;Todd et al, 2006) and people management (Jensen et al, 2007).…”

Section: Introductionmentioning

confidence: 99%

Revisiting learning outcomes from market led ICT outsourcing

Choudhuri

Maguire

Ojiako

2009

Business Process Management Journal

View full text Add to dashboard Cite

Purpose -Today's global business is heavily dependent on information and communication technology (ICT). The reality for most organisations is that the rate of technology change has been extremely fast. To cope with these changes, some organisations are committing a large amount of resources. Such challenges make it difficult for some companies to invest in ICT, resulting in a need to re-think their business models. One such approach which has proved popular over the last few years is to outsource ICT. However, not all ICT outsourcing projects have been totally successful. The paper aims to explore various constructs in ICT outsourcing. Design/methodology/approach -The aim is achieved by conducting studies on 11 ICT outsourcing projects within the service sector. Findings -In future, customers will be looking for value-added services while focusing less on outsourcing as a cost-cutting exercise. There is also an added pressure on the customers and vendors to ensure that the original business case to justify outsourcing is robust. Research limitations/implications -The research is conducted with a limited sample of ICT outsourcing projects. For this reason, many of the conclusions in this paper are generalisations. Further research will need to be conducted in order for the lessons that emerge to be applicable across a wider business perspective. Originality/value -The paper takes a longer term perspective on the interface between customers and vendors in outsourcing projects. However, globally, this sector is very fluid and it is crucial that organisations understand the complexity of the relationships. This paper does not specifically seek to add to the existing body of knowledge on ICT outsourcing, but rather it serves as an opportunity to reflect on the full complexity of ICT outsourcing.

show abstract

Security and Trust in IT Business Outsourcing: a Manifesto

Cited by 25 publications

References 21 publications

An algorithm for the appraisal of assurance indicators for complex business processes

An algorithm for the appraisal of assurance indicators for complex business processes

Dynamic Anomaly Detection for More Trustworthy Outsourced Computation

Revisiting learning outcomes from market led ICT outsourcing

Contact Info

Product

Resources

About