A Proposal for Measuring Security Complexity in Information Technology Procedures
Abstract
IT security has become, over recent years, a major concern for organizations. However, it does not come without large investments, both in the acquisition of tools to satisfy particular security requirements and, more generally, in complex procedures to deploy and maintain a protected infrastructure. The scientific community has recently proposed models and techniques to estimate the complexity of configuration procedures, aware that they represent a significant operational cost, often dominating total cost of ownership. However, despite the central role played by security within this context, it has not been the subject of any such investigation so far. To address this issue, we apply a model of configuration complexity proposed in the literature in order to estimate the impact of security on the complexity of IT procedures. Our proposal has been materialized through a prototypical implementation of a complexity scorer system called Security Complexity Analyzer (SCA), which was used to evaluate real-life security scenarios.
