Description
Automating security reviews serves as a way of recreating the review process in a
more efficient manner. In order to utilise such automated reviews, machines must
be enabled to collect evidence themselves. Therefore, these machines need a set of
security criteria that is understandable to them. We have established a methodology for
structuring security requirements from standards that act as criteria for those reviews.
First, the security standards need to be understood and subsequently reorganised to fit
the current needs. Further, the system that is to be protected is analysed with threat
modelling techniques. Both results are then combined for more thoroughness. This
involves creating a hierarchical model of security measures that enables the measures
to be clearly assigned to their respective categories. The methodology is applied
to an exemplary security standard and a use case within the cloud environment.
The approach is designed to grant structuring of requirements independent of the
specific standard used. Here we show a way of doing so through the use of systematic
reorganisation and threat modelling. The created methodology demonstrates how
security standards can be broken down and provides the possibility to be used in further
ontology development. For future work, this method aims at providing preparatory
work for making the requirements accessible to machines through the use of such
ontologies.
|
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching