Requirements Patterns

Abstract

Security management and the protection of business assets have been a paramount concern for many years. Due to the flood of emerging innovative technologies such as cloud computing or big data, security approaches have constantly evolved toward more sophisticated solutions, aiming to tackle ever more complex security issues. Nowadays, integrated frameworks are necessary to manage this complexity. Pattern-based approaches for reusing security solutions have proven their usefulness, but mostly in the frame of simple security matters. Acknowledging this, the scientific community has recently considered how these patterns could also be used to address the complexity caused by the association of multiple security criteria. Approaches based on the combination of simple security patterns have emerged and have resulted in the elaboration of methods for designing systems of security patterns and of systems managing these collections of patterns. Nonetheless, in that domain, we have observed that research is mostly focused on the definition of security solutions and does not yet address the complexity of the security requirements. In this paper we present a proposal for addressing this issue by means of a framework for engineering reusable security patterns for complex systems called COPERATE (COmPlex sEcurity Requirements pAtTErns). To show the feasibility of our approach, this framework is used for defining a complex security requirement and its corresponding pattern for an excerpt of a case taken from the cloud-computing domain.

Keywords: Information security; security management; security pattern; security requirements; pattern modelling

I. INTRODUCTION

Security has moved from being considered by information systems designers as a technical topic to becoming a critical issue in our society [2]. With the growing use of information systems, these systems are becoming more and more complex. Nowadays, information systems must comply with new usages, requirements, and deployment technologies that permanently expose them to new vulnerabilities. There is no single week without an announcement indicating that the information system of some private or public organization was attacked. Attacks on information systems may target strategic data such as information exchanged by CEOs, financial data, R&D documents, customer and human resources information, etc. The consequences for organizations are manifold: deterioration of the image and brand, disturbance of activity, financial losses, and even threats to the socio-economic, political and military ecosystems.

However, with the growing need to implement information technology security measures and the larger application scope, analysts and requirements engineers have to face two major challenges: the reuse of the, often tacit, knowledge about security and the engineering of this reusable knowledge. A new discipline called Security Requirements Engineering (SRE) is intended to tackle these challenges: the first challenge is usually faced by means of security patterns and the second one by means of systems of security patterns. However, there are still several difficulties regarding the maturity of the SRE methods to deal with security requirements. For instance, Zuccato et al. [20] report that (1) SRE is in practice frequently performed by security non-experts, (2) security expertise is scarce, and (3) security requirements and their dependencies are often not directly known by requirements engineers. In addition to the lack of explicit and reusable security knowledge, there is the lack of organization of that reusable knowledge in a process compatible with the requirements engineering practices. To cope with this issue, this paper proposes a framework for engineering reusable security requirements patterns in the context of the current requirements engineering practices for complex systems. In particular, the proposed framework consists of a set of tools that gathers simple and complex pattern models and metamodels [5][8][14], pattern engineering methods [6][10], and a security pattern template library. There are several advantages of using this framework. Some of these advantages are associated with considering security during the early stages of information systems development, for instance allowing information systems developers to envisage threats and their consequences and countermeasures before a system is in place. Other advantages are associated with the possibility of managing groups of security requirements and their associated patterns.

From a methodological perspective, the framework proposed in this paper has been built with a Design Science approach, as explained by Hevner et al. [7]. The designed artefact is a framework for engineering complex security requirements patterns that defines a CSRP (complex security requirements pattern) model and a CSRE (complex security requirements engineering) method. The CSRP model is designed from the existing security requirements pattern model, which has been iteratively extended to integrate complex security elements (e.g., interrelation between security criteria, mutual influence, etc.). The information necessary to complete the
model is gathered using techniques such as observation, interviews and surveys, document archaeology, etc. These social science techniques are effective for eliciting requirements and are part of common requirements engineering best practices. Information about requirements is also extracted from the available assets using reengineering approaches and information retrieval techniques. Identification, location and extraction of features, reusable assets or patterns can help during the model creation. Afterwards, the collection of security requirements patterns is built iteratively, by intertwined design and experimental validation activities. The elaboration of the CSRE method is based on a risk management method that allows analysing threats on the information system in order to derive security requirements to mitigate security risks.

Fortunately, this paper is not the first one intending to tackle these issues; on the contrary, it builds on previous efforts of the requirements engineering community. In particular, the framework proposed in this paper is a step towards the integration and extension of the method for using security patterns to model and analyze security requirements proposed by Konrad et al. [8], the PABRE framework for pattern-based requirements elicitation proposed by Renault et al. [15], the methods for constructing and using requirements patterns proposed by Franch et al. [5] and Fernandez et al. [4], and the idea of creating systems of security design patterns proposed by Nguyen et al. [12].

The rest of this paper is organized as follows: Section II presents the related work found in the literature about security requirements patterns engineering and shows the novelty of our proposal with respect to the current state of the art. Section III presents the framework that we propose in this paper and illustrates it with a running example taken from the cloud computing area. Section IV concludes the paper with some discussion of our early experiences using the framework and presents an agenda for future research in reusable security patterns for complex systems.

II. RELATED WORK

Knowledge management in Requirements Engineering (RE) is a current issue of the research community. The concept of requirements patterns is explored, among others, by Franch et al. [5] (see white boxes in Figure 1). However, the research on this topic is currently broad and not yet focused on specific disciplines of RE [15], although there are some initiatives in the field of Security Requirements Engineering (SRE). In that regard, Souag et al. [17] argue that reusable knowledge for SRE constitutes a major ingredient of SRE methods. Security patterns consist of a set of specific problem-solution associations which aim to solve and facilitate the automatic treatment of recurring security issues, from the requirements engineering phase up to their design and implementation. Security patterns have already been examined by a plethora of researchers [6][10][13][16][18].

Two of the most relevant contributions on SRE are: the work of Fernandez et al. [4], which provides an overview of a method for security system development involving a full range of security patterns; and the work of Konrad et al. [8], which explains that the security needs of a system highly depend on the environment in which it is deployed, and that using security patterns may help the developer to gain security insight for checking the consistency of a specific design and implementation with security properties.

The framework proposed in this paper aims to organize the elements that should be taken into account to build and manage complex security patterns for a particular information system as a function of the complexity level of the security criteria that should be considered (vertical axis) and the security deployment life cycle of the information system (horizontal axis), as illustrated in Figure 1. This framework extends previous work achieved in the context of the PABRE framework [14][15], which mainly defines the elements of simple security requirements patterns (SSRP) [5] and Security Requirements Engineering (SRE) [18].

III. MOTIVATING SCENARIO: A DATA ACCESS APPLICATION IN A CLOUD-BASED ENVIRONMENT

Cloud computing gives rise to a plethora of new complex security requirements, because it combines traditional security requirements with new requirements associated with the internet-based and shared processing of information. In this context, a data retrieval system on the cloud is used as a running example to explain to what extent traditional security protections may no longer be handled separately but must be regarded as a complex integration of security patterns. For instance, in traditional information systems, access to information requires the deployment of two isolated and independent security requirements patterns, respectively: a pattern for the management of the access rights (Re1: user authentication) and a pattern for the encryption of the data (Re2: data confidentiality). In a cloud computing-based environment, the access rights and the data encryption should not be handled separately by these two patterns. Instead, they should be composed into a new, unique complex security requirements pattern that takes into account the complex relations between the two simple patterns taken separately. In order to do so, the new requirements pattern should associate encryption requirements with traditional access control mechanisms such as RBAC (role based access control). This means that although we may consider Re1 and Re2 separately in traditional architectures of information systems, in a cloud environment it will be necessary to consider them as a unique new complex requirement Re3, where Re3 is not equivalent to Re1 + Re2 but Re3 = Re1Re2, with Re1Re2 being > (Re1 + Re2). Indeed, as explained hereafter, in cloud computing user authentication may, for instance, not be performed in the clear but by means of encryption tools.

To solve a CSR (such as Re3), the deployment of a set of simple security patterns achieved separately is no longer sufficient. Indeed, in the case of access to a traditional information system, the user first needs to identify himself in the clear and then deploy an encryption mechanism to communicate confidentially with the system. In this case, a conventional network sniffer may know that there is a communication between the user and the system but may not read the content of the data. The situation is different in a cloud-computing context where network sniffing most often
implies a malicious act [19], which needs to be faced by the cloud service provider. This service provider must guarantee the confidentiality of the data but also the anonymity of the users who access the system.

Hence, in this case, we observe that the requirements patterns of deploying an access control mechanism to guarantee user authentication (Re1) and an encryption mechanism to guarantee confidentiality (Re2) independently (formalised as Re1 + Re2) no longer offer the necessary security protection to preserve user anonymity. In this case, both requirements must be integrated to form what we call a Complex Security Requirements Pattern (Re3), representing Re1Re2. In other words, the integration of the security requirements Re1 and Re2 is used to simultaneously achieve user authentication and data encryption that guarantees the confidentiality and privacy of the users while they log on to the information system.

IV. COPERATE: COMPLEX SECURITY REQUIREMENTS PATTERN FRAMEWORK

This section presents a first iteration of the framework for engineering complex security requirements patterns (COPERATE) and an exploitation of this framework for dealing with complex security requirements from the cloud-computing field.

A) The COPERATE framework

Although it is worth noting that most security engineers exploit the patterns independently from each other, we also observe that few have addressed the exploitation of systems of patterns. Some researchers, such as Nguyen et al. [12], highlight that security patterns must also be organized in systems in order to offer additional and complementary benefits (e.g., coordination, optimisation, avoidance of redundancy, etc.). This statement is supported by the literature review and analysis of security patterns made by Nguyen et al. [11], in which the authors argue that a security pattern alone cannot help to secure a system against different threats. Thus, it is necessary to build a system of security patterns in which inter-pattern relations are specified.

Considering this new paradigm, the selection of the most appropriate pattern(s) for a given design challenge is no longer conceivable without knowing the environment in which the pattern will exist, on the one hand, and the controls which are made available by the system of security patterns (SSP) and are to be deployed by the security engineer, on the other hand. Based on Nguyen et al. [11], the same authors propose in [12] an approach to automatically compose security design patterns considering multiple security concerns (e.g., authorization, authentication, identification, etc.) and the inter-pattern relationships.

As illustrated in Figure 1, SRE methods have proposed discovering simple security requirements patterns and identifying the appropriate security pattern necessary to fulfil these requirements. To address more complex security criteria, assembling security patterns in systems of patterns appears to be a promising approach. However, to the best of our knowledge, there is not yet a repository of Complex Security Requirements Patterns (CSRP), nor RE methods to associate the right systems of patterns with the right CSRP (grey boxes in Figure 1). The objective of the framework is to provide the definition of complex security requirements patterns and, more especially, how they can be fulfilled by a system of security patterns.

B) Using the COPERATE framework

This section illustrates how the general framework for complex security requirements patterns may be used in order to discover complex security patterns. Therefore, we present the usage of the framework in the context of our motivating scenario. First, we describe the evolution from traditional security requirements engineering to complex security requirements engineering; and second, based on this evolution, we illustrate how complex security patterns need to be specified to face arising complex security needs.

1) From (standard) Security Requirements Engineering (SRE) to Complex Security Requirements Engineering (CSRE)

Security requirements engineering is a dedicated part of the requirements engineering process that aims, in the context of the security pattern domain, at discovering recurring simple
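The Section III argument (Re1 + Re2 deployed independently leaks the user's identity to a passive observer, while the composed Re3 does not) as a runnable model. This is an added example, not code from the paper or the COPERATE framework; the message formats, the shared key and the hash-based keystream are constructed for illustration and the keystream is not a real cipher.

```python
import hashlib
import json

# Constructed demo values; a real deployment would negotiate the key (e.g. via TLS).
DEMO_KEY = b"constructed-shared-secret"
DEMO_NONCE = b"constructed-nonce"


def toy_xor_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher for illustration only (NOT a real cipher): XOR data with
    SHA-256(key || nonce || block counter). XOR is its own inverse, so it decrypts too."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def sequential_flow(user: str, record: str) -> list:
    """Re1 + Re2 as two independent patterns: identify in the clear, then encrypt."""
    login = json.dumps({"type": "login", "user": user}).encode()
    query = json.dumps({"type": "get", "record": record}).encode()
    return [login, b'{"type": "login-ok"}', toy_xor_cipher(DEMO_KEY, DEMO_NONCE, query)]


def composed_flow(user: str, record: str) -> list:
    """Re3 = Re1 composed with Re2: the channel is encrypted before any identity is sent."""
    hello = json.dumps({"type": "hello", "nonce": DEMO_NONCE.hex()}).encode()
    login = json.dumps({"type": "login", "user": user}).encode()
    query = json.dumps({"type": "get", "record": record}).encode()
    return [hello] + [toy_xor_cipher(DEMO_KEY, DEMO_NONCE, m) for m in (login, query)]


def passive_observer(transcript: list) -> dict:
    """What a sniffer without the key learns from the captured messages."""
    users, readable = set(), 0
    for payload in transcript:
        try:
            msg = json.loads(payload.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue  # ciphertext: opaque to the observer
        readable += 1
        if isinstance(msg, dict) and "user" in msg:
            users.add(msg["user"])
    return {"users": users, "readable": readable, "total": len(transcript)}


if __name__ == "__main__":
    for name, flow in (("Re1 + Re2", sequential_flow), ("Re3", composed_flow)):
        print(name, passive_observer(flow("alice", "invoice-42")))
```

In both flows the observer sees that a session exists and cannot read the record; only the composed flow also hides who logged in, which is the anonymity property the scenario requires of the cloud provider.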