Architecture-driven Information Assurance for Rapid Acquisition

Abstract

Architecture-driven Information Assurance for Rapid Acquisition Travis D. Breaux Carnegie Mellon University Department of Defense (DoD) information assurance (IA) certification and accreditation makes architecture-dependent assumptions that fail under new software paradigms, such as mobile and cloud applications. To remain competitive and reduce acquisition time, IA policy must be commensurate with risk and scalable with software’s external dependencies, reusability, and operational lifetime. We propose to investigate the relationship between the risk perceptions of security analysts and the technical mitigations available to reduce risk in enterprise architecture. The proposed work will yield an empirically validated risk preference matrix (a statistical model) that correlates information types, mission needs, and perceive risk scores; simulation results that demonstrate the efficacy of an extended enterprise architecture description language (EADL) to answer questions about the effect of mitigations on perceive risk; and new theory about how the EADL and threat scenarios inform risk management decisions among novice and expert security analysts. The impact of these results is far reaching with benefits to the public: security in commercial and government enterprises, including critical infrastructure, depend on the ability to rapidly adapt security to evolving threats. The proposed research will yield new methods and tools aimed at scaling security protections to evolving risk over the lifetime of these systems. This research will yield important public benefits to private sector companies who supply and consume the same dual-purpose information technology (IT) used by the DoD and who are frequently subject to security threats from organized crime, foreign governments and stateless hackers. This IT increasingly makes use of new architectural paradigms, such as mobile and cloud-based platforms, that increase reuse and agility at the risk of decreased transparency across multi-party, distributed systems. The ability to rapidly and reliability certify IT components in multi-party IT systems will have important public benefits, including increased awareness of security requirements across suppliers, increased innovation that meets emerging demands by composing new systems from trusted components, and reduced costs from increased automation and agility of the workforce. If new technologies are not trusted, companies will continue to rely on outdated hardware and software that often limits information reuse and requires unnecessary redundancy.

Document Details

Document Type

DoD Grant Award

Publication Date

May 12, 2016

Source ID

N002441610006

Entities

Tags