Archive for October, 2009

Introduction

Mooshabaya is an open source mashup authoring framework. It allows mashups to be modeled as workflows and then exported and deployed to mashup servers, bridging the workflow domain and the mashup domain through their commonalities. The project builds on the existing workflow modeling tool XBaya, which currently supports exporting workflows as BPEL and Jython scripts.

The following features will be available in the initial release of Mooshabaya.

– Generating mashups from workflow models

– Service discovery from web registries

– Deployment of generated mashups to mashup servers

– Monitoring the mashup execution

Initially it will use WSO2 products for mashup deployment (WSO2 Mashup Server) and service discovery (WSO2 Governance Registry). Later releases are expected to extend support to other products as well.

Mooshabaya Mashup Generator: Mooshabaya's graphical workflow composer exports the composed workflows as mashups. It is built by modifying the XBaya Workflow Composer, which currently exports composed workflows as BPEL and Jython.

Service Discovery: Mooshabaya will find service descriptions in the WSO2 Governance Registry, which governs SOA deployment metadata. Mooshabaya will support different forms of user authentication with the registry, as dictated by the registry's infrastructure-level security requirements: either direct user authentication with the registry or brokered authentication via an identity provider. In the latter case WSO2 Identity Server will act as the authentication broker that authenticates the user on behalf of Mooshabaya.

Data aggregation: Mooshabaya will generate mashups that aggregate data from different input sources such as web feeds and data sources. Web feed support will include RSS 1.0, RSS 2.0 and Atom. This makes mashups generated by Mooshabaya more versatile, since they can acquire and process data from different input sources at runtime.
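As an added illustration of the aggregation step described above (example code written for this page, not part of Mooshabaya or the WSO2 Mashup Server), the following Python normalises RSS 1.0, RSS 2.0 and Atom documents into one entry list and merges several feeds, dropping entries whose link has already been seen. Feeds are remote, untrusted input, so the parser refuses oversized documents and any inline DTD before the bytes reach the XML library; the three feed samples, the DTD-bearing document and the size limit are all constructed for the example.

```python
"""Feed aggregation for a generated mashup: normalise RSS 1.0 / RSS 2.0 / Atom.

Added example, not Mooshabaya or WSO2 code. Samples and the size limit are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

MAX_FEED_BYTES = 1_000_000  # assumption: cap on what a mashup pulls in per source

NS = {
    "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "rss1": "http://purl.org/rss/1.0/",
    "atom": "http://www.w3.org/2005/Atom",
}


@dataclass(frozen=True)
class Entry:
    source: str  # "rss1", "rss2" or "atom"
    title: str
    link: str


def _guard(raw: bytes) -> None:
    """Feeds are untrusted remote input: reject oversized documents and any DTD,
    so entity-expansion payloads never reach the XML parser."""
    if len(raw) > MAX_FEED_BYTES:
        raise ValueError("feed too large")
    head = raw[:4096].lower()
    if b"<!doctype" in head or b"<!entity" in head:
        raise ValueError("DTD in feed rejected")


def _atom_link(entry: ET.Element) -> str:
    # Atom entries may carry several <link>s; the article link is rel="alternate"
    # (the default when rel is absent), not rel="self" or rel="enclosure".
    for link in entry.findall("atom:link", NS):
        if link.get("rel", "alternate") == "alternate":
            return link.get("href", "")
    return ""


def parse_feed(raw: bytes) -> list[Entry]:
    """Detect the feed dialect from its root element and return its entries."""
    _guard(raw)
    root = ET.fromstring(raw)
    if root.tag == "rss":  # RSS 2.0: <rss><channel><item>, no namespace
        return [Entry("rss2", it.findtext("title", ""), it.findtext("link", ""))
                for it in root.findall("./channel/item")]
    if root.tag == f"{{{NS['rdf']}}}RDF":  # RSS 1.0: <rdf:RDF> with <item>s in the RSS 1.0 namespace
        return [Entry("rss1", it.findtext("rss1:title", "", NS), it.findtext("rss1:link", "", NS))
                for it in root.findall("rss1:item", NS)]
    if root.tag == f"{{{NS['atom']}}}feed":  # Atom 1.0: <feed><entry>
        return [Entry("atom", e.findtext("atom:title", "", NS), _atom_link(e))
                for e in root.findall("atom:entry", NS)]
    raise ValueError(f"unsupported feed root element: {root.tag}")


def aggregate(feeds: list[bytes]) -> list[Entry]:
    """Merge entries from several sources, keeping the first entry seen per link."""
    seen: set[str] = set()
    merged: list[Entry] = []
    for raw in feeds:
        for entry in parse_feed(raw):
            if entry.link and entry.link not in seen:
                seen.add(entry.link)
                merged.append(entry)
    return merged


def is_rejected(raw: bytes) -> bool:
    """True if the document is refused by the guard or is not well-formed XML."""
    try:
        parse_feed(raw)
    except (ValueError, ET.ParseError):
        return True
    return False


# Constructed samples: one feed per dialect, plus a DTD-bearing document that must be refused.
RSS1_SAMPLE = b"""<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/">
  <channel rdf:about="http://a.example/"><title>Site A</title><link>http://a.example/</link></channel>
  <item rdf:about="http://a.example/1"><title>One</title><link>http://a.example/1</link></item>
</rdf:RDF>"""

RSS2_SAMPLE = b"""<?xml version="1.0"?>
<rss version="2.0"><channel><title>Site B</title>
  <item><title>Two</title><link>http://b.example/2</link></item>
  <item><title>Repost of One</title><link>http://a.example/1</link></item>
</channel></rss>"""

ATOM_SAMPLE = b"""<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Site C</title>
  <entry><title>Three</title><link rel="self" href="http://c.example/feed"/>
         <link href="http://c.example/3"/></entry>
</feed>"""

BOMB_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;">]>
<rss version="2.0"><channel><item><title>&lol2;</title></item></channel></rss>"""

if __name__ == "__main__":
    for entry in aggregate([RSS1_SAMPLE, RSS2_SAMPLE, ATOM_SAMPLE]):
        print(entry)  # One (rss1), Two (rss2), Three (atom); the repost of One is dropped
    print(is_rejected(BOMB_SAMPLE))  # True
```

The dialect is chosen from the root element rather than from the URL or Content-Type, because both are controlled by the remote site; the DTD check is a blunt but cheap guard for a runtime that has no way to disable entity expansion in its XML library.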

Mashup Deployment: Mooshabaya will handle mashup deployment via an MTOM-based service, which will upload the required mashup file, generated stubs and configuration files to the WSO2 Mashup Server where the mashup is intended to be deployed.

Mashup Monitoring: Mooshabaya will enable the mashup developer to monitor the execution of mashups after they have been deployed to and run on the Mashup Server. This will be done via an external or internal WS-Messenger instance to which Mooshabaya subscribes before a monitoring session. The configuration required for subscribing to the WS-Messenger instance should be provided by the user at the mashup modeling stage. The mashup generation components then use this information to integrate monitoring constructs into the generated mashups; at runtime these constructs generate events targeted at the specified WS-Messenger instance.


Abstract System View

High Level Design

This view of the system depicts the major components within Mooshabaya, of which the mashup generation component is the most important. The mashup generation phase consists of the following key stages.

* Validation – validate the modeled workflow to check whether
* Core Mashup code generation – Implement the mashup with the service invocations based on the modeled workflow. This stage also integrates the other required stubs and the configuration files into the mashup.
* Feed Integration – Inject the mashup code for fetching feeds from data sources such as web feeds at mashup runtime.
* Eventing Integration – Inject the eventing-related mashup code that generates events during mashup execution.

Development

This is currently being carried out as a BSc. Computer Science Engineering final year project. The project is in the design stage, though some initial implementation work on mashup generation and service discovery has been done. Development will follow open source software development methodologies.

For more information on the project visit the following.

Project Site: http://sourceforge.net/projects/mooshabaya/

Project Wiki: http://mooshabaya.wikidot.com/

Project SVN: https://mooshabaya.svn.sourceforge.net/svnroot/mooshabaya


ISO27001 & its Business Value

Today most businesses rely on IT for their core business and administrative activities. Since IT systems play a central role in the management of sensitive corporate data, the information security these systems provide has become a very important concern. With the rapid rise of the internet and e-commerce, security requirements are now higher than ever.

For example, before the rise of web applications, organizations’ efforts to secure themselves against external attacks were largely focused on the network perimeter. Defending this perimeter entailed hardening and patching the services that it needed to expose, and firewalling access to others. Web applications have changed all of this. For an application to be accessible by its users, the perimeter firewall must allow inbound connections to the server over HTTP/S. And for the application to function, the server must be allowed to connect to supporting back-end systems, such as databases, mainframes, and financial and logistical systems. These systems often lie at the core of the organization’s operations and reside behind several layers of network-level defenses. If a vulnerability exists within a web application, then an attacker on the public Internet may be able to compromise the organization’s core back-end systems solely by submitting crafted data from his web browser. This data will bypass all of the organization’s network defenses, in just the same way as ordinary traffic to the web application does. Effectively, applications such as these have expanded the organization’s security perimeter, requiring it to divert more effort towards security hardening.

It goes without saying that information security breaches can have far-reaching effects on an organization on several fronts, including monetary loss and customer loyalty, as illustrated in the following case study.

A Case Study

The TJX Companies, Incorporated (NYSE: TJX), based in Framingham, Massachusetts, is the largest international home fashion departmental store chain in the United States. By 2004 the company had moved up to 141st position in the Fortune 500 rankings and was a $17 billion business. In 2007 TJX revealed that its systems had been compromised and some 45.7 million customer accounts had been affected. The biggest known theft of credit card numbers in history began in 2005 outside a discount clothing store near St. Paul, Minnesota. Hackers used a telescope-shaped antenna and a laptop to decode data streaming through the air between hand-held price-checking devices, cash registers and the store’s computers. Once in, they were able to penetrate further into the central database of TJX Cos. in Framingham. Over the next two years they were able to smuggle credit card data out of the system and sell or use it in fraudulent card transactions amounting to $8 million or more. [1]

What went wrong?

The following information was uncovered during a subsequent security analysis. [1]

* Loose compliance with regulatory standards such as PCI DSS (Payment Card Industry Data Security Standard) for storing and transmitting credit/debit card information.
* Store systems relied on a weak wireless security protocol (WEP).
* Lack of additional security measures such as firewalls and software patches on these systems.
* Track 2 data, such as account numbers, expiration dates and encrypted personal identification numbers, along with Social Security numbers and driver’s licenses, was stored for unusually long periods of time.
* Lack of clear segregation and access control for the critical information on TJX’s central servers, which made the information easily available to the attackers.

Aftermath

* A $9.75 million breach settlement with 41 states to cover the costs of investigating the incident.
* An initial budget of $100 million for security upgrades.
* Several customer lawsuits for damages.
* Heavily damaged customer loyalty and hence loss of business.

From this case study it is evident that a well-functioning information security framework within the organisation is necessary to prevent such security oversights, which can become very costly. This is where a standardised security management system becomes vital. ISO 27001 is especially important in this regard, since it is the international standard for establishing, maintaining and improving an Information Security Management System (ISMS).

Benefits of an ISO 27001 Implementation

From a technical perspective, the following benefits can be obtained from an ISO 27001 implementation.

* Interoperability – Suppose a multinational company has regional branches in China and the US. The security requirements of the systems may differ between these localities, and so will the security system implementations. If the overall organisational security policy states that all regional information security systems must comply with ISO 27001, then both branches, despite their very different backgrounds, can achieve a comfortable level of interoperability for secure business transactions, because they follow a common set of standardised guidelines.

* Quality assurance – Whether it is the organisation itself or its business partners, there should be some assurance of quality in the information security system, and hence in the organisation in general. With a suitable ISO 27001 implementation, management can be assured that they have a recognised framework for dealing with information security.

* Compliance – Certification against an international standard is desirable and creates a positive image of the organisation’s security policies among the stakeholders of the business. There is a well-defined path to certification, and it is the result of a continuous process rather than a one-off achievement.

* Benchmarking – An organisation can use ISO 27001 to measure its status against that of its competitors, and can emphasise its current standing and the improvements it makes relative to its rivals.

* Security awareness – Since ISO 27001 implementation and practice is a continuous process that engages organisational personnel in various security-related activities, it raises overall employee awareness of security. This is in fact one of the most important aspects of information security: a system is only as strong as its weakest link, and it has been shown repeatedly that an ill-informed user can be a great security risk no matter how many security systems are in place. So in this respect ISO 27001 is not just about security through software or physical infrastructure; it also encompasses influencing the behavioural and cultural aspects of the organisation. Significant change management processes can come into play in creating a security-aware culture, and in extreme cases some staff may even be laid off for non-compliant behaviour and resistance to the changes.

From a business perspective, the following benefits can be obtained from an ISO 27001 implementation.

* IT alignment of business processes – Proper ISO 27001 compliance requires good alignment between IT and business activities. Better IT alignment means increased efficiency in business processes, quicker response times and reduced costs.

* Avoidance and mitigation of damages – The TJX case study shows that the damages resulting from a lack of security can be very significant. These damages, in terms of money, lost sales and customer loyalty, have a significant adverse effect on profit margins. They also force the organisation to divert its energy to coping with the aftermath of the event, in the form of lawsuits, security consultations and so on, instead of focusing on its core business activities. With proper security mechanisms in place, such a breach might have been prevented, or at least detected earlier, limiting the damage. Since an ISO 27001 implementation requires the organisation to have plans in place to investigate and respond when a security breach happens, the organisation will be in a better position to handle such a situation.

* Increased profits – An ISO 27001 certificate demonstrates that the organisation can be trusted to secure customers’ data as well as its own. Corporate customers especially are likely to appreciate this commitment, which helps develop a positive image of the organisation. Having the ISO 27001 logo on company literature is a continual reminder to potential and existing customers that the organisation takes the confidentiality, integrity and availability of their information seriously. This drives higher customer satisfaction, new customers and increased profitability, and can even be leveraged as a competitive advantage over rival organisations. For example, in government tenders the government may favour organisations with sound security policies and may even include a certification such as ISO 27001 as a prerequisite.

* Cost-effective and rational security systems – Since the implementation requires clear identification of the organisation’s security environment and its specific security needs, only the required systems and processes are put in place, configured to suit the organisation’s security requirements. An organisation may have many technical safeguards, but a proper risk assessment may show that some of them provide little or no business benefit and would give a better return on investment if they were reconfigured to protect assets that require a higher level of protection. This avoids bloated (and therefore costly) and unnecessarily rigid (or, conversely, unnecessarily lenient) security systems and lets the organisation obtain the level of security it actually needs.

* Better employee relations – Clear policies and guidelines make things easier for staff, which increases employee satisfaction and may help reduce staff turnover. Better security awareness programmes, training and clear disciplinary procedures also induce greater professionalism among employees.

* Better risk planning – The information security strategy can be integrated with the overall organisational risk strategy, leading to a comprehensive platform on which risk planning decisions can be made.

References

[1] TJX Companies, Inc – http://publicloud.com/?p=368
[2] Calder, Alan and Watkins, Steve. IT Governance: A Manager’s Guide to Data Security and ISO 27001/ISO 27002, 4th ed., Kogan Page, London.
[3] The ISO27k FAQ – http://www.iso27001security.com/html/faq.html
