
Enterprise Level Security

Securing Information Systems in an Uncertain World, 1st Edition

By William R. Simpson

Auerbach Publications

397 pages | 112 B/W Illus.

Hardback: 9781498764452
pub: 2016-05-13
eBook (VitalSource) : 9780429084072
pub: 2016-04-27



Enterprise Level Security: Securing Information Systems in an Uncertain World provides a modern alternative to the fortress approach to security. The new approach is more distributed and has no need for passwords or accounts. Global attacks become much more difficult, and losses are localized, should they occur. The security approach is derived from a set of tenets that form the basic security model requirements. Many of the changes in authorization within the enterprise model happen automatically. Identities and claims for access occur during each step of the computing process.

Many of the techniques in this book have been piloted. These techniques have been proven to be resilient, secure, extensible, and scalable. The operational model of a distributed computer environment defense is currently being implemented on a broad scale for a particular enterprise.

The first section of the book comprises seven chapters that cover basics and philosophy, including discussions on identity, attributes, access and privilege, cryptography, the cloud, and the network. These chapters contain an evolved set of principles and philosophies that were not apparent at the beginning of the project.

The second section, consisting of chapters eight through twenty-two, contains technical information and details obtained by making painful mistakes and reworking processes until a workable formulation was derived. Topics covered in this section include claims-based authentication, credentials for access claims, claims creation, invoking an application, cascading authorization, federation, and content access control. This section also covers delegation, the enterprise attribute ecosystem, database access, building enterprise software, vulnerability analyses, the enterprise support desk, and network defense.

Table of Contents


Problem Description

What Is Enterprise Level Security?

Distributed versus Centralized Security

Crafting a Security Model

Entities and Claims

Robust Assured Information Sharing

Key Concepts

Two Steps Forward and One Step Back

The Approximate Time-Based Crafting




Who Are You?


Identity and Naming: Case Study

Implications for Information Security


Identity Summary


Facts and Descriptors

An Attribute Ecosystem

Data Sanitization

Temporal Data

Credential Data

Distributed Stores

Access and Privilege

Access Control

Authorization and Access in General

Access Control List

Complex Access Control Schemas


Concept of Least Privilege



Cryptographic Keys and Key Management

Symmetric Keys

Store Keys

Delete Keys


Symmetric versus Asymmetric Encryption Algorithms


Hash Function


A Note on Cryptographic Key Lengths

Internet Protocol Security

Other Cryptographic Services

The Java Cryptography Extension

Data at Rest

Data in Motion

The Cloud

The Promise of Cloud Computing

Benefits of the Cloud

Drawbacks of Cloud Usage

Challenges for the Cloud and High Assurance

Cloud Accountability, Monitoring, and Forensics

Standard Requirements for Cloud Forensics

The Network

The Network Entities


Claims-Based Authentication

Authentication and Identity

Credentials in the Enterprise

Authentication in the Enterprise

Infrastructure Security Component Interactions

Compliance Testing

Federated Authentication

Credentials for Access Claims

Security Assertion Markup Language

Access Control Implemented in the Web Service

Establishing Least Privilege

Default Values

Creating an SAML Token

Scaling of the STS for High Assurance Architectures

Rules for Maintaining High Assurance during Scale-Up

Claims Creation

Access Control Requirements at the Services

Access Control Requirement

Enterprise Service Registry

Claims Engine

Computed Claims Record

Invoking an Application

Active Entities

Claims-Based Access Control

Establishing Least Privilege

Authorizing the User to the Web Application

Authorizing a Web Service to a Web Service

Interaction between Security Components

Cascading Authorization

Basic Use Case

Standard Communication

Pruning Attributes, Groups, and Roles

Required Escalation of Privilege

Data Requirements for the Pruning of Elements

Saving of the SAML Assertion

SAML Token Modifications for Further Calls

An Annotated Notional Example

Additional Requirements

Service Use Case Summary



Elements of Federated Communication

Example Federation Agreement

Access from Outside the Enterprise

Trusted STS Store

Trusted STS Governance

Content Access Control

Authoritative and Nonauthoritative Content

Content Delivery Digital Rights Management

Mandatory Access Control

Access Control Content Management System

Enforcing Access Control

Labeling of Content and Information Assets

Conveying Restrictions to the Requester

Enforcing/Obtaining Acknowledgment of Restrictions


Content Management Function

Components of a Stored Information Asset

Additional Elements for Stored Information Assets

Key Management Simplification

Import or Export of Information Assets


Delegation Service

Service Description for Delegation

Form of Extended Claims Record

Special Delegation Service

The Enterprise Attribute Ecosystem

User and Data Owner Convenience Functions

Attribute Ecosystems Use Cases

Attribute Ecosystem Services

Database Access

Database Models

Database Interfaces and Protocols

Overall Database Considerations

Enterprise Resource Planning Business Software

ERP as a Legacy System

Hardening of ERP Database Systems

Building Enterprise Software

Services Types

Functionality of All Services

Service Model

Enterprise Services Checklist

Enterprise Service Registry

Service Discovery: Manual and Automated

Additional Considerations


ELS Interface

Access Control List

Vulnerability Analyses

Vulnerability Causes

Related Work

Vulnerability Analysis

Flaw Remediation


An Enterprise Support Desk


Data Repository System

Information for Service Monitoring

Centralized Repository

Services by Type

Data Keeping Requirements

Naming Schema

Monitor Activities

Help Desk Breakdown

Customer Support and Help Desk

Levels of Service

Using the Knowledge Repository

ESD Summary

Network Defense

Expected Behavior


Current Protection Approaches

An Alternative to Private Key Passing

A Distributed Protection System

Next Steps for Appliances

Appliances That Change Content

Appliances: A Work in Progress

Concluding Remarks

Where We Have Been and Where We Are Going

Understanding the Approach

About Those Takeaways



About the Author

Dr. William R. Simpson earned his bachelor of science in aerospace engineering from Virginia Polytechnic Institute and State University, a master of science and a doctor of philosophy in aeronautical and astronautical engineering from Ohio State University, and a master of science in administration from George Washington University. He has held academic positions at George Mason University, Old Dominion University, the University of Maryland, and Ohio State University. He has held industry positions at the US Naval Air Test Center, the Center for Naval Analyses, the ARINC Research Corporation, and the Institute for Defense Analyses.

Subject Categories

BISAC Subject Codes/Headings:
COMPUTERS / Information Technology
COMPUTERS / Security / General
POLITICAL SCIENCE / Political Freedom & Security / International Security