Mr Zachariya Kamagate, from the computer science department (INFO) and the Lab-STICC laboratory, will present his research on:
"Integrating Security Into A Risk-Based Enterprise Architecture Framework"
Current societies and the modern economy depend heavily on software systems and their interconnection, which make it possible to manage and coordinate complex actions in order to satisfy, among other things, the performance and productivity needs of the company. However, these systems have become critical elements of these organizations and are at the heart of security concerns. Indeed, they are most often the target of cyberattacks aimed at taking control of them, obtaining sensitive data and information, or destroying them. Addressing security and risk issues across the overall software systems development life cycle is a difficult task. Most often, there is a gap between the security specifications defined during the requirements phase and the security actually implemented during the implementation phase. This is due to traditional development methods, which are ineffective given the complexity of today's systems, the vulnerabilities resulting from their development, and the way these systems interact within the organization. This thesis focuses on a new approach to integrating security as a key component of software system architecture, based on risk assessment and using the Enterprise Architecture (EA) framework TOGAF as a basis for defining the system models, together with the Model Driven Architecture (MDA) of the Model-Driven Engineering (MDE) approach as a development tool. The thesis proposes a methodology, combining the STRIDE and EBIOS methods, for identifying company-specific risks while taking contextual factors and threats into account. Using MDA allows these risks to be modeled as a context linked to the business, logical and physical architectures of the EA, in accordance with the CIM, PIM and PSM abstraction levels of MDA. This gives a better understanding of the interdependencies between functional and security components.
Security integration is considered from the requirements and system architecture design phases onward, using EA-based security models and architectural patterns. MDA helps automate the integration process by refining the respective models and substituting security components, thus ensuring consistency between models and implementations. The proposal thereby aims to bring together technical and business points of view on information security. To experiment with the proposed framework, an e-Commerce case study was conducted to evaluate its relevance and verify its applicability using MDA tools for code generation. Ultimately, this thesis contributes to the convergence of Enterprise Architecture, IT security and Model-Driven Engineering (MDE) by providing an innovative methodological framework. Integrating security on the basis of risk assessment is becoming an imperative for organizations seeking to preserve the confidentiality, integrity and availability of their IT systems while remaining agile in the face of emerging threats, all supported by contextual models.
As part of the joint thesis accreditation between IMT Atlantique and the SPIN doctoral school.
Keywords: Software Architecture, Model Driven Engineering, Enterprise Architecture, IS Security, Risk Management