Information technology has an enormous influence in many enterprises. Computers have not only become important devices that people rely on in their daily lives and work, but have also become essential tools for enterprises. More and more enterprises have shifted their focus to how to prevent outer forces from invading and stealing from networks. However, many enterprises have disregarded the significance of internal leaking, which also plays a vital role in information management. This research proposes an information security management approach that is based on context-aware role-based access control (RBAC) and communication monitoring technology, in order to achieve enterprise information security management. In this work, it is suggested that an enterprise may, first, use an organizational chart to list job roles and corresponding permissions. RBAC is a model that focuses on different work tasks and duties. Subsequently, the enterprise may define a security policy to enforce the context-aware RBAC model. Finally, the enterprise may use communication monitoring technology in order to implement information security management. The main contribution of this work is the potential it provides to both reduce information security incidents, such as internal information leakage, and allow for effective cost control of information systems.
Nowadays, in the workplace, information technology has an enormous influence on many enterprises. Computers have not only become important devices that people rely on in their daily lives and at work, but have also become essential tools for enterprises. However, while advantages come with the prevalence of information technologies, disadvantages also present themselves. More and more enterprises have had to shift their focus to how to prevent outer forces from invading and stealing from their networks. However, a number of firms have disregarded the significance of internal leaking, which plays a vital role in information management [
With the development of information technology, more and more information products have been developed. With the advent of new information equipment, system administrators should have the ability to improve information security management policies. Each modification of an information security management policy will take a lot of time. Defining a management approach is therefore necessary for any enterprise [
Role-based access control (RBAC) has become a widely accepted access control mechanism for security management [
However, the funds that can be invested in information security monitoring and control equipment are limited for small and medium enterprises. Given this, this research proposes an information security management approach that is based on context-aware role-based access control (RBAC) and communication monitoring technology. This research adopts RBAC in order to use limited resources to achieve comprehensive planning and to avoid unnecessary waste and expense. According to our information security management policy, the system gives different permissions to different roles and adopts different information monitoring devices to control those with different roles. The main objective of this work is to use minimal resources for the deployment and implementation of an information security management policy in order to achieve effective management.
The remainder of this paper is organized as follows. Section
The related literature covers information security management, access control models, context-aware control models, and communication monitoring technology.
Information security refers to the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure confidentiality, integrity, and availability [
Access control determines whether a user has permission to access a service when he or she requests this service. The most common access control policies contain discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC) [
Access control avoids unauthorized access to information or information processing facilities in order to reduce threats. A role-based access control model more efficiently manages a large number of users. RBAC is a practical solution to the distributed environment [
Dey and Abowd define context as any information that can be used to characterize the situation of an entity [
Bill and Marvin describe context-aware application software as software that adapts according to its location of use, the nearby people and objects, and the changes to those objects over time [
According to the 2007 electronic monitoring and surveillance survey conducted by the American Management Association (AMA) and the ePolicy Institute, more than one-fourth of employers have fired workers for misusing e-mail, and nearly one-third have fired employees for misusing the Internet [
Legal, organizational, social, and technical methods are often taken by enterprises to prevent information leakage [
The research design of this work is illustrated in Figure
Research design.
In this section, an enterprise information security management model is described. The enterprise information security management model is based on context-aware role-based access control and communication monitoring technology. The context-aware role-based access control (RBAC) model for enterprise information security management includes the users, roles, control groups, permissions, sessions, context information, and information security policy, as shown in Figure
Context-aware RBAC model for enterprise ISMS.
What follows is a detailed description of each component.
This study proposes an information security management model that is applicable to all kinds of enterprises, rather than only to the information technology industry. Because the threat of information security does not only exist in some specific industries, there is a demand for information security in various industries. Therefore, this research classifies all common roles/job positions in current industries. According to the job category of 104 Job Bank in Taiwan, this work divides roles into two types, that is, roles that require the use of IT equipment and roles that do not require the use of IT equipment. Roles that do not require information equipment are beyond the scope of our study. Therefore, this study only defines an information security policy in order to reduce information leakage for roles that require the use of information equipment.
The proposed context-aware RBAC model for enterprise ISMS is an extension of the RBAC model, and the main difference is the combination of context information, information security policy, and a novel element, that is, a control group, to allow various enterprises to improve information security management. Whether a user has the right to operate certain resources or objects is based on their respective roles. In addition, the information security policy should be satisfied and in compliance with related communication monitoring technology. A flowchart of the proposed architecture is shown in Figure
Flowchart of proposed architecture.
The research analyzes common ways in which information is leaked in enterprises. In general, a user wants to bring files out of the enterprise. The available ways are USB flash disks, file transfer protocol (FTP) transmissions, instant messaging (IM) software, e-mail, peer-to-peer (P2P) approaches, web or cloud systems, CD writers, and so on. Therefore, this work defines several information security policies to avoid information leakage and proposes some related communication monitoring technologies to achieve effective information security management.
Based on related communication monitoring technologies, this research defines twelve control groups. Each control group contains a variety of roles, and the permissions for each role should be satisfied by the communication monitoring technology. A detailed description of each control group and its corresponding communication monitoring technology is given in the following.
Permissions for web browsing.
Control group | Roles | Communication monitoring technology
---|---|---
Web behavior control | Operations staff, Human resource staff, Administrative staff, General staff, Legal staff, Marketing staff, Planning staff, Project management staff, Sales staff, Trade staff, System development staff, Maintenance staff, Logistics staff, Drawing staff, Design staff, Text staff, Media dissemination staff, Research staff, Financial staff | Webpage browsing/record/block
Permissions for IM software.
Control group | Roles | Communication monitoring technology
---|---|---
IM communication management | Operations staff, Human resource staff, Administrative staff, General staff, Legal staff, Marketing staff, Project management staff, Sales staff, Trade staff, System development staff, Text staff, Research staff, Financial staff | Record instant messaging content/block file transfers
This research adopts a firewall or antivirus strategy to defend against external attacks. However, internal information leakage cannot be prevented by the previously mentioned approaches. If a user sends confidential data out by mail, the results of years of work may become vital information for competitors. The system manager can adopt mail filtering management technology in order to avoid this situation. The system administrator can define specific keywords, sender accounts, receiver accounts, function variables, mail subjects, or content to block users from sending mail. Detailed permissions for the mail filtering control group are shown in Table
Permissions for mail.
Control group | Roles | Communication monitoring technology
---|---|---
Mail filtering management | Operations staff, Human resource staff, Administrative staff, General staff, Legal staff, Marketing staff, Planning staff, Project management staff, Sales staff, System development staff, Trade staff, Research staff, Financial staff | Mail auditing/record/release/block
Permissions for document usage.
Control group | Roles | Communication monitoring technology
---|---|---
DRM management | Marketing staff, Sales staff | Read/bring out/open/
Permissions for web browsing.
Control group | Roles | Communication monitoring technology
---|---|---
Wireless network management | Operations staff, Marketing staff, Project management staff, Planning staff, Sales staff, Text staff, Media dissemination staff | Allowed to use the wireless network
Permissions for USB device.
Control group | Roles | Communication monitoring technology
---|---|---
USB device management | Operations staff, Marketing staff, Project management staff, Sales staff, System development staff, Drawing staff, Design staff, Research staff, Financial staff | USB device
Permissions for P2P usage.
Control group | Roles | Communication monitoring technology
---|---|---
P2P usage control | Operations staff, Human resource staff, Administrative staff, General staff, Legal staff, Marketing staff, Planning staff, Project management staff, Sales staff, Trade staff, System development staff, Maintenance staff, Logistics staff, Drawing staff, Design staff, Text staff, Media dissemination staff, Research staff, Financial staff | Block P2P related software
Permissions for file transfer.
Control group | Roles | Communication monitoring technology
---|---|---
File transfer control | Operations staff, Human resource staff, Administrative staff, General staff, Legal staff, Marketing staff, Planning staff, Project management staff, Sales staff, Trade staff, System development staff, Maintenance staff, Logistics staff, Drawing staff, Design staff, Text staff, Media dissemination staff, Research staff, Financial staff | File transfer
Permissions for CD/DVD read and write.
Control group | Roles | Communication monitoring technology
---|---|---
CD/DVD read and write control | Operations staff, Marketing staff, Project management staff, Sales staff, System development staff, Drawing staff, Design staff, Research staff, Financial staff | CD/DVD rom
Permissions for web browsing.
Control group | Roles | Communication monitoring technology
---|---|---
Cloud storage system control | Operations staff, Human resource staff, Administrative staff, General staff, Legal staff, Marketing staff, Planning staff, Project management staff, Sales staff, Trade staff, System development staff, Maintenance staff, Logistics staff, Drawing staff, Design staff, Text staff, Media dissemination staff, Research staff, Financial staff | Block cloud service connections
Permissions for terminal data control.
Control group | Roles | Communication monitoring technology
---|---|---
Terminal data control | Operations staff, Human resource staff, Administrative staff, General staff, Legal staff, Marketing staff, Planning staff, Project management staff, Sales staff, Trade staff, System development staff, Maintenance staff, Logistics staff, Drawing staff, Design staff, Text staff, Media dissemination staff, Research staff, Financial staff | Backup data of computer equipment
Permissions for web streaming media.
Control group | Roles | Communication monitoring technology
---|---|---
Web stream media control | Operations staff, Administrative staff, General staff, Legal staff, Marketing staff, System development staff, Maintenance staff, Text staff, Media dissemination staff, Research staff | Setting usage time of stream media
This section, first, demonstrates the proposed model, which combines a context-aware role-based access control model with communication monitoring technology for enterprise information security management and, second, presents the system’s architecture. Moreover, a relevant discussion between traditional management approaches and the proposed information security auditing system will be presented.
The research simulates an information security management system (ISMS), the system architecture of which is shown in Figure
System architecture of enterprise ISMS.
Most of the operating systems used in current enterprise information systems are Microsoft Windows. In order to manage user accounts and privileges effectively, system administrators usually adopt domain management to manage domain computers. When a domain user logs on, a domain account, that is, a user ID, is required. This study adopts a unique domain account with a group policy object (GPO) to log in to the system. When a user logs on to the system from an active directory (AD) server, the proposed control model mentioned in Section
System flow of enterprise ISMS.
Traditional information security management is passive. The system administrator must define different control rules for all information equipment in various systems. Typically, the system administrator spends a lot of time defining various permissions and auditing methods. Even so, incorrect permission settings or missing control items often occur. For this reason, traditional information security management presents complicated work for system administrators. For example, the network architecture of the case-study company M is illustrated in Figure
Network architecture of case company M.
Company M is a small and medium enterprise (SME) and has only one factory, in Hsinchu Science Park in Taiwan. There are 80 PCs and 10 servers in company M. The case company adopts “TrendMicro OfficeScan” as the antivirus software and “Scanmail For Exchange” for the mail server. The security policy of the case company consists of server control, antivirus software, and a firewall. The security administrator defined various permissions and auditing methods on different servers. In addition, the company did not implement other policies, such as IM communication management, USB device management, and P2P usage control.
The proposed enterprise information security management system is a comprehensive framework based on context-aware RBAC and communication monitoring technology. Based on the characteristics of context-aware RBAC, the proposed enterprise information security management would significantly reduce the workload of system administrators. In place of the complicated work described previously, managers would confirm user-role assignments and the proposed system would automatically import the information security policy. Given that each role is assigned to certain control groups, the system would adopt, enforce, monitor, and audit the relevant communication monitoring technologies. Moreover, the monitoring equipment required for information security management can be purchased cost-effectively and deployed only for the controlled roles. Other roles, which do not need to be monitored because they do not present a threat in terms of information leakage, would not require monitoring equipment. For this reason, an enterprise can reduce the cost of information security implementation and thereby reduce the system computing load. Comparisons between traditional information security management approaches and the proposed approach are shown in Table
Comparisons between traditional ISMS and proposed ISMS.
Item | Traditional ISMS | Proposed ISMS
---|---|---
Management approach | Passive | Active
System management | More complicated | More convenient
Strictness of security | Loose | Strict
Permission management | Complex | Simple
Audit trail setting | To be set in different monitoring devices | Simply define needed control items as per roles
Licensed count of equipment | Unable to effectively control | Able to use limited number of licenses in required control
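The following added example (not code from the paper or the case company) encodes three of the control groups from the tables above and shows the policy-import step described in the previous section: from a user's roles and logon context it derives the control groups and monitoring technologies to enforce, and counts the licenses each technology needs. The `Session`/`context` shape and the assumption that the policy only applies after a domain (AD) logon are this example's own.

```python
from dataclasses import dataclass, field

# Three of the paper's twelve control groups, taken from its tables:
# name -> (roles placed under the group, communication monitoring technology).
CONTROL_GROUPS = {
    "USB device management": (
        {"Operations staff", "Marketing staff", "Project management staff",
         "Sales staff", "System development staff", "Drawing staff",
         "Design staff", "Research staff", "Financial staff"},
        "USB device"),
    "Wireless network management": (
        {"Operations staff", "Marketing staff", "Project management staff",
         "Planning staff", "Sales staff", "Text staff",
         "Media dissemination staff"},
        "Allowed to use the wireless network"),
    "Mail filtering management": (
        {"Operations staff", "Human resource staff", "Administrative staff",
         "General staff", "Legal staff", "Marketing staff", "Planning staff",
         "Project management staff", "Sales staff", "System development staff",
         "Trade staff", "Research staff", "Financial staff"},
        "Mail auditing/record/release/block"),
}


@dataclass
class Session:
    """An RBAC session: a user, the roles activated for them, and context."""
    user: str
    roles: set
    context: dict = field(default_factory=dict)


def active_control_groups(session):
    """Control groups whose technology must be enforced for this session.
    Assumption (not stated by the paper): the policy is imported only once the
    user has logged on with a domain (AD) account, which is the context checked."""
    if not session.context.get("domain_logon"):
        return set()
    return {name for name, (roles, _) in CONTROL_GROUPS.items()
            if session.roles & roles}


def monitoring_for(session):
    """Monitoring technologies the system should adopt for this session."""
    return {CONTROL_GROUPS[name][1] for name in active_control_groups(session)}


def license_plan(sessions):
    """Licenses needed per technology: one per user under at least one control
    group that uses it (the 'Licensed count of equipment' item in the table)."""
    plan = {}
    for session in sessions:
        for tech in monitoring_for(session):
            plan[tech] = plan.get(tech, 0) + 1
    return plan
```

A user with a role outside every encoded group (for example Maintenance staff) needs none of these three technologies, which is the cost saving the paper claims.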
With the progress of information technology, more and more systems, software, and technologies are able to bypass the controls of information security monitoring devices. Given this, a significant challenge for system administrators is the effective management of information equipment and the protection of all information assets in an enterprise. This research proposes a novel enterprise information security management model based on context-aware role-based access control and communication monitoring technology. By defining an information security policy and implementing it with monitoring technology, enterprises will be able to achieve effective information security management.
The planning of the system architecture demonstrates the effectiveness of simply defining the needed control items based on roles. The main contributions of this work lie in its ability to reduce information security incidents, such as internal information leakage, and to achieve effective cost control of information systems. Furthermore, given that different organizations have different information security policies, objectively defining a complete information security policy allows the proposed model to be implemented in various enterprises. Future research could take more information monitoring technologies into account.