SECURITY POLICY MANAGEMENT, THREAT ALLEVIATION AND TRUSTED PLATFORMS FOR EMBEDDED COMPUTING SYSTEMS
Security guarantees are a measure of the trust that can be placed in computing services to safeguard digital assets. These security goals and guarantees, together with the known and modeled threats to those assets, shape the security policies of a computing service. Creating, managing and implementing such policies is a challenge: the role of policy must be defined, a management principle must guide decision making when threats arise, and control over digital assets must be exercised in a well-defined manner. In this Ph.D. thesis we establish a causal relationship between security policies and threats, provide an industry-standard management framework (Six Sigma) for decision making, propose changes to the constructs of the Trusted Platform Module to create a control framework and, finally, show how the resulting security framework can be used in a commercial service.

When security policies are implemented implicitly, that is, scattered through the code and configuration of a service rather than stated as an explicit artifact, updating and refactoring them becomes a time-consuming and tedious task as threats evolve and the constructs of the service change. Building on the correlation of policies with threats, an explicit security policy implementation is proposed in which each policy is tied to the threats it counters, so that adaptability, testability and risk quantification remain achievable when threats evolve. In this study we explore policy-threat correlation on a Trusted Platform Module (TPM), a hardware component entrusted with security operations and guarantees. An effective TPM needs to adapt to evolving threats arising from firmware bugs or from the weakening of its cryptographic algorithms as attacks improve. Therefore, an adaptive TPM architecture is proposed to counter evolving threats by integrating an FPGA (Field Programmable Gate Array) block that allows the firmware to be patched and the cipher suite to be replaced.
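The explicit policy-threat correlation described above can be made concrete as a small model in which every policy declares the threats it counters, so that coverage gaps, residual risk and the policies affected by an evolving threat can be computed and tested rather than inferred from scattered code. The following is an added example written for this page, not code from the thesis; the threat names, likelihoods, impacts and effectiveness values are constructed assumptions, and the risk metric (likelihood times impact after the best available control) is a deliberately simple stand-in for the quantification the thesis proposes.

```python
from dataclasses import dataclass, field

# All threat and policy data below is constructed for illustration; the
# numbers are assumptions, not values taken from the thesis.


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float  # probability of occurrence over the assessment period, 0..1
    impact: int        # 1 (negligible) .. 5 (catastrophic)


@dataclass(frozen=True)
class Policy:
    """An explicit policy: a named control plus the threats it claims to counter."""
    control: str
    counters: frozenset          # names of the threats this control addresses
    effectiveness: float         # fraction of the threat's likelihood removed, 0..1


@dataclass
class PolicySet:
    threats: dict = field(default_factory=dict)   # threat name -> Threat
    policies: list = field(default_factory=list)  # ordered list of Policy

    def add_threat(self, threat: Threat) -> None:
        self.threats[threat.name] = threat

    def add_policy(self, policy: Policy) -> None:
        self.policies.append(policy)

    def coverage_gaps(self) -> list:
        """Threats that no policy claims to counter (testability: must be empty)."""
        covered = set().union(*(p.counters for p in self.policies))
        return sorted(set(self.threats) - covered)

    def residual_risk(self) -> float:
        """Sum of likelihood * impact per threat after applying the best control for it."""
        total = 0.0
        for t in self.threats.values():
            best = max((p.effectiveness for p in self.policies
                        if t.name in p.counters), default=0.0)
            total += t.likelihood * (1.0 - best) * t.impact
        return round(total, 3)

    def evolve_threat(self, name: str, likelihood: float = None,
                      impact: int = None) -> list:
        """Update a threat's parameters and return the controls that must be reviewed
        because they are correlated with it (adaptability when threats evolve)."""
        old = self.threats[name]
        self.threats[name] = Threat(
            name,
            old.likelihood if likelihood is None else likelihood,
            old.impact if impact is None else impact,
        )
        return [p.control for p in self.policies if name in p.counters]


def demo() -> dict:
    """Walk one policy set through a gap, a fix, and an evolving threat."""
    ps = PolicySet()
    ps.add_threat(Threat("firmware_bug", 0.3, 4))
    ps.add_threat(Threat("weak_cipher", 0.1, 5))
    ps.add_threat(Threat("malicious_app", 0.5, 3))
    ps.add_policy(Policy("firmware_patching", frozenset({"firmware_bug"}), 0.8))
    ps.add_policy(Policy("signed_app_distribution", frozenset({"malicious_app"}), 0.9))

    gaps_before = ps.coverage_gaps()          # ["weak_cipher"] is uncovered
    risk_before = ps.residual_risk()          # 0.24 + 0.5 + 0.15

    # Close the gap with a cipher-agility policy (the FPGA-backed cipher swap).
    ps.add_policy(Policy("cipher_agility", frozenset({"weak_cipher"}), 0.7))
    gaps_after = ps.coverage_gaps()
    risk_after = ps.residual_risk()           # 0.24 + 0.15 + 0.15

    # The cipher weakens as attacks improve: raise its likelihood and see
    # which controls are correlated with it and need review.
    to_review = ps.evolve_threat("weak_cipher", likelihood=0.6)
    risk_evolved = ps.residual_risk()         # 0.24 + 0.9 + 0.15

    return {
        "gaps_before": gaps_before, "risk_before": risk_before,
        "gaps_after": gaps_after, "risk_after": risk_after,
        "to_review": to_review, "risk_evolved": risk_evolved,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the mapping is explicit data, `coverage_gaps()` can run as a unit test in a build pipeline, and `evolve_threat()` answers the refactoring question the abstract raises: which controls are touched when a threat changes.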
We present how the security guarantees of an IT (Information Technology) infrastructure can be met using a TPM, and argue that it should therefore be an integral part of computing services alongside other security constructs such as firewalls, intrusion detection systems and anti-virus software. An adaptive security policy requires a management process in which the principles of risk management and cost effectiveness are made explicit; this is essential for deciding the trust criteria of digital assets within an industrial management framework. The security policy creation and management process presented in this thesis is based on the Six Sigma model and provides a method for adapting security goals and risk management to an industrial setting. As a concrete implementation of the security policy, the case of an application commerce workflow for developers is presented. Guarantees of secure application distribution and execution rest on the transfer of trust between the successive processes of a computing service, known in an embedded system as the Chain of Trust: each stage verifies the next before handing control to it. This study presents application development workflows that facilitate secure commerce of digital assets and thereby improve consumer trust.
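To make the Chain of Trust concrete, the following added example (written for this page, not code from the thesis or from any TPM vendor) models a measured boot in the style of TPM platform configuration registers: each stage is hashed, the hash is folded into a running register with the usual extend operation (new = H(old || measurement)), and each stage checks the next stage against an allowlisted digest before launching it. The stage images, the manifest and the register width are constructed assumptions; real TPMs use fixed PCR banks and firmware-specific measurement rules.

```python
import hashlib

# Constructed stage images standing in for a bootloader, a kernel and an
# application; the bytes are arbitrary and chosen only for this example.
STAGES = [
    ("bootloader", b"bootloader image v1"),
    ("kernel", b"kernel image v1"),
    ("app", b"signed application bundle v1"),
]


def measure(image: bytes) -> bytes:
    """Measurement of one stage: its SHA-256 digest."""
    return hashlib.sha256(image).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """PCR-style extend: the register only ever moves forward, so the final
    value commits to every measurement and to their order."""
    return hashlib.sha256(register + measurement).digest()


def build_manifest(stages) -> dict:
    """Allowlist of expected measurements, keyed by stage name. In a deployed
    system this would be signed by the vendor and verified before use."""
    return {name: measure(image) for name, image in stages}


def boot(stages, manifest) -> tuple:
    """Walk the chain: each stage verifies the next against the manifest
    before extending the register and transferring control.

    Returns (ok, register_hex, failed_stage). The register starts at all
    zeros, as a freshly reset PCR does.
    """
    register = bytes(32)
    for name, image in stages:
        m = measure(image)
        # Measure before verifying, so the register records what actually ran
        # even when verification fails and the boot is halted.
        register = extend(register, m)
        if manifest.get(name) != m:
            return False, register.hex(), name
    return True, register.hex(), None


def attest(stages, manifest, golden_hex: str) -> bool:
    """Remote-attestation view: a verifier holding the golden register value
    accepts only a chain whose final register matches it."""
    ok, reg_hex, _ = boot(stages, manifest)
    return ok and reg_hex == golden_hex


if __name__ == "__main__":
    manifest = build_manifest(STAGES)
    ok, golden, failed = boot(STAGES, manifest)
    print("clean boot:", ok, golden[:16])

    # Tamper with the kernel: the bootloader refuses to transfer control.
    tampered = [(n, b"kernel image v1 + implant" if n == "kernel" else i)
                for n, i in STAGES]
    print("tampered boot:", boot(tampered, manifest)[::2])

    # Reorder stages: every image is genuine, yet the register differs,
    # so attestation still fails because order is part of the chain.
    reordered = [STAGES[1], STAGES[0], STAGES[2]]
    print("reordered attests:", attest(reordered, manifest, golden))
```

The two failure modes shown are the ones a practitioner should test for: a modified image, which the local manifest check catches, and a correct set of images booted in the wrong order, which only the extend-based register value exposes.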