Early Access ArticlesEarly Access articles are new content made available in advance of the final electronic or print versions and result from IEEE's Preprint or Rapid Post processes. Preprint articles are peer-reviewed but not fully edited. Rapid Post articles are peer-reviewed and edited but not paginated. Both these types of Early Access articles are fully citable from the moment they appear in IEEE Xplore.
Cryptographic protocol standards are expected to provide strong, well-understood security guarantees. However, many standards still suffer from basic mistakes and well-known flaws. In three case studies, we illustrate how many of these flaws can be prevented by providing clear threat models and security property specifications. Such specifications pave the way for the application of existing formal analysis techniques and enable the precise evaluation and comparison of standards. View full abstract»
Tthe United States Air Force recently completed Cyber Vision 2025, its vision for cyberspace Science and Technology (S&T) for theto assured cyberspace advantage in the air, space, and cyberspace domains. This article summarizes characterizes key cyberspace threats and identifies strategies to assure Air Force systems from this strategic computing study. Cyber Vision 2025 articulates where the Air Force should lead, follow, and watch in partnership with others in science and technology in the near, mid, and far term. This article summarizes several security principles identified during the study and describes a research roadmap for cyberspace assurance. It briefly describes four cross-domain, integrating themes that are guiding Air Force S&T investments: mission assurance and empowerment, agility and resilience, optimized human-machine systems, and software and hardware foundations of trust. This article explains the rationale and key strategies with the intent that other large scale planning efforts will benefit following a similar course. View full abstract»
An Information Technology (IT) auditor collects information on an organization's information systems, practices, and operations and critically analyzes the information for improvement. One of the primary goals of an IT audit is to determine if the information system and its maintainers are meeting both the legal expectations of protecting customer data and the company standards of achieving financial successes against various security threats. These goals are still relevant to the newly emerging cloud computing model of business, but with a need for customization. We believe that there are clear differences between cloud and traditional IT security auditing, which is validated by our interviews with cloud security auditors. Therefore, this paper explores potential challenges unique to cloud security auditing. The paper also examines additional challenges specific to particular cloud computing domains such as banking, medical, and government sectors. Finally, we present emerging cloud-specific security auditing approaches and provide our critical analysis. View full abstract»
The author determines the software diversity needed to halt multiple simultaneous malware outbreaks on networked computing platforms and argues that diversity slows down persistent threats. View full abstract»
Modeling of system quality attributes, including security, is often done with low fidelity software models and disjointed architectural specifications by various engineers using their own specialized notations. These models are typically not maintained or documented throughout the life cycle and make it difficult to obtain a system view. However, a single-source architecture model of the system that is annotated with analysis-specific information allows changes to the architecture to be reflected in the various analysis models with little effort. We describe how model-based development using the Architecture Analysis and Design Language (AADL) and compatible analysis tools provides the platform for multi-dimensional, multi-fidelity analysis and verification. A special emphasis is given to analysis approaches using Bell-LaPadula, Biba, and MILS approaches to security and that enable a system designer to exercise various architectural design options for confidentiality and data integrity prior to system realization. View full abstract»
Aims & Scope
The primary objective of IEEE Security & Privacy is to stimulate and track advances in information assurance and security and present these advances in a form that can be useful to a broad cross-section of the professional community-ranging from academic researchers to industry practitioners. It is intended to serve a broad readership.
Meet Our Editors
Shari Lawrence Pfleeger