How to compose and orchestrate security provision across diverse and heterogeneous evolving infrastructures with legacy and non-legacy elements (that change over a long infrastructure lifespan)?
Composing security provision in any system is a hard problem. For instance, a longstanding principle is that of secure distributed composition, which states that when multiple sub-systems or components are composed, the resulting system must not weaken the security policies enforced by any of its components. Security policy enforcement approaches typically take an organisation- or network-centric view of security. These tend to be either obligation-driven or authorisation-driven [26]. In the former case, policies are actions enforced in response to particular events or stimuli within a system while, in the latter, they provide access control rules specifying whether a particular subject can (or cannot) legitimately access a particular object. Such approaches assume that the system, whether distributed or not, is under a single administrative control and that, even where platform or geographical boundaries are crossed, this happens within the control of a single organisation or a federated security management framework [8]. This is not the case for the digital infrastructures under discussion in this paper, which are globally interconnected, open-ended networked environments.
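The following Python sketch is an added illustration, not code from the paper or from reference [26], of the two policy styles named above and of the secure-composition principle. Two components ("ops" and "vendor" are constructed names) each enforce an authorisation-driven, default-deny policy; composing them by conjunction (deny-overrides) never grants a request that a component would deny, whereas composing by disjunction (permit-overrides) does, and the `weakens` check exposes exactly which requests leak through. An obligation-driven policy is modelled as event-to-action rules that fire on the outcome of the authorisation decision. All subjects, objects and rule names are assumptions for the example.

```python
"""Authorisation vs. obligation policies, and conservative composition.

Added example; policies, subjects and objects below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Request = Tuple[str, str, str]  # (subject, action, object)


@dataclass
class AuthzPolicy:
    """Authorisation-driven policy: explicit allow rules, everything else denied."""
    name: str
    allow: Set[Request] = field(default_factory=set)

    def decide(self, req: Request) -> bool:
        return req in self.allow


def compose_deny_overrides(policies: List[AuthzPolicy]) -> Callable[[Request], bool]:
    """Conjunction: permitted only if every component permits.
    This never weakens any component's policy (secure composition)."""
    return lambda req: all(p.decide(req) for p in policies)


def compose_permit_overrides(policies: List[AuthzPolicy]) -> Callable[[Request], bool]:
    """Disjunction: permitted if any component permits.
    This can weaken a component's policy and so violates the principle."""
    return lambda req: any(p.decide(req) for p in policies)


def weakens(composed: Callable[[Request], bool], component: AuthzPolicy,
            requests: List[Request]) -> List[Request]:
    """Requests the composed system allows but the component alone denies."""
    return [r for r in requests if composed(r) and not component.decide(r)]


@dataclass
class ObligationPolicy:
    """Obligation-driven policy: on a named event, perform each bound action.
    Each action receives the event context and returns a record of what it did."""
    rules: Dict[str, List[Callable[[dict], str]]] = field(default_factory=dict)

    def handle(self, event: str, ctx: dict) -> List[str]:
        return [action(ctx) for action in self.rules.get(event, [])]


def enforce(decide: Callable[[Request], bool], obligations: ObligationPolicy,
            req: Request, ctx: dict) -> Tuple[bool, List[str]]:
    """Authorise the request, then fire the obligations bound to the outcome."""
    allowed = decide(req)
    event = "access_granted" if allowed else "access_denied"
    subject, _, obj = req
    return allowed, obligations.handle(event, {**ctx, "subject": subject, "object": obj})


# --- constructed sample policies and obligation actions ---
def audit_log(ctx: dict) -> str:
    return f"audit:{ctx['subject']}:{ctx['object']}"


def notify_owner(ctx: dict) -> str:
    return f"notify:{ctx['owner']}"


OPS = AuthzPolicy("ops", {("alice", "read", "plc-config"),
                          ("bob", "write", "plc-config")})
VENDOR = AuthzPolicy("vendor", {("alice", "read", "plc-config"),
                                ("carol", "read", "plc-config")})
OBLIGATIONS = ObligationPolicy({"access_denied": [audit_log, notify_owner]})


if __name__ == "__main__":
    reqs = sorted(OPS.allow | VENDOR.allow)
    strict = compose_deny_overrides([OPS, VENDOR])
    loose = compose_permit_overrides([OPS, VENDOR])
    for comp in (OPS, VENDOR):
        print(comp.name, "weakened by deny-overrides:", weakens(strict, comp, reqs))
        print(comp.name, "weakened by permit-overrides:", weakens(loose, comp, reqs))
    print(enforce(strict, OBLIGATIONS, ("carol", "read", "plc-config"), {"owner": "ops"}))
```

The point of `weakens` is that it is a checkable property rather than an assumption: given the composed decision function and the set of requests of interest, it returns an empty list precisely when the composition respects the principle for that component. In the open-ended environments the paper discusses, the difficulty is that neither the full set of components nor their policies is known to a single administrator, so this check cannot be run by anyone.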
The challenge is further compounded by the cyber-physical nature of many constituent systems, where legacy hardware and software abound and security assurances can vary widely, from poorly designed network protocol stacks to access control models that do not enforce privileges at suitable levels. Furthermore, such environments are not static. Devices, systems and services can dynamically (and, increasingly, automatically) compose based on context and locality. Human actors are integral to these dynamics, and often catalyse the dynamic composition and delivery of services, e.g., through wearables that bridge multiple systems simultaneously. Consequently, security orchestration can, at best, be delivered through service-level agreements (SLAs). However, violation of such SLAs is often only detected post hoc. Furthermore, in a large set of scenarios, e.g., those involving untrusted or partially-trusted third-party systems, the specification, agreement and enforcement of an SLA is impossible.