Title :
Operational security assurance evaluation in open infrastructures
Author :
Haddad, Sammy ; Dubus, Samuel ; Hecker, Artur ; Kanstrén, Teemu ; Marquet, Bertrand ; Savola, Reijo
Author_Institution :
Telecom ParisTech, Oppida, France
Abstract :
Measuring and evaluating cyber security is of primary importance in IT systems. The fundamental need to assess the validity and effectiveness of security choices is growing. One of the main accepted approaches to this problem is a standardized offline security assurance evaluation. However, this method is static and time-consuming, and it does not scale well to complex and dynamic Telco systems. As such, it does not apply to a continuous security assurance assessment for today's complex operational systems. In this paper, we present a methodology together with the required tools for the operational security assurance assessment of Telco services. Our methodology enables (i) the definition and instantiation of a security Assurance Profile, and (ii) the use of a flexible measurement framework and a security cockpit for operational assurance metrics evaluation. The Assurance Profile gives the security expert community a framework to collect descriptions and architectures of typical security mechanisms, and to establish best practices on operational security assurance requirements and measurements for these architectures. The distributed dedicated measurement framework and the security assurance cockpit, as integral parts of the operational assurance assessment process, provide specifically adapted tools to evaluate operational security assurance on targeted systems.
Keywords :
information systems; security of data; IT system; Telco service; continuous security assurance assessment; cyber security; open infrastructure; operational assurance assessment process; operational security assurance assessment; operational security assurance evaluation; operational security assurance requirement; security assurance cockpit; security assurance profile; standardized offline security assurance evaluation; Computer architecture; Measurement; Probes; Risk analysis; Security; Software; Standards
Conference_Title :
Risk and Security of Internet and Systems (CRiSIS), 2011 6th International Conference on
Conference_Location :
Timisoara
Print_ISBN :
978-1-4577-1890-8
Electronic_ISBN :
978-1-4577-1889-2
DOI :
10.1109/CRiSIS.2011.6061831