Title :
An Organization-Driven Approach for Enterprise Security Development and Management
Author :
Dai, Lirong ; Bai, Yan
Author_Institution :
Dept. of Comput. Sci. & Software Eng., Seattle Univ., Seattle, WA, USA
Abstract :
Enterprise security is a complex problem. Pure technology-driven development methods are not sufficient to solve a broad range of enterprise security issues. This paper analyzes the complexity of enterprise security and proposes an organization-driven approach for the problem. The approach combines a set of Unified Modeling Language-based approaches to bridge the gap between enterprise security architecture models and security application development models. It allows an enterprise to coordinate security resources from an enterprise point of view, and develop security applications systematically and efficiently. A comprehensive case study is conducted to illustrate the approach. The study shows that, through the refinement of enterprise security goals, both software goals and software requirements for a security application can be obtained. In particular, a security application is built to support the specification and automated verification of separation of duty access policies using the Object Constraint Language and the formal method Alloy.
Keywords :
Unified Modeling Language; authorisation; business data processing; formal specification; formal verification; organisational aspects; duty access policy; enterprise security architecture model; enterprise security development; enterprise security management; formal specification; formal verification; object constraint language; organization-driven approach; security application development model; technology-driven development; unified modeling language-based approach; Access control; Business; Computer architecture; Object oriented modeling; Software; Unified modeling language; Access Control; Enterprise Security; Organization-Driven;
Conference_Title :
Secure Software Integration and Reliability Improvement (SSIRI), 2011 Fifth International Conference on
Conference_Location :
Jeju Island
Print_ISBN :
978-1-4577-0780-3
Electronic_ISBN :
978-0-7695-4453-3
DOI :
10.1109/SSIRI.2011.25