Title:
Quantifiable Security Metrics for Large Scale Heterogeneous Systems
Authors:
Naqvi, Syed; Riguidel, Michel
Abstract:
The exponential growth of information technology and the prospect of increased public access to computing, communications, and storage resources have made these systems more vulnerable to attacks. The use of heterogeneous devices and communication links has become common practice, which further exacerbates the management of the security services of these systems. A widely accepted management principle is that an activity cannot be managed if it cannot be measured. Security also falls under this rubric. However, the complexity of today's large scale heterogeneous systems makes it impossible to measure their security by simple examination. Moreover, for most users it is hardly possible to conduct the more detailed checks that are necessary for a qualified evaluation, as they cannot afford the expenditure this would entail. The need to protect these systems is fueling the need for quantifiable security metrics that determine the exact level of security assurance. In this article, we identify those entities of a large scale heterogeneous system that enforce the security services and also those that are relevant to the security services. We filter out the measurable entities to simplify the metrics tree with optimal granularity. These entities serve as probes for the evaluation of the overall security assurance of the system. Based on these probes, topological and dependency graphs of the overall system are evaluated and federated for the system security cockpit, which represents the interface through which the administrator performs the operations necessary to obtain and maintain a particular security assurance level for a specified service. In order to provide a comprehensive and evaluative description of the various functions of our model, we give a use case example of a telecommunication service: voice over the Internet protocol (VoIP).
Keywords:
Internet telephony; large-scale systems; security of data; telecommunication security; VoIP; large scale heterogeneous systems; large scale open architectures; quantifiable security metrics; security assurance level; security measurements; voice over the Internet protocol; Communication system security; Information security; Information technology; Large-scale systems; Performance evaluation; Probes; Protection; Telecommunication services; Tree graphs; Web and internet services
Conference_Title:
Carnahan Conferences Security Technology, Proceedings 2006 40th Annual IEEE International
Conference_Location:
Lexington, KY
Print_ISBN:
1-4244-0174-7
DOI:
10.1109/CCST.2006.313452