Web software that is designed and deployed to collect end-user information and transmit it to a remote server destination is proliferating. This overall software paradigm spans many scenarios – from fully legitimate software updating and remote management, to profiling user surfing habits (i.e. adware), to illicitly collecting personal user-information (i.e. spyware). The research within this paper is based upon two research paradigms – a qualitative approach to explore the security challenge, followed by a design science approach to evolve an enhanced control solution. This solution comprises an information security management framework that extends existing code-signing conventions via an extended X.509 Version 3 digital certificate specifying: (1) whether the signed software transmits any information from the end-user machine to any remote destination, and if so (2) a concise summary of the type of this information and the remote destination address(es). This extended code-signing certificate is then used by the end-user’s operating system as the basis for a persistent security association which authenticates each outgoing Web transmission from each specific host-based software application. The security framework facilitates improved end-user management and regulatory governance of all Web communicated information transmitted from the user host computer.
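The certificate extension and the host-side outbound check described above, as an added Go example (not the paper's own code): the extension OID, the ASN.1 payload layout, the host names and the exact-match destination policy are assumptions, since the abstract does not specify them.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
// Assumed private-arc OID for the declaration extension; the paper fixes none.
var declarationOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
// Declaration is the extension payload: does the software transmit, what, and to where.
type Declaration struct {
	Transmits    bool
	InfoSummary  string
	Destinations []string
}
var SampleDeclaration = Declaration{true, "OS and product version", []string{"updates.example.com", "telemetry.example.com"}} // constructed sample
// IssueDeclaringCert self-signs a code-signing certificate carrying d as a non-critical
// v3 extension (throwaway Ed25519 key; a real deployment would use a CA-issued cert).
func IssueDeclaringCert(d Declaration) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	payload, err := asn1.Marshal(d)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Updater"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		ExtraExtensions: []pkix.Extension{{Id: declarationOID, Value: payload}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
// AllowOutbound is the host-side check on one outgoing connection: permit it only if the
// signer's certificate declares transmission and lists host (exact match) as a destination.
func AllowOutbound(c *x509.Certificate, host string) bool {
	var d Declaration // stays zero-valued (Transmits=false) when no declaration is present
	for _, e := range c.Extensions {
		if !e.Id.Equal(declarationOID) { continue }
		if rest, err := asn1.Unmarshal(e.Value, &d); err != nil || len(rest) != 0 { return false }
	}
	for _, h := range d.Destinations {
		if d.Transmits && h == host { return true }
	}
	return false // absent, malformed or non-transmitting declaration, or undeclared host
}
```

The check is default-deny: a certificate without the extension, or one whose payload fails to parse cleanly, authorises no outbound transmission at all.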
Keywords: Information, security, management, privacy
ISBN: 978-1-86435-644-1; Full paper
Clutterbuck, Peter and Rowlands, Terry, "An Extended Public Key Infrastructure Framework For Host-Based Information Security Management" (2011). PACIS 2011 Proceedings. 48.