Article
Peer-Review Record

Endpoint Device Risk-Scoring Algorithm Proposal for Zero Trust

Electronics 2023, 12(8), 1906; https://doi.org/10.3390/electronics12081906
by Ui Hyun Park †, Jeong-hyeop Hong †, Auk Kim * and Kyung Ho Son *
Submission received: 8 February 2023 / Revised: 11 April 2023 / Accepted: 14 April 2023 / Published: 18 April 2023

Round 1

Reviewer 1 Report

The paper presented a risk-scoring method and system.

The reasons for rejecting are listed:

(1) All the references must be written in English. But at least ref.[7] is in your own language. 

(2) ZeroTrust requires dynamic monitoring and authenticating of users. I do not understand why you want to evaluate device security in ZeroTrust. In trusted computing, the environment like device should be evaluated during user authentication. But it is not related to ZeroTrust.

The paper did not give the strong motivation and did not give the clear scenario to be studied.

(3) Environment in CVSS is an important item. User role and resource access rights can be regarded as a special environment. Your scoring method is not clearly described.

Author Response

Response to Reviewer 1 Comments

Dear Reviewer,

Thank you for your feedback on our paper titled "Endpoint Device Risk-Scoring Algorithm Proposal for ZeroTrust". We appreciate your time and effort in reviewing our work. Please find our responses to each of your points below.

Point 1: All the references must be written in English. But at least ref.[7] is in your own language.

Response 1: Please accept our sincere apologies for the oversight of including a reference in the English language. We have removed the reference and replaced it with an alternative in English, as shown below.

Lee, H.j.; Son, K.h. A Study on a Smart City Supply Chain Security Model Based on Zero-Trust. Journal of the Korea Institute of Information Security & Cryptology 2022, 32, 123–140.

to

Department of Defense Chief Information Officer. Department of Defense Zero Trust Strategy. https://dodcio.defense.gov/Portals/0/Documents/Library/DoD-ZTStrategy.pdf, 2020.

 

Point 2: ZeroTrust requires dynamic monitoring and authentication of users. I do not understand why you want to evaluate device security in ZeroTrust. In trusted computing, the environment like device should be evaluated during user authentication. But it is not related to ZeroTrust.

Response 2: We are aware that there was some confusion regarding the evaluation of the device security in the context of Zero Trust. To provide a stronger motivation, we have revised the introduction and included scenarios to explain the applicability of our research. The main revisions can be found in the Introduction and Related Work sections. In the introduction, we discuss the motivation for the evaluation based on the user role and the necessity of device inspection and assessment in Zero Trust's trust algorithms. We have strengthened the research motivation through revisions and examples.

 

Point 3: Environment in CVSS is an important item. User role and resource access rights can be regarded as a special environment. Your scoring method is not clearly described.

Response 3: Thank you for your insightful comments and suggestions. We would like to address your concerns regarding the use of user roles and resource access permissions in our study.

We acknowledge that user roles and resource access permissions can be considered as environmental factors in CVSS. However, the scoring system we utilize in our study is CCSS, not CVSS. It appears that our submitted manuscript may have lacked clear readability and sufficient explanation about CCSS.

Unlike CVSS, which represents vulnerabilities in the source code, CCSS evaluates the vulnerabilities of security configurations. CCSS environment metrics can consider various factors such as the 'degree of overall system damage caused by users' and the 'impact on CIA when significantly deviating from best-practice settings'. To use CCSS, a universal standard for evaluation is required. In companies with diverse business environments and stakeholders, Environmental Metrics are limited in providing the same evaluation criteria. Thus, the results for the environment can vary significantly among experts utilizing CCSS. Consequently, the trend for CCSS is to follow best practices and only use Base Metrics.

In response to your feedback, we have made the following revisions to our manuscript:

  1. We have included the content of CCSS in Section 2.2.2, titled "Common Configuration Scoring System", to provide a clearer explanation.
  2. We have added tables and examples to Section 3, titled "Proposed User Device Risk Scoring Algorithm", to clearly represent the proposed content.

In conclusion, we would like to express our sincere gratitude for your time and effort in reviewing our paper. Your comments have greatly contributed to the improvement of our work. We hope that our revisions have addressed your concerns, and we look forward to your further feedback.

Sincerely,

Uihyun Park

Reviewer 2 Report

Although the manuscript is interesting, there are some lacks, which the author needs to improve.

Abstract requires restructuring.

Highlight the contributions of the work at the end of introduction section.

Add a description of contributions.

The author also has to make sufficient checking for the paper readability by improving the language with technical English experts.

Recent related work needs to be updated in reference section.

Limitations of the proposed system.

List the motivation of the proposed model.

Discuss about the dataset used for evaluation.

Discuss the Real time computation efficiency checking and possibilities. 

The paper is well designed but has limited contributions to the literature.

Do not use abbreviations before they are declared.

Algorithm proposed needs more comprehensive description on its working structure and strategy.

Author Response

Response to Reviewer 2 Comments

Dear Reviewer,

Thank you for dedicating your time to reviewing our manuscript and offering valuable feedback. We sincerely appreciate your comments and suggestions. We have diligently considered each point and have made revisions accordingly. Please find our responses to each point below.

Point 1: Abstract restructuring 

Response 1: We concur that the abstract required restructuring. We have revised it to deliver a clearer and more succinct overview of our work.

 

Point 2: Highlight contributions in the introduction.

Response 2: In line with your suggestion, we have included a separate paragraph at the end of the introduction to clearly delineate the primary contributions of our research and a more in-depth description of each contribution throughout the manuscript.

 

Point 3: Improve language with technical English experts

Response 3: Acknowledging your concern about the language quality, we have sought assistance from a technical English expert to meticulously proofread and revise the manuscript, thus enhancing its readability and clarity.

 

Point 4: Update recent related work in the reference section

Response 4: We concur that keeping the literature review current is crucial. We have added recent references.

 

Point 5: List limitations of the proposed system

Response 5: We greatly value your suggestion to discuss the limitations. Accordingly, we have included a section addressing the limitations of our proposed system and potential directions for future work.

 

Point 6: List motivation of the proposed model 

Response 6: In agreement with your recommendation, we have added a paragraph in the introduction to elucidate the motivations behind the development of the Ripple algorithm.

 

Point 7: Discuss the dataset used for evaluation

Response 7: Thank you for expressing interest in the dataset used for our evaluation. In accordance with your recommendation, we have utilized Microsoft's best-practice configuration list to represent the items. Microsoft's configuration best practices indicate recommended security settings for Operating Systems, such as the 'recommended password length'. We have displayed the vulnerability assessment results for the items in both CCSS and the proposed Risk Scoring in Table 1.

 

Point 8: Discuss real-time computation efficiency and possibilities

Response 8: We concur that addressing computational efficiency is essential. However, our primary focus is the importance of user and resource access, as articulated in Section 2. Many corporations have implemented risk scoring for their services, but not based on user privileges. In the context of network access, ensuring secure user access requests and appropriate resource requests are of paramount importance.

 

Point 9: Limited contributions to literature

Response 9: We apologize if our contributions were not presented clearly and in sufficient detail. The main contribution of our study is the proposal of a user-based Risk Scoring approach that can be applied to Zero Trust environments. We have provided a more detailed explanation of this contribution in the introduction section of our manuscript.

Point 10: Avoid using abbreviations before declaring them

Response 10: We recognize your concern about abbreviations and have ensured that all abbreviations are properly introduced before their first use in the text.

 

Point 11: Provide a more comprehensive description of the working structure and strategy of the proposed algorithm.

Response 11: While we believed our initial description was sufficient, we respect your perspective and have modified the section on the Ripple algorithm to deliver a more thorough explanation of its working structure and strategy.

 

Once again, we extend our gratitude for your insightful comments. Please do not hesitate to share any further suggestions.

Sincerely,

Uihyun Park

Reviewer 3 Report

Dear Authors:

The paper addresses an important and timely topic, namely the need for enhanced device risk scoring in the context of ZeroTrust security. ZeroTrust is an access control technology that must be reliable through security technologies and policies. It is necessary to determine specific vulnerabilities for various devices, such as BYOD, and to determine whether the device's authority to access corporate resources secures the same safety as the resources required. Specifically,  this paper analyzes trends in device risk scoring by companies implementing ZeroTrust, reviews device configuration rating system technology, and proposes a device risk scoring approach to evaluate the user's authority and impact.

 I would like to provide the following key comments on the paper:

1) Abstract: Removing unnecessary information from the abstract by focusing on the problem statement, objectives, and findings.

2) The literature review section should be enhanced by citing more recent literature.
3) A more detailed explanation of the proposed approach is needed.
 The authors should provide more information on how the ripple metric is calculated, how the vulnerability level of user devices is determined, and how these factors are integrated into the overall device risk score. The authors could also provide more information on how the approach accounts for the diversity of remote access devices.

4) Discuss related work in ZeroTrust security and device risk scoring.  The authors should explain how their approach differs from existing approaches and how it builds on previous research.

 5) Provide more information on the limitations of the evaluation and potential avenues for future research.

Author Response

Response to Reviewer 3 Comments

Dear Reviewer,

Thank you for taking the time to review our manuscript and for your insightful comments. We appreciate your recognition of the importance of our research topic and your valuable suggestions for improvement. We have carefully considered each of your points and made revisions accordingly. Please find our responses to each point below.

Point 1:  Abstract: Focus on the problem statement, objectives, and findings

Response 1: We agree that the abstract should be more focused. We have revised it to emphasize the problem statement, objectives, and findings, while removing any unnecessary information.

 

Point 2:  Enhance the literature review section with more recent literature

Response 2: We concur that the literature review section should include more recent sources. We have updated the section with recent publications and developments in the field of Zero Trust security and device risk scoring.

 

Point 3:  Provide a more detailed explanation of the proposed approach

Response 3: Following your suggestion, we have expanded the explanation of our proposed approach. We have included more information on the calculation of the ripple metric, the determination of user device vulnerability levels, and the integration of these factors into the overall device risk score. Furthermore, we have discussed how our approach accommodates the diversity of remote access devices.

 

Point 4:  Discuss related work in ZeroTrust security and device risk scoring

Response 4: We have added a section, "Trust Algorithm in ZeroTrust", discussing relevant research in ZeroTrust security and device risk scoring. We have highlighted the distinctions between our approach and existing ones, as well as how our research builds upon previous work in the field.

 

Point 5:  Address limitations of the evaluation and potential avenues for future research

Response 5: In response to your suggestion, we have included a section discussing the limitations of our evaluation and possible directions for future research. This addition will provide a more comprehensive understanding of our work and its potential for further development.

 

We greatly appreciate your valuable feedback and the opportunity to improve our manuscript. Please let us know if you have any additional suggestions or concerns.

Sincerely,

Uihyun Park

Reviewer 4 Report

Zero trust, including assessing the security status of devices, is a highly relevant current topic. A risk score of an accessing is device, taking vulnerability information into account, and assessing the difficulty of exploiting the vulnerability. A specific aspect seems to include in the device risk calculation also the user's role / access capabilities. However, it remains unclear whether the underlying assumption is that a device is associated just with one single user, or whether the idea is that a combined risk score for the accessing user and the used device is determined. It is unclear whether the device risk score would change depending on which user is using it. 

Section 2: It is stated that a limitation of VPNs is the need for logging / security monitoring. Logging/security monitoring is important in all cases, also for zero trust. This is not a limitation of VPNs.  

The presented algorithms to calculate the risk score comprise various numerical constants. It remains unclear how these constants have been determined and how it has been evaluated that these constants and calculations (sum) end up in a meaningful risk score. Required would be an evaluation that makes it plausible for readers that the proposed risk score can have some benefit (it is only claimed, but what are the specific evaluation criteria that provide some evidence)?

The English seems to need a language check, as some formulations are from their meaning not correct. I have the impression that this is rather a language problem than a content problem, assuming that a different statement as the one as formulated was intended. Still, the statement as formulated seems to be not true. Examples:

- A main claimed contribution of the paper is the "ripple score": The intended meaning of the term "ripple" as used in this context is unclear (I have even checked English dictionaries, I could not link the usual meaning of the word "ripple" to the described content).

- Introduction: "...security paradigm that improves network boundary security": Zero trust does not improve network boundary security, but rather complements it, or follows a different approach that does not rely on having the boundaries protected. 

- Introduction: "security scoring system that dynamically changes the security requirements... ": What is meant is probably not that the security requirements are changed, but that the access permissions are changed. 

- Introduction: "accident", meant is probably "incident"

- Section 2: "safe access"; meant is probably "secure access"

Such incorrect/unclear formulations can be found in the whole paper.

 

Formatting: Add in text a space before a reference.

The text after "Acknowledgments: The authors declare no conflict of interest" does not fit to acknowledgement.

Author Response

Response to Reviewer 4 Comments

Dear Reviewer,

Thank you for taking the time to review our manuscript and for providing valuable feedback on our work. We appreciate the opportunity to address your concerns and improve the quality of our research. Please find our responses to each of your points below.

Point 1:  Clarify the assumption regarding single user or multiple users for each device

Response 1: We apologize for the confusion in our initial presentation. We have clarified in the manuscript that our proposed approach considers the scenario: the combined risk score for the accessing user and the user device is determined. The device risk score depends on the accessing user, and our method calculates a combined risk score for the user and the device.

 

Point 2:  Revise the statement on VPNs and logging/security monitoring

Response 2: We acknowledge that our initial statement regarding VPNs and logging/security monitoring was unclear. We have decided to remove the statement about VPN limitations from the manuscript as it was not directly related to our main focus on ZeroTrust.

 

Point 3:  Explain the numerical constants and evaluation criteria for the proposed risk score

Response 3: We have provided additional information in the manuscript regarding the selection and determination of the numerical constants in our algorithms. Furthermore, we have included an evaluation section that presents the specific criteria used to assess the effectiveness and benefits of our proposed risk score.

 

Point 4:  Perform a language check and correct unclear or incorrect statements

Response 4: We apologize for any confusion caused by the language issues in our manuscript. We have consulted with a technical English expert to proofread and revise the manuscript, ensuring a clear and accurate meaning of each statement. We have also addressed the specific examples you provided, offering clearer explanations and making necessary corrections.

 

Point 5:  Correct formatting issues with in-text references and the Acknowledgments section

Response 5: We have corrected the formatting issues by adding spaces before in-text references and revising the text following the "Acknowledgments" heading to fit the context better.

 

We greatly appreciate your thorough review and constructive feedback, which have helped us improve our manuscript. Please let us know if you have any additional suggestions or concerns.

Sincerely,

Uihyun Park

Round 2

Reviewer 1 Report

The authors have made improvements to the paper. But before acceptance, they should carefully check the paper description in order to make them understandable. For example, what did the paragraphs starting with I, II and III mean?

Author Response

Response to Reviewer 1 Comments

Thank you very much for your valuable feedback on our manuscript. We appreciate the time and effort you have put into reviewing our paper. Following your suggestion, we have carefully revised our manuscript to improve the clarity and understandability of the paper description.

Point 1 The authors have made improvements to the paper. But before acceptance, they should carefully check the paper description in order to make them understandable. For example, what did the paragraphs starting with I, II and III mean?

Response 1 We have thoroughly reviewed and revised the paper description to ensure its clarity and understandability. In particular, we have clarified the meaning of the sections that previously started with I, II, and III, providing clear explanations for each of these contributions. We hope that these revisions will make it easier for readers to grasp the main points of our research.

Once again, we would like to express our gratitude for your invaluable feedback and the time and effort you have dedicated to reviewing our manuscript. We hope that the improvements made will meet your approval, and we look forward to any additional comments or suggestions you may have.

Sincerely,

Ui Hyun Park

Jeong Hyeop Hong

Paper Authors

Reviewer 2 Report

It's noticed in revised article review recommendation and suggestions are updated. The highlighted article adds more weight in trust mechanism if it is referred  DOI: 10.4018/978-1-7998-3375-8.ch013

 

Author Response

Response to Reviewer 2 Comments

Thank you very much for your feedback on our revised manuscript. We appreciate your time and effort in reviewing our paper.

Point 1 It's noticed in the revised article review recommendation and suggestions are updated. The highlighted article adds more weight in the trust mechanism if it is referred to DOI: 10.4018/978-1-7998-3375-8.ch013.

Response 1 Thank you very much for your thorough feedback on our manuscript. We have carefully reviewed the paper you mentioned (DOI: 10.4018/978-1-7998-3375-8.ch013) and found that the other references we have chosen already provide a clear and comprehensive explanation of the trust algorithm. Therefore, we decided not to include this specific paper in our list of references. Nevertheless, we appreciate your valuable suggestion and will keep it in mind for future research.

Once again, thank you for your valuable feedback. We look forward to any additional comments or suggestions you may have.

Sincerely,

Ui Hyun Park

Jeong Hyeop Hong

Paper Authors

Reviewer 3 Report

All my comments have been addressed in the revision.

Author Response

Response to Reviewer 3 Comments

We sincerely appreciate your feedback on our manuscript and the time and effort you have invested in reviewing our paper. We are glad to hear that all your comments have been addressed in the revised version.

Your valuable suggestions and insights have greatly contributed to the improvement of our manuscript, and we believe that the paper is now of higher quality thanks to your guidance.

Once again, thank you for your support and constructive feedback. We look forward to any additional comments or suggestions you may have.

Sincerely,

Ui Hyun Park

Jeong Hyeop Hong

Paper Authors

Reviewer 4 Report

Thank you for updating the paper, taking the comments into account. 

Please add a space before all references  (e.g., in introduction: "access devices[1][2][3]" -> "access devices [1][2][3]" (whole text).

The introduction contains the identical text twice, which furthermore seems to be rather an editorial note that has not been removed  (page 2, towards end of section I): " I. Summarize and describe the limitations of the risk scoring system that is used in companies that currently implement Zero Trust. II. Propose a Dynamic Importance metric that can measure the importance of resources that are accessible to users within systems that implement Zero Trust. III. Propose a risk scoring algorithm that uses the Dynamic Importance metric to efficiently increase confidentiality and availability for users who are accessing resources in systems that implement Zero Trust."

In section 2.1, paragraph below Fig. 1: At "Fig. 3 below", there is a line break between "Fig." and "3". The line break should be before or after "Fig. 3". 

Author Response

Response to Reviewer 4 Comments

Thank you very much for your thorough feedback on our manuscript. We appreciate the time and effort you have put into reviewing our paper. We have carefully read your comments and made the following changes to improve our manuscript according to your suggestions:

Point 1: Please add a space before all references  (e.g., in introduction: "access devices[1][2][3]" -> "access devices [1][2][3]" (whole text).

Response 1 We have added a space before all references throughout the text (e.g., in the introduction: "access devices [1][2][3]").

Point 2 The introduction contains the identical text twice, which furthermore seems to be rather an editorial note that has not been removed

Response 2 We have removed the duplicate text in the introduction and double-checked the manuscript to ensure there are no other repetitions.

Point 3 In section 2.1, paragraph below Fig. 1: At "Fig. 3 below", there is a line break between "Fig." and "3". The line break should be before or after "Fig. 3". 

Response 3 We have restructured the items I, II, and III in the manuscript's contribution section to clarify their meaning. And we have fixed the line break issue with "Fig. 3" in Section 2.1, ensuring the line break occurs at an appropriate position.

We are grateful for your valuable feedback, which has significantly contributed to the improvement of our manuscript. We look forward to any additional comments or suggestions you may have.

 

Sincerely,

Ui Hyun Park

Jeong Hyeop Hong

Paper Authors
