Semantic context aware security policy deployment

Semantic context aware security policy deployment,10.1145/1533057.1533092,Stere Preda,Frédéric Cuppens,Nora Cuppens-boulahia,Joaquín García-alfaro,Lau

Semantic context aware security policy deployment   (Citations: 4)
The successful deployment of a security policy is closely related not only to the complexity of the security requirements but also to the capabilities/functionalities of the security devices. The complexity of the security requirements is additionally increased when contextual constraints are taken into account. Such situations appear when addressing the dynamism of some security requirements or when searching a finer granularity for the security rules. The context denotes those specific conditions in which the security requirements are to be met. (Re)deploying a contextual security policy depends on the security device functionalities: either (1) the devices include all functionalities necessary to deal with a context and the policy is consequently deployed for ensuring its automatic changes or (2) the devices do not have the right functionalities to entirely interpret a contextual requirement. We present a solution to cope with this issue: the (re)deployment of access control policies in a system that lacks the necessary functionalities to deal with contexts.
    • ...[20] propose an operational semantic to specify event-based contexts associated to state-based contexts using the ECA (Event-Condition-Action) formalism [21]...
    • ...In other words, we do not need to specify explicitly new response rules that have an opposite ‘effect’ on the system [20]...

    Wael Kanoun et al. Risk-Aware Framework for Activating and Deactivating Policy-Based Resp...

    • ...The deployment process will be carried on automatically [18] and for those contextual requirements which remain unaccomplished as a result of a missing or deficient functionality, the deployment process derives into (1) a deployment using slightly different contexts which are still managed by the system and/or (2) an optimization problem of finding the minimum deployment cost if case (1) does not exhaust all initially unmanaged contexts...
    • ...A first attempt to cope with the issue of managing contextual policies in systems where some functionalities are deficient was already made in [18]...
    • ...The approach in [18] is based on a central entity, the PDP (Policy Decision Point) that deals with all or part of the contexts unmanaged by the system’s PEPs (Policy Enforcement Points)...
    • ...We consider yet incomplete the works in [18] as some contexts may still remain unmanaged: neither the PDP alone nor the PDP-PEPs working together can handle them...
    • ...The works in this paper and the previous ones in [18] represent, if jointly used, a complete solution to contextual policy deployment...
    • ...In [18] we dealt with two types of contexts: 1) State based contexts: they correspond to the “classical” OrBAC context, defined with the hold predicate [5]: • HD: hold(Org, S, A, O, Ctx) :- p1(Y1), ..., pn(Yn),...
    • ...However, some of the Ci contexts cannot always be managed by the PDP and the PEPs as previously described, i.e., Ci � PEP ctx � PDP ctx; this is the context management that was in pending after [18] and we need the following hypotheses and definitions to take it into account...
    • ...• the protected context, related to an encrypted channel, is managed by IPsec and fw functionalities [18]...
    • ...In [18] we made the assumption of “shortest-paths” in the network; hence, the deployment algorithm can automatically select the well placed PEPs to enforce each SR rule...
    • ...Case0 “Dynamic Deployment”: if the PDP-PEPs manage the Ci context, then the SR rule is deployed using the dynamic deployment methodology discussed in [18]...

    Stere Preda et al. Architecture-Aware Adaptive Deployment of Contextual Security Policies

    • ...Obtaining these packages of rules (i.e., the configurations of PEPs) is the result of the downward translation process: the abstract policy, given the system architecture, is compiled through a set of algorithms at the PDP level into, for example, firewall scripts and IPsec tunnel configurations — all the way through bearing the system architecture details (interconnections and capabilities) [19]...

    Stere Preda et al. Model-Driven Security Policy Deployment: Property Oriented Approach

    • ...On the other hand, a third party tool that we presented in [24] allows us the automatic transformation of high level language policies into the specific set of configuration rules of each module...

    Stere Preda et al. A secured delegation of remote services on IPv6 home networks
