Abstract
Policy refinement is the process of deriving low-level policies from high-level policy specifications. A basic example is the refinement of policies referring to users, resources and applications at a high level, such as the level of virtual organisations, to policies referring to user ids, resource addresses and computational commands at the low level of system and network environments. This paper tackles the refinement problem by proposing an approach using model-to-model transformation techniques for transforming XACML-based VO policies to the resource level. Moreover, the transformation results in deployable policies referring to at most a single resource, hence avoiding the problem of cross-domain interference. The applicability of our approach is demonstrated within the domain of distributed geographic map processing.
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Aziz, B., Arenas, A.E., Wilson, M. (2011). Model-Based Refinement of Security Policies in Collaborative Virtual Organisations. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2011. Lecture Notes in Computer Science, vol 6542. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19125-1_1
DOI: https://doi.org/10.1007/978-3-642-19125-1_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-19124-4
Online ISBN: 978-3-642-19125-1
eBook Packages: Computer Science (R0)