Dynamic deployment of context-aware access control policies for constrained security devices
Securing the access to a server, guaranteeing a certain level of protection over an encrypted communication channel, and executing particular countermeasures when attacks are detected are examples of security requirements. Such requirements are identified based on organizational purposes and expectations in terms of resource access and availability, and also on system vulnerabilities and threats. All these requirements belong to the so-called security policy. Deploying the policy means enforcing, i.e., configuring, those security components and mechanisms so that the system behavior is finally the one specified by the policy. The deployment issue becomes more difficult as growing organizational requirements and expectations generally outpace the integration of new security functionalities in the information system: the information system will not always embed the necessary security functionalities for the proper deployment of contextual security requirements. To overcome this issue, our solution is based on a central-entity approach which takes charge of unmanaged contextual requirements and dynamically redeploys the policy when context changes are detected by this central entity. We also present an improvement over the OrBAC (Organization-Based Access Control) model. Up to now, a controller based on a contextual OrBAC policy is passive, in the sense that it assumes policy evaluation triggered by access requests. Therefore, it does not allow reasoning about policy state evolution when actions occur. The modifications introduced by our work overcome this limitation and provide a proactive version of the model by integrating concepts from action specification languages.
Design and Implementation of a Measurement-Based Policy-Driven Resource Management Framework For Converged Networks
This paper presents the design and implementation of a measurement-based QoS
and resource management framework, CNQF (Converged Networks QoS Management
Framework). CNQF is designed to provide unified, scalable QoS control and
resource management through the use of a policy-based network management
paradigm. It achieves this via distributed functional entities that are
deployed to co-ordinate the resources of the transport network through
centralized policy-driven decisions supported by measurement-based control
architecture. We present the CNQF architecture, implementation of the prototype
and validation of various inbuilt QoS control mechanisms using real traffic
flows on a Linux-based experimental test bed.
Comment: in Ictact Journal On Communication Technology: Special Issue On Next
Generation Wireless Networks And Applications, June 2011, Volume 2, Issue 2,
Issn: 2229-6948 (Online)
On Using Encryption Techniques to Enhance Sticky Policies Enforcement
How to enforce privacy policies to protect sensitive personal data has become an urgent research topic for security researchers, as very little has been done in this field apart from some ad hoc research efforts. The sticky policy paradigm, proposed by Karjoth, Schunter, and Waidner, provides very useful inspiration on how we can protect sensitive personal data, but the enforcement is very weak. In this paper we provide an overview of the state of the art in enforcing sticky policies, especially the concept of sticky policy enforcement using encryption techniques including Public-Key Encryption (PKE), Identity-Based Encryption (IBE), Attribute-Based Encryption (ABE), and Proxy Re-Encryption (PRE). We provide detailed comparison results on the (dis)advantages of these enforcement mechanisms. As a result of the analysis, we provide a general framework for enhancing sticky policy enforcement using Type-based PRE (TPRE), which is an extension of general PRE.
Formalisation and Implementation of the XACML Access Control Mechanism
We propose a formal account of XACML, an OASIS standard adhering to the Policy Based Access Control model for the specification and enforcement of access control policies. To clarify all ambiguous and intricate aspects of XACML, we provide it with a more manageable alternative syntax and with a solid semantic ground. This lays the basis for developing tools and methodologies which allow software engineers to easily and precisely regulate access to resources using policies. To demonstrate feasibility and effectiveness of our approach, we provide a software tool, supporting the specification and evaluation of policies and access requests, whose implementation fully relies on our formal development.
Towards transactional integrity issues in policy based network management systems
As networks increase in size, heterogeneity, complexity and pervasiveness, effective management of such networks becomes more important and increasingly difficult. In this context, PBNM (Policy-Based Network Management) has been gaining popularity in recent years. New demands on internetworking, services specification, QoS and, generically, on network management functionality have been driving users to consider this paradigm in their own networks.

As people start exploiting PBNM, another aspect comes to attention: transactional integrity. Transactional control envisages achieving consistent state changes along the network. In other words, a state transition in network devices is only authorized if all the related operations are successfully taken.

In this paper we propose a transactional control mechanism for PBNM systems, namely its assurance across different systems and different network domains.
On the frontline against money-laundering: the regulatory minefield
Intelligence gathering plays a vital role in the 'war' against money laundering. Particularly important in this intelligence gathering process is the global network of Financial Intelligence Units (FIUs) fed by a host of auxiliary (primarily financial) institutions required to report suspicious transactions. This paper briefly reviews the history of the international system of anti-money laundering measures imposed on the financial industry and other regulated businesses, the development of the global network of FIUs and their system of information gathering. It will examine some of the issues that arise from the regulatory framework within which this information gathering takes place. It will also address the issue of instrumental clarity and whether existing and new directives, requirements and approaches are sufficiently clear to enable reporting institutions on the 'front-line' to operate effectively.