skip to main content
10.1145/1463342.1463343acmotherconferencesArticle/Chapter ViewAbstractPublication PagesmiddlewareConference Proceedingsconference-collections
research-article

Enforcing "sticky" security policies throughout a distributed application

Published: 02 December 2008 Publication History

Abstract

Existing policy enforcement points (PEPs) typically call a local policy decision point (PDP) running at the local site, either embedded in the application, or running as a local stand alone service. In distributed applications, the PDPs at each site do not usually coordinate decision making amongst themselves, and do not pass policies between themselves. Thus it becomes very difficult to enforce "sticky" policies such as privacy policies and obligations at all the sites in a distributed application. This paper looks at different ways in which the PEPs and PDPs of a distributed application may share policies between themselves so as to enforce "sticky" policies throughout a distributed application. Three alternative models are described, the Application Protocol Enhancement Model, the Encapsulating Security Layer Model and the Back Channel Model. The strengths and weaknesses of the three models are evaluated, and we compare them to prior research in the field.

References

[1]
ITU-T Rec X.812 (1995) | ISO/IEC 10181-3:1996 "Security Frameworks for open systems: Access control framework"
[2]
J. Vollbrecht, P. Calhoun, S. Farrell, L. Gommans, G. Gross, B. de Bruijn, C. de Laat, M. Holdrege, D. Spence. "AAA Authorization Framework". RFC 2904 August 2000.
[3]
Sun's XACML PDP, available from http://sunxacml.sourceforge.net/
[4]
David W Chadwick, Linying Su, Romain Laborde. "Coordinating Access Control in Grid Services". Concurrency and Computation: Practice and Experience, Volume 20, Issue 9, Pages 1071--1094, 25 June 2008.
[5]
Mont, M. C.; Pearson, S.; Bramhall, P. "Towards accountable management of identity and privacy: sticky policies and enforceable tracing services". Proc 14th Int Workshop on Database and Expert Systems Applications, 1--5 Sept. 2003. Page(s): 377--382 Digital Object Identifier 10.1109/DEXA.2003.1232051
[6]
Lupu, E. and Sloman, M. "Reconciling role based management and role based access control." In Proc. of the Second ACM Workshop on Role-Based Access Control (Fairfax, Virginia, United States, November 06--07, 1997). RBAC '97. ACM, New York, NY, Pages 135--141.
[7]
David W Chadwick, Wensheng Xu, Sassa Otenko, Romain Laborde and Bassem Nasser. "Multi-Session Separation of Duties (MSoD) for RBAC". First International Workshop on Security Technologies for Next Generation Collaborative Business Applications (SECOBAP'07), April 16--20, 2007, Istanbul, Turkey.
[8]
OASIS "eXtensible Access Control Markup Language (XACML) Version 2.0" OASIS Standard, 1 Feb 2005
[9]
Bertino, E., Ferrari, E., Squicciarini, A.: Trust Negotiations: Concepts, Systems and Languages. IEEE Computer, pp. 27--34, 2004.
[10]
Sruthi Bandhakavi, Charles C. Zhang, Marianne Winslett. "Super-Sticky and Declassifiable Release Policies for Flexible Information Dissemination Control". Proceedings of the 5th ACM workshop on Privacy in electronic society. 2006, Pages: 51--58. ISBN:1-59593-556-8
[11]
Gansen Zhao, David Chadwick. "Trust Infrastructure for Policy based Messaging In Open Environments". Proc 14th IEEE International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises (WETICE 2005), 13--15 June 2005, Linkoping, Sweden. pp144--149
[12]
B. Ramsdell et al. "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification". RFC 3851. July 2004

Cited By

View all
  • (2020)An Efficient Policy Evaluation Engine for XACML Policy ManagementInformation Sciences10.1016/j.ins.2020.08.044Online publication date: Sep-2020
  • (2017)Camflow: Managed Data-Sharing for Cloud ServicesIEEE Transactions on Cloud Computing10.1109/TCC.2015.24892115:3(472-484)Online publication date: 1-Jul-2017
  • (2017)Overview of Mobile Containerization Approaches and Open Research DirectionsIEEE Security and Privacy10.1109/MSP.2017.1215:1(22-31)Online publication date: 1-Jan-2017
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences
MidSec '08: Proceedings of the 2008 workshop on Middleware security
December 2008
48 pages
ISBN:9781605583631
DOI:10.1145/1463342
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 02 December 2008

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. PDP
  2. application independent PEP
  3. obligation enforcement
  4. privacy policy enforcement
  5. sticky policies

Qualifiers

  • Research-article

Funding Sources

Conference

Middleware '08

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)3
  • Downloads (Last 6 weeks)1
Reflects downloads up to 11 Jan 2025

Other Metrics

Citations

Cited By

View all
  • (2020)An Efficient Policy Evaluation Engine for XACML Policy ManagementInformation Sciences10.1016/j.ins.2020.08.044Online publication date: Sep-2020
  • (2017)Camflow: Managed Data-Sharing for Cloud ServicesIEEE Transactions on Cloud Computing10.1109/TCC.2015.24892115:3(472-484)Online publication date: 1-Jul-2017
  • (2017)Overview of Mobile Containerization Approaches and Open Research DirectionsIEEE Security and Privacy10.1109/MSP.2017.1215:1(22-31)Online publication date: 1-Jan-2017
  • (2016)Big ideas paperProceedings of the 17th International Middleware Conference10.1145/2988336.2988349(1-15)Online publication date: 28-Nov-2016
  • (2016)Data-Centric Access Control for Cloud ComputingProceedings of the 21st ACM on Symposium on Access Control Models and Technologies10.1145/2914642.2914662(81-88)Online publication date: 6-Jun-2016
  • (2016)Oblivion: Mitigating Privacy Leaks by Controlling the Discoverability of Online InformationApplied Cryptography and Network Security10.1007/978-3-319-28166-7_21(431-453)Online publication date: 9-Jan-2016
  • (2014)Privacy protection in data sharingProceedings of the 8th International Conference on Theory and Practice of Electronic Governance10.1145/2691195.2691279(28-36)Online publication date: 27-Oct-2014
  • (2013)Data usage control enforcement in distributed systemsProceedings of the third ACM conference on Data and application security and privacy10.1145/2435349.2435358(71-82)Online publication date: 18-Feb-2013
  • (2012)Securing an Interoperability Architecture for Home and Urban NetworkingProceedings of the 2012 26th International Conference on Advanced Information Networking and Applications Workshops10.1109/WAINA.2012.191(714-719)Online publication date: 26-Mar-2012
  • (2011)Group-Centric Secure Information-Sharing Models for Isolated GroupsACM Transactions on Information and System Security10.1145/2043621.204362314:3(1-29)Online publication date: 1-Nov-2011
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media