Security Policy Alignment: A Formal Approach

Cited by: 14
Authors
Pieters, Wolter [1]
Dimkov, Trajce [2]
Pavlovic, Dusko [3, 4]
Affiliations
[1] Delft Univ Technol, Fac Technol Policy & Management, Energy & Ind Grp, NL-2600 Delft, Netherlands
[2] Deloitte, Secur & Privacy Grp, NL-1183 Amstelveen, Netherlands
[3] Univ London, Informat Secur Grp, Egham TW20 0EX, Surrey, England
[4] Univ Twente, Fac Elect Engn Math & Comp Sci, Distributed & Embedded Secur Grp, NL-7500 Enschede, Netherlands
Source
IEEE SYSTEMS JOURNAL | 2013 / Vol. 7 / Issue 02
Keywords
Attack trees; security logics; security policies; security policy alignment; security policy refinement; socio-technical systems; system models; ATTACK; FOUNDATIONS;
DOI
10.1109/JSYST.2012.2221933
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812;
Abstract
Security policy alignment concerns the matching of security policies specified at different levels in socio-technical systems, and delegated to different agents, technical and human. For example, the policy that sales data should not leave an organization is refined into policies on door locks, firewalls and employee behavior, and this refinement should be correct with respect to the original policy. Although alignment of security policies in socio-technical systems has been discussed in the literature, especially in relation to business goals, there has been no formal treatment of this topic so far in terms of consistency and completeness of policies. Wherever formal approaches are used in policy alignment, these are applied to well-defined technical access control scenarios instead. Therefore, we aim at formalizing security policy alignment for complex socio-technical systems in this paper, and our formalization is based on predicates over sequences of actions. We discuss how this formalization provides the foundations for existing and future methods for finding security weaknesses induced by misalignment of policies in socio-technical systems.
Pages: 275-287
Number of pages: 13