
semi-automated modelling of XACML policies




  1. semi-automated modelling of XACML policies. Simon Parkin, Aad van Moorsel, Newcastle University

  2. setting
     Chief Information Security Officer (CISO) must continuously make IT investment decisions. Each decision should take into account:
     • technology
     • business priorities and impact
     • employee reaction and impact
     tools to help the CISO → trust economics (HP, ML)
     Aad van Moorsel, Newcastle University, DTI Trust Economics

  3. trust economics tools

  4. knowledge base and policies
     knowledge base:
     • existing base of policies, guidelines, e.g., ISO27k
     • add ontology for user behaviour, trade-offs, etc.
     • add calculators, models as appropriate
     • helps the CISO to take into account the major elements when making a decision
     interface to the knowledge base through security policies: a set of rules fed into the knowledge base → if I do X, what happens and what else should I do?

  5. knowledge base and policies
     • knowledge base (for integration)
     • policies (to express decisions, interface with the knowledge base)

  6. prototype: XACML Policy Editor

  7. a prototype: XACML + Demos2K
     • IT security officer uses the XACML editor to write policies
     • tool feeds the policies into Demos2K (stochastic process algebra specification, solved using discrete-event simulation)
     • tool returns outcomes: loss of data, confidentiality, productivity, ...
     XACML
     • eXtensible Access Control Markup Language
     • OASIS standard
     • policy language + specified interpretation

  8. a prototype: XACML + Demos2K (figure; labels: demos2k, XACML)

  9. a prototype: XACML + Demos2K (figure; label: demos2k)

  10. (figure only)

  11. USB stick modelling

  12. day in the life of a USB stick

  13. USB roles

  14. USB locations

  15. example demos2k

      // Here both the FRIEND and TRAITOR cases are taken as being very similar - after all the
      // TRAITOR player is supposed to be indistinguishable to the FRIEND - and thus the
      // accounting should treat them broadly the same way.
      etry [who == player__FRIEND || who == player__TRAITOR] then {
        try [ binom(1, prob_reading_unencrypted_item) == 1 ] then {
          // unencrypted case
          successful_reads := successful_reads + 1;
          successful_transfers := successful_transfers + 1;
          // accidental archive of accessible material - i.e. USB_unencrypted_items
          try [binom(1, probAccidentalArchive) == 1] then {
            syncV(USBreveal, [USB_unencrypted_items], []);
          } etry [] then {
            hold(0);
          }
          // if player is actually a TRAITOR
          try [who == player__TRAITOR] then {

  16. goals

  17. experiments

  18. (figure only)

  19. (figure only)

  20. evaluation
      XACML + Demos2K
      • prototype works (XACML as input to a stochastic model)
      to do:
      • formalise this
      • generalise this
      • is a policy language the right interface?
        • CISOs don't normally use it
        • is it flexible enough as an interface to the knowledge base?
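The pipeline that slides 7 and 20 describe (a policy written in XACML, fed into a stochastic model that reports confidentiality and productivity outcomes) together with the FRIEND/TRAITOR USB-stick model of slides 11 to 15, as an added Python example that is not the Newcastle prototype's code: a minimal XACML 2.0 policy decision point decides each "copy item to USB stick" request, and a seeded Monte Carlo loop stands in for Demos2K. The attribute id usb:encryption, the policy and rule ids, and every probability are constructed assumptions; the element names, function ids and combining algorithm are those of the XACML 2.0 standard. The model deliberately fails closed (Indeterminate and NotApplicable block the copy), which is the behaviour a CISO would want from an access-control interface to a knowledge base.

```python
# Added example, not the Newcastle prototype's code: a tiny XACML 2.0 policy decision point
# (PDP) feeding a seeded Monte Carlo model of a USB stick, standing in for Demos2K. The
# attribute id "usb:encryption", the rule/policy ids and every probability are constructed.
import random
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"

def _q(tag):
    return "{%s}%s" % (XACML_NS, tag)

def _policy_xml(policy_id, rules):
    return '<Policy xmlns="%s" PolicyId="%s" RuleCombiningAlgId="%s"><Target/>%s</Policy>' % (
        XACML_NS, policy_id, FIRST_APPLICABLE, rules)

# Constructed policy 1: copying to the stick is permitted only for encrypted items.
STRICT_POLICY_XML = _policy_xml("usb-encryption-required", """
  <Rule RuleId="permit-encrypted-copy" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <ResourceAttributeDesignator AttributeId="usb:encryption" DataType="%s"/>
        </Apply>
        <AttributeValue DataType="%s">encrypted</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="deny-everything-else" Effect="Deny"/>""" % (XSD_STRING, XSD_STRING))

# Constructed policy 2: anything may be copied (the baseline a CISO would compare against).
PERMISSIVE_POLICY_XML = _policy_xml("usb-anything-goes", '<Rule RuleId="permit-all" Effect="Permit"/>')

class Indeterminate(Exception):
    """An expression could not be evaluated (missing attribute, wrong bag size)."""

def parse_policy(xml_text):
    """Return policy id, combining algorithm and (rule id, effect, condition-or-None) triples."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall(_q("Rule")):
        cond = rule.find(_q("Condition"))
        rules.append((rule.get("RuleId"), rule.get("Effect"), None if cond is None else cond[0]))
    return {"id": root.get("PolicyId"), "alg": root.get("RuleCombiningAlgId"), "rules": rules}

def _eval(expr, request):
    """Evaluate the XACML expression subset used above; designators return bags (lists)."""
    tag = expr.tag[len(_q("")):]
    if tag == "AttributeValue":
        return expr.text
    if tag.endswith("AttributeDesignator"):
        value = request.get(expr.get("AttributeId"))
        return [] if value is None else [value]
    if tag == "Apply":
        fn = expr.get("FunctionId").rsplit(":", 1)[-1]
        args = [_eval(child, request) for child in expr]
        if fn == "string-one-and-only":
            if len(args[0]) != 1:
                raise Indeterminate("bag of size %d" % len(args[0]))
            return args[0][0]
        if fn == "string-equal":
            return args[0] == args[1]
    raise Indeterminate("unsupported element or function: " + tag)

def evaluate(policy, request):
    """PDP for first-applicable policies: Permit, Deny, NotApplicable or Indeterminate."""
    assert policy["alg"] == FIRST_APPLICABLE, "only first-applicable is implemented here"
    for _rule_id, effect, cond in policy["rules"]:
        try:
            if cond is None or _eval(cond, request) is True:
                return effect
        except Indeterminate:
            return "Indeterminate"  # the simulation fails closed: anything but Permit blocks the copy
    return "NotApplicable"

def simulate(policy, days=200, items_per_day=5, p_encrypted=0.5, p_lost=0.05, p_traitor=0.3, seed=7):
    """'Day in the life' of a USB stick: the employee copies items (each checked by the PDP), the
    stick may be lost, and its finder is a FRIEND or a TRAITOR who reads every unencrypted item."""
    rng = random.Random(seed)
    stick = []  # encryption flag of each item currently on the stick
    outcome = {"copied": 0, "blocked": 0, "sticks_lost": 0, "items_exposed": 0}
    for _day in range(days):
        for _item in range(items_per_day):
            encrypted = rng.random() < p_encrypted
            request = {"usb:encryption": "encrypted" if encrypted else "unencrypted"}
            if evaluate(policy, request) == "Permit":
                stick.append(encrypted)
                outcome["copied"] += 1
            else:
                outcome["blocked"] += 1  # productivity cost of the policy
        if rng.random() < p_lost:
            outcome["sticks_lost"] += 1
            if rng.random() < p_traitor:  # confidentiality cost of the policy
                outcome["items_exposed"] += sum(1 for e in stick if not e)
            stick = []  # the employee gets a fresh, empty stick
    return outcome

if __name__ == "__main__":
    for xml_text in (STRICT_POLICY_XML, PERMISSIVE_POLICY_XML):
        policy = parse_policy(xml_text)
        print(policy["id"], simulate(policy))
```

Running both policies on the same seed shows the trade-off the slides are after: the strict policy drives items_exposed to zero at the cost of a non-zero blocked count, while the permissive policy never blocks but leaks every unencrypted item on a stick that reaches a TRAITOR. Only the first-applicable combining algorithm and two string functions are implemented, so a real deployment would hand the policy to a full XACML engine and keep only the simulation side.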
