Wednesday, 14 September 2011

Challenges facing security policies in PAIS

Source: M. Leitner. Security policies in adaptive process-aware information systems: Existing approaches and challenges. In ARES 2011, 6th International Conference on Availability, Reliability and Security, New York City, 2011. Institute of Electrical and Electronics Engineers (IEEE).

The paper provided 6 challenges that are facing security policies in PAIS, and also provided a requirement that if fulfilled then the challenge will be solved. the following are summary of the challenges and the requirements to solve the challenges.

** all information below is quoted directly from the source paper, non of this is in my own words **

Challenge 1: Modeling Security Policies

1) Policy Modeling:
Problems: While an imperative approach is very strict and definite, it may not be reasonable for certain domains where ad hoc decisions based on circumstances have to be made. In terms of security, a security expert has to examine all possibilities and specify all policies in advance in the declarative model. Especially in large systems, it is difficult to oversee all regulations, possible vulnerabilities, or risks for all processes. This might be demanding in a declarative model because all potential occurrences have to be examined.
Requirements: It is important to consider the policy modeling approach depending on the domain of the PAIS. A declarative approach presents a more flexible way for integrating ad hoc changes. However, enforcing security can be difficult because potential process paths have to be analyzed and the risks of threats minimized. An imperative modeling type enables a stringent security policy definition (e.g. authorization) and is therefore more solid because not all potential pathways have to be foreseen.

2) Process Modeling:
Problems: Current commercial systems mostly use attached and inherent process modeling but research proto- types tend to focus on a separate policy implementation. This distinction leads to various research scenarios.
Requirements: In general, it should be possible to separate the process model and the security policies from each other. Then, the checks for inconsistencies are more efficient in a repository (than e.g. going through each activity in a process). A repository supports also the administration of policies such as adding, updating or deleting which is essential due to continuously changing business requirements. Furthermore, separating process models from policies facilitates the evolution of processes. If the policies are not included in the data and control flow of the model, the process models can be significantly reduced to a minimal set of tasks.

3) Modeling Extensions:
Problems: Current approaches provide only some security function modeling and are at a very early stage. They neither provide patterns for all security policies nor specify a standardized vocabulary for enforcing security in PAIS. Current proposals use different symbols or text to display security. Modeling security policies in PAIS might include further challenges such as visualization. Imagine a large process model: Is it possible to present security-critical information in large models?
Requirements: It is necessary to identify the require- ments to enable security modeling extensions for standard notations. We require to investigate how to display semantical or technical security features. In large process models, the model should be kept simple and complexity should not increase due to security extensions.


Challenge 2: Separating Security Policies from other Constraints:

Problems: Imagine a PAIS within the health care domain. There are a lot of guidelines that have to be included in the processes such as medical guidelines, public health guidelines, law, and budget restrictions. However, all guidelines have to be integrated in the processes. But which guidelines can be specified as security policies?
Requirements: Security guidelines originate from various sources and have to be incorporated in PAIS. Security policies in PAIS should be related to the security objectives confidentiality, integrity, and availability. For example, the guideline “A surgery can only be performed with two doctors” is user- centric and relates to availability. Therefore, the rule can be categorized as a security policy in PAIS. This approach can be extended to other security principles (e.g. privacy).


Challenge 3: Mapping Policies to Process Activities:

Problems: Policies can be administered at build and run time. The inherent approach does not support all constraints such as inter-process constraints. Imagine, a large system with about 500 roles, 1500 activities, and 500 security policies. Associating each policy to many activities is troublesome and inefficient. At this point it gets difficult: How can policies be associated with activities? Which criteria should be considered?
Requirements: Ideally, there should be a mechanism that maps the security policies to process activities. However, to be able to handle the mapping, we need to know which rules should be associated with which activity. We demand an easy and manageable association of activities and policies at a fair level of complexity. Furthermore, we also require that scalability should be supported.


Challenge 4: Process Evolution:

Problems: When a process changes such as add, delete, or move an activity all associated constraints have to be checked for correctness.
Requirements: When a process changes, the corresponding policies (e.g. authorization constraints) should be validated. Because workflows can change at build and run time it is important to develop mechanisms to manage both scenarios. It should be possible to change an activity and to further maintain the security of the activity at the same level regardless of e.g. the changed control flow or data flow.


Challenge 5: Policy Evolution:

Problems: Approaches focus mostly on build time strategies where policies are set and checked for conflicts. However, policies such as authorization con- straints or legal regulations evolve over time.
Requirements: There is a need for administration of security policies such as adding, deleting, or updating rules. We require to enable an easy handling and maintenance of security policies at build, run, and change time. Therefore, security policies and process models should be administered separately.


Challenge 6: Inter-process Security Policies:

Problems: Current systems neither provide inter- process security policies nor enable a semantical support. However, the interaction between process instances becomes more importan.
Requirements: In PAIS, there is a growing need of more interaction between process instances. In particular, security policies should be enforced over multiple instances. When enabling interaction between instances, designers and practitioners have to tackle another challenge: How to model, implement, and enforce inter-instance constraints at a fair level of complexity.

Security policies in PAIS

Source: M. Leitner. Security policies in adaptive process-aware information systems: Existing approaches and challenges. In ARES 2011, 6th International Conference on Availability, Reliability and Security, New York City, 2011. Institute of Electrical and Electronics Engineers (IEEE).

** all information below is quoted directly from the source paper, non of this is in my own words **

In PAIS, security policies are often related to role-based access control restrictions or constraints (e.g. separation of duties). But to be more specific, security policies in PAIS might relate to access control, control flow, information flow, data integrity, and availability. Therefore, policies can be specified for users, information (data), control flow, activities, and process instances. Can be enforced at build time (static constraints) and run time (dynamic).

security policies in PAIS categorized by the main key concepts of information security: confidentiality, integrity, and availability:

Confidentiality: In PAIS, confidentiality is usually ensured by an access control model and constraints associated with activities. Information should only be accessible to authorized users.

Integrity: A security policy for the integrity of a control flow signifies that, for example, a certain activity has to be finished before another activity starts (e.g. activity PayQuotation has to be completed before SendShipment). Integrity of data means that no user who is unauthorized to access the data can modify it. Therefore, only authorized actions are carried out on data.

Availability: In PAIS, availability may refer to the system, resources (e.g. data, users), or the control flow which can be verified with the workflow liveliness and soundness.


Tuesday, 13 September 2011

Security Policies ..

Source: Maria Leitner,Stefanie Rinderle-Ma, and Juergen Mangler. Responsibility-driven Design and Development of Process-aware Security Policies. in Sixth International Conference on Availability, Reliability and Security. 2011.

** all information below is quoted directly from the source paper, non of this is in my own words **

Security policies are a set of principles that control which subject is allowed to access which object within an information systems. In PAIS, however, security policies require a more detailed definition due to the multi-faceted characteristics of such systems. Specifically, security policies in PAIS might relate to access control, control flow, information flow, data integrity, and availability.

Security aspects in security polices:
Structural Aspect: denotes a set of data objects and tasks, and how they occur in a process model.
- Responsibilities: We define a responsibility r to be a piece of data or interrelated tasks from the point of a certain role.
Operational Aspect: denotes constraints on this data objects and tasks, for example during process execution. I.e. under which circumstances something is allowed.
- Permissions: define which operations (execute, monitor) are allowed for which security objects (process execution, process model change, service selection).



What is a secure Workflow

Source: P. C. K. Hung and K. Karlapalem, “A secure workflow model,” in Proc. of AISC on ACSW frontiers 2003 - Volume 21.    Australian Computer Society, Inc., 2003, pp. 33–41.

** all information below is quoted directly from the source paper, non of this is in my own words **

Definition 1:    A secure workflow is a computer supported business process that is capable to against security threats and further satisfies the security requirements defined by the workflow modeler.

Definition 2: A secure Workflow Management System (WFMS) is a workflow management system that can specify, manage and execute a secure workflow.

==========

In a secure workflow model, there are three layers for a secure state: Workflow, Data and Control:

Workflow:
Availability in the workflow layer is: “For every task there must be at least one agent who is able to execute the task.”

Integrity and Authorization in the work- flow layer is: “An agent can only execute the assigned task if and only if the privilege “execute” is granted. The secure workflow has to revoke the privilege from an agent if the task has completed execution.”

Data:
Integrity and Authorization in the data layer is: “An agent can only access a document with a specific privilege if and only if the document access privilege is granted to the agent and also it is needed to access the document with the privilege during the task execution. The secure workflow has to revoke the document access privilege from an agent if the document access privilege is no longer needed.”


==========

To ensure the property of authorization:
The secure workflow model assigns the task to an agent if and only if the agent can execute the task.

To ensure the properties of integrity and authorization, the secure workflow model:
- Grants the task to the assigned agent for execution if and only if the set of input events is generated, the task is not started and all the dependent tasks are completed in the relevant session.
- Revokes the task from the assigned agent if and only if the set of output events is generated and all the granted privileges for documents are revoked in the session.
- Grants the document access privilege to the agent for execution if and only if it is authorized by the task’s TAC in the session.
- Revokes the document access privilege from the agent if and only if the document access privilege or task is completed in the session.
- (an agent can) generate the event for a task if and only if it is authorized in the session.