Pietro Mazzoleni
Bruno Crispo
Elisa Bertino
Abstract
XACML is the OASIS standard language specifically aimed at the specification of authorization policies. While XACML fits well with the security requirements of a single enterprise (even if large and composed by multiple departments), it does not address the requirements of virtual enterprises in which several autonomous subjects collaborate by sharing their resources to provide better services to customers. In this article we highlight such limitation, and we propose an XACML extension, the policy integration algorithms, to address them. In the article we also present the implementation of a system that makes use of the policy integration algorithms to securely replicate information in a P2P-like environment. In our solution, the data replication process considers the policies specified by both the owners of the data shared and the peers sharing data storage.
- Anderson, A. 2004. An introduction to the Web services policy language. IEEE Policy 2004 Workshop. Google Scholar
Digital Library
- Anderson, A. 2005a. A Comparison of Two Privacy Policy Languages: EPAL and XACML. Sun Microsystems, Inc.Google Scholar
- Anderson, A. 2005b. Ws-policyconstraints: A domain-independent Web services policy assertion language. Sun Microsystems, Inc.Google Scholar
- Backes, M., Bagga, W., Karjoth, G., and Schunter, M. 2004. Efficient comparison of enterprise privacy policies. In Proceedings of the ACM Symposium on Applied Computing. Google ScholarDigital Library
- Baker, M., Kimberly, K., and Sean, M. 2005. Why traditional storage systems do not help us save stuff forever. Tech. rep. HPL-2005-120. HP Labs.Google Scholar
- Barth, A., Mitchell, J. C., and Rosenstein, J. 2004. Conflict and combination in privacy policy languages. In Workshop on Privacy in the Electronic Society. Google ScholarDigital Library
- EU. 1995. Eu directive on data privacy 95/46/ec.Google Scholar
- Fisler, K., Krishnamurthi, S., Meyerovich, L., and Tschantz, M. 2005. Verification and change impact analysis of access-control policies. In International Conference on Software Engineering (ICSE). Google ScholarDigital Library
- HIPAA. 1996. U.S. government department of health and human services health. Insurance Portability and Accountability Act.Google Scholar
- HP. 2005. Virtualized infrastructure solutions for mysap business suite. http://h71028.www.hp.com/enterprise/downloads/HP-virtualSAP_Solution-Brief.pdf.Google Scholar
- Huang, D. 2005. Semantic policy-based security framework for business processes. 4th Semantic Web and Policy Workshop.Google Scholar
- IBM. 2004. Automate and integrate within and across it processes to support the continually changing needs of business processes. IBM White paper.Google Scholar
- Kusnetzky, D. and Olofson, C. W. 2004. Oracle 10g: Putting grids to work. http://www.oracle.com/technology/tech/grid/collateral/idc_oracle10g.pdf.Google Scholar
- Lionshare, Project. http://lionshare.its.psu.edu/main/.Google Scholar
- Lockss, Project. http://lockss.stanford.edu/.Google Scholar
- Lorch, M., Proctor, S., Lepro, R., Kafura, D., and Shah, S. 2003. First experiences using xacml for access control in distributed systems. Proceedings of the ACM Workshop on XML Security (XMLSEC'03). ACM, New York, NY, 25--37. Google ScholarDigital Library
- Mazzoleni, P., Crispo, B., Sivasubramanian, S., and Bertino, E. 2005. Efficient integration of fine-grained access control in large-scale grid services. In IEEE International Conference on Service Computing (SCC'05). Google ScholarDigital Library
- Morr, D. 2004a. Lionshare: A federated p2p app. In Internet2 Members Meeting.Google Scholar
- Morr, D. 2004b. Wspl: an xacml-based Web services policy language. In Internet2 Members Meeting.Google Scholar
- OASIS. 2002. ebxml collaboration protocol profile and agreement technical committee. Collaboration-Protocol Profile and Agreement Specification Version 2.0.Google Scholar
- OASIS. 2005. Security services technical committee. e{X}tendible {A}ccess {C}ontrol {M}arkup {L}anguage Committee Specification 2.0.Google Scholar
- OASIS. 2006. http://docs.oasis-open.org/xacml/xacmlrefs.html.Google Scholar
- OMG, O. M. G. 2003. Response to the uml 2.0 ocl rfp (ad/2000-09-03), revised submission, version 1.6, 6 January 2003. OMG Document ad/2003-01-07.Google Scholar
- Sun. Xacml implementation. http://sunxacml.sourceforge.net/.Google Scholar
- W3C. 2003. Enterprise privacy authorization language (epal).Google Scholar
- W3C. 2004a. Owl Web ontology language.Google Scholar
- W3C. 2004b. W3C Workshop on Constraints and Capabilities for Web Services.Google Scholar
- Zhang, N., Ryan, M., and Guelev, D. P. 2004. Synthesising verified access control systems in xacml. In 2nd ACM Workshop on Formal Methods in Security Engineering. Google ScholarDigital Library
Index Terms
- XACML Policy Integration Algorithms
Recommendations
An algebra for fine-grained integration of XACML policies
SACMAT '09: Proceedings of the 14th ACM symposium on Access control models and technologiesCollaborative and distributed applications, such as dynamic coalitions and virtualized grid computing, often require integrating access control policies of collaborating parties. Such an integration must be able to support complex authorization ...
XACML policy integration algorithms: not to be confused with XACML policy combination algorithms!
SACMAT '06: Proceedings of the eleventh ACM symposium on Access control models and technologiesXACML is the OASIS standard language for the specification of authorization and entitlement policies. However, while XACML well addresses security requirements of a single enterprise (even if large and composed by multiple departments), it does not ...
XACBench: a XACML policy benchmark
AbstractXACML standard defines a declarative language to determine access control policies which are critical for deploying security solutions. It is important to evaluate the performance of policies defined by XACML, for applications such as policy ...
Comments