next up previous
Next: Related work Up: The Set and Function Previous: The Set and Function


Introduction

The Internet has rapidly evolved into a platform that supports business and services such as e-commerce, electronic publishing, and health care. Security compromises now have real-world consequences, resulting in the release of sensitive or protected information and in monetary loss. Attacks on medically critical computing capabilities might even result in loss of human life. The ability to define and enforce fine-grained security policies for systems and services is important in such settings, and the ability to understand such security policies is critical if they are to be correctly written or implemented. Unfortunately, as the complexity of these systems grows, their policies are becoming harder to define correctly and more difficult to enforce.

To cope with the growing complexity of policy specification it is useful to design a conceptual model that gives a structured way to think about policies. A model enables one to better understand the domain of study, visualize the main elements and their behavior at some chosen level of detail and use a short hand notation for precise description and decreased ambiguity. Furthermore, the conceptual integrity of a system derives from a coherent high-level view of the system organization and functionality. Thus, one of the main objectives of this work is to construct a conceptual model for policy representation and evaluation. For doing so, we use a methodology based on concepts of sets and functions.

In this paper we are interested only in the class of authorization policies, rather than the wider range of policies such as distributed system management policies. The goal of authorization policies is to govern access to objects. Supporting such policies takes the form of monitoring and restricting user activity within the distributed system (access control), making authorization decisions (authorization), and performing the actions necessary to modify the behavior of the system (policy enforcement).

An authorization policy specifies conditions that must be satisfied before, during, or after the access right is exercised. For example, it may be desirable to enforce the following policy: ``A process can be run on the host 1#1 if the request originates from a domain 2#2 and the process does not use more than 20% of the CPU time. An audit record about the started process must be generated''.

This policy specifies several conditions:

  1. location of the requester
    This condition must be satisfied before the access right ``process run'' is granted.

  2. system load
    This condition must hold while the process is running.

  3. audit record generation
    This condition must be met after the process is started.

Our model captures this intuitive notion of authorization policy and provides a formalism for the policy representation and evaluation.
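The three-phase reading of the sample policy can be made concrete in code. The following is an added illustration, not code from the paper or from its authors' implementation: it tags each condition with the phase in which it must hold and drives a request through the phases in order. The names Request, Condition, Policy and run_process, the trusted domain "example.org", the host name "host1" and the CPU-share readings are all assumptions made for the example; only the 20% limit and the three conditions come from the policy stated above. Note that the post-condition has a side effect on system state (it appends to the audit log), which is exactly the kind of effect the model is meant to make explicit.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed values for the example. The paper names the domain and host
# symbolically; "example.org" and "host1" are placeholders chosen here.
TRUSTED_DOMAIN = "example.org"
CPU_LIMIT = 0.20          # 20% of CPU time, from the sample policy in the text


@dataclass
class Request:
    """The access request the policy is evaluated against."""
    origin_domain: str    # domain the request originates from
    host: str             # host the process is to run on
    operation: str        # requested access right, e.g. "process run"


@dataclass
class Condition:
    """One policy condition tagged with the phase in which it must hold."""
    phase: str            # "pre" (before grant), "during" (while running), "post" (after start)
    name: str
    check: Callable[..., bool]


class Policy:
    """Evaluates conditions phase by phase."""

    def __init__(self, conditions: List[Condition]) -> None:
        self.conditions = conditions

    def _phase(self, phase: str) -> List[Condition]:
        return [c for c in self.conditions if c.phase == phase]

    def authorize(self, req: Request) -> bool:
        """Phase 1: every pre-condition must hold before the right is granted."""
        return all(c.check(req) for c in self._phase("pre"))

    def monitor(self, req: Request, cpu_share: float) -> bool:
        """Phase 2: during-conditions are re-checked while the process runs.
        A False result means the running process must be stopped."""
        return all(c.check(req, cpu_share) for c in self._phase("during"))

    def finalize(self, req: Request, audit_log: List[str]) -> bool:
        """Phase 3: post-conditions are obligations carried out after the
        process has started. Here the obligation modifies system state."""
        return all(c.check(req, audit_log) for c in self._phase("post"))


def origin_ok(req: Request) -> bool:
    """Pre-condition: location of the requester."""
    return req.origin_domain == TRUSTED_DOMAIN


def cpu_ok(req: Request, cpu_share: float) -> bool:
    """During-condition: system load stays within the 20% limit."""
    return cpu_share <= CPU_LIMIT


def write_audit(req: Request, audit_log: List[str]) -> bool:
    """Post-condition: generate an audit record about the started process."""
    audit_log.append(f"started {req.operation!r} on {req.host} for {req.origin_domain}")
    return True


SAMPLE_POLICY = Policy([
    Condition("pre", "location of the requester", origin_ok),
    Condition("during", "system load", cpu_ok),
    Condition("post", "audit record generation", write_audit),
])


def run_process(policy: Policy, req: Request, cpu_samples: List[float]) -> Dict[str, object]:
    """Drive one request through all three phases.

    cpu_samples are constructed CPU-share readings taken while the process runs.
    Returns whether access was granted, the index of the sample at which the
    process was stopped (None if it ran to completion), and the audit records.
    """
    audit_log: List[str] = []
    killed_at: Optional[int] = None
    if not policy.authorize(req):
        # Denied before the right is ever exercised; no process, no audit record.
        return {"granted": False, "killed_at": killed_at, "audit": audit_log}
    # The process starts here; the post-condition fires right after the start.
    policy.finalize(req, audit_log)
    for i, share in enumerate(cpu_samples):
        if not policy.monitor(req, share):
            killed_at = i
            break
    return {"granted": True, "killed_at": killed_at, "audit": audit_log}


if __name__ == "__main__":
    ok = Request(TRUSTED_DOMAIN, "host1", "process run")
    print(run_process(SAMPLE_POLICY, ok, [0.05, 0.10, 0.35]))
```

The ordering in run_process is the point: the pre-condition decides whether the right is granted at all, the post-condition runs once as an obligation tied to the start of the process, and the during-condition is the only one evaluated repeatedly, because it is the only one that can change from satisfied to violated while the access is in progress.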

There has been extensive research in authorization and a number of formal models have been developed.

Some of these contributions focus on addressing authorization requirements for specific policy domains, e.g., database systems [3], collaborative environments [17], or separation of duty [2]. Others are concerned with a particular access control mechanism, such as an ACL [1].

What is still missing is a unified view of authorization in a distributed, multi-policy environment. Such an environment is composed of connected, independent computer systems managed by separate administrative authorities. In a multi-policy environment, policy integration should accommodate the diverse authorization models that can coexist in a distributed system, since the administrators of each domain might express their security policies by means of different formalisms.

Generalizing the way that applications define their authorization requirements provides the means for integration of local and distributed security policies and translation of security policies across multiple authorization models.

Our paper describes an authorization model designed to meet these needs. In particular, our model allows us to represent existing access control models (e.g., ACL and capability) in a uniform and consistent manner.

The model simplifies the specification of complex authorization policies and provides a generic policy evaluation environment. Furthermore, the model provides a general basis for identifying and resolving issues that were not well understood before, such as the side effects of policy evaluation on the system state and on related policies.

By separating generic from domain specific elements, we ensure that the model is extensible to arbitrary (authorization policy) domains.

We keep our model simple and practical so that it can serve as an aid to implementation. We have found that the model suggests implementation ideas, for example that the implementation of conditions should be organized around the three phases (before, during, and after the access).

Our final goal is to implement a subset of our conceptual model and provide a programmable framework for different kinds of policies. The framework maps real-world policy entities, such as users, resources, and organizational policies, to the representation of these entities in the programming environment. A discussion of the initial implementation can be found in [14].


Tatyana Ryutov 2002-06-25