User-friendly and Tailored Policy Administration Points

Manuel Rudolph

2015

Abstract

Nowadays, more and more data are collected and processed, including sensitive private and business-critical data, and the need to protect them is increasing. Therefore, we must first know precisely what access and usage constraints must look like. Thus, users with varying levels of security expertise must be enabled to specify their security demands for protecting sensitive data. Security policies are an adequate instrument for specifying security demands, but policies can become very complex and therefore hard to understand and to specify. An error-prone specification can cause immense damage due to unintended data leakage and a mistaken perception of security. Current policy specification interfaces, so-called Policy Administration Points (PAPs), are neither easy to use nor understandable for less experienced users. Currently, no systematic approach exists for developing user-friendly PAPs tailored to the specific needs of individual users and domains. With current engineering methods, such tailoring of PAPs would be a very effort-intensive task. To tackle this problem, a novel approach for engineering user-friendly and tailored Policy Administration Points is developed in the author's PhD and presented in this paper.



Paper Citation


in Harvard Style

Rudolph M. (2015). User-friendly and Tailored Policy Administration Points. In Doctoral Consortium - DCISSP, (ICISSP 2015) ISBN , pages 3-12


in Bibtex Style

@conference{dcissp15,
author={Manuel Rudolph},
title={User-friendly and Tailored Policy Administration Points},
booktitle={Doctoral Consortium - DCISSP, (ICISSP 2015)},
year={2015},
pages={3-12},
publisher={SciTePress},
organization={INSTICC},
doi={},
isbn={},
}

