共查询到20条相似文献,搜索用时 15 毫秒
1.
This paper briefly traces the evolution of information system architectures from mainframe-connected terminals to distributed multi-tier architectures. It presents the challenges facing developers of multi-tier information systems in providing effective consistent data policy enforcement, such as access control in these architectures. Finally, it introduces “Mobile Policy” (MoP) as a potential solution and presents a framework for using mobile policy in the business logic tier of multi-tier information systems. 相似文献
2.
Frédéric Cuppens Nora Cuppens-Boulahia 《International Journal of Information Security》2008,7(4):285-305
As computer infrastructures become more complex, security models must provide means to handle more flexible and dynamic requirements.
In the Organization Based Access Control (OrBAC) model, it is possible to express such requirements using the notion of context.
In OrBAC, each security rule (permission, prohibition, obligation or dispensation) only applies in a given context. A context
is viewed as an extra condition that must be satisfied to activate a given security rule. In this paper, we present a taxonomy
of different types of context and investigate the data the information system must manage in order to deal with these different
contexts. We then explain how to model and evaluate them in the OrBAC model.
相似文献
Nora Cuppens-BoulahiaEmail: |
3.
A security policy language for wireless sensor networks 总被引:1,自引:0,他引:1
David W. Marsh Author Vitae Author Vitae Barry E. Mullins Author Vitae Author Vitae Michael R. Grimaila Author Vitae 《Journal of Systems and Software》2009,82(1):101-111
Authenticated computer system users are only authorized to access certain data within the system. In the future, wireless sensor networks (WSNs) will need to restrict access to data as well. To date, WSN security has largely been based on encryption and authentication schemes. The WSN Authorization Specification Language (WASL) is a mechanism-independent composable WSN policy language that can specify arbitrary and composable security policies that are able to span and integrate multiple WSN policies. Using WASL, a multi-level security policy for a 1000 node network requires only 60 bytes of memory per node. 相似文献
4.
为了有效管理云系统间跨域互操作中安全策略的实施,提出一种适用于云计算环境的多域安全策略验证管理技术。首先,研究了安全互操作环境的访问控制规则和安全属性,通过角色层次关系区分域内管理和域间管理,形式化定义了基于多域的角色访问控制(domRBAC)模型和基于计算树逻辑(CTL)的安全属性规范;其次,给出了基于有向图的角色关联映射算法,以实现domRBAC角色层次推理,进而构造出了云安全策略验证算法。性能实验表明,多域互操作系统的属性验证时间开销会随着系统规模的扩大而增加。技术采用多进程并行检测方式可将属性验证时间减少70.1%~88.5%,其模型优化检测模式相比正常模式的时间折线波动更小,且在大规模系统中的时间开销要明显低于正常模式。该技术在规模较大的云系统安全互操作中具有稳定和高效率的属性验证性能。 相似文献
5.
6.
7.
授权与访问控制策略模型的研究 总被引:2,自引:0,他引:2
针对现有授权与访问控制系统大规模、跨地域、分布式、多应用的发展趋势,在分析系统中策略分类和策略管理的作用的基础上,从策略之间的约束关系和策略作用范围的角度出发,创建了适应分布式环境的策略层次、策略作用域模型。 相似文献
8.
传统的访问控制主要有自主型的访问控制DAC(Discretionary Access Control)和强制型的访问控制MAC(Mandatory Access Control)。强制型访问控制是“强加”给访问主体的,即系统强制主体服从访问控制政策。自主型的访问控制是在确认主体身份以及它们所属的组的基础上,对访问进行限定的一种方法。随着企业规模的增大,企业的信息化管理变得越来越重要,企业级访问控制和安全管理设计将是最难解决的问题之一,DAC和MAC已不能满足需要。20世纪90年代 相似文献
9.
如今,Web网页的种类繁多且复杂,因此网站容易被不法分子攻击,所以网站的安全问题是需要去重视的一个重要方面,本文详细讨论了几种web网页的安全策略,也同时也提出了防火墙这个安全防护技术。 相似文献
10.
在分布式系统中,安全策略的管理是很重要的,为了对分布式系统中的安全策略方便地进行管理,并且可以适应不同类型的分布式认证系统,该文通过对RBAC96模型的研究,给出了通过结构化的语言(XML)来描述应用安全平台体系中的安全策略模型和一个实例。 相似文献
11.
策略化的安全策略集中管理模型研究 总被引:1,自引:0,他引:1
苗莽 《网络安全技术与应用》2005,1(2):42-44
分析了现存安全策略集中管理模型,提出了一种更为灵活的策略化的安全集中管理模型,并就此模型实现的关键技术做论述。最后就本模型和既有模型作出对比。 相似文献
12.
Administering security in modern enterprise systems may prove an extremely complex task. Their large scale and dynamic nature
are the main factors that contribute to this fact. A robust and flexible model is needed in order to guarantee both the easy
management of security information and the efficient implementation of security mechanisms. In this paper, we present the
foundations and the prototypical implementation of a new access control framework. The framework is mainly targeted to highly
dynamic, large enterprise systems (e.g., service provisioning platforms, enterprise portals etc.), which contain various independent
functional entities. Significant advantages gained from the application of the designated framework in such systems are epitomized
in the easiness of managing access to their hosted resources (e.g., services) and the possibility of applying distributable
management schemes for achieving it. The proposed framework allows for multi-level access control through the support of both
role-based and user-based access control schemes. Discussion is structured in three distinct areas: the formal model of the
proposed framework, the data model for supporting its operation, and the presentation of a prototypical implementation. The
development of the framework is based on open technologies like XML, java and Directory Services. At the last part of the
paper the results of a performance assessment are presented, aiming to quantify the delay overhead, imposed by the application
of the new framework in a real system.
Ioannis Priggouris received his B.Sc. in Informatics from the Department of Informatics & Telecommunications of the University of Athens, Greece
in 1997 and his M.Sc. in Communication Systems and Data Networks from the same Department in 2000. Over the last years he
has been a PhD candidate in the department. Since 1999, he has been a member of the Communication Networks Laboratory (CNL)
of the University of Athens. As a senior researcher of the CNL he has participated in several EU projects implemented in the
context of IST, namely the EURO-CITI and the PoLoS projects. He has also been extensively involved in several National IT
Research projects. His research interests are in the areas of mobile computing, QoS and mobility support for IP networks,
and network security. He is the author of several papers and book chapters in the aforementioned areas.
Stathes Hadjiefthymiades received his B.Sc. (honors) and M.Sc. in Informatics from the Dept. of Informatics, University of Athens, Greece, in 1993
and 1996 respectively. In 1999 he received his Ph.D. from the University of Athens (Dept. of Informatics and Telecommunications).
In 2002 he received a joint engineering-economics M.Sc. from the National Technical University of Athens. In 1992 he joined
the Greek consulting firm Advanced Services Group, Ltd., where he was involved in the analysis, design and implementation
of telematic applications and other software systems. In 1995 he joined, as research engineer, the Communication Networks
Laboratory (UoA-CNL) of the University of Athens. During the period September 2001-July 2002, he served as a visiting assistant
professor at the University of Aegean, Dept. of Information and Communication Systems Engineering. On the summer of 2002 he
joined the faculty of the Hellenic Open University (Dept. of Informatics), Patras, Greece, as an assistant professor. Since
December 2003, he is in the faculty of the Dept. of Informatics and Telecommunications, University of Athens, where he is
presently an assistant professor and coordinator of the Pervasive Computing Research Group. He has participated in numerous
projects realized in the context of EU programs (ACTS, ORA, TAP, and IST), EURESCOM projects, as well as national initiatives.
His research interests are in the areas of web engineering, wireless/mobile computing, and networked multimedia applications.
He is the author of over 100 publications in the above areas. 相似文献
13.
Web服务中基于XML的RBAC策略模型 总被引:5,自引:2,他引:5
访问控制系统由于分布式网络的发展而日趋复杂,并且已经延伸到了多个领域,由于没有统一的描述语言,为各系统之间带来了互操作性问题。简要介绍了可扩展访问控制标记语言XACML的原理,针对Web服务中的访问控制问题,将XACML与基于角色的访问控制模型相结合,提出了一种基于角色的访问控制策略模型。策略模型适应网络分布式发展,提供了一种解决不同系统之间访问控制的互操作问题的方法。 相似文献
14.
针对基于角色的访问控制模型(RBAC)和职责分离(SoD)这一重要的安全原则,提出了一种基于风险的安全策略—Fuzzy Security Policy(FSP),采用资质表达式限定执行敏感任务的用户数量和身份,采用风险度向量方法量化用户角色授权风险,运用模糊综合评估法分析满足资质约束的用户集执行多项任务的聚集风险;进一步讨论了给定系统配置和风险阈值的安全策略的可满足性,并给出了判定用户集是否满足安全策略的算法。这种安全策略可以为组织选择符合安全需求的用户集执行任务。 相似文献
15.
One reason workflow systems have been criticized as being inflexible is that they lack support for delegation. This paper shows how delegation can be introduced in a workflow system by extending the role-based access control (RBAC) model. The current RBAC model is a security mechanism to implement access control in organizations by allowing users to be assigned to roles and privileges to be associated with the roles. Thus, users can perform tasks based on the privileges possessed by their own role or roles they inherit by virtue of their organizational position. However, there is no easy way to handle delegations within this model. This paper tries to treat the issues surrounding delegation in workflow systems in a comprehensive way. We show how delegations can be incorporated into the RBAC model in a simple and straightforward manner. The new extended model is called RBAC with delegation in a workflow context (DW-RBAC). It allows for delegations to be specified from a user to another user, and later revoked when the delegation is no longer required. The implications of such specifications and their subsequent revocations are examined. Several formal definitions for assertion, acceptance, execution and revocation are provided, and proofs are given for the important properties of our delegation framework. 相似文献
16.
The concept of roles has been prevalent in the area of Information Security for more than 15 years already. It promises simplified and flexible user management, reduced administrative costs, improved security, as well as the integration of employees’ business functions into the IT administration. A comprehensive scientific literature collection revealed more than 1300 publications dealing with the application of sociological role theory in the context of Information Security up to now. Although there is an ANSI/NIST standard and an ISO standard proposal, a variety of competing models and interpretations of the role concept have developed. The major contribution of this survey is a categorization of the complete underlying set of publications into different classes. The main part of the work is investigating 32 identified research directions, evaluating their importance and analyzing research tendencies. An electronic bibliography including all surveyed publications together with the classification information is provided additionally. As a final contribution potential future developments in the area of role-research are considered. 相似文献
17.
该文提出了在当今校园网环境下,从构建安全的分布式校园网边界路由防火墙系统角度出发,研究在边界路由器上采取针对校园网内部网络的报文过滤和针对路由系统本身的安全策略,并在淮阴师范学院校园网中进行了典型应用,实践证明可以达到事半功倍的网络安全目的。 相似文献
18.
The paper describes the development of a formal security policy model in Z for the NATO Air Command and Control System (ACCS): a large, distributed, multilevel-secure system. The model was subject to manual validation, and some of the issues and lessons in both writing and validating the model are discussed 相似文献
19.
Specification and static enforcement of scheduler-independent noninterference in a middleweight Java
We introduce a new timing covert channel that arises from the interplay between multithreading and object orientation. This example motivates us to explore the root of the problem and to devise a mechanism for preventing such errors. In doing so, we first add multithreading constructs to Middleweight Java, a subset of the Java programming language with a fairly rich set of features. A noninterference property is then presented which basically demands program executions be equivalent in the view of whom observing final public values in environments using the so-called high-independent schedulers. It is scheduler-independent in the sense that no matter which scheduler is employed, the executions of the program satisfying the property do not lead to illegal information flows in the form of explicit, implicit, or timing channels. We also give a provably sound type-based static mechanism to enforce the proposed property. 相似文献
20.
Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Having been drawn on the social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief‐noncompliance relationship than the principled climate. 相似文献