A Framework for Policy Similarity Evaluation and Migration Based on Change Detection

Access control facilitates controlled sharing and protection of resources in an enterprise. However, given the ubiquity of collaborative applications and scenarios, enterprises no longer function in isolation. Being able to measure policy similarity and integrate heterogeneous policies appropriately is an essential step towards secure interoperation. Existing approaches for measuring policy similarity are based on computing similarity between different components of the access control policy. However, this does not provide a pathway for integrating policies, and may not sufficiently take the security context into account. In this paper, we propose a holistic change detection approach that enables policy similarity evaluation and policy migration. Our approach more comprehensively takes into account different access control semantics to compute policy similarity and finds the common organizational policy with the least cost.
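To make the change-detection idea concrete, the following toy illustration (added here; it is not the paper's algorithm) treats each policy as a set of (subject, resource, action, effect) rules, prices the edit script between two policies with assumed costs, derives a similarity score from that cost, and picks the candidate common policy that both sides are cheapest to migrate to. The rule format, cost weights, and candidate set are all assumptions of this example.

```python
# Added illustration, not the paper's algorithm: policies as rule sets,
# similarity from a priced edit script, and a least-cost common policy.

# Constructed sample policies: rules are (subject, resource, action, effect).
POLICY_A = {
    ("alice", "report", "read", "permit"),
    ("bob", "report", "read", "permit"),
    ("bob", "report", "write", "deny"),
}
POLICY_B = {
    ("alice", "report", "read", "permit"),
    ("bob", "report", "write", "permit"),
    ("carol", "ledger", "read", "permit"),
}

# Assumed edit costs: flipping an effect is priced highest because turning a
# deny into a permit (or vice versa) changes what the policy actually allows.
COST = {"insert": 1.0, "delete": 1.0, "flip_effect": 3.0}

def change_script(src, dst):
    """Detect changes: edits (op, rule) that turn policy src into policy dst."""
    src_by = {r[:3]: r for r in src}   # keyed on (subject, resource, action)
    dst_by = {r[:3]: r for r in dst}
    ops = [("delete", r) for k, r in src_by.items() if k not in dst_by]
    ops += [("flip_effect", dst_by[k]) for k, r in src_by.items()
            if k in dst_by and dst_by[k][3] != r[3]]
    ops += [("insert", r) for k, r in dst_by.items() if k not in src_by]
    return ops

def change_cost(src, dst):
    return sum(COST[op] for op, _ in change_script(src, dst))

def similarity(p, q):
    """1.0 for identical policies; 0.0 when migrating means rebuilding q from scratch."""
    worst = COST["delete"] * len(p) + COST["insert"] * len(q)
    return 1.0 - change_cost(p, q) / worst if worst else 1.0

def candidates(p, q):
    """Assumed candidate common policies: shared rules, a deny-overrides merge, each original."""
    merged = {}
    for r in p | q:
        merged[r[:3]] = "deny" if "deny" in (merged.get(r[:3]), r[3]) else "permit"
    return [p & q, {k + (e,) for k, e in merged.items()}, set(p), set(q)]

def least_cost_common_policy(policies, cands):
    """The candidate that all policies together are cheapest to migrate to."""
    return min(cands, key=lambda c: sum(change_cost(p, c) for p in policies))

if __name__ == "__main__":
    print(f"similarity(A, B) = {similarity(POLICY_A, POLICY_B):.3f}")
    print("common policy:", least_cost_common_policy(
        [POLICY_A, POLICY_B], candidates(POLICY_A, POLICY_B)))
```

With these weights the shared-rules candidate wins because the deny-overrides merge would require flipping bob's write permission, the most expensive edit.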
