Security Policy Alignment: A Formal Approach

Security policy alignment concerns the matching of security policies specified at different levels in socio-technical systems, and delegated to different agents, technical and human. For example, the policy that sales data should not leave an organization is refined into policies on door locks, firewalls and employee behavior, and this refinement should be correct with respect to the original policy. Although alignment of security policies in socio-technical systems has been discussed in the literature, especially in relation to business goals, there has been no formal treatment of this topic so far in terms of consistency and completeness of policies. Wherever formal approaches are used in policy alignment, these are applied to well-defined technical access control scenarios instead. Therefore, we aim at formalizing security policy alignment for complex socio-technical systems in this paper, and our formalization is based on predicates over sequences of actions. We discuss how this formalization provides the foundations for existing and future methods for finding security weaknesses induced by misalignment of policies in socio-technical systems.
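To make the idea of "predicates over sequences of actions" concrete, here is an added example (not code from the paper, and not its actual definitions) that models the sales-data scenario from the abstract. Policies are Python predicates over traces of actions; the organizational policy is refined into three delegated policies (firewall, employee behaviour, door lock); and an alignment check enumerates a finite, constructed set of candidate traces looking for one that every refined policy allows but the original policy forbids. The action vocabulary, the location sets, the `find_misalignment` definition and the bounded trace enumeration are all assumptions made for this illustration.

```python
"""Policies as predicates over action sequences, with a bounded check that a
set of refined policies is aligned with the high-level policy it refines.
Added illustration; the definitions below are assumptions, not the paper's."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Action:
    actor: str   # who acts (a human or a technical agent)
    verb: str    # what is done
    obj: str     # the asset acted on
    dest: str    # where the asset ends up after the action


Trace = Tuple[Action, ...]
Policy = Callable[[Trace], bool]   # a policy is a predicate over action sequences

# Constructed location model: where assets may and may not end up.
INSIDE = {"office", "file_server", "internal_mail"}
OUTSIDE = {"internet", "personal_mail", "car_park"}


# High-level organizational policy: sales data never ends up outside the org.
def sales_data_stays_inside(trace: Trace) -> bool:
    return all(not (a.obj == "sales_data" and a.dest in OUTSIDE) for a in trace)


# Refinements delegated to technical and human agents (constructed examples).
def firewall_blocks_uploads(trace: Trace) -> bool:
    return all(not (a.verb == "upload" and a.obj == "sales_data"
                    and a.dest == "internet") for a in trace)


def employees_do_not_mail_out(trace: Trace) -> bool:
    return all(not (a.verb == "email" and a.obj == "sales_data"
                    and a.dest == "personal_mail") for a in trace)


def door_lock_blocks_media(trace: Trace) -> bool:
    return all(not (a.verb == "carry" and a.obj == "sales_data"
                    and a.dest == "car_park") for a in trace)


def satisfies_all(policies: Sequence[Policy], trace: Trace) -> bool:
    return all(p(trace) for p in policies)


def find_misalignment(high_level: Policy, refined: Sequence[Policy],
                      candidates: Iterable[Trace]) -> Optional[Trace]:
    """Return a trace that every refined policy allows but the high-level
    policy forbids (a witness that the refinement is incomplete), or None
    if no such trace exists among the candidates examined."""
    for trace in candidates:
        if satisfies_all(refined, trace) and not high_level(trace):
            return trace
    return None


# Constructed action alphabet for the sales-data scenario.
ACTIONS: List[Action] = [
    Action("alice", "copy", "sales_data", "file_server"),
    Action("alice", "upload", "sales_data", "internet"),
    Action("alice", "email", "sales_data", "personal_mail"),
    Action("alice", "copy", "sales_data", "office"),      # e.g. onto removable media
    Action("alice", "carry", "sales_data", "car_park"),   # walks out with the media
    Action("bob", "email", "lunch_menu", "personal_mail"),
]


def candidate_traces(actions: Sequence[Action], max_len: int) -> List[Trace]:
    """All action sequences of length 0..max_len (bounded enumeration)."""
    traces: List[Trace] = []
    for n in range(max_len + 1):
        traces.extend(tuple(combo) for combo in product(actions, repeat=n))
    return traces


def check_partial_refinement() -> Optional[Trace]:
    """Firewall and e-mail policies alone: expect a witness (media carried out)."""
    return find_misalignment(sales_data_stays_inside,
                             [firewall_blocks_uploads, employees_do_not_mail_out],
                             candidate_traces(ACTIONS, 2))


def check_full_refinement() -> Optional[Trace]:
    """Adding the door-lock policy closes the gap over the same candidates."""
    return find_misalignment(sales_data_stays_inside,
                             [firewall_blocks_uploads, employees_do_not_mail_out,
                              door_lock_blocks_media],
                             candidate_traces(ACTIONS, 2))


if __name__ == "__main__":
    print("witness without door-lock policy:", check_partial_refinement())
    print("witness with door-lock policy:   ", check_full_refinement())
```

The witness returned by the partial refinement is exactly the kind of weakness the abstract attributes to misalignment: each delegated policy is obeyed, yet the organizational policy is violated because the refinement left a physical path uncovered. The bounded enumeration is a deliberate simplification; a real analysis would reason over the system's trace set symbolically rather than by listing short sequences.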
