Defense in Depth Formulation and Usage in Dynamic Access Control

Many network systems secure their resources using a defense in depth strategy, which can result in complex policies being distributed across the many access control points of a network. These policies change frequently in response to factors such as changes in the security situation or in the resources. Moreover, while we have a vague intuitive understanding of the defense in depth strategy, we lack a rigorous definition of it that would allow us to objectively assess whether a policy distribution on a network satisfies this strategy. In this paper, we propose a definition of defense in depth based on a notion of refinement given in product family algebra. We use this definition to articulate several implementations of the defense in depth strategy, taking into account local access policies and global constraints on the resources of the considered network. We also discuss the automation of the calculations needed to derive the appropriate access policies to deploy at the nodes of a network.
