Policy-based authorization systems are becoming more common as information systems become larger and more complex. In these systems, to authorize a requester to access a particular resource, the authorization system must verify that the policy authorizes the access. The overall authorization policy may consist of a number of policy groups, where each group consists of policies defined by different entities. Each policy contains a number of authorization rules. The access request is evaluated against these policies, which may produce conflicting authorization decisions. To resolve these conflicts and to reach a unique decision for the access request at the rule and policy level, rule and policy combination algorithms are used. In the current systems, these rule and policy combination algorithms are defined on a static basis during policy composition, which is not desirable in dynamic systems with fast changing environments. In this paper, we motivate the need for changing the rule and policy combination algorithms dynamically based on contextual information. We propose a framework that supports this functionality and also eliminates the need to recompose policies if the owner decides to change the combination algorithm. It provides a novel method to dynamically add and remove specialized policies, while retaining the clarity and modularity in the policies. The proposed framework also provides a mechanism to reduce the set of potential target matches, thereby increasing the efficiency of the evaluation mechanism. We developed a prototype system to demonstrate the usefulness of this framework by extending some basic capabilities of the XACML policy language. We implemented these enhancements by adding two specialized modules and several new combination algorithms to the Sun XACML engine.
Demand response (DR) systems are gaining fast adoption and utilities are increasingly relying on them for peak load shaving, demand side management, and maintaining power quality. DR systems are cyber-physical systems (CPS) where the communication component is cyber, whereas the control components have physical effects. As DR systems experience wider adoption and manipulate much larger loads, achieving scalability has become an important concern. On the other hand, demand response events are often sporadic, and maintaining systems and infrastructure that could easily scale up or down is often desirable for utility companies in terms of operational cost, which makes us envision that DR systems would eventually move to the cloud. However, moving to cloud is not an elixir as it brings some concerns of its own. In this paper, we focus on OpenADR 2.0-based systems and discuss security properties and challenges that must be considered when migrating DR systems to the cloud.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.