Security policy compliance with violation management

Brunel, Julien; Cuppens, Frédéric; Cuppens, Nora; Sans, Thierry; Bodeveix, Jean-Paul

doi:10.1145/1314436.1314441

Cited by 17 publications

(4 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For instance, in Liu et al 2007 the problem of static (i.e., before process execution) compliance checking of process models against compliance rules is addressed by expressing the models in pi-calculus and the corresponding rules in linear temporal logic; then, model checking techniques are used to determine whether a process model complies with the rules or not. In Brunel et al 2007, policies are modeled and checked as deontic sentences (i.e., rules are of the form "it is obligatory that X..." or "it is permitted that Y..."); then, a system can be compliant even if violations occur, in which case, a second-level set of rules might be applied, for which, again, compliance needs to be checked. A similar modeling technique is presented in Saqid et al 2007 from it and used to annotate the process model so that control concerns can be visualized in the process model space.…”

Section: Related Workmentioning

confidence: 99%

Aiding Compliance Governance in Service-Based Business Processes

Silveira

Rodríguez

Birukou

et al. 2012

Handbook of Research on Service-Oriented Systems and Non-Functional Properties

View full text Add to dashboard Cite

Assessing whether a company’s business practices conform to laws and regulations and follow standards and SLAs, i.e., compliance management, is a complex and costly task. Few software tools aiding compliance management exist; yet, they typically do not address the needs of who is actually in charge of assessing and understanding compliance. We advocate the use of a compliance governance dashboard and suitable root cause analysis techniques that are specifically tailored to the needs of compliance experts and auditors. The design and implementation of these instruments are challenging for at least three reasons: (1) it is fundamental to identify the right level of abstraction for the information to be shown; (2) it is not trivial to visualize different analysis perspectives; and (3) it is difficult to manage and analyze the large amount of involved concepts, instruments, and data. This chapter shows how to address these issues, which concepts and models underlie the problem, and, eventually, how IT can effectively support compliance analysis in Service-Oriented Architectures (SOAs).

show abstract

Section: Related Workmentioning

confidence: 99%

Aiding Compliance Governance in Service-Based Business Processes

Silveira

Rodríguez

Birukou

et al. 2012

Handbook of Research on Service-Oriented Systems and Non-Functional Properties

View full text Add to dashboard Cite

show abstract

“…Subsequently the consumer must provide evidence that the provisional actions have been taken and that he has committed himself to the obligations and compensations. Compensations, or sanctions as they are termed, is also proposed formally in [5]. The authors show how a system may violate certain rules in a policy and still be compliant with the policy through fulfilling a set of sanctions.…”

Section: Reactive Enforcementmentioning

confidence: 99%

Usage Control Enforcement - A Survey

Nyre

2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Sharing information allows businesses to take advantage of hidden knowledge, improve work processes and cooperation both within and across organisations. Thus there is a need for improved information protection capable of restricting how information is used, as opposed to only accessed. Usage Control has been proposed to achieve this by combining and extending traditional access control, Digital Rights Management and various encryption schemes. Advances in usage control enforcement has received considerable attention from the research community and we therefore believe there is a need to synthesise these efforts to minimise the potential for overlap. This paper surveys the previous efforts on providing usage control enforcement and analyses the general strengths and weaknesses of these approaches. In this paper we demonstrate that there are several promising mechanisms for enforcing usage control, but that reliable empirical evidence is required in order to ensure the appropriateness and usability of the enforcement mechanisms.

show abstract

“…Unaware of any implementation of a generic usage control language that supports compensations, we have developed a proof-of-concept policy language fit for the ESB. Compared to theoretic works on access control compensations [17], violation management [18] and obligation assessment [19,20], we go beyond access control and provide an implementation of compensations on the fly. This means that whenever a violation of some service usage rule is detected, the correction happens as the event travels through the system, before it reaches some interested party.…”

Section: Related Workmentioning

confidence: 99%

xESB: An Enterprise Service Bus for Access and Usage Control Policy Enforcement

Gheorghe

Neuhaus

Crispo

2010

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Enforcing complex policies that span organizational domains is an open challenge. Current work on SOA policy enforcement splits security in logical components that can be distributed across domains, but does not offer any concrete solution to integrate this security functionality so that it works across security services for organization-wide policies. In this paper, we propose xESB, an enhanced version of an Enterprise Message Bus (ESB), where we monitor and enforce preventive and reactive policies, both for access control and usage control policies, and both inside one domain and between domains. In addition, we introduce indicators that help SOA administrators assess the effectiveness of their policies. Our performance measurements show that policy enforcement at the ESB level comes with only moderate penalties.

show abstract

Security policy compliance with violation management

Cited by 17 publications

References 25 publications

Aiding Compliance Governance in Service-Based Business Processes

Aiding Compliance Governance in Service-Based Business Processes

Usage Control Enforcement - A Survey

xESB: An Enterprise Service Bus for Access and Usage Control Policy Enforcement

Contact Info

Product

Resources

About