A framework for managing and analyzing changes of security policies

Proceedings - 2011 IEEE International Symposium on Policies for Distributed Systems and Networks, POLICY 2011

Volumn , Issue , 2011, Pages 105-112

  Brucker, Achim D ^a   Petritsch, Helmut ^a  

^a SAP RESEARCH   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

AMOUNT OF INFORMATION; BASEL II; DYNAMIC ACCESS CONTROL; ENTERPRISE SYSTEM; EXTENSIBLE FRAMEWORK; LEGAL REGULATION; LOG FILE; SECURITY POLICY; VERSIONING;

ACCESS CONTROL; ANIMATION; LAWS AND LEGISLATION; SECURITY SYSTEMS; STATIC ANALYSIS;

NETWORK SECURITY;

EID: 80052395728     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/POLICY.2011.47     Document Type: Conference Paper

References (28)

1. M. Backes, G. Karjoth, W. Bagga, and M. Schunter. Efficient comparison of enterprise privacy policies. In H. Haddad, A. Omicini, R. L. Wainwright, and L. M. Liebrock, editors, SAC, pages 375-382, New York, NY USA, 2004. ACM Press. doi: 10.1145/967900.967983.
2. Basel Committee on Banking Supervision. Basel II: International convergence of capital measurement and capital standards. Technical report, Bank for International Settlements, Basel, Switzerland, 2004. URL http://www.bis.org/publ/bcbsca.htm.
3. D. Basin, M. Clavel, J. Doser, and M. Egea. Automated analysis of security-design models. Information and Software Technology, 51(5):815-831, 2009. ISSN 0950- 5849. doi: 10.1016/j.infsof.2008.05.011. Special Issue on Model-Driven Development for Secure Information Systems.
4. A. D. Brucker and H. Petritsch. Extending access control models with break-glass. In B. Carminati and J. Joshi, editors, ACM symposium on access control models and technologies (SACMAT), pages 197-206. ACM Press, 2009. doi: 10.1145/1542207.1542239.
5. A. D. Brucker and B. Wolff. Symbolic test case generation for primitive recursive functions. In J. Grabowski and B. Nielsen, editors, Formal Approaches to Testing of Software, number 3395 in Lecture Notes in Computer Science, pages 16-32. Springer-Verlag, 2004. doi: 10.1007/b106767.
6. A. D. Brucker and B. Wolff. HOL-TESTGEN: An interactive test-case generation framework. In M. Chechik and M. Wirsing, editors, Fundamental Approaches to Software Engineering (FASE09), number 5503 in Lecture Notes in Computer Science, pages 417-420. Springer- Verlag, 2009. doi: 10.1007/978-3-642-00593-0 28.
7. A. D. Brucker, L. Brügger, P. Kearney, and B. Wolff. Verified firewall policy transformations for test-case generation. In Third International Conference on Software Testing, Verification, and Validation (ICST), pages 345- 354. 2010. doi: 10.1109/ICST.2010.50.
8. A. D. Brucker, L. Brügger, M. P. Krieger, and B. Wolff. HOL-TESTGEN 1.5.0 user guide. Technical Report 670, ETH Zurich, Apr. 2010.
9. A. D. Brucker, L. Brügger, P. Kearney, and B. Wolff. An approach to modular and testable security models of realworld health-care applications. In ACM symposium on access control models and technologies (SACMAT). ACM Press, 2011.
10. J. Dick and A. Faivre. Automating the generation and sequencing of test cases from model-based specifications. In J. Woodcock and P. Larsen, editors, Formal Methods Europe 93: Industrial-Strength Formal Methods, volume 670 of Lecture Notes in Computer Science, pages 268- 284, Heidelberg, Apr. 1993. Springer-Verlag.
11. A. Ferreira, R. Cruz-Correia, L. Antunes, P. Farinha, E. Oliveira-Palhares, D. Chadwick, and A. Costa-Pereira. How to break access control in a controlled manner. In Proceedings of the IEEE International Symposium on Computer-Based Medical Systems (CBMS), pages 847- 854, 2006. doi: 10.1109/CBMS.2006.95.
12. K. Fisler, S. Krishnamurthi, L. A. Meyerovich, and M. C. Tschantz. Verification and change-impact analysis of access-control policies. In G.-C. Roman, W. G. Griswold, and B. Nuseibeh, editors, ICSE, pages 196- 205, New York, NY USA, 2005. ACM Press. doi: 10.1145/1062455.1062502.
13. C. Fox and P. Zonneveld. IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting. IT Governance Institute, Rolling Meadows, IL, USA, 2nd edition, Sept. 2006.
14. S. K. Ghai, P. Nigam, and P. Kumaraguru. Cue: a framework for generating meaningful feedback in XACML. In Proceedings of the 3rd ACM workshop on Assurable and usable security configuration, SafeConfig '10, pages 9-16, New York, NY USA, 2010. ACM Press. doi: 10.1145/1866898.1866901.
15. A. Ghose. Information disclosure and regulatory compliance: Economic issues and research directions. http: //ssrn.com/abstract=921770, July 2006.
16. HIPAA. Health Insurance Portability and Accountability Act of 1996. http://www.cms.hhs.gov/HIPAAGenInfo/, 1996.
17. H. Hu and G.-J. Ahn. Enabling verification and conformance testing for access control model. In ACM symposium on Access control models and technologies (SACMAT), pages 195-204, New York, NY USA, 2008. ACM Press. doi: 10.1145/1377836.1377867.
18. G. Hughes and T. Bultan. Automated verification of access control policies using a sat solver. International Journal on Software Tools for Technology, 10:503- 520, October 2008. ISSN 1433-2779. doi: 10.1007/ s10009-008-0087-9.
19. D. Jackson. Alloy: a lightweight object modelling notation. ACM Transactions on Software Engineering and Methodology, 11(2):256-290, 2002. ISSN 1049-331X. doi: 10.1145/505145.505149.
20. V. Kolovski, J. Hendler, and B. Parsia. Analyzing web access control policies. In Proceedings of the 16th international conference on World Wide Web, WWW '07, pages 677-686, New York, NY USA, 2007. ACM Press. doi: 10.1145/1242572.1242664.
21. D. Lin, P. Rao, E. Bertino, and J. Lobo. An approach to evaluate policy similarity. In V. Lotz and B. M. Thuraisingham, editors, SACMAT, pages 1-10, New York, NY USA, 2007. ACM Press. doi: 10.1145/1266840.1266842.
22. A. X. Liu, F. Chen, J. Hwang, and T. Xie. XEngine: A fast and scalable XACML policy evaluation engine. In Proceedings of the International Conference on Measurement and Modeling of Computer Systems (Sigmetrics), Annapolis, Maryland, June 2008.
23. M. Mankai and L. Logrippo. Access control policies: Modeling and validation. In Conférence Internationale sur les Nouvelles Technologies de la Repartition (NOTERE), pages 85-91, 2005.
24. OASIS. eXtensible Access Control Markup Language (XACML), version 2.0, 2005. URL http://docs.oasis-open.org/xacml/2.0/XACML-2. 0-OS-NORMATIVE.zip.
25. D. Povey. Optimistic security: A new access control paradigm. In Proceedings of the 1999 workshop on new security paradigms, pages 40-45, New York, NY USA, 1999. ACM Press. doi: 10.1145/335169.335188.
26. L. Rostad and O. Edsberg. A study of access control requirements for healthcare systems based on audit trails from access logs. In Annual Computer Security Applications Conference (ACSAC), pages 175-186, Los Alamitos, CA, USA, 2006. IEEE Computer Society. doi: 10.1109/ACSAC.2006.8.
27. A. Schaad and J. D. Moffett. A lightweight approach to specification and analysis of role-based access control extensions. In Proceedings of the seventh ACM symposium on Access control models and technologies, SACMAT '02, pages 13-22. ACM Press, 2002. doi: 10.1145/507711.507714.
28. L. Sneller and H. Langendijk. Sarbanes Oxley Section 404 Costs of Compliance: a case study. Corporate Governance: An International Review, 15(2):101- 111, 2007. URL http://econpapers.repec.org/RePEc:bla: corgov:v:15:y:2007:i:2:p:101-111.