Applied Dynamic Policy Selection

Florian Reimair, Bernd Prünster, Andreas Reiter, Christian Ertler

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Research › peer-review

Abstract

Cloud key services are prominent targets for attacks. In fact, every service guarding sensitive data uses a policy system to do so. As of today, such policies are mostly static. However, as system environments change and attacks grow more sophisticated, such static policies cannot always sufficiently cope with attacks and may even unnecessarily hinder the legitimate user. We believe that more fine-grained and reactive protection systems are needed to meet modern security requirements. We propose a concept to separate the concerns of policy enforcement and the policies themselves as a basis for more flexible and dynamic policy enforcement. With policies no longer interfering with a system's business logic, we can introduce strategies and actions which preselect rules based on system information for the policy enforcement to use. In order to understand the characteristics and capabilities of the proposed concept, we implemented two case studies based on CrySIL and XACML. We show that our concept can be gradually integrated with existing systems while at the same time easing maintenance of policy sets. Furthermore, it enables policy sharing and joint definition and refinement of strategies, actions, and security rules, resulting in powerful security policies at minimal cost. All in all, our solution fosters deployment of reactive security systems.
Original language: English
Title of host publication: 2016 IEEE Conference on Communications and Network Security (CNS 2016)
Number of pages: 9
ISBN (Electronic): 978-1-5090-3065-1
DOIs: https://doi.org/10.1109/CNS.2016.7860542
Publication status: Published - 19 Oct 2016

Fingerprint

Security systems
Information systems
Costs
Industry

Keywords

  • dynamic security policies
  • reactive security systems
  • cloud key service

ASJC Scopus subject areas

  • Computer Science (miscellaneous)

Cite this

Reimair, F., Prünster, B., Reiter, A., & Ertler, C. (2016). Applied Dynamic Policy Selection. In 2016 IEEE Conference on Communications and Network Security (CNS 2016) https://doi.org/10.1109/CNS.2016.7860542

@inproceedings{2461c6f66714461e8b7dd5e2fa1b5054,
title = "Applied Dynamic Policy Selection",
abstract = "Cloud key services are prominent targets for attacks. In fact, every service guarding sensitive data uses a policy system to do so. As of today, such policies are mostly static. However, as system environments change and attacks grow more sophisticated, such static policies cannot always sufficiently cope with attacks and may even unnecessarily hinder the legitimate user. We believe that more fine-grained and reactive protection systems are needed to meet modern security requirements. We propose a concept to separate the concerns of policy enforcement and the policies themselves as a basis for more flexible and dynamic policy enforcement. With policies no longer interfering with a system's business logic, we can introduce strategies and actions which preselect rules based on system information for the policy enforcement to use. In order to understand the characteristics and capabilities of the proposed concept, we implemented two case studies based on CrySIL and XACML. We show that our concept can be gradually integrated with existing systems while at the same time easing maintenance of policy sets. Furthermore, it enables policy sharing and joint definition and refinement of strategies, actions, and security rules, resulting in powerful security policies at minimal cost. All in all, our solution fosters deployment of reactive security systems.",
keywords = "dynamic security policies, reactive security systems, cloud key service",
author = "Florian Reimair and Bernd Pr{\"u}nster and Andreas Reiter and Christian Ertler",
year = "2016",
month = "10",
day = "19",
doi = "10.1109/CNS.2016.7860542",
language = "English",
booktitle = "2016 IEEE Conference on Communications and Network Security (CNS 2016)",
}
