Current project
I'm currently working on a project titled IISMM: a model for integrated information security management.
Motivation
Traditionally, computer security has often not been an
integral part of software systems. In practice, more often than
not, "security" is limited to periodic backups and
whatever access controls are present in the operating system. As we
enter a society where possession of information and the
ability to process it are becoming strategic resources that can be vital
to the survival of an organization, a broad and coordinated view of
information security becomes paramount. At the same time as
information becomes increasingly important, advances in communication
technology make it possible to build software systems that are highly
distributed. While providing many new possibilities, there are also
many security issues tied to the use of distributed systems. This
project is intended to contribute to the knowledge necessary for
making the transition to a new view of security that both places
security issues as an integral part of the activities within an
organization and takes into account the problems arising
through the use of distributed technology.
Aim
The aim of the project is to provide a way to model an organization
that can take into account the activities taking place within the
organization. It should also be possible to model how information
flows and is processed within the organization. The area of Workflow
Management deals with many of these issues. A key goal of the project
is to augment Workflow models with security concepts and measures.
An important entity for describing the security structure of an
organization is the concept of role. We define a role to be a position
or job function within an organizational structure. Individuals
assigned to a certain role may vary over time. Which organizational
roles exist is more static. By assigning access privileges to a
role rather than to individual users it is possible to achieve an
essentially static information security structure. Roles are also a
component in workflow task and process descriptions. Here again the
use of roles can make these descriptions independent of the
individuals that currently make up the organization.
When handling documents the trend is towards an all electronic
document life-cycle. The original document is the one stored in the
information system, print-outs are just copies of it. Storing
documents electronically opens up a number of new possibilities. One
of these is to define different views of a document. Views can be used
to restrict the access to a document for some users to certain parts
only. Views can also be used as a tool to present information in a
structured way. Another possibility for electronically stored
documents is to differentiate access to a document according to its
evolutionary state. E.g. a document draft might be changed by members of
a role assigned to work with the document while the same role might have
no access at all to the document once the document changes into the
"approved" state.
Status
To date, roles and the application of roles to access control in the
field of Role-Based Access Control have been studied. Building on work in
this field we have developed a framework for describing roles
[GS96]. In the framework an organization can be modeled as a set of roles
together with a description of how these roles are related to each
other. A role is represented by a Role Descriptor Object, RDO, that is
a 4-tuple where
- F is a function description for the role
- R is an entity describing the relations the role has to other roles
- A is a block of application data associated with the role
- U is a list of users that can assume the role.
The framework can be applied to Role-Based Access Control but
is primarily intended to be a common denominator when we move on to
achieve the sought after integration between workflow management,
information handling and access control and security.
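An added example (not from the original page or from [GS96]) of how privileges held by roles, document views and state-dependent access, as described above, could be checked in code. The RDO fields F, R, A and U follow the list above; keeping the access table in A, the dictionary shapes, and the names `Document`, `allowed` and `read` are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class RDO:
    """Role Descriptor Object with the four components F, R, A, U."""
    F: str                                 # function description for the role
    R: dict = field(default_factory=dict)  # relations to other roles (assumed shape)
    A: dict = field(default_factory=dict)  # application data; assumed: state -> view -> ops
    U: set = field(default_factory=set)    # users that can assume the role

@dataclass
class Document:
    sections: dict        # section name -> text
    views: dict           # view name -> section names visible in that view
    state: str = "draft"  # evolutionary state of the document

def allowed(roles, user, role_name, doc, op, view):
    """Deny by default: the user must be listed in U, and the role's table
    for the document's current state must grant op on the view."""
    rdo = roles.get(role_name)
    if rdo is None or user not in rdo.U:
        return False
    return op in rdo.A.get(doc.state, {}).get(view, set())

def read(roles, user, role_name, doc, view):
    """Return only the sections the view exposes, or None when denied."""
    if view not in doc.views or not allowed(roles, user, role_name, doc, "read", view):
        return None
    return {name: doc.sections[name] for name in doc.views[view]}

# Constructed sample data (hypothetical roles, users and document).
ROLES = {
    "author": RDO(F="drafts reports", R={"reports_to": "approver"},
                  A={"draft": {"full": {"read", "write"}}},  # no entry for "approved"
                  U={"alice"}),
    "approver": RDO(F="approves reports",
                    A={"draft": {"full": {"read"}}, "approved": {"full": {"read"}}},
                    U={"bob"}),
    "clerk": RDO(F="files approved reports",
                 A={"approved": {"summary": {"read"}}}, U={"carol"}),
}
DOC = Document(sections={"summary": "Q2 totals", "details": "per-unit figures"},
               views={"full": ["summary", "details"], "summary": ["summary"]})

if __name__ == "__main__":
    print(allowed(ROLES, "alice", "author", DOC, "write", "full"))
    DOC.state = "approved"
    print(allowed(ROLES, "alice", "author", DOC, "write", "full"))
    print(read(ROLES, "carol", "clerk", DOC, "summary"))
```

Reassigning a person means editing only U of the affected role; the access table in A stays as it is, which is the static security structure the text refers to.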
Publications
[GS96] Mats Gustafsson and Nahid Shahmehri, A Role Description Framework
and its Applications to Role-Based Access Control, Presented at the
IEEE WET ICE '96 International Workshop on Enterprise Security,
Stanford University, June 19-21 1996.
Mats Gustafsson
<matgu@ida.liu.se>
Last modified
1-Jul-96 12:55