Mats Gustafsson's research interests

Current project

I'm currently working on a project titled IISMM: a model for integrated information security management.

Motivation

Traditionally, computer security has often not been an integral part of software systems. In practice, "security" is more often than not limited to periodic backups and whatever access controls are present in the operating system. As we enter a society where possession of information and the ability to process it are becoming strategic resources that can be vital to the survival of an organization, a broad and coordinated view of information security becomes paramount. At the same time as information becomes increasingly important, advances in communication technology make it possible to build software systems that are highly distributed. While this provides many new possibilities, there are also many security issues tied to the use of distributed systems. This project is intended to contribute to the knowledge necessary for making the transition to a new view of security that both places security issues as an integral part of the activities within an organization and takes into account the problems arising through the use of distributed technology.

Aim

The aim of the project is to provide a way to model an organization that can take into account the activities taking place within the organization. It should also be possible to model how information flows and is processed within the organization. The area of Workflow Management deals with many of these issues. A key goal of the project is to augment Workflow models with security concepts and measures.

An important entity for describing the security structure of an organization is the concept of role. We define a role to be a position or job function within an organizational structure. Individuals assigned to a certain role may vary over time. Which organizational roles exist is more static. By assigning access privileges to a role rather than to individual users it is possible to achieve an essentially static information security structure. Roles are also a component in workflow task and process descriptions. Here again the use of roles can make these descriptions independent of the individuals that currently make up the organization.

When handling documents the trend is towards an all-electronic document life-cycle. The original document is the one stored in the information system; print-outs are just copies of it. Storing documents electronically opens up a number of new possibilities. One of these is to define different views of a document. Views can be used to restrict the access of some users to certain parts of a document only. Views can also be used as a tool to present information in a structured way. Another possibility for electronically stored documents is to differentiate access to a document according to its evolutionary state. E.g. a document draft might be changed by members of a role assigned to work with the document, while the same role might have no access at all to the document once the document changes into the "approved" state.
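The role, view and state-dependent access ideas described above, sketched as an added illustration (not code from the IISMM project or from [GS96]). The role names, document states, section names and the `POLICY` table are constructed assumptions; anything not listed in the table is denied.

```python
from dataclasses import dataclass, field

# Static policy (constructed sample): (role, document state) -> (operations, visible sections).
# A missing entry means no access at all (default deny).
POLICY = {
    ("author",   "draft"):    ({"read", "write"}, {"summary", "body", "budget"}),
    ("reviewer", "draft"):    ({"read"},          {"summary", "body"}),
    ("reviewer", "approved"): ({"read"},          {"summary", "body", "budget"}),
    ("staff",    "approved"): ({"read"},          {"summary"}),
}

@dataclass
class Document:
    sections: dict          # section name -> text
    state: str = "draft"    # evolutionary state: "draft" or "approved"

@dataclass
class Organization:
    members: dict = field(default_factory=dict)  # user -> set of roles (varies over time)

    def assign(self, user, role):
        self.members.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.members.get(user, set()).discard(role)

    def _grants(self, user, doc):
        """Yield the policy entries that the user's current roles have in this document state."""
        for role in self.members.get(user, ()):
            entry = POLICY.get((role, doc.state))
            if entry:
                yield entry

    def can(self, user, op, doc):
        return any(op in ops for ops, _ in self._grants(user, doc))

    def view(self, user, doc):
        """Return only the sections that some role of the user may read in the current state."""
        visible = set()
        for ops, secs in self._grants(user, doc):
            if "read" in ops:
                visible |= secs
        return {name: text for name, text in doc.sections.items() if name in visible}

    def write(self, user, doc, section, text):
        if not self.can(user, "write", doc):
            raise PermissionError(f"{user} may not write in state {doc.state!r}")
        doc.sections[section] = text
```

Reassigning people with `assign` and `revoke` never touches `POLICY`, which is the sense in which the security structure stays essentially static while the individuals change.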

Status

To date, roles and the application of roles to access control in the field of Role-Based Access Control have been studied. Building on work in this field we have developed a framework for describing roles [GS96]. In the framework an organization can be modeled as a set of roles together with a description of how these roles are related to each other. A role is represented by a Role Descriptor Object, RDO, that is a 4-tuple where The framework can be applied to Role-Based Access Control but is primarily intended to be a common denominator when we move on to achieve the sought-after integration between workflow management, information handling and access control and security.

Publications

[GS96] Mats Gustafsson and Nahid Shahmehri, A Role Description Framework and its Applications to Role-Based Access Control, Presented at the IEEE WET ICE '96 International Workshop on Enterprise Security, Stanford University, June 19-21 1996.
Mats Gustafsson <matgu@ida.liu.se>

Last modified 1-Jul-96 12:55