

Policies are at the heart of any assured information sharing infrastructure for collaborative applications and may include those for access control, trust and accountability. Policies can be a key component in deciding what and how much to reveal in the discovery stage for both information seekers and providers. Policies can also drive the process of negotiation in the acquisition and release stage. Policies are needed to monitor and enforce usage control as well as for auditing and accountability. Fine-grained policy integration algorithms are needed to support dynamic coalitions and virtual organizations that need to quickly share and integrate information. Policies must adapt, based on events and contexts, to support continuous access to critical information resources. Enforcement mechanisms are also needed to allow different parties to make joint decisions about data accesses. In this talk, we first discuss the various policies that are relevant in the context of secure information sharing across collaborating organizations. We then present EXAM – an environment supporting several functions for XACML policy analysis and integration, including a policy similarity tool. The policy similarity tool is based on a lightweight ranking approach to help a party quickly locate parties with potentially similar policies for collaboration. In particular, given a policy P, the similarity measure assigns a ranking (similarity score) to each policy compared with P. We formally define the measure by taking into account various factors and prove several important properties of the measure. Our extensive experimental study demonstrates the efficiency and practical value of our approach. EXAM also supports a more fine-grained comparison technique for policies as well as an integration algebra for combining different policies. We finally discuss a model for obligation support in XACML and present a reference architecture for collaborative enforcement of access control policies.
Elisa Bertino is a Fellow of ACM and of IEEE. She received the IEEE Computer Society 2002 Technical Achievement Award and the IEEE Computer Society 2005 Kanai Award. She is a member of the editorial board of IEEE Transactions on Dependable and Secure Computing and of IEEE Security & Privacy. She is currently serving as chair of the ACM Special Interest Group on Security, Audit and Control (ACM SIGSAC).