Elisa Bertino, Purdue University EXAM - A Comprehensive Environment for the Analysis and Management of Access Control Policies Friday, October 26 ABSTRACT Policies are at the heart of any assured information sharing infrastructure for collaborative applications and may include those for access control, trust and accountability. Policies can be a key component in deciding what and how much to reveal in the discovery stage for both information seekers and providers. Policies can also drive the process of negotiation in the acquisition and release stage. Policies are needed to monitor and enforce usage control as well as for auditing and accountability. Fine-grained policy integration algorithms are needed to support dynamic coalitions and virtual organizations that need to quickly share and integrate information. Policies must adapt, based on events and contexts, to support continuous access to critical information resources. Enforcement mechanisms are also needed to allow different parties to take joint decisions about data accesses. In this talk, we first discuss the various policies that are relevant in the context of secure information sharing across collaborating organizations. We then present EXAM - an environment supporting several functions for XACML policy analysis, including a policy similarity tool, and integration. The policy similarity tool is based on a light-weight ranking approach to help a party quickly locate parties with potentially similar policies for collaboration. In particular, given a policy P, the similarity measure assigns a ranking (similarity score) to each policy compared with P. We formally define the measure by taking into account various factors and prove several important properties of the measure. Our extensive experimental study demonstrates the efficiency and practical value of our approach. EXAM also supports a more fine-grained comparison technique for policies as well as an integration algebra for combining different policies. We finally discuss a model for obligation support in XACML and present a reference architecture for collaborative enforcement of access control policies. BIOGRAPHY Elisa Bertino is professor of computer science at Purdue University, and serves as Director of Purdue Cyber Center and Research Director of the Center for Information and Research in Information Assurance and Security (CERIAS). Prior to joining Purdue in 2004, she was a professor and department head at the Department of Computer Science and Communication of the University of Milan. She has been a visiting researcher at the IBM Research Laboratory (now Almaden) in San Jose, at the Microelectronics and Computer Technology Corporation, at Rutgers University, at Telcordia Technologies. Her recent research focuses on database security, digital identity management, policy systems, and security for web services. Elisa Bertino is a Fellow of ACM and of IEEE. She received the IEEE Computer Society 2002 Technical Achievement Award and the IEEE Computer Society 2005 Kanai Award. She a member of the editorial board of IEEE Transactions on Dependable and Secure Computing, and IEEE Security & Privacy. She is currently serving as chair of the ACM Special Interest Group on Security, Audit and Control (ACM SIGSAC).