TY - GEN
T1 - Policy Reconciliation and Migration in Attribute Based Access Control
AU - Batra, Gunjan
AU - Atluri, Vijayalakshmi
AU - Vaidya, Jaideep
AU - Sural, Shamik
N1 - Funding Information:
Research reported in this publication was supported by the National Science Foundation under awards CNS-1624503 and CNS-1747728. The content is solely the responsibility of the authors and does not necessarily represent the official views of the agencies funding the research. We would like to thank Dr. Yiannis Koutis for his valuable suggestions.
Publisher Copyright:
© 2019, Springer Nature Switzerland AG.
PY - 2019
Y1 - 2019
N2 - Today, organizations do not work in silos, but rather collaborate, work jointly and share data resources for various business benefits such as storage, management, analytics, etc. In this scenario, organizations want to ensure that their own security requirements are always met, even though they may be sharing/moving their resources to another organization. Hence, there is a need to evaluate the extent to which their policies are similar (or equivalent) i.e., to what extent do they both agree on a common set of security requirements (policy)? When the policies are not identical, there is also a need to evaluate the differences and see how these differences can be reconciled so that the organizations can be brought to agreement in terms of their security requirements. To address this issue, in this paper, we first propose the notion of policy equivalence and develop methods to evaluate the policy similarity. We also propose two different approaches for accomplishing policy reconciliation where one is based on ABAC mining and the other is based on finding maximal common subsets. Both of the approaches guarantee that the organization’s policies are never violated as they are both conservative in nature. Further, it is also possible that the organizations in the collaboration decide to pick one organization and each of them migrates to the policy. We propose a migration approach for organizations in this setting which will incur least migration cost for all the organizations. We compare both the reconciliation approaches and policy migration with respect to their reconciliation results as well as performance.
AB - Today, organizations do not work in silos, but rather collaborate, work jointly and share data resources for various business benefits such as storage, management, analytics, etc. In this scenario, organizations want to ensure that their own security requirements are always met, even though they may be sharing/moving their resources to another organization. Hence, there is a need to evaluate the extent to which their policies are similar (or equivalent) i.e., to what extent do they both agree on a common set of security requirements (policy)? When the policies are not identical, there is also a need to evaluate the differences and see how these differences can be reconciled so that the organizations can be brought to agreement in terms of their security requirements. To address this issue, in this paper, we first propose the notion of policy equivalence and develop methods to evaluate the policy similarity. We also propose two different approaches for accomplishing policy reconciliation where one is based on ABAC mining and the other is based on finding maximal common subsets. Both of the approaches guarantee that the organization’s policies are never violated as they are both conservative in nature. Further, it is also possible that the organizations in the collaboration decide to pick one organization and each of them migrates to the policy. We propose a migration approach for organizations in this setting which will incur least migration cost for all the organizations. We compare both the reconciliation approaches and policy migration with respect to their reconciliation results as well as performance.
KW - ABAC
KW - Policy equivalence
KW - Policy migration
KW - Policy reconciliation
KW - Policy similarity
UR - http://www.scopus.com/inward/record.url?scp=85076883717&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85076883717&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-36945-3_6
DO - 10.1007/978-3-030-36945-3_6
M3 - Conference contribution
AN - SCOPUS:85076883717
SN - 9783030369446
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 99
EP - 120
BT - Information Systems Security - 15th International Conference, ICISS 2019, Proceedings
A2 - Garg, Deepak
A2 - Kumar, N. V.
A2 - Shyamasundar, Rudrapatna K.
PB - Springer
T2 - 15th International Conference on Information Systems Security, ICISS 2019
Y2 - 16 December 2019 through 20 December 2019
ER -