Download - Academy Publisher
ISBN 978-952-5726-09-1 (Print)
Proceedings of the Second International Symposium on Networking and Network Security (ISNNS ’10)
Jinggangshan, P. R. China, 2-4 April 2010, pp. 214-217

Research on Security Policy and Framework

Dongliang Jiao 1,2, Lianzhong Liu 1, Shilong Ma 2, and Xiaoni Wang 1
1 Key Laboratory of Beijing Network Technology, Beihang University, Beijing, China
Email: {jiao_dl, lianzhong-liu, xiaoni_wang}@163.com
2 State Key Laboratory of Software Development Environment, Beihang University, Beijing, China
Email: slma@nlsde.buaa.edu.cn

Abstract—Policies are rules that govern the choices in behaviors of a system. Security policies define what actions are permitted or not permitted, for what or for whom, and under what conditions. This paper gives an overview of the present state of research on policy, including the definition of policy and security policy, policy languages, policy conflict detection and policy frameworks. Finally, a summary and the future trends of policy and security policy study are given.

Index Terms—Policy, Security policy, Policy Framework, Interval Temporal Logic (ITL), Ponder Language

Ⅰ. INTRODUCTION

As systems become increasingly complex, the development of methodologies for their security and effective management becomes more and more critical. One important aspect of this general systems management problem is that of being able to raise the level of abstraction [1]. This requirement is commonly described as the ability to deal with systems in terms of policies rather than explicit controls.

Policy means different things to different people. For our purposes, the term “policy” is defined as high-level rules for implementing the goals, beliefs, and objectives of an enterprise. There are three types of policies, and you will use each type at different times in your information security program and throughout the organization to support the business process or mission. The three types of policies include [2]:

1) Global policies. These are used to create the organization’s overall vision and direction.
2) Topic-specific policies. These address particular subjects of concern. We discuss the information security architecture and each category.
3) Application-specific policies. These focus on decisions taken by management to control particular applications (financial reporting, payroll, etc.) or systems (budgeting system).

Ⅱ. SECURITY POLICY

A security policy establishes what must be done to protect information stored on computers. A well-written policy contains sufficient definition of “what” to do so that the “how” can be identified and measured or evaluated [3].

Supported by Co-Funding Project of Beijing Municipal Education Commission under Grant No. JD100060630
© 2010 ACADEMY PUBLISHER
AP-PROC-CS-10CN006

Figure 1. Three types of policies (labels: Global policies; Topic-specific policies; Application-specific policies).
Figure labels, "Three kinds of policies describe ways": Policy specification description language; Rule-based language; Logic-based language.

The goal of a security policy is to maintain the integrity, confidentiality, and availability of information resources [4]. Confidentiality requires that the information or resources in a computer system only be disclosed to authorized parties. Integrity includes data integrity (the content of the information) and origin integrity (the source of the data, often called authentication). Availability is concerned with the ability to use the information or resource desired. The aspect of availability that is relevant to security is that someone may deliberately arrange to deny access to data or to a service by making it unavailable to legitimate parties.

To enforce the above requirements, three mutually supportive technologies are used: authentication, access control and auditing [5].

1) Authentication: deals with the identification of users.
2) Access control: is concerned with limiting the activity of users who have been successfully authenticated, by ensuring that every access to information or resources is controlled and that only authorized accesses can take place.
3) Auditing: the process of recording information about accesses to resources so as to be able to establish responsibilities in the event of a security breach.
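
The following sketch is an added example, not code from the paper. It shows how the three technologies support each other: a request is first authenticated, then checked against rules stating what is permitted or not permitted, for whom, on what, and under what conditions, and every decision is audited. The users, keys, resources, rules and the shared-key HMAC scheme are assumptions chosen for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable

# Constructed sample data: keys, users, resources and rules are illustrative only.
USER_KEYS = {"alice": b"k-alice-demo", "bob": b"k-bob-demo"}

@dataclass(frozen=True)
class Rule:
    permit: bool                       # True = permitted, False = not permitted
    subject: str                       # for whom
    action: str                        # what action
    target: str                        # on what resource
    condition: Callable[[dict], bool]  # under what conditions

POLICY = [
    Rule(True, "alice", "write", "payroll", lambda ctx: 9 <= ctx["hour"] < 17),
    Rule(False, "alice", "write", "payroll", lambda ctx: ctx["audit_freeze"]),
    Rule(True, "bob", "read", "budget", lambda ctx: True),
]

AUDIT_LOG = []  # append-only record of every decision, permitted or not

def make_tag(user: str, request: str) -> str:  # client side: sign the request
    return hmac.new(USER_KEYS[user], request.encode(), hashlib.sha256).hexdigest()

def authenticate(user: str, request: str, tag: str) -> bool:
    key = USER_KEYS.get(user, b"")
    expected = hmac.new(key, request.encode(), hashlib.sha256).hexdigest()
    return user in USER_KEYS and hmac.compare_digest(expected, tag)

def authorize(user: str, action: str, target: str, ctx: dict) -> bool:
    """Default deny; a matching 'not permitted' rule overrides any permit."""
    matches = [r for r in POLICY
               if (r.subject, r.action, r.target) == (user, action, target)
               and r.condition(ctx)]
    return bool(matches) and all(r.permit for r in matches)

def handle(user: str, action: str, target: str, tag: str, ctx: dict) -> str:
    request = f"{action}:{target}"
    if not authenticate(user, request, tag):
        outcome = "unauthenticated"   # access control is never consulted
    elif authorize(user, action, target, ctx):
        outcome = "permitted"
    else:
        outcome = "denied"
    AUDIT_LOG.append({"user": user, "request": request, "outcome": outcome})
    return outcome
```

Access control only sees requests that passed authentication, and the audit log records the claimed identity for failed attempts as well, which is what allows responsibility to be established afterwards.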

Ⅲ. SECURITY POLICY REPRESENTATION

A. Policy Language

One of the main factors constraining policy applications is that policy description languages are not uniform. Each language can only support one or several models. At present, the policy language of the research

[Figure label: Increasing degree of abstraction]