Knowledge-based security administration in a distributed environment

Quantified Score

Visualization

Abstract

The problem of computer security has recently become more prominent, especially with the growing interest in distributed systems. One major aspect is access control, especially to ensure that only those users who need to work with sensitive data are authorized to do so.A major drawback of most existing systems for security administration is the difficulty to enforce the compliance of an actual implementation with the intended security policies. Traditionally, an enterprise has expected its system administrators to ensure policy compliance. However, the complexity of distributed systems and cumbersome security administration programs make it almost impossible for an administrator to achieve this. Moreover, the same problems exist for an auditor who has to review the security system and check its consistency with enterprise policies.In this article we propose to use knowledge-based methods to support administrators and auditors in their respective tasks. Global enterprise security policies can be laid down in a separate enterprise-wide security database which may then be consulted during normal administrative work.The knowledge-based system itself performs consistency checks of the authorization changes formulated by the administrator and helps to detect holes in the security specification. Whenever the system comes up with an inconsistency the administrator may choose to receive an explanation of why the proposed action would violate the security policies and thus he or she is able to select an appropriate alternative action.Finally, it supports the auditor in finding out whether certain security principles are satisfied by the underlying operational access control system. The auditor can formulate security principles on an intuitive declarative level and have them checked against the existing authorizations.