Policy-Driven Systems for Enterprise-Wide Security
Using PKI and Policies to build Trusted Distributed Authorization Systems
Joe Pato, Marco Casassa Mont
Hewlett-Packard Labs
Sep 18, 2000

Business Model
Business-to-Business Relationships between Service Providers and Enterprises on the Internet
[Diagram. Labels: Enterprise, User, B-2-B, Internet, Service Provider, E-Services]

Requirements
Trust Management
• Establishment
• Sustained Relationship
• Privacy
• Enterprise Population
• Individual's Roles
• Customization
• Local Policies
• Enterprise Enforcement

Requirements
Performance
• Distributed Processing
• Services
• Policy Enforcement
• Authorization
• Bandwidth Consumption
• Reduced
• Amortized

Current Business Model
[Diagram. Labels: Enterprise, User, B-2-B, Internet, Service Provider, E-Services, Operation, Authorization Service, Policy Enforcement Point (PEP)]
• Service Provider Policies
• Business Constraints
• Local Configuration

Moving Towards High Level Symmetric Business Model
[Diagram. Labels: Enterprise, User, Enterprise Policies, Policies, B-2-B, Internet, Service Provider, E-Services, Operation, Authorization Service, Policy Enforcement Point (PEP), Policy Distribution Point (PDP)]
• Service Provider Policies
• Business Constraints
• Local Configuration

Distributed Authorization
• Policy Driven Authorization
• (A)Symmetric Authorization
• Operation at both parties
• Policy Distribution Points
• Distribute across enterprises
• Policy Enforcement Points
• Both local and remote policies

Business Model Simplifications
• Sustained Relationships
• Contracts
• Auditing and Monitoring
• Dispute Resolution

Technology Problems
• Trust Establishment
• Tamper Resistant Policy Enforcement Point
• Verifiability of Identity of Involved Parties
• Verifiability of Policies sent across Enterprise Boundaries
• Instrumentation to Gather Evidence
• Archival of Evidence

Role of PKI
• Verifiability for Business Relationships
• Digital certificates
• Certificate management
• “Tamper Proof” exchange of messages and policies
• Signed XML

Policies
• Statements describing expected behavior for
• Systems
• Services
• People
• Formal Modeling
• High Level Specification
• Refined to programmatically enforceable data
• Abstraction suitable for sharing across enterprises

Role of Policies
• Policies
• Describe authorization constraints
• Drive authorization decisions
• Are exchanged between Enterprises in a Distributed Authorization Framework

Conclusion
• Distributed Authorization enhances privacy and performance for B2B interactions
<www.hp.com/security>