Abstract
Nowadays, interaction between systems is essential to business continuity: organizations need to exchange and share services and resources. Unfortunately, this does not come without security problems. Organizations (companies, enterprises, etc.) have to manage access to their services and resources by external parties. O2O is the formal approach we propose in this paper to deal with access control in an interoperability context. It is based on two main concepts: Virtual Private Organization (VPO) and Role Single-Sign-On (RSSO). A VPO enables any organization undertaking an inter-operation with other organizations to keep control over the resources accessed during the interoperability phases. The RSSO principle allows a given subject to keep the same role when accessing another organization, but with the privileges defined in the VPO. Thus, using O2O, each organization can define and enforce its own secure interoperability policy. O2O is integrated in the OrBAC model (Organization Based Access Control).
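The following is an added illustration of the RSSO/VPO principle stated in the abstract; it is not code from the paper and does not reproduce its formalism. It uses OrBAC's abstract entities (role, activity, view) and its subject/object/action assignments (empower, use, consider), which are part of the OrBAC model; the organization names, the subjects and objects, the "A2B" name for the VPO that HospitalB hosts for HospitalA's subjects, and the `VPO` class itself are assumptions made for the example. The point it shows: alice keeps the role her home organization gave her, but what she may do in the partner organization is exactly what the partner wrote into the VPO, and the partner's internal policy never applies to her.

```python
"""Toy model of RSSO inside a VPO (added example, not the paper's code).

A subject's roles come from its home organization (RSSO); the permissions,
views and activities that apply to it in the partner organization are those
of the VPO, which the hosting organization defines and keeps under control.
All names below (HospitalA/HospitalB, alice/bob/carol, rec42, the VPO name
"A2B") are constructed for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Organization:
    name: str
    # OrBAC-style assignments: concrete entity -> abstract entities
    empower: dict[str, set[str]] = field(default_factory=dict)   # subject -> roles
    use: dict[str, set[str]] = field(default_factory=dict)       # object  -> views
    consider: dict[str, set[str]] = field(default_factory=dict)  # action  -> activities
    # abstract permissions: (role, activity, view)
    permission: set[tuple[str, str, str]] = field(default_factory=set)

    def is_permitted(self, subject: str, action: str, obj: str,
                     roles: set[str] | None = None) -> bool:
        """Derive the concrete access decision from the abstract permissions.

        `roles` lets a caller supply the role set explicitly; the VPO uses this
        so that roles come from the subject's home organization (RSSO).
        """
        roles = self.empower.get(subject, set()) if roles is None else roles
        activities = self.consider.get(action, set())
        views = self.use.get(obj, set())
        return any((r, a, v) in self.permission
                   for r in roles for a in activities for v in views)


@dataclass
class VPO(Organization):
    """Virtual Private Organization: hosted by `host`, governing `guest`'s subjects.

    Only the host writes its permission set; the guest contributes roles only.
    """
    host: Organization | None = None
    guest: Organization | None = None

    def is_permitted(self, subject: str, action: str, obj: str,
                     roles: set[str] | None = None) -> bool:
        # RSSO: the subject keeps the roles assigned by its home organization...
        home_roles = self.guest.empower.get(subject, set()) if self.guest else set()
        # ...but the privileges are those of the VPO, not of the host's own policy.
        return super().is_permitted(subject, action, obj, roles=home_roles)


def build_scenario() -> tuple[Organization, Organization, VPO]:
    hospital_a = Organization("HospitalA")          # home organization of alice, bob
    hospital_a.empower["alice"] = {"physician"}
    hospital_a.empower["bob"] = {"nurse"}

    hospital_b = Organization("HospitalB")          # owns the resource rec42
    hospital_b.empower["carol"] = {"physician"}
    hospital_b.use["rec42"] = {"medical_record"}
    hospital_b.consider["read"] = {"consult"}
    hospital_b.consider["write"] = {"update"}
    # HospitalB's internal policy: its own physicians may consult and update.
    hospital_b.permission |= {("physician", "consult", "medical_record"),
                              ("physician", "update", "medical_record")}

    # VPO "A2B": defined by HospitalB to control HospitalA's subjects on B's resources.
    a2b = VPO("A2B", host=hospital_b, guest=hospital_a)
    a2b.use["rec42"] = {"medical_record"}
    a2b.consider["read"] = {"consult"}
    a2b.consider["write"] = {"update"}
    # B chooses to grant visiting physicians consultation only, never update.
    a2b.permission.add(("physician", "consult", "medical_record"))
    return hospital_a, hospital_b, a2b


if __name__ == "__main__":
    a, b, a2b = build_scenario()
    print("carol write rec42 in HospitalB :", b.is_permitted("carol", "write", "rec42"))
    print("alice read  rec42 via A2B      :", a2b.is_permitted("alice", "read", "rec42"))
    print("alice write rec42 via A2B      :", a2b.is_permitted("alice", "write", "rec42"))
    print("bob   read  rec42 via A2B      :", a2b.is_permitted("bob", "read", "rec42"))
    print("alice read  rec42 in HospitalB :", b.is_permitted("alice", "read", "rec42"))
```

The last check is the one that matters in practice: the partner's internal permission set grants nothing to a foreign subject, so the only path for alice into HospitalB's resources is the VPO, and HospitalB alone decides what that VPO contains.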
© 2006 Springer-Verlag Berlin Heidelberg
Cuppens, F., Cuppens-Boulahia, N., Coma, C. (2006). O2O: Virtual Private Organizations to Manage Security Policy Interoperability. In: Bagchi, A., Atluri, V. (eds) Information Systems Security. ICISS 2006. Lecture Notes in Computer Science, vol 4332. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11961635_7
DOI: https://doi.org/10.1007/11961635_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-68962-1
Online ISBN: 978-3-540-68963-8
eBook Packages: Computer Science (R0)