Security solution frames and security patterns for authorization in distributed, collaborative systems



Bibliographic Details
Published in: Computers & Security, Vol. 55, pp. 193-234
Main Authors: Uzunov, Anton V.; Fernandez, Eduardo B.; Falkner, Katrina
Format: Journal Article
Language: English
Published: Amsterdam, Elsevier Ltd (Elsevier Sequoia S.A.), 01.11.2015

Summary: The design of an authorization infrastructure is one of the most important aspects of engineering a secure software system. Unlike other system types, distributed systems – and especially distributed collaborative systems – can require custom, fine-grained authorization models and enforcement approaches that are able to take into account a range of semantic subtleties. In this paper we present a comprehensive, pattern-oriented software engineering approach to authorization for general distributed systems – with particular applicability to distributed collaborative systems – that allows developers to build custom, application-specific conceptual authorization models in a simple yet extensible manner, and to make informed decisions regarding their enforcement in software, as well as how their supporting rule/policy infrastructure should be designed. Our authorization approach is embodied in two instances of a new pattern-based security engineering construct called a security solution frame, which groups together related patterns – both security “product” and micro-process patterns – in different sub-structures, horizontally and vertically, for a single high-level security policy (in our case authorization and policy management). By applying specific micro-process patterns in each solution frame, developers are guided in using relevant “product” patterns to progressively construct a distributed authorization infrastructure – from abstract concepts toward concrete designs, via a number of levels of abstraction implying solution refinement and corresponding to stages of the development life-cycle. The summary-form “product” patterns encapsulated in each frame also help developers to form a holistic, “global” view when analyzing existing infrastructures.
We illustrate and evaluate the proposal in the context of greenfield system development by applying our solution frames to design the authorization infrastructure of a (new) distributed system for secure file sharing and collaborative editing; and also use our solution frames to briefly analyze and capture the design decisions underlying two existing distributed authorization infrastructures: one based on UCON for collaborative Grid systems and another based on ZBAC for SOA-based systems.
ISSN: 0167-4048 (print), 1872-6208 (online)
DOI: 10.1016/j.cose.2015.08.003