Security solution frames and security patterns for authorization in distributed, collaborative systems
The design of an authorization infrastructure is one of the most important aspects of engineering a secure software system. Unlike other system types, distributed systems – and especially distributed collaborative systems – can require custom, fine-grained authorization models and enforcement approa...
Saved in:
Published in | Computers & security Vol. 55; pp. 193 - 234 |
---|---|
Main Authors | , , |
Format | Journal Article |
Language | English |
Published |
Amsterdam
Elsevier Ltd
01.11.2015
Elsevier Sequoia S.A |
Subjects | |
Online Access | Get full text |
Cover
Loading…
Summary: | The design of an authorization infrastructure is one of the most important aspects of engineering a secure software system. Unlike other system types, distributed systems – and especially distributed collaborative systems – can require custom, fine-grained authorization models and enforcement approaches that are able to take into account a range of semantic subtleties. In this paper we present a comprehensive, pattern-oriented software engineering approach to authorization for general distributed systems – with particular applicability to distributed collaborative systems – that allows developers to build custom, application-specific conceptual authorization models in a simple yet extensible manner, and to make informed decisions regarding their enforcement in software, as well as how their supporting rule/policy infrastructure should be designed. Our authorization approach is embodied in two instances of a new pattern-based security engineering construct called a security solution frame, which groups together related patterns – both security “product” and micro-process patterns – in different sub-structures, horizontally and vertically, for a single high-level security policy (in our case authorization and policy management). By applying specific micro-process patterns in each solution frame, developers are guided in using relevant “product” patterns to progressively construct a distributed authorization infrastructure – from abstract concepts toward concrete designs, via a number of levels of abstraction implying solution refinement and corresponding to stages of the development life-cycle. The summary-form “product” patterns encapsulated in each frame also help developers to form a holistic, “global” view when analyzing existing infrastructures. We illustrate and evaluate the proposal in the context of greenfield system development by applying our solution frames to design the authorization infrastructure of a (new) distributed system for secure file sharing and collaborative editing; and also use our solution frames to briefly analyze and capture the design decisions underlying two existing distributed authorization infrastructures: one based on UCON for collaborative Grid systems and another based on ZBAC for SOA-based systems. |
---|---|
ISSN: | 0167-4048 1872-6208 |
DOI: | 10.1016/j.cose.2015.08.003 |