Technologies
Security Policy and Management
Security policy automation has been established as a leading market capability resulting from changes generated by the Internet and intranets in the way business is transacted. A few short years ago, companies' computer systems were islands of automation, without much attachment to other departments and almost no connections outside the organization's physical offices. Even with the growth of local area networks and wide area networks, companies' most sensitive data was still kept in large databases, often in glass houses, with extremely tight physical and other access control.
IT security audits were relatively easy to perform in this type of environment, and the likelihood of human error small. The systems containing critical information assets were few in number, and the likelihood of breach, as well as the expected value of any loss, was small. Operational risk for the organization was thus not impacted by IT security issues.
With the advent of the Internet and open computing, this situation changed drastically. Now, critical information assets like customer databases or transaction engines have to be accessible by thousands or millions of individual users. The layers of physical and other types of security that protected these critical assets, previously impervious to penetration, were now purposely made porous so that legitimate business could be conducted.
Currently, the process by which system administrators create and manage low-level configurations for a variety of different enforcement mechanisms is ad hoc, labor intensive, and error-prone. This process often produces inconsistent system security configurations and may consequently introduce vulnerabilities into mission-critical information systems, thus jeopardizing the success of missions.
SPARTA ISSO studies and creates easy-to-manage technologies and systematic processes for the generation and management of consistent security policies.
We research policy specification, deployment, enforcement, and management techniques. We develop tools and techniques that assist system administrators by systematically and automatically creating configurations for access policy enforcement mechanisms across a range of devices.
Attribute-based access controls that are flexible, decentralized, and scalable for large collaborative environments are also being looked at by SPARTA ISSO. Our efforts base authorization decisions on cryptographically signed credentials containing requestor attributes. We also explore automated trust negotiation to manage credential exchange while regulating the flow of these potentially sensitive attributes.