Objective: Develop tools and techniques for creating and managing semantics-based security and access policies across virtual enterprises.
Description: Semantic integration technologies are quickly creating an environment where both structured and unstructured data, once isolated in distributed silos and differing formats, can now be integrated to provide a more comprehensive picture of activities within the virtual enterprise. While this capability has tremendous potential for improving the efficiency and effectiveness of a wide array of organizations, it is not without risk. By providing an integrated view of an organization’s internal information, these systems create the opportunity for inappropriate access and damaging misuse.
Semantic technologies can be used to more effectively identify the kinds of information that users may/may not have access to, as well as the kinds of user communities permitted access to particular kinds of information. Research is needed into “semantic-based security policies” that base information access on the meaning of its content rather than on conventional, role-based lockout techniques. The problem with these techniques is that they rely heavily on the “structure” of data sources rather than on the “meaning” inherent in the information to be accessed. For instance, users may be prevented from row or column access based on their role in the organization; or they may be prevented from accessing documents at a given classification level. This is a fragile and inflexible approach to information security, especially in federated environments where information is being dynamically combined with other information to create new meaning on the fly, as is endemic to “network-centric” environments. The conventional, “structural” approach to data access has severe limitations:
1. It assumes all data sources, and their structures, are known a priori and that systems can prevent access based on that known structure;
2. It is vulnerable when the structure of data sources changes, such as deletion of a table column;
3. It is severely limited with respect to unstructured data, where access should be controlled based on the meaning of the content and the metadata;
4. It does not readily handle dynamically created information, such as aggregated data, facts inferred by rules, or information synthesized by combining numerous sources of information.
To address these limitations, research is needed into information security techniques that base information assurance on the “meaning” of the information content and its metadata.
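An added illustration, not part of the original topic description: a toy comparison of a column-name lockout with a concept-tag check under limitations 2 and 4. The role, column names, concept tags and the rule that a derived field inherits its sources' tags are assumptions made for this example.

```python
# Added illustration; role, columns and concept tags are constructed.
STRUCTURAL_DENY = {"analyst": {"salary"}}                # keyed on column names
SEMANTIC_DENY = {"analyst": {"concept:Compensation"}}    # keyed on meaning


def structural_view(role, row):
    """Column-name lockout: drop the columns listed for the role."""
    denied = STRUCTURAL_DENY.get(role, set())
    return {col: val for col, (val, _tags) in row.items() if col not in denied}


def semantic_view(role, row):
    """Meaning-based check: drop any field carrying a denied concept tag."""
    denied = SEMANTIC_DENY.get(role, set())
    return {col: val for col, (val, tags) in row.items() if not (tags & denied)}


def derive(row, name, sources, fn):
    """Add a computed field that inherits the union of its sources' tags."""
    tags = set().union(*(row[s][1] for s in sources))
    value = fn(*(row[s][0] for s in sources))
    return {**row, name: (value, tags)}


# Each field is (value, concept tags). Constructed sample record.
original = {
    "employee": ("A. Example", {"concept:PersonName"}),
    "salary": (91000, {"concept:Compensation"}),
}

# Limitation 2: the column is renamed, its meaning is unchanged.
renamed = {"employee": original["employee"], "comp_amount": original["salary"]}

# Limitation 4: a field created on the fly by combining two sources.
combined = derive(renamed, "summary", ["employee", "comp_amount"],
                  lambda name, amount: f"{name} earns {amount}")

if __name__ == "__main__":
    for label, row in (("original", original), ("renamed", renamed),
                       ("combined", combined)):
        print(label, "structural:", structural_view("analyst", row))
        print(label, "semantic:  ", semantic_view("analyst", row))
```

The column-name rule holds only for the original schema; after the rename and after the derived field is added, only the tag-based check still withholds the compensation value.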
Little has been done to semantically model the kinds of information a particular user or user group may have access to and to use these semantic models to control access based on the meaning of content.
This is especially important to any command and control military organization that wants to operate securely under a Net-Centric Data Strategy that promotes information sharing, information discovery and information access of both structured and unstructured information. The specification, implementation, and verification of granular security policies is made more challenging by the transformation, compositing, unification, and inheritance capabilities of semantic data integration infrastructures, since micropolicies have typically focused on “structure-based” techniques, whereas it is the meaning of composite information, for example, that makes it more or less classified.
PHASE I: Perform the initial research necessary to identify essential security policy enhancements for large semantic data integration systems composed of both structured and unstructured information. Demonstrate how semantic modeling can be used to provide automated guidance to systems that must determine access criteria for different user types. Research potential methodologies and tools for the specification, implementation, and verification of semantic security policies in such systems.
PHASE II: Develop a full-scale prototype implementation of semantics-based security policy enhancement capabilities for large semantic information integration environments composed of both structured and unstructured information sources. Solutions must be aligned with the DoD Net-Centric Data Strategy and must include COTS / GOTS capabilities where applicable.
DUAL USE COMMERCIALIZATION: Military application: Solidify a technology which can be applied to other domains where integrated data will directly contribute to enhancing and improving operational capability. Commercial application: Within the commercial sector, the capability to quickly provide actionable information to stakeholders across global enterprises engaged in business and research activities would be significant.
References:
1. Oliva, Marta and Saltor, Felix. “Maintaining the Confidentiality of Interoperable Databases with a Multilevel Federated Security System,” Database and Application Security XV. Kluwer Academic Publishers, 2002 (ISBN: 1-4020-7041-1).
2. Phillips, Charles E. Jr, and Ting, T.C. “Information Sharing and Security in Dynamic Coalitions,” Proceedings of the seventh ACM symposium on Access control models and technologies, Monterey, California, USA, 2002.
3. Joshi, J.; Ghafoor, A.; Aref, W.G. and Spafford, E.H. “Digital government security infrastructure design challenges,” IEEE Computer, Feb 2001.
4. Schneider, Fred B. “Enforceable Security Policies,” ACM Transactions on Information and System Security (TISSEC), 2000.
Keywords: Information Technology, DoD Net-Centric Data Strategy, Semantic Data Integration, Security Policies, Virtual Enterprises, ontology