Thursday, June 11, 2009

IEEE Security & Privacy

Journal: IEEE Security & Privacy

Found this journal yesterday and started to look through it for some interesting articles. They've got two sections that have articles every once in a while, "Emerging Standards" and "Building Security In", that seemed interesting.

Anderson, A., "Web services policies," Security & Privacy, IEEE , vol.4, no.3, pp.84-87, May-June 2006
URL: http://www.ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=1637390&isnumber=34312

  • In the Emerging Standards section
  • They decompose a policy across layers that build on each other: service-interface-binding, domain-binding, policy, assertion (or predicate), and vocabulary
  • They have something called a policy envelope
  • For each layer they define, they associate one or more standards specifications that attempt to solve the problem that layer addresses (all taken from OASIS or W3C)
  • Many are XML based (in fact, I think the ones they investigate might -all- be XML)
  • Details some of the problems with standardization and policies: ws-desc failed to gain sufficient support, and XACML standardization was blocked by disagreements in the policy committee
  • Several standards cut across their layer stratification; XACML appears in three layers, for example
  • They bring up the issue that "if every service can choose among an increasing number of policy options, the probability of any two services having compatible policies diminishes"
  • Also introduces the issue of a domain, wherein a particular domain might need a different mechanism to express its policies
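
The compatibility point above can be made concrete with a small policy-intersection model. This is an added example written for these notes, not code from the paper or from any OASIS/W3C specification: a policy is a list of alternatives, each alternative fixes a value per assertion from a shared vocabulary, and two alternatives are compatible when they agree on every assertion they both mention (a simplified form of policy intersection). The vocabulary, the two sample policies and the assertion names are constructed; the closed-form probability covers the single-alternative case, and the Monte Carlo estimate generalizes it to policies with several alternatives.

```python
"""Added example: why more policy options mean fewer compatible service pairs."""
import random
from fractions import Fraction

# Constructed vocabulary (hypothetical): assertion name -> admissible values.
VOCABULARY = {
    "transport": ["https", "http"],
    "token": ["x509", "saml", "kerberos", "username"],
    "encryption": ["aes128", "aes256", "3des"],
}


def compatible(alt_a, alt_b):
    """Two alternatives are compatible when every shared assertion carries the same value."""
    return all(alt_a[name] == alt_b[name] for name in alt_a.keys() & alt_b.keys())


def intersect(policy_a, policy_b):
    """Return the merged alternatives both services can accept (empty list = incompatible)."""
    merged = []
    for alt_a in policy_a:
        for alt_b in policy_b:
            if compatible(alt_a, alt_b):
                merged.append({**alt_a, **alt_b})
    return merged


def random_policy(rng, vocabulary, n_alternatives):
    """Each alternative fixes one value per assertion, chosen uniformly at random."""
    return [{name: rng.choice(values) for name, values in vocabulary.items()}
            for _ in range(n_alternatives)]


def exact_compat_probability(n_values, n_assertions):
    """Single-alternative policies with n_values options per assertion: (1/n_values)^n_assertions."""
    return Fraction(1, n_values) ** n_assertions


def estimate_compat_probability(n_values, n_assertions, n_alternatives=1,
                                trials=2000, seed=1):
    """Monte Carlo estimate over a synthetic vocabulary with n_values options per assertion."""
    rng = random.Random(seed)
    vocab = {f"assertion{i}": list(range(n_values)) for i in range(n_assertions)}
    hits = 0
    for _ in range(trials):
        policy_a = random_policy(rng, vocab, n_alternatives)
        policy_b = random_policy(rng, vocab, n_alternatives)
        if intersect(policy_a, policy_b):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Two constructed service policies over VOCABULARY: only the https/saml pair matches.
    client = [{"transport": "https", "token": "x509"},
              {"transport": "https", "token": "saml"}]
    server = [{"transport": "https", "token": "saml", "encryption": "aes256"},
              {"transport": "http", "token": "username"}]
    print("intersection:", intersect(client, server))
    # Compatibility falls geometrically as the option count per assertion grows.
    for k in (1, 2, 4, 8):
        print(f"{k} values/assertion, 3 assertions: "
              f"exact={float(exact_compat_probability(k, 3)):.4f} "
              f"estimated={estimate_compat_probability(k, 3):.4f}")
```

Publishing several alternatives per policy (the `n_alternatives` parameter) raises the odds of finding a common one, which is the usual mitigation; the exact formula shows that with a single alternative each extra assertion multiplies the compatibility probability by 1/k for k options.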
Gupta, Suvajit; Winstead, Joel, "Using Attack Graphs to Design Systems," Security & Privacy, IEEE , vol.5, no.4, pp.80-83, July-Aug. 2007
URL: http://www.ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=4288052&isnumber=4288029
  • Was really only looking at this to see if there were any interesting background references to look at that would establish a base for linking security (policies) and graph-based modeling
Ninghui Li; JiWon Byun; Bertino, E., "A Critique of the ANSI Standard on Role-Based Access Control," Security & Privacy, IEEE , vol.5, no.6, pp.41-49, Nov.-Dec. 2007
URL: http://www.ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=4402445&isnumber=4402432
and
Ferraiolo, D.; Kuhn, R.; Sandhu, R., "RBAC Standard Rationale: Comments on "A Critique of the ANSI Standard on Role-Based Access Control"," Security & Privacy, IEEE , vol.5, no.6, pp.51-53, Nov.-Dec. 2007
URL: http://www.ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=4402447&isnumber=4402432
  • I was hoping this paper would show the specification language (if there was one) but it seems more focused on the formal specification of the standard. Lots of details about flaws in the standard.
Landau, S., "Security and Privacy Landscape in Emerging Technologies," Security & Privacy, IEEE , vol.6, no.4, pp.74-77, July-Aug. 2008
URL: http://www.ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=4588236&isnumber=4588217
  • Investigates the domains of industrial control systems (SCADA) and emergency management
  • Market pressure and deregulation have moved existing closed-loop systems to decentralized, web-based, interconnected systems where security is now hard to control
  • They talk as if NIST 800-53 is a standard; I never really thought of it as such, as it seemed more like documentation of available options
  • Their references to emergency management standards groups are the OASIS Emergency Management TC, Homeland Security's FEMA, and the Emergency Interoperability Consortium's EDXL