Policy-Driven Systems for Enterprise-Wide Security
Using PKI and Policies to build Trusted Distributed Authorization Systems
Joe Pato
Marco Casassa Mont
Hewlett-Packard Labs
Sep 18, 2000
Page 1
Business Model
Business-to-Business Relationships between Service Providers and Enterprises on the Internet
[Diagram labels: Enterprise, User, B-2-B, Internet, Service Provider, E-Services]
Page 2
Trust Management Requirements
• Establishment
– Sustained Relationship
• Privacy
– Enterprise Population
– Individual’s Roles
• Customization
– Local Policies
– Enterprise Enforcement
Page 3
Performance Requirements
• Distributed Processing
– Services
– Policy Enforcement
– Authorization
• Bandwidth Consumption
– Reduced
– Amortized
Page 4
Current Business Model
• Service Provider Policies
• Business Constraints
• Local Configuration
[Diagram labels: Service Provider, E-Services, Enterprise, User, B-2-B, Internet, Operation, Policy Enforcement Point (PEP), Authorization Service]
Page 5
Moving Towards High Level Symmetric Business Model
• Service Provider Policies
• Business Constraints
• Local Configuration
[Diagram labels: Enterprise, Service Provider, E-Services, User, Internet, B-2-B, Operation, Enterprise Policies, Policies, Authorization Service, Policy Enforcement Point (PEP), Policy Distribution Point (PDP)]
Page 6
Distributed Authorization
• Policy Driven Authorization
• (A)Symmetric Authorization
• Operation at both parties
• Policy Distribution Points
• Distribute across enterprises
• Policy Enforcement Points
• Both local and remote policies
Page 7
Business Model Simplifications
• Sustained Relationships
• Contracts
• Auditing and Monitoring
• Dispute Resolution
Page 8
Technology Problems
• Trust Establishment
• Tamper Resistant Policy Enforcement Point
• Verifiability of Identity of Involved Parties
• Verifiability of Policies sent across Enterprise Boundaries
• Instrumentation to Gather Evidence
• Archival of Evidence
Page 9
Role of PKI
• Verifiability for Business Relationships
• Digital certificates
• Certificate management
• “Tamper Proof” exchange of messages and policies
• Signed XML
Page 10
Policies
• Statements describing expected behavior for
• Systems
• Services
• People
• Formal Modeling
• High Level Specification
• Refined to programmatically enforceable data
• Abstraction suitable for sharing across enterprises
Page 11
Role of Policies
• Policies
• Describe authorization constraints
• Drive authorization decisions
• Are exchanged between Enterprises in a Distributed Authorization Framework
Page 12
Conclusion
• Distributed Authorization enhances privacy and performance for B2B interactions
<www.hp.com/security>
Page 13