1. Field of the Invention
The present invention relates generally to the field of security, and, more particularly, to managing and mitigating security risks through planning.
2. Description of the Related Art
Consider, for example, the following environment: a network of interconnected processing stations that produce one or more products by processing a plurality of primal entities, such as raw materials or information sources, supplied to the network. Exemplary processing stations may include businesses, manned workstations, factory machinery, software programs, agents, services, components, and the like. Exemplary primal entities may include, but are not limited to, business documents, machine parts, news feeds, data obtained from computer networks, and the like. While primal entities arrive into the system from the outside, the processing stations can produce new entities, called derived entities. In many such environments, the entities consumed or produced by the network as intermediate or final products can have value. A value of an entity (hereinafter referred to as “entity value”) can include the following.
(1) The actual value of the entity. For example, the entity may be a physical object of monetary value.
(2) The additional value of the entity that can be lost from publicly disclosing the entity or releasing the entity to another party. For example, the entity may be a document containing trade secrets.
(3) A combination of (1) and (2) above. For example, the entity may be a valuable physical object that can be reverse engineered to determine trade secrets.
Special security procedures may be utilized in such environments to prevent potential losses of entity value. If the delivery channels between the stations are not secure or trusted, we will model such channels as single-input, single-output stations connected to channel endpoints by trusted and secure channels. That is, although not so limited, we will make the assumption that channels are secure and trusted. Hence, in our model of the system, the processing stations are connected by trusted and secure channels. Therefore, the losses can occur either at the processing station-side (if the stations distribute the entities) or at the consumer-side (if the consumers of the product distribute the entities).
Various discretionary access control (“DAC”) and mandatory access control (“MAC”) security policies can be implemented in such systems. A widely-used approach for providing security to such environments is a component-based technology known as multi-level security (hereinafter “MLS”). Although MLS predates the modern computer, it is widely used in computer systems to ensure the security of information flows. More information and examples of MLS systems can be found in David E. Bell and Leonard J. LaPadula, “Computer security model: Unified exposition and Multics interpretation”, Technical Report ESD-TR-75-306, The MITRE Corporation, Bedford, Mass., HQ Electronic Systems Division, Hanscom AFB, MA, June 1975, and in “Multilevel Security in the Department Of Defense: The Basics”, available from the National Security Institute website, http://nsi.org/Library/Compsec/sec0.html, the disclosures of which are incorporated by reference herein in their entirety. MLS is currently implemented, for example, in the IBM® zSeries.
In a componentized system, such as MLS, each of the processing stations (i.e., components) is assigned a subject security label which determines the entities that the processing stations can process and output. Similarly, all entities that are processed or created by these processing stations also have a single object security label. The set of security labels forms a distributive lattice, and hence is at least partially ordered. The partial order provides a means for comparing the labels based on a dominance relation, such that for any label a subset of labels dominated by that label can be identified; however, the partial order does not guarantee that of any two labels one dominates the other.
Exemplary labels include MLS labels, traditionally defined as a combination of a secrecy level and a security category set, and integrity labels (e.g., Biba). When a label A dominates a label B in the distributive lattice, entities can flow from B to A without risk, but not vice versa. MLS security policy requires that the subject label of the processing station dominate the labels assigned to each of the station's input entities. Further, the labels assigned to the station's output entities must dominate the subject label of the processing station.
A security policy generally includes three (3) classes of rules.
(1) Each processing station cannot accept any input entity that has a higher object security label than the processing station's subject security label.
(2) Each processing station must label all derived entities that it produces with an object security label that dominates the subject label of the processing station. This rule ensures that entities are not incorrectly relabeled with lower security levels, thereby avoiding loss of entity value. However, special-purpose trusted processing stations, after a mandatory review of their operation, can be authorized to violate this rule and to assign lower security labels to their output with respect to their inputs without incurring unacceptable security risk. The review procedure is determined by the application and security policy guidelines, as well as by the nature of the processing stations, and may include, for example, software code review and certification, engineering design evaluation, and the like.
(3) The recipient of the entities produced by the network of processing stations is also assigned a subject security label. Therefore, the labels of the derived entities produced by the processing stations must be dominated by the subject security label of the recipient based on rule (1) above.
Violation of any of the rules (1), (2), or (3), except violations by special-purpose trusted processing stations acting within their authorized permissions, results in security risk. That is, if the rules are violated, there exists a possibility that the loss of protected entities will occur.
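The three rules above can be checked mechanically over a composition. The following is an added illustration, not part of the patent text: it assumes a label made of a secrecy level plus a category set (the traditional MLS form mentioned above), a hypothetical `Station` record, and a constructed two-station network in which a reviewed, trusted station is permitted to downgrade its output under the exemption to rule (2).

```python
from dataclasses import dataclass, field

# Assumed label model: secrecy level plus category set, ordered by MLS dominance.
@dataclass(frozen=True)
class Label:
    level: int
    categories: frozenset = field(default_factory=frozenset)

def dominates(a: Label, b: Label) -> bool:
    """a dominates b iff a's level is >= b's and a's categories include b's.
    Two labels with incomparable category sets dominate neither way (partial order)."""
    return a.level >= b.level and b.categories <= a.categories

@dataclass
class Station:              # hypothetical record for one processing station
    name: str
    subject: Label
    inputs: tuple           # names of entities consumed
    outputs: tuple          # names of derived entities produced
    trusted: bool = False   # reviewed station authorized to downgrade (rule 2 exempt)

def check_policy(stations, entities, products, recipient):
    """Return (rule, station, entity) tuples for every violation; [] means no risk.
    entities: name -> object Label; products: entity names delivered to the recipient."""
    violations = []
    for s in stations:
        for e in s.inputs:                       # rule (1): subject must dominate each input
            if not dominates(s.subject, entities[e]):
                violations.append((1, s.name, e))
        if not s.trusted:                        # rule (2): each output must dominate subject
            for e in s.outputs:
                if not dominates(entities[e], s.subject):
                    violations.append((2, s.name, e))
    for e in products:                           # rule (3): recipient must dominate products
        if not dominates(recipient, entities[e]):
            violations.append((3, "recipient", e))
    return violations

# Constructed sample network (labels and stations invented for this illustration).
LABELS = {
    "contract": Label(2, frozenset({"FIN"})),    # primal entity, secret / FIN category
    "newsfeed": Label(0),                         # primal entity, public
    "analysis": Label(2, frozenset({"FIN"})),    # derived by the analyzer
    "summary":  Label(0),                         # derived by the trusted declassifier
}
NETWORK = [
    Station("analyzer", Label(2, frozenset({"FIN"})), ("contract", "newsfeed"), ("analysis",)),
    Station("declassifier", Label(2, frozenset({"FIN"})), ("analysis",), ("summary",), trusted=True),
]
PUBLIC_RECIPIENT = Label(0)

def demo():
    return check_policy(NETWORK, LABELS, ("summary",), PUBLIC_RECIPIENT)
```

Removing `trusted=True` from the declassifier makes the same network fail rule (2), and handing "analysis" directly to the public recipient fails rule (3).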
As web services gain greater acceptance on the Internet, and as an increasing number of applications rely on components that provide varying but formally-described services, the number of possible alternative service compositions begins to exceed the capabilities of manual analysis (which is currently performed by human analysts). Therefore, methods for automatically selecting and interconnecting these components become of greater importance. Examples of such methods can be found in J. Blythe, E. Deelman, Y. Gil, K. Kesselman, A. Agarwal, G. Mehta and K. Vahi, “The Role of Planning in Grid Computing”, ICAPS 2003; T. Kichkaylo, A. Ivan and V. Karamcheti, “Constrained Component Deployment in Wide-Area Networks Using AI Planning Techniques”, IPDPS 2003; P. Doshi, R. Goodwin, R. Akkiraju and K. Verma, “Dynamic Workflow Composition using Markov Decision Processes”, Proceedings of the IEEE Second International Conference on Web Services, June 2004; and B. Srivastava, “A Decision-support Framework for Component Reuse and Maintenance in Software Project Management”, CSMR'04, and references therein, the disclosures of which are incorporated by reference herein in their entirety. Generally, existing methods for automatically selecting and interconnecting components do not systematically consider security.