Publication


Featured research published by Judith N. Froscher.


symposium on access control models and technologies | 2001

Access control mechanisms for inter-organizational workflow

Myong H. Kang; Joon S. Park; Judith N. Froscher

As more businesses engage in globalization, inter-organizational collaborative computing grows in importance. Since we cannot expect homogeneous computing environments in participating organizations, heterogeneity and Internet-based technology are prevalent in inter-organizational collaborative computing environments. One technology that provides solutions for data sharing and work coordination at the global level is inter-organizational workflow. In this paper, we investigate the access control requirements for inter-organizational workflow. We then present access control solutions for inter-organizational workflow based on our implementation. Many of the requirements and solutions in this paper address the scalability of existing security solutions, the separation of inter-organizational workflow security from concrete organization level security enforcement, and the enforcement of fine-grained access control for inter-organizational workflow.


IEEE Transactions on Knowledge and Data Engineering | 1990

A software engineering methodology for rule-based systems

Robert J. K. Jacob; Judith N. Froscher

Current expert systems are typically difficult to change once they are built. The authors introduce a method for developing more easily maintainable rule-based expert systems, which is based on dividing the rules into groups and focusing attention on those facts that carry information between rules in different groups. They describe a new algorithm for grouping the rules of a knowledge base automatically and a notation and set of software tools for the proposed method. The approach is supported by a study of the connectivity of rules and facts in rule-based systems; it is found that they indeed have the latent structure necessary for the programming methodology. Recent experimental results also support the approach. In contrast to the homogeneous way in which the facts of a rule-based system are usually viewed, this approach shows that certain facts are more important than others with regard to future modifications of the rules.


conference on advanced information systems engineering | 1999

A Multilevel Secure Workflow Management System

Myong H. Kang; Judith N. Froscher; Amit P. Sheth; Krzysztof J. Kochut; John A. Miller

The Department of Defense (DoD) needs multilevel secure (MLS) workflow management systems to enable globally distributed users and applications to cooperate across classification levels to achieve mission critical goals. An MLS workflow management system that allows a user to program multilevel mission logic, to securely coordinate widely distributed tasks, and to monitor the progress of the workflow across classification levels is required. In this paper, we present a roadmap for implementing MLS workflows and focus on a workflow builder that is a graphical design tool for specifying such workflows.


annual computer security applications conference | 1997

An architecture for multilevel secure interoperability

Myong H. Kang; Judith N. Froscher; Ira S. Moskowitz

As computer systems become distributed and heterogeneous, there is strong movement in the commercial sector to ease the problems of interoperability and security. Many standards have been proposed for these problems. However, the commercial sector has not shown strong interest in providing cost effective high assurance multilevel security (MLS) solutions to the relatively small communities (e.g., intelligence, military) that require them. We introduce a practical, cost effective, and high assurance secure solution for multilevel distributed and heterogeneous environments using COTS components. The solution is based on an MLS architecture that consists of commercial single level hardware and software, and a few specialized security devices. We show how an MLS CORBA can be constructed from single level CORBAs and two security devices; the NRL Pump and the Starlight Interactive Link. We also introduce the concept of MLS cooperative computing which is a way to semi automate distributed computing among organizations at different security levels.


annual computer security applications conference | 1994

A practical approach to high assurance multilevel secure computing service

Judith N. Froscher; Myong H. Kang; John P. McDermott; Oliver Costich; Carl E. Landwehr

Current projects aimed at providing MLS computing services rarely seem to exploit advances in related fields. Specifically, the concepts of data distribution, replication, and interoperation are currently receiving much attention in the commercial database system sector but have yet to be applied to the delivery of MLS computing services. This paper explains how these concepts might help deliver MLS computing services relatively quickly and cheaply, and how they can ease integration of legacy systems and new technology into future MLS cooperative, distributed computing environments.


new security paradigms workshop | 2003

Merging paradigms of survivability and security: stochastic faults and designed faults

John P. McDermott; Anya Kim; Judith N. Froscher

Faults are examined by both the security and fault tolerance communities. These communities have strikingly different views of the types of faults that exist, the way they are modeled, and how they are addressed. One community can pronounce a system survivable but the other community would not find this to be so. This leaves us with two approaches that both fail to be comprehensive, depending on which community is looking at the system. While intrusion-tolerance and security researchers look at faults in terms of statistically dependent events caused by the hard intruder, the fault tolerance literature assumes that faults are statistically independent and can be described as random variables with probability distributions. When considering the survivability of a system, we cannot assume that the system is susceptible to only one type of fault or the other, but this is common practice in both communities. A new paradigm is needed.


Proceedings of the IFIP WG 11.3 Thirteenth International Conference on Database Security: Research Advances in Database and Information Systems Security | 1999

A Strategy for an MLS Workflow Management System

Myong H. Kang; Judith N. Froscher; Brian J. Eppinger; Ira S. Moskowitz

Current DoD information systems need to support many different missions through cooperation with different organizations and allies. In today's fast paced and dynamic environment, it is almost impossible to design and implement a different information system for each mission. Therefore, DoD needs MLS workflow management systems (WFMS) to enable globally distributed users and existing applications to cooperate across classification domains to achieve mission critical goals. An MLS WFMS that allows users to program multilevel mission logic, securely coordinate widely distributed tasks, and monitor the progress of the workflow across classification domains is required. In this paper, we present requirements for MLS workflow and a strategy for implementing it, especially the method for decomposing an MLS workflow into multiple single-level workflows.


annual computer security applications conference | 1998

Towards an infrastructure for MLS distributed computing

Myong H. Kang; Judith N. Froscher; Brian J. Eppinger

Distributed computing owes its success to the development of infrastructure, middleware, and standards (e.g., CORBA) to support interoperability. The computing community has slowly recognized the need to protect information and has begun to develop commercial security infrastructures and standards. The US Government must protect national security information against unauthorized information flow. To support MLS distributed computing, an MLS infrastructure must be built that enables information sharing among users at different classification levels. This infrastructure should provide MLS services for protection of classified information and use both the emerging distributed computing and commercial security infrastructures, when possible. The resulting infrastructure will enable users to integrate commercial information technology products into their systems. In this paper, we examine the philosophy that has led to successful distributed computing among heterogeneous, autonomous components and propose an analogous approach for MLS distributed computing. We identify some services that are required to support MLS distributed computing, argue that these services are needed regardless of the MLS architecture used, present an approach for designing these services, and provide design guidance for a critical building block of the MLS infrastructure.


information security | 2001

A Secure Workflow System for Dynamic Collaboration

Joon S. Park; Myong H. Kang; Judith N. Froscher

The emergence of the Internet has broken down geographic and organizational boundaries, providing a virtual common workplace regardless of the heterogeneity of participating organizations. Enterprise projects that used to be done autonomously now span multiple organizations. While an inter-organizational workflow, as one of several technologies supporting inter-organizational collaboration, provides an easy-to-use collaborative work environment for users, it also increases the complexity of security maintenance and brings about security problems that are not considered before. Unconventional collaborations among business and organizations are formed to advance common goals. In this paper, we address the security services to support inter-organizational collaborative enterprises, which may span multiple organizations, and describe how we develop a secure workflow system to satisfy the requirements by integrating with existing, well known technologies. Although we apply our ideas to particular technologies, such as workflows and RBAC, in this paper, we believe it is always possible to apply our approaches to other systems, which support many users from different organizations.


annual computer security applications conference | 1999

Tools to support secure enterprise computing

Myong H. Kang; Brian J. Eppinger; Judith N. Froscher

Secure enterprise programming is a difficult and tedious task. Programmers need tools that support different levels of abstraction and that track all the components that participate in distributed enterprises. Those components must cooperate in a distributed environment to achieve higher level goals. A special case of secure enterprise computing is multilevel secure (MLS) computing. Components that may reside in different security domains have to cooperate to achieve higher-level missions. To ease the programmer's burden, we are developing an MLS workflow management system (WFMS), called MLS METEOR. A programmer can specify a distributed programming logic through a GUI based workflow design tool. Based on the programming logic, MLS METEOR will generate a distributed runtime system that handles communication among different hosts, even those that reside in different classification domains. The multilevel security enforcement of MLS METEOR does not depend on the WFMS itself but rather on the underlying MLS infrastructure and a few security critical components. The paper concentrates on the system organization of MLS METEOR and the rationale for this structure. We explain which portions of the system can be used in generic enterprise computing and which portions are specific to MLS computing.

Collaboration

Top Co-Authors

Myong H. Kang
United States Naval Research Laboratory

John P. McDermott
United States Naval Research Laboratory

Brian J. Eppinger
United States Naval Research Laboratory

Carl E. Landwehr
United States Naval Research Laboratory

Charles N. Payne
United States Naval Research Laboratory

Christian N. Payne
United States Naval Research Laboratory

Ira S. Moskowitz
United States Naval Research Laboratory