The security of complex infrastructures depends on many technical and organizational issues that need to be properly addressed by a security policy. For the purpose of our discussion, we define a security policy as a document that states what is and what is not allowed in a system during normal operation; it consists of a set of rules that can be expressed in formal, semi-formal or very informal language. In many contexts, a system can be considered secure and trustworthy if the policy enforced by its security administrator is trustworthy too; from this standpoint it is possible to evaluate the security of the system by evaluating its policy. In this paper we present a policy-based methodology to formalize and compare policies, and a Security Metric to evaluate the security level that a system is able to grant. All the steps of the methodology are illustrated with an operative approach, by applying it directly to a real case study: the semi-automated Cross Certification among Public Key Infrastructures.
A policy-based methodology for security evaluation: A Security Metric for Public Key Infrastructures / Casola, Valentina; Mazzeo, Antonino; Mazzocca, Nicola; Vittorini, Valeria. - In: JOURNAL OF COMPUTER SECURITY. - ISSN 0926-227X. - PRINT. - 15:2(2007), pp. 197-229.
A policy-based methodology for security evaluation: A Security Metric for Public Key Infrastructures
Valentina Casola; Antonino Mazzeo; Nicola Mazzocca; Valeria Vittorini
2007
| File | Type | License | Size | Format |
|---|---|---|---|---|
| Casola_JCS_submission.pdf | Pre-print document | Private/restricted access | 274.83 kB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.