A policy-based methodology for security evaluation: A Security Metric for Public Key Infrastructures

Valentina Casola; Antonino Mazzeo; Nicola Mazzocca; Valeria Vittorini
2007

Abstract

The security of complex infrastructures depends on many technical and organizational issues that need to be properly addressed by a security policy. For the purposes of our discussion, we define a security policy as a document that states what is and what is not allowed in a system during normal operation; it consists of a set of rules that may be expressed in a formal, semi-formal or very informal language. In many contexts, a system can be considered secure and trustworthy if the policy enforced by its security administrator is trustworthy too; from this standpoint it is possible to evaluate the security of a system by evaluating its policy. In this paper we present a policy-based methodology to formalize and compare policies, and a Security Metric to evaluate the security level that a system is able to grant. All the steps of the methodology are illustrated with an operative approach, by applying them directly to a real case study: the semi-automated Cross Certification among Public Key Infrastructures.
A policy-based methodology for security evaluation: A Security Metric for Public Key Infrastructures / Casola, Valentina; Mazzeo, Antonino; Mazzocca, Nicola; Vittorini, Valeria. - In: JOURNAL OF COMPUTER SECURITY. - ISSN 0926-227X. - STAMPA. - 15:2(2007), pp. 197-229.
Files in this item:
File: Casola_JCS_submission.pdf (not available)
Type: Pre-print document
License: Private/restricted access
Size: 274.83 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11588/322142
Citations
  • Scopus 37
  • ISI 17