Flexible Regulation of Virtual Enterprises

1
Flexible Regulation of Virtual Enterprises
Naftaly Minsky Rutgers University
Joint work with Xuhui Ao
2
Outline

• The challenges to access control posed by
  e-commerce.
• Regulation of virtual enterprises a case study.
• The law-governed interaction (LGI) mechanism, and
  how it meets the challenges to access control.
• Conclusion

3
The Challenges to AC

• The distributed and open nature of E-commerce,
  and its scale.
• PKI facilitates scalability
• but enforcement of AC policies is still done
  largely in a centralized fashion, making it hard
  to scale.
• The need for more sophisticated policies, e.g.,
• Stateful policies, sensitive to the history of
  interaction, like budgetary control.
• Policies that mandate extra actions, like state
  change, or auditing.

4
The Challenges to AC (cont)

• The need for communal (rather than
  server-centric) policies, such as
• An enterprise-wide policy governing a set of
  servers.
• Decentralized electronic marketplace.
• B2B commerce, and supply chains.
• The need for interoperation between different
  policies, and for hierarchical organization of
  policies.
• All these challenges need to be met via a single
  scalable mechanismfor specifying policies, and
  for enforcing them.

5
Governance of Virtual Enterprise(a Case Study)

• Consider a coalition C of enterprises E1,...,
  En, governed by a coalition-policy PC---where
  each Ei is governed by its own internal-policy
  Pi .
• As in virtual enterprises, supply chains, grid
  computing, etc.

6
Policies Governing a Virtual Enterprise(an
Example)
Roles each Ei should have its director Di()
and the coalition C a director DC.
A director Di can mint Ei-currency i needed to
pay for services provided by Ei and it can give
DC some of this currency
A director DC can distribute some of its i
currency among other directors.
i Currency cannot be forgedby anyone!
Servers at E1 can send their earning in 1 back
to their director
A director D2 can distribute its i budget among
agents at its enterprise

7
The Main Challenges

• The flexible formulation of such policies, so
  that
• they will be consistent, and
• their specification and evolution would be
  manageable.
• Enforcement of such policies, and in a scalable
  manner.

8
The Compositions Approach

• Given the set PC , P1,. . ., Pn of policies.
• Construct a set composed policies Pi,j
  composition (Pi , PC , Pj)
• Provide these compositions to the reference
  monitor (RM) that mediates all
  coalition-relevant interactions.
• Compositions were studied by Gong Qian 96,
  and by Bidan Issarny 98, ...

9
and its Problematics

• It is unlikely for arbitrary, and independently
  formulated, policies to be consistentso such
  composition is likely to fail.
• Policy composition is computationally
  intractable(McDaniel Prakash 2002)and, we
  need N2 such compositions!
• Inflexibility consider changing a single Pi . .
  .

10
The Proposed Approach

• Instead of creating N2 compositions (Pi , PC ,
  Pj), we will enable each enterprise Ei to create
  it own policy Pi , subject only to the constraint
  that Pi would conform to PC .
• We will then allow Ei and Ej to interoperate,
  each enforcing its own policy, Pi Pj
  respectively
• We will do this via the control mechanism called
  law-governed interaction (LGI).

11
Law-Governed Interaction (LGI)(main
characteristics)

• LGI is an access-control and coordination
  mechanism
• LGI is communal can impose mandatory policies
  (called laws) over an entire community.
• Enforcement is decentralized for scalability
  (actually, supports a whole spectrum of
  decentralization).
• Supports a wide range of laws including those
  that mandate extra actions, in a stateful
  manner.
• Supports hierarchy and interoperability.
• Efficient (overhead of about 0.1 ms), and
  incremental.
• Due to be released this summer.

12
Centralized Enforcement of Communal Policies
The problems potential congestion, and single
point of failure
Replication does not help, if S changes
rapidly enough
13
Distributed Law-Enforcement under LGI
14
Deployment of LGIvia a Distributed TCB (DTCB)
15
On the basis for trust between members of a
community

• For a pair of interlocutors to trust each other
  to comply with the same law, one needs to ensure
  
• that the exchange of messages is mediated by
  correctly implemented controllers .
• that interacting controllers operate under the
  same law L.
• Such assurances are provided, basically, via
  certification of controllers, and the exchange of
  the hash of the law.

16
Hierarchy Organization of Coalition
Policies(back to the case study)
PC
superior
subordinate
P1
P2
Pn
Pi is defined as subordinate to Pc, as thus
constrained to conform to it.
17
Interoperability

• Let us focus on the interoperability between E2
  and E1

18
Interoperability (cont.)
19
Conclusion

• LGI implementation via the Moses middleware is to
  be released in May 2005, viahttp//www.cs.rutger
  s.edu/moses/
• This initial release would not support policy
  hierarchy.
• For a complete treatment of the coalition
  problem, see Flexible Regulation of Distributed
  Coalitions Ao and Minsky In Proc. of the 8th
  European Symposium on Research in Computer
  Security (ESORICS) October 2003.

20
Questions?
21
Server-Centric Access-Control (AC)
server
Reference Monitor(RM)
It generally supports only stateless, purely
reactive, ACL-based policies, enhanced with
RBACand this is far from sufficient.
22
Enforcing a Communal AC Policy
The communal policy may be that certain type of
transactions need to be monitores
Enterprise-wide (communal) policy P
Enterprise