Shrink-Wrapped Security: Tightly Coupling Situation and Security

Abstract

The mobile workforce, which consists of employees that do not have one fixed place of work and are linked to a corporate base using a mobile computing device, is expected to grow to 75% of the total United States workforce, or approximately 212.1 million people, by 2015. Advances in technology, such as the increasing abundance of portable computing devices and the prevalence of wireless broadband, combined with the fact that more companies are allowing employees to use their own devices to access the enterprise, create an environment in which these workers can access corporate resources anytime, anywhere, with a myriad of devices having varying configurations. Having ubiquitous access to resources has its benefits, like increased productivity, but also creates unique challenges to ensuring appropriate security. Traditional approaches to security are not suitable for this emerging computing environment, because they are based on assumptions that no longer hold, such as well-defined situations, consistent configurations, and static contexts. For this reason, these approaches typically base security decisions on statically assigned attributes like identity or role. In the highly dynamic computing environment of mobile workers, context-aware security, in which context is utilized to allow security to adapt to the current situation, is essential. This dissertation presents our efforts to address the mismatch between traditional, context-insensitive security and this emerging dynamic computing environment with a novel security paradigm, shrink-wrapped security. With shrink-wrapped security, as the situation changes, the security changes also, providing a tight coupling between a user's current situation and security. Contributions of this dissertation include the following: *A novel security paradigm, shrink-wrapped security, which involves utilizing context to tightly fuse a user's situation and security. *A usable definition of security-relevant context, along with goal oriented guidelines and a corresponding taxonomy to facilitate the systematic identification of contextual attributes that are most pertinent to a security service. These contributions deal with a key challenge of context-aware system development- identifying relevant context. *A context acquisition and management framework to facilitate the development and use of shrink-wrapped security services for the mobile workforce. The layered architecture of this framework supports secure context acquisition and utilization by security services and was designed with the resource constraints of mobile devices in mind. *An approach based on logic programming to practically incorporate the use of security-relevant context into the security policies that govern security services. This technique is aligned with the shrink-wrapped security concept of utilizing a comprehensive set of relevant context, while remaining practical and manageable by abstracting relevant contextual attributes to a security level associated with the objectives of a security service. *The implementation and evaluation of shrink-wrapped access control, which serves as a practical demonstration of the feasibility of shrink-wrapped security.