Shrink-Wrapped Security: Tightly Coupling Situation and Security
Publication or External Link
The mobile workforce, which consists of employees that do not have one fixed place of work and are linked to a corporate base using a mobile computing device, is expected to grow to 75% of the total United States workforce, or approximately 212.1 million people, by 2015. Advances in technology, such as the increasing abundance of portable computing devices and the prevalence of wireless broadband, combined with the fact that more companies are allowing employees to use their own devices to access the enterprise, create an environment in which these workers can access corporate resources anytime, anywhere, with a myriad of devices having varying configurations. Having ubiquitous access to resources has its benefits, like increased productivity, but also creates unique challenges to ensuring appropriate security. Traditional approaches to security are not suitable for this emerging computing environment, because they are based on assumptions that no longer hold, such as well-defined situations,
consistent configurations, and static contexts. For this reason, these
approaches typically base security decisions on statically assigned
attributes like identity or role. In the highly dynamic computing
environment of mobile workers, context-aware security, in which context is utilized to allow security to adapt to the current situation, is
essential. This dissertation presents our efforts to address the mismatch between traditional, context-insensitive security and this emerging dynamic computing environment with a novel security paradigm, shrink-wrapped security. With shrink-wrapped security, as the situation changes, the security changes also, providing a tight coupling between a user's current situation and security. Contributions of this dissertation include the following:
*A novel security paradigm, shrink-wrapped security, which involves
utilizing context to tightly fuse a user's situation and security.
*A usable definition of security-relevant context, along with goal
oriented guidelines and a corresponding taxonomy to facilitate the
systematic identification of contextual attributes that are most pertinent
to a security service. These contributions deal with a key challenge of
context-aware system development- identifying relevant context.
*A context acquisition and management framework to facilitate the
development and use of shrink-wrapped security services for the mobile
workforce. The layered architecture of this framework supports secure
context acquisition and utilization by security services and was designed
with the resource constraints of mobile devices in mind.
*An approach based on logic programming to practically incorporate the use of security-relevant context into the security policies that govern
security services. This technique is aligned with the shrink-wrapped
security concept of utilizing a comprehensive set of relevant context,
while remaining practical and manageable by abstracting relevant
contextual attributes to a security level associated with the objectives
of a security service.
*The implementation and evaluation of shrink-wrapped access control, which serves as a practical demonstration of the feasibility of shrink-wrapped security.