Date of Completion

6-19-2014

Embargo Period

6-19-2014

Keywords

Information security, tree-structured documents, access control, RBAC, LBAC, DAC, secure information engineering

Major Advisor

Steven Demurjian

Associate Advisor

Jinbo Bi

Associate Advisor

Swapna Gokhale

Associate Advisor

Xiaoyan Wang

Field of Study

Computer Science and Engineering

Degree

Doctor of Philosophy

Open Access

Open Access

Abstract

Information modeling is focused on representing, using, and exchanging information in large-scale applications that include law-enforcement, healthcare, e-commerce, and others. Information modeling, as achieved by varied data formats, creates new security challenges. First, there is a need to integrate the security requirements of existing information applications that use and exchange information via tree-structured documents. Second, there exists a need to consolidate this security in support of a newly developed information system. Third, we ask whether it is possible to develop an approach to security for information applications that is able to reconcile the security policies across potential constituent component systems in an information exchange scenario. In this dissertation we present a security framework aimed towards an approach to modeling the security of information at global and local levels. This framework leverages the three major access control models, RBAC, LBAC, and DAC, to achieve security assurance throughout varied scenarios. First, we introduce a security model that creates the base for the rest of the framework. This security model considers the access control requirements as realized in tree-structured documents with schemas. Second, we extend the UML model and metamodel layers with new diagrams that provide a graphical notation for the security model. Third, we present a mapping process between the UML diagrams and XACML that yields security policies ready to be deployed. Last, towards the overall purpose of the dissertation, we advance the information security problem to a software engineering perspective, elevating information security to a first-class citizen of the software design and development process, resulting in secure information engineering. By tackling the problem from a perspective of tree-structured documents, any data format that is represented by such a structure (e.g. XML, specialized JSON structures, RDF, OWL, etc.) can be secured. This effectively allows us to provide separation of concerns with respect to information security by defining security requirements in one software process phase and generating enforcement policies in another phase. These enforcement policies are not embedded in the system; on the contrary, they are agents evaluated and enforced in the overall security architecture of the application.
