<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Model-Based Policy Derivation for Usage Control Enforcement</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>kumari@cs.tum.edu</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Technische Universität München</institution>
          ,
          <addr-line>Germany Supervisor: Prof. Dr. Alexander Pretschner, TUM</addr-line>
        </aff>
      </contrib-group>
      <abstract>
        <p>Usage control is concerned with how data is used after access to it has been granted. In existing usage control enforcements, policies are assumed to exist; the derivation of implementation-level policies from end user specification-level policies has not been looked into. The behaviour users expect from a usage-controlled system may therefore differ from the actual behaviour. This research fills this gap. The thesis is that it is possible to adaptively derive implementation-level policies from specification-level policies in the context of usage control with limited input from system administrators (and no input from end users for the derivation of policies) in distributed systems. Policy derivation uses a model-based refinement of domain-specific abstractions like data and action in terms of technical constructs like events and states of systems. Methodological guidance for achieving this translation in a semi-automated way is also discussed.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>-</title>
      <p>
        Usage control [
        <xref ref-type="bibr" rid="ref1 ref2">1, 2</xref>
        ] is an extension of access control that puts conditions on the
future usage of data. At the level of end users, such requirements are expressed
in abstract terms, for example, “picture may not be printed” or “document may
not be distributed”. Several enforcements of usage control exist for various policy
languages [
        <xref ref-type="bibr" rid="ref3 ref4 ref5 ref6 ref7">3–7</xref>
        ] and at different layers of abstraction in the system [
        <xref ref-type="bibr" rid="ref10 ref11 ref8 ref9">8–11</xref>
        ]. These
solutions focus on the enforcement of the policies and do not look into
specification, translation, conflicts and other policy-related issues. In other words, they
assume the policies to somehow exist and enable the enforcement of them. Such
solutions have a drawback that system implementations of usage control policies
might not always adequately reflect end user requirements. This is due to several
reasons, one of which is the problem of mapping concepts in the end user’s
domain to technical events and artifacts. For instance, semantics of basic operators
such as “copy” or “delete”, which are fundamental for specifying policies, tend
to vary according to context. For this reason they might be mapped to
incomplete or incorrect sets of system events in enforcement. This might allow events
that should have been inhibited and might wrongly block those that should have
been allowed. I fill this gap by addressing the translation of specification-level
policies into implementation-level policies in the context of the usage control
model introduced in [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ] and later extended in [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ]. Enforcement of policies and
related guarantees are not in the scope of this work.
      </p>
      <p>
        The problem. Usage control policies are specified as temporal and cardinality
constraints on user actions on data. In order to translate specification-level
policies, we need, firstly, to define the meaning of actions on data in technical terms.
Secondly, because specification-level policies tend to be formulated in terms of
the future usage of data, we need to transform the constraints to their past
forms [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ]; otherwise, the system would need to be able to look into the future.
Thirdly, a well-defined methodology is required to automate the translation.
      </p>
      <p>
        The solution. To address the first challenge, I propose a domain meta-model
that captures the relationships among different artifacts in any domain, at
different levels of technical details (step 1). This meta-model is then combined
with an existing usage control model to formalize policy derivation (step 2).
The second challenge, the translation of constraints, is essentially the problem
of deriving past-time rules. As there is no generic way to formulate this
derivation, this part of policy translation is handled via fixed rules. To go from policies
to event-condition-action rules (that are finally deployed), predefined templates
are used. The methodological aspects of policy derivation are addressed in step
3, which runs parallel to steps 1 and 2. Until step 3, however, I do not take into
account the fact that the domain structure changes over time. Though unrealistic,
this assumption is reasonable in order to simplify the problem for initial results.
Step 4, which is also a part of the methodological aspect of the problem, handles
the dynamic domain structure and describes the adaptive policy translation.
      </p>
      <p>The rest of this paper is structured as follows: §2 argues for the relevance of
this work with respect to related work; §3 discusses the general research
methodology and briefly describes the results published so far; §4 discusses the current
status and the approach to complete the thesis; and §5 concludes.</p>
    </sec>
    <sec id="sec-2">
      <title>Related Work &amp; Relevance</title>
      <p>
        The goal of this work is to achieve a model-based derivation of policies
in the context of usage control. In general, this aims to fill the gap between
user and system requirements which is a fundamental problem in the area of
Requirements Engineering. There are several approaches in the literature based
on goals, models, classifications, ontologies etc. that attempt to fill this gap by
distinguishing between the user-level abstractions and the corresponding
technical constructs at system levels. Some researchers have also addressed policy
derivation targeting issues like conflict prevention, where the focus has been on
the refinement of constraints rather than resources, objects or events [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ].
      </p>
      <p>
        Some prominent works on policy derivation have used resource
hierarchies [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ], commitment/obligations analysis [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ], goal decomposition [
        <xref ref-type="bibr" rid="ref16">16</xref>
        ]
and data classification [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ]. In the context of action refinement, in [
        <xref ref-type="bibr" rid="ref18">18</xref>
        ], [
        <xref ref-type="bibr" rid="ref19">19</xref>
        ]
and [
        <xref ref-type="bibr" rid="ref20">20</xref>
        ], ontology-based refinement techniques are described for semi-automated
translation of access control policies. This is similar to my action refinement
model because of the hierarchical structure of the resources considered.
However, their policies are refined from the abstract level (users, resources and
applications) to the logical level (user ids, resource addresses and computational
commands like read/write); further technical representations of policy elements
in concrete systems are not considered. [
        <xref ref-type="bibr" rid="ref21">21</xref>
        ] also addresses action decomposition
for policy refinement: subjects perform operations on targets (services and
devices) which are specified at a higher level. Using a system model and a set of
refinement rules, actions are decomposed and one higher level policy is refined
into multiple policies. In the context of giving meanings to abstract actions,
although secure deletion is covered in [
        <xref ref-type="bibr" rid="ref22">22</xref>
        ], there is no further discussion on the
different interpretations of deletion. In contrast to these works, I give a formal
definition of policy refinement along with a generic way of modeling semantics of
actions like “copy” and “delete”. My approach is to classify the abstract and the
concrete elements according to the technical details into different models and
perform transformations on the elements of these models.
      </p>
      <p>
        In the context of usage control, the only known work on policy derivation
is described in [
        <xref ref-type="bibr" rid="ref23">23</xref>
        ]. A major difference from my work, however, is the absence of
a generic and formal definition of the refinements. Other existing work on usage
control, as mentioned in §2, focuses on the enforcement part; the derivation of policies
from specification to implementation levels has not been addressed.
      </p>
      <p>Contribution. Firstly, this work provides a formal definition of policy
derivation and a generic way to model high-level actions like copy and delete for
security policies, specifically, usage control policies. Secondly, along with adding to
the expressiveness of the policy language, this work enables the derivation of
security policies from specification to enforcement, in an automated way with
limited user intervention. I am not aware of any other work that achieves automated
policy derivation and deployment for usage control. Hence the contribution of
this thesis with respect to related work.
</p>
    </sec>
    <sec id="sec-3">
      <title>Research Description &amp; Results</title>
      <p>
        Use Case. I explain the major steps of this work through an example from
the social network domain: Alice wants to protect the pictures she posts in
her profile so that her friends who get access to them should not be able to
make local copies of those pictures. Alice can specify the policy “never copy
photos” using one of the policy templates described in step 3 below. Because
of the domain model and the mappings already provided by an administrator
(step 1), this policy is translated to many technical policies at various levels of
abstraction (step 2), and sets of implementation-specific executable rules are
generated, deployed and enforced in the machines of Alice’s friends who access
her photos. If her friends update/change the systems installed on their machines,
the adaptive policy translation accommodates these changes (step 4).
      </p>
      <p>
        Step 1: The Domain Meta-Model. As user actions and data in usage control
policies vary according to the domain context, I address the problem at the
domain-level. In the meta-model, I distinguish between data and user actions
(the platform-independent model), their corresponding technical representations
(the platform-specific model) and the implementations of those technical
representations (the implementation-specific model). This is analogous to the MDA
viewpoints [
        <xref ref-type="bibr" rid="ref24">24</xref>
        ] with a minor difference in the naming of the different levels. The
meanings of all the model elements starting from action and data at the top level
are provided by mapping them to their next lower technical representations. A
detailed description of the meta-model, a high-level translation methodology and
the initial evaluation by example have been published in [
        <xref ref-type="bibr" rid="ref25">25</xref>
        ].
      </p>
      <p>
        Step 2: Policy Derivation. For derivation of policies, the domain meta-model of
step 1 is combined with the extended usage control model of [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ]. This is useful
in formalizing the semantics of the meta-model mappings. It also enables
another type of action refinement, in terms of the states of the system, as
states are already part of the extended usage control model. A few new operators
are also added to the policy language in order to model the semantics of actions
like “copy”. The combined model and the formalization of policy derivation, which
includes action refinement and rule-based future-to-past translation of conditions,
have been published in [
        <xref ref-type="bibr" rid="ref26">26</xref>
        ].
      </p>
      <p>
        Step 3: Policy Derivation Methodology. In this step I address the methodological
aspect that consists of the definitions of various models and the specification,
derivation, instantiation and deployment of policies. The specification of policies
is simplified via templates defined by an administrator which are later configured
by the end user. The policy derivation is semi-automated. One of the reasons
that the complete process cannot be automated is that one specification-level
usage control policy can be enforced in different ways, so a decision on the
enforcement strategy is required. For example, “never copy photos” can be
enforced by altogether inhibiting a copy action, by replacing the original photo
with a predefined one, or by allowing the copy with logs. I plan to partially automate
this decision making with templates, where the majority of cases are covered by the
predefined templates and only “exceptions” are handled by the administrators.
The complete policy derivation methodology is discussed in [
        <xref ref-type="bibr" rid="ref25">25</xref>
        ].
      </p>
      <p>
        Step 4: Adaptive Policy Derivation. To provide a realistic solution to the problem
at hand, we must get rid of the assumption of static domain structures. However,
if the systems evolve over time, we need a way to keep track of all the changes
that take place. Additionally, we must handle cases of pending obligations and
modification of action refinements in the domain. For this, I am working on a
methodological guidance to dynamically accommodate changes in the domain
structure. Intuitively, this includes considering all cases in which the domain model
needs to be updated, and providing interfaces for systems to register, publish their
technical artifacts and eventually de-register.
      </p>
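      <p>The refinement chain of steps 1 to 4, written out as an added example that is not code from the paper or its implementation: a “never copy photos” policy is refined through a three-layer domain model into event-condition-action rules for the registered systems, and transformers that no registered system covers are reported for administrator review. The mappings, event names, rule syntax and the names SpecPolicy, EcaRule, derive and Domain are assumptions made for illustration.</p>
      <preformat>
```python
from dataclasses import dataclass

# Constructed sample domain model; every event name below is an illustrative
# assumption, not a mapping taken from the paper.
# Platform-independent action -> platform-specific transformers
PIM_TO_PSM = {"copy": ["clipboard_copy", "save_to_file", "screenshot"]}
# Platform-specific transformer -> events per implementing system
PSM_TO_ISM = {
    "clipboard_copy": {"firefox": ["cmd_copy"], "x11": ["SetSelectionOwner"]},
    "save_to_file": {"firefox": ["save_page_as"], "openbsd": ["write"]},
    "screenshot": {"x11": ["GetImage"]},
}
# Enforcement strategies named in the text: inhibit, replace the data,
# allow with logs. The action strings are a made-up rule syntax.
STRATEGIES = {
    "inhibit": "INHIBIT",
    "replace": "MODIFY data := predefined_photo",
    "log": "ALLOW; EXECUTE log(event)",
}


@dataclass(frozen=True)
class SpecPolicy:
    modality: str    # only "never" is handled in this sketch
    action: str      # platform-independent action, e.g. "copy"
    data_class: str  # platform-independent data, e.g. "photo"


@dataclass(frozen=True)
class EcaRule:
    system: str
    event: str
    condition: str
    action: str


def derive(policy, deployed, default="inhibit", exceptions=None):
    """Refine one specification-level policy into ECA rules.

    Returns (rules, gaps). gaps lists transformers for which the model has
    no event on any registered system: refinements that stay unenforced
    and therefore need administrator review.
    """
    if policy.modality != "never":
        raise ValueError("sketch covers 'never' policies only")
    if policy.action not in PIM_TO_PSM:
        raise KeyError(f"no refinement for action {policy.action!r}")
    exceptions = exceptions or {}  # per-system strategy overrides
    rules, gaps = [], []
    for transformer in PIM_TO_PSM[policy.action]:
        covered = False
        for system, events in sorted(PSM_TO_ISM.get(transformer, {}).items()):
            if system not in deployed:
                continue
            covered = True
            strategy = exceptions.get(system, default)
            condition = f"data is a representation of {policy.data_class}"
            for event in events:
                rules.append(
                    EcaRule(system, event, condition, STRATEGIES[strategy]))
        if not covered:
            gaps.append(transformer)
    return rules, gaps


class Domain:
    """Step 4 sketch: systems register and de-register; rules are re-derived."""

    def __init__(self, policy):
        self.policy = policy
        self.deployed = set()

    def register(self, system):
        self.deployed.add(system)
        return derive(self.policy, self.deployed)

    def deregister(self, system):
        self.deployed.discard(system)
        return derive(self.policy, self.deployed)


def demo():
    """Alice's policy on a machine that has registered Firefox and OpenBSD."""
    domain = Domain(SpecPolicy("never", "copy", "photo"))
    domain.register("firefox")
    return domain.register("openbsd")


if __name__ == "__main__":
    derived, uncovered = demo()
    for rule in derived:
        print(rule)
    print("uncovered transformers:", uncovered)
```
      </preformat>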
      <p>Evaluation. The complete research work is planned in two phases: the
derivation of policies for static domains; and the extension of the framework to enable
the adaptive policy derivation. The results of each phase are planned to be
evaluated at the end of the phase by instantiating the translation of policies for
existing usage control enforcements for two use cases: one, a web-based social
network example with Firefox, X11 and OpenBSD; two, a semi-closed enterprise
setup with Thunderbird and Windows 7 OS. The results are to be evaluated
with respect to (i) requirements and (ii) related work answering if this work can
be classified as filling a gap or as improving an existing process or both. Also,
insights on generic semantics of actions are to be discussed.
</p>
    </sec>
    <sec id="sec-4">
      <title>Current Status &amp; Future Work</title>
      <p>By the time of submission of this paper, most of the work described in steps 1-3
has already been done for the translation of policies in static domains. This also
includes the investigation of typical specification-level policies in a web-based
social network and the design of templates to be used by end-users to specify
usage control policies. The respective publications at each step are mentioned
in §3. Currently, I am implementing static policy translation for a semi-closed
enterprise setup with Thunderbird and Windows 7. I am also working on the
adaptive semantics of actions and writing the dissertation. As next steps, I will
extend the implementations of policy translation for adaptive cases. I plan to
complete the work described in §3 by Autumn 2014.
</p>
    </sec>
    <sec id="sec-5">
      <title>Conclusion</title>
      <p>Through this research, I want to fill the gap between the end user’s
understanding of usage control policies and the actual enforcement of them in real
systems. For this, I provide a way to define the meanings of abstract constructs
in end-user policies. It is hard to establish a notion of correctness between the
meanings of low-level and high-level policies because the semantics of high-level
propositions is not explicitly defined but rather exists in the user’s mind. Hence
the correctness of the policy derivation is bound by that of the domain model
on which the derivation is based. The contribution comprises both the technical
and the methodological aspects of deriving implementation-level policies from
specification-level policies. It might be contended that the latter are too complex
for end users to understand and specify at all. In that case, data protection
officers or any other trusted authority might specify these policies for particular
domains. Besides users, service providers would also benefit from this research
because their contracts/terms of use could be audited for compliance.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1.
          <string-name>
            <given-names>A.</given-names>
            <surname>Pretschner</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Hilty</surname>
          </string-name>
          , and
          <string-name>
            <given-names>D.</given-names>
            <surname>Basin</surname>
          </string-name>
          .
          <article-title>Distributed usage control</article-title>
          .
          <source>Commun. ACM</source>
          ,
          <volume>49</volume>
          (
          <issue>9</issue>
          ):
          <fpage>39</fpage>
          -
          <lpage>44</lpage>
          ,
          <year>2006</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <string-name>
            <given-names>J.</given-names>
            <surname>Park</surname>
          </string-name>
          and
          <string-name>
            <given-names>R.</given-names>
            <surname>Sandhu</surname>
          </string-name>
          .
          <article-title>The UCON ABC usage control model</article-title>
          .
          <source>ACM Trans. on Information and System Security</source>
          ,
          <volume>7</volume>
          (
          <issue>1</issue>
          ):
          <fpage>128</fpage>
          -
          <lpage>174</lpage>
          ,
          <year>2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3. R. Iannella (ed.).
          <source>Open Digital Rights Language v1.1</source>
          ,
          <year>2008</year>
          . http://odrl.net/1.1/ODRL-11.pdf.
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          4. Multimedia framework (MPEG-21) - Part 5:
          <string-name>
            <given-names>Rights</given-names>
            <surname>Expression Language</surname>
          </string-name>
          ,
          <year>2004</year>
          . ISO/IEC standard 21000-
          <fpage>5</fpage>
          :
          <year>2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5.
          <string-name>
            <given-names>X.</given-names>
            <surname>Zhang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Park</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Parisi-Presicce</surname>
          </string-name>
          ,
          <article-title>and</article-title>
          <string-name>
            <given-names>R.</given-names>
            <surname>Sandhu</surname>
          </string-name>
          .
          <article-title>A logical specification for usage control</article-title>
          .
          <source>In Proc. SACMAT</source>
          , pages
          <fpage>1</fpage>
          -
          <lpage>10</lpage>
          ,
          <year>2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          6.
          <string-name>
            <given-names>M.</given-names>
            <surname>Hilty</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Pretschner</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Basin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Schaefer</surname>
          </string-name>
          , and
          <string-name>
            <given-names>T.</given-names>
            <surname>Walter</surname>
          </string-name>
          .
          <article-title>A policy language for distributed usage control</article-title>
          .
          <source>In Proc. ESORICS</source>
          , pages
          <fpage>531</fpage>
          -
          <lpage>546</lpage>
          ,
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          7.
          <string-name>
            <given-names>N.</given-names>
            <surname>Damianou</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N.</given-names>
            <surname>Dulay</surname>
          </string-name>
          , E. Lupu, and
          <string-name>
            <given-names>M.</given-names>
            <surname>Sloman</surname>
          </string-name>
          .
          <article-title>The Ponder Policy Specification Language</article-title>
          .
          <source>In Proc. POLICY</source>
          <year>1995</year>
          , pages
          <fpage>18</fpage>
          -
          <lpage>39</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          8.
          <string-name>
            <given-names>M.</given-names>
            <surname>Harvan</surname>
          </string-name>
          and
          <string-name>
            <given-names>A.</given-names>
            <surname>Pretschner</surname>
          </string-name>
          .
          <article-title>State-based Usage Control Enforcement with Data Flow Tracking using System Call Interposition</article-title>
          .
          <source>In Proc. 3rd Intl. Conf. on Network and System Security</source>
          , pages
          <fpage>373</fpage>
          -
          <lpage>380</lpage>
          ,
          <year>2009</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          9.
          <string-name>
            <given-names>A.</given-names>
            <surname>Pretschner</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Buechler</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Harvan</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Schaefer</surname>
          </string-name>
          , and
          <string-name>
            <given-names>T.</given-names>
            <surname>Walter</surname>
          </string-name>
          .
          <article-title>Usage control enforcement with data flow tracking for x11</article-title>
          .
          <source>In Proc. STM</source>
          <year>2009</year>
          , pages
          <fpage>124</fpage>
          -
          <lpage>137</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          10. L.
          <string-name>
            <surname>Desmet</surname>
            ,
            <given-names>W.</given-names>
          </string-name>
          <string-name>
            <surname>Joosen</surname>
            ,
            <given-names>F.</given-names>
          </string-name>
          <string-name>
            <surname>Massacci</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          <string-name>
            <surname>Naliuka</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          <string-name>
            <surname>Philippaerts</surname>
            ,
            <given-names>F.</given-names>
          </string-name>
          <string-name>
            <surname>Piessens</surname>
            , and
            <given-names>D.</given-names>
          </string-name>
          <string-name>
            <surname>Vanoverberghe</surname>
          </string-name>
          .
          <article-title>The S3MS</article-title>
          .
          <article-title>NET Run Time Monitor: Tool Demonstration</article-title>
          . ENTCS,
          <volume>253</volume>
          (
          <issue>5</issue>
          ):
          <fpage>153</fpage>
          -
          <lpage>159</lpage>
          ,
          <year>2009</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          11.
          <string-name>
            <given-names>P.</given-names>
            <surname>Kumari</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Pretschner</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Peschla</surname>
          </string-name>
          , and
          <string-name>
            <given-names>J.</given-names>
            <surname>Kuhn</surname>
          </string-name>
          .
          <article-title>Distributed data usage control for web applications: a social network implementation</article-title>
          .
          <source>CODASPY '11.</source>
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          12.
          <string-name>
            <given-names>A.</given-names>
            <surname>Pretschner</surname>
          </string-name>
          , E. Lovat, and
          <string-name>
            <given-names>M.</given-names>
            <surname>Buechler</surname>
          </string-name>
          .
          <article-title>Representation-independent data usage control</article-title>
          .
          <source>In Proc. 6th Intl. Workshop on Data Privacy Management</source>
          ,
          <year>2011</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          13.
          <string-name>
            <surname>Steven</surname>
            <given-names>Davy</given-names>
          </string-name>
          , Brendan Jennings,
          <string-name>
            <given-names>and John</given-names>
            <surname>Strassner</surname>
          </string-name>
          .
          <article-title>Policy conflict prevention via model-driven policy refinement</article-title>
          .
          <source>In Proc DSOM 2006</source>
          , pages
          <fpage>209</fpage>
          -
          <lpage>220</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          14. L.
          <string-name>
            <surname>Su</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          <string-name>
            <surname>Chadwick</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          <string-name>
            <surname>Basden</surname>
            , and
            <given-names>J.</given-names>
          </string-name>
          <string-name>
            <surname>Cunningham</surname>
          </string-name>
          .
          <article-title>Automated decomposition of access control policies</article-title>
          .
          <source>In Proc. POLICY</source>
          <year>2005</year>
          , pages
          <fpage>6</fpage>
          -
          <lpage>8</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          15.
          <string-name>
            <given-names>J.</given-names>
            <surname>Young</surname>
          </string-name>
          .
          <article-title>Commitment analysis to operationalize software requirements from privacy policies</article-title>
          .
          <source>Requirements Engineering</source>
          ,
          <volume>16</volume>
          :
          <fpage>33</fpage>
          -
          <lpage>46</lpage>
          ,
          <year>2011</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          16.
          <string-name>
            <surname>A.K. Bandara</surname>
            ,
            <given-names>E.C.</given-names>
          </string-name>
          <string-name>
            <surname>Lupu</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          <string-name>
            <surname>Moffett</surname>
          </string-name>
          ,
          <article-title>and</article-title>
          <string-name>
            <given-names>A.</given-names>
            <surname>Russo</surname>
          </string-name>
          .
          <article-title>A goal-based approach to policy refinement</article-title>
          .
          <source>In Proc. POLICY</source>
          <year>2004</year>
          , pages
          <fpage>229</fpage>
          -
          <lpage>239</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          17.
          <string-name>
            <surname>Y.B. Udupi</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          <string-name>
            <surname>Sahai</surname>
            , and
            <given-names>S.</given-names>
          </string-name>
          <string-name>
            <surname>Singhal</surname>
          </string-name>
          .
          <article-title>A classification-based approach to policy refinement</article-title>
          .
          <source>In Proc. 10th IFIP/IEEE IM</source>
          ,
          <year>2007</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          18.
          <string-name>
            <given-names>J.</given-names>
            <surname>Beatty</surname>
          </string-name>
          and
          <string-name>
            <given-names>J.</given-names>
            <surname>Hulgan</surname>
          </string-name>
          .
          <article-title>Experiences with a requirements object model</article-title>
          .
          <source>Lecture Notes in Comput. Sci.</source>
          , pages
          <fpage>104</fpage>
          -
          <lpage>117</lpage>
          . Springer Berlin / Heidelberg,
          <year>2009</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          19.
          <string-name>
            <given-names>A.</given-names>
            <surname>Guerrero</surname>
          </string-name>
          ,
          <string-name>
            <given-names>V.A.</given-names>
            <surname>Villagrá</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.E.</given-names>
            <surname>López de Vergara</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Sánchez-Macián</surname>
          </string-name>
          , and
          <string-name>
            <given-names>J.</given-names>
            <surname>Berrocal</surname>
          </string-name>
          .
          <article-title>Ontology-based policy refinement using SWRL rules for management information definitions in OWL</article-title>
          .
          <source>In DSOM</source>
          , pages
          <fpage>227</fpage>
          -
          <lpage>232</lpage>
          ,
          <year>2006</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          20.
          <string-name>
            <given-names>B.</given-names>
            <surname>Aziz</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.E.</given-names>
            <surname>Arenas</surname>
          </string-name>
          , and
          <string-name>
            <given-names>M.</given-names>
            <surname>Wilson</surname>
          </string-name>
          .
          <article-title>Model-based refinement of security policies in collaborative virtual organisations</article-title>
          .
          <source>ESSoS</source>
          , pages
          <fpage>1</fpage>
          -
          <lpage>14</lpage>
          ,
          <year>2011</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          21.
          <string-name>
            <given-names>R.</given-names>
            <surname>Craven</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Lobo</surname>
          </string-name>
          ,
          <string-name>
            <given-names>E.</given-names>
            <surname>Lupu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Russo</surname>
          </string-name>
          , and
          <string-name>
            <given-names>M.</given-names>
            <surname>Sloman</surname>
          </string-name>
          .
          <article-title>Decomposition techniques for policy refinement</article-title>
          .
          <source>In Proc CNSM '10</source>
          , pages
          <fpage>72</fpage>
          -
          <lpage>79</lpage>
          ,
          <year>2010</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          22.
          <string-name>
            <given-names>Joel</given-names>
            <surname>Reardon</surname>
          </string-name>
          ,
          <string-name>
            <given-names>David</given-names>
            <surname>Basin</surname>
          </string-name>
          , and
          <string-name>
            <given-names>Srdjan</given-names>
            <surname>Capkun</surname>
          </string-name>
          .
          <article-title>SoK: Secure data deletion</article-title>
          .
          <source>In Proceedings of the 2013 IEEE Symposium on Security and Privacy</source>
          ,
          <source>SP '13</source>
          , pages
          <fpage>301</fpage>
          -
          <lpage>315</lpage>
          , Washington, DC, USA,
          <year>2013</year>
          . IEEE Computer Society.
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          23.
          <string-name>
            <given-names>R.</given-names>
            <surname>Neisse</surname>
          </string-name>
          and
          <string-name>
            <given-names>J.</given-names>
            <surname>Doerr</surname>
          </string-name>
          .
          <article-title>Model-based specification and refinement of usage control policies</article-title>
          .
          <source>In Proc. PST'2013</source>
          , pages
          <fpage>169</fpage>
          -
          <lpage>176</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          24.
          <string-name>
            <given-names>J.</given-names>
            <surname>Miller</surname>
          </string-name>
          and
          <string-name>
            <given-names>J.</given-names>
            <surname>Mukerji</surname>
          </string-name>
          .
          <source>MDA guide version 1.0.1. Technical Report omg/03-06-01</source>
          , Object Management Group (OMG),
          <year>June 2003</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          25.
          <string-name>
            <given-names>Prachi</given-names>
            <surname>Kumari</surname>
          </string-name>
          and
          <string-name>
            <given-names>Alexander</given-names>
            <surname>Pretschner</surname>
          </string-name>
          .
          <article-title>Deriving implementation-level policies for usage control enforcement</article-title>
          .
          <source>CODASPY '12</source>
          , pages
          <fpage>83</fpage>
          -
          <lpage>94</lpage>
          . ACM,
          <year>2012</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref26">
        <mixed-citation>
          26.
          <string-name>
            <given-names>Prachi</given-names>
            <surname>Kumari</surname>
          </string-name>
          and
          <string-name>
            <given-names>Alexander</given-names>
            <surname>Pretschner</surname>
          </string-name>
          .
          <article-title>Model-based usage control policy derivation</article-title>
          .
          <source>In Proc. ESSOS</source>
          <year>2013</year>
          , pages
          <fpage>58</fpage>
          -
          <lpage>74</lpage>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>