framework of REWERSE, has a rich set of unique features that are
currently not supported by standard systems and languages. Some
of these features can be individually found in some systems (sometimes
research prototypes), however Protune currently offers one of the most complete sets of features [see this paper]. Here are some examples of the benefits resulting from specifying, managing, and enforcing policies with Protune.
1. Flexibility without program coding
Protune policies can express a variety of static and dynamic requirements without requiring ad-hoc program code. It supports attribute based access control where attribute values may be extracted from different kinds of evidence of different strength and deployment cost,
such as digital credentials, single-sign-on tokens, unsigned
declarations (web forms), and reputation measures. This makes it
possible to balance the risks involved in a transaction with the cost
of enforcing the policy. Protune's software interprets the given
policies and activates the right procedures for gathering the required
kind of evidence.
Protune's policies may enforce simple obligations by linking some logical preconditions (such as event_logged or admin_notified) to actions
(implementing event logging, notifications, etc.) that make the
corresponding precondition true. Policies can declaratively
specify when actions are to be executed and which are the peers in
charge of their execution. Actions can be implemented as shell
scripts or Java method calls (yes, one needs some programming
here...). Changing the policy does not necessarily imply
re-implementing actions; programming is required only when the need for
new kinds of actions arises.
Actions provide also an effective integration method for legacy software and data.
2. User awareness and documentation
Proper policy documentation is essential to raise user trust in a system, and to make a system more usable and competitive [see the discussion of cooperative enforcement here].
Here we are talking both of end users and security administrators; both
categories may include users with little or no expertise on security
languages and standards, who need documentation to be formulated in a
nontechnical language. Handwritten documentation is obviously very
expensive, especially as policies evolve along time, and the risk of
documentation not being aligned with the currently enforced policy
becomes higher and higher during a system's life.
Protune's framework comprises Protune-X, a unique second-generation explanation facility that presents policies and explains access control decisions in natural language. Since explanations are automatically derived from the executable policy, (i)
costs are reduced, (ii) documentation is always up-to-date, (iii)
explanations can be contextualized specifically to the current
3. Policy confidentiality
needs and cooperative enforcement require policies to be accessible, to
some extent. This should be done with care, as policies
themselves may be confidential. There are plenty of examples in
the industrial world (e.g. a policy may reveal collaborations between
different organizations), and some examples concern typical
private uses of the Web, too (such as social networks). For
instance, think about a person trying to download the pictures of a
friend and realizing that the operation is not allowed because she is
not regarded as a "best friend". Standard policy frameworks are not
equipped for defining policies on policies. Protune allows policy
writers to assign sensitivity levels to policy rules and predicates, and restricts policy release appropriately.
4. Access control and usability
are application-domain dependent and so are the predicates in access
control conditions. In standard frameworks such as XACML the
context is a black box and application-specific terms are not specified
in a machine-understandable way. This prevents any support to
information exchange during authentication phases: users have
to be involved because the server cannot specify its credential
requests directly to heterogeneous user agents. In Protune,
interoperability is enhanced by means of lightweight ontologies
that can specify in a machine-understandable way what it means to be
authenticated to a specific system, what are the accepted credit cards,
which resources are public, and so on. This enables automated support to access control procedures:
a user agent can autonomously check whether the user can possibly
fulfill the server's policy, and present the possible options to her,
as appropriate for the current transaction (e.g. releasing a membership
card, a credit card, or both - say, to get a discount). This approach
may significantly improve a user's navigation experience, and harmonize usability requirements with strong and articulated access control requirements.
Such techniques are particularly interesting in pervasive computing
scenarios, where the interactions with small computing devices are
5. Privacy and usability
Before using a service for the first time, a user may wish to inspect the service's certifications
(e.g. membership to some seal program such as e-Trust and BBB). Today
this must necessarily be done manually. Protune supports this
process by letting user agents ask servers for certificates and
other forms of evidence (if so desired). The semantic
infrastructure for interoperability mentioned above is well suited for
automating this task, too. By relieving the user from the burden of
checking server properties, this approach encourages the development of
more rigorous service selection procedures, with stronger guarantees for the user.
Moreover, Protune enhances user privacy by supporting information release policies on the clients.
The most common decisions about releasing sensitive pieces of
information (be they credentials, unsigned declarations, or whatever)
can be specified once and for all as a policy that the user agent can
automatically apply, thereby improving the users' navigation experience
without sacrificing privacy.
6. Low deployment and maintenance costs
has been designed to reduce the cost of deployment in new application
domains and subsequent maintenance. By minimizing program coding
(almost totally replaced by configuration-like activities) and
exploiting knowledge-based techniques to automate a wide range of
operations, the costs related to instantiating Protune's framework in a
new domain, and the costs related to writing and maintaining policies
are significantly reduced. Protune supports also extensibility
mechanisms based on metapolicies.
How do we get all of the above (and why others can't)
- Policies are formulated and treated as (lightweight) knowledge bases.
In this way, many operations can be automated, thereby reducing ad-hoc
program coding to a minimum (cf. Point 1) and enabling automated
documentation (Point 2). By the same means we support interoperability
(Points 4,5) and reduce costs (Point 6). A crucial property is that the
context is itself described in a machine understandable way and it is
not a black box, unlike XACML's contexts.
- Protune supports negotiations
between the agents involved in a transaction. In the simplest case, the
server publishes its policy and the client tries to fulfill it; this
procedure is at the core of (i) the flexibility mentioned in Point 1,
and (ii) the assisted access control procedures mentioned in Point 4.
In the general case, negotiations improve policy confidentiality
(Point 3) - as policies can be disclosed incrementally, as needed by
the current transaction - and let clients gather information about
servers, as explained in Point 5.
- Protune behavior can be controlled and configured in a declarative way with metapolicies.
This gives the framework much of its flexibility without requiring
ad-hoc programming (Point 1), especially as actions (and more generally
dynamic behavior) are concerned. Metapolicies provide also a simple
means to specify which parts of the policy are sensitive (Point 3), and
how application-specific atomic conditions are to be verbalized in the
documentation (complex conditions and rules are explained by
automatically assembling such "atomic" verbalizations). The role played
by metapolicies in governing the behavior ot Protune's framework
contributes significantly to reducing ad-hoc programming efforts and
improving policy readability and maintainability. As such, metapolicies
are one of the pillars of our cost reduction strategy (Point 6).