Enforcement of Security Policies across Corporate Boundaries

The Software Cluster in southwestern Germany is considered Europe’s Silicon Valley. Clustered around the software development centers Kaiserslautern, Darmstadt, Karlsruhe, Saarbrücken, and Walldorf are well-established universities, companies, and research institutions that are working together in close cooperation. They are jointly developing concepts and solutions for the enterprise software of the future, i.e., software for the management of business processes within and particularly between companies. There are currently three joint research projects with a total volume of more than 53 million euros; a fourth project is in the planning phase. As the consortium leader of the flagship project EMRGENT, Fraunhofer IESE is deeply involved in research and development for future concepts and solutions.

As a central result of the joint research project EMERGENT, a concept was developed by Fraunhofer IESE in a cross-organizational context for the enforcement of so-called security policies intended to regulate access to and use of sensitive data (usage control). Central components of this concept are a technology-independent decision component for security policies, the so-called Policy Decision Point (PDP), and several technology-dependent components, the Policy Enforcement Points (PEP). A PEP serves to intercept all messages on one level of abstraction (e.g., on the service level inside an enterprise service bus) and to forward, block, modify, or delay them based on the decision of the PDP. Additional actions can also be triggered, such as the creation of a log file or notification of responsible persons. In addition, reputation models are used for assessing trust in services on the basis of cross-organizational feedback and expert knowledge. The decision, i.e., the actual security policy, is formulated with the help of the policy language OSL (Obligation Specification Language). This allows specifying strong usage control in order to ensure the flow of information and thus the protection of the data. It is thus possible, for instance, to restrict the use of specific data to recipients determined a priori (who are thus authorized), or to limit the type and frequency of processing (e.g., by means of cardinal and temporal operators). The scientific highlights of the concept are: „„

  • Technology-independent specification of security requirements through a generic central policy decision point (PDP)
  • „„Technology-dependent policy enforcement points (PEP) „„
  • Use of temporal and cardinal operators in the policy language for expressing future-oriented policies (forward obligations) „„
  • Enforcement of security policies on various levels of abstraction (e.g., operating system, service, or application level) controlled by a central decision component

Another one of the cluster’s projects, SWINNG, focuses on designing suitable development processes for the enterprise software of the future and on the so-called cluster governance, i.e., the optimization of the cluster’s internal workflows, as well as on the dissemination of the developed innovations within the cluster region and beyond. One of the central tasks of Fraunhofer IESE is the evaluation of the cluster as such as well as the developed concepts and solutions. In this regard, the networking between the cluster partners and the qualification demand of specialists are examples of what was investigated last year. Currently, more empirical studies are being set up to study the concrete added value of the cluster concepts and solutions in industrial practice. Another task is to capture and optimize the critical workflows within the cluster itself. This includes, for example, processes regarding technology transfer, support for new entrepreneurs, or international communication / public relations. Fraunhofer IESE thus makes a central contribution to the evolution of the Software Cluster.

Gefördert vom