Towards Policy Enforcement Point as a Service (PEPS)

Arash Shaghaghi; Mohamed Ali (Dali) Kaafar; Sandra Scott-Hayward; Salil S. Kanhere; Sanjay Jha

Towards Policy Enforcement Point as a Service (PEPS)

Arash Shaghaghi, Mohamed Ali (Dali) Kaafar, Sandra Scott-Hayward, Salil S. Kanhere, Sanjay Jha

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Citations (Scopus)

253 Downloads (Pure)

Abstract

In this paper, we coin the term Policy Enforcement as a Service (PEPS), which enables the provision of innovative inter-layer and inter-domain Access Control. We leverage the architecture of Software-Defined-Network (SDN) to introduce a common network-level enforcement point, which is made available to a range of access control systems. With our PEPS model, it is possible to have a ‘defense in depth’ protection model and drop unsuccessful access requests before engaging the data provider (e.g. a database system). Moreover, the current implementation of access control within the ‘trusted’ perimeter of an organization is no longer a restriction so that the potential for novel, distributed and cooperative security services can be realized. We conduct an analysis of the security requirements and technical challenges for implementing Policy Enforcement as a Service. To illustrate the benefits of our proposal in practice, we include a report on our prototype PEPS-enabled location-based access control.

Original language	English
Title of host publication	Proceedings of the IEEE Conference on Network Functions Virtualization and Software-Defined Networking
Place of Publication	Palo Alto, California
Publisher	Institute of Electrical and Electronics Engineers (IEEE)
Number of pages	6
ISBN (Print)	978-1-5090-0933-6
Publication status	Published - 08 May 2017
Event	2016 IEEE Conference on Network Functions Virtualization and Software-Defined Networking - Palo Alto, United States Duration: 07 Nov 2016 → 09 Nov 2016 http://nfvsdn2016.ieee-nfvsdn.org/ (Link to event details online)

Conference

Conference	2016 IEEE Conference on Network Functions Virtualization and Software-Defined Networking
Abbreviated title	NFV-SDN '16
Country	United States
City	Palo Alto
Period	07/11/2016 → 09/11/2016
Internet address	http://nfvsdn2016.ieee-nfvsdn.org/ (Link to event details online)

Access to Document

Towards Policy Enforcement Point as a Service (PEPS)
© 2016 IEEE. This work is made available online in accordance with the publisher’s policies. Please refer to any applicable terms of use of the publisher.
Accepted author manuscript, 4.08 MBLicence: Unspecified

Fingerprint Dive into the research topics of 'Towards Policy Enforcement Point as a Service (PEPS)'. Together they form a unique fingerprint.

Cite this

Shaghaghi, A., Kaafar, M. A. D., Scott-Hayward, S., Kanhere, S. S., & Jha, S. (2017). Towards Policy Enforcement Point as a Service (PEPS). In Proceedings of the IEEE Conference on Network Functions Virtualization and Software-Defined Networking Institute of Electrical and Electronics Engineers (IEEE).

@inproceedings{8d941a834c19439b9ac9ff140690b271,

title = "Towards Policy Enforcement Point as a Service (PEPS)",

abstract = "In this paper, we coin the term Policy Enforcement as a Service (PEPS), which enables the provision of innovative inter-layer and inter-domain Access Control. We leverage the architecture of Software-Defined-Network (SDN) to introduce a common network-level enforcement point, which is made available to a range of access control systems. With our PEPS model, it is possible to have a {\textquoteleft}defense in depth{\textquoteright} protection model and drop unsuccessful access requests before engaging the data provider (e.g. a database system). Moreover, the current implementation of access control within the {\textquoteleft}trusted{\textquoteright} perimeter of an organization is no longer a restriction so that the potential for novel, distributed and cooperative security services can be realized. We conduct an analysis of the security requirements and technical challenges for implementing Policy Enforcement as a Service. To illustrate the benefits of our proposal in practice, we include a report on our prototype PEPS-enabled location-based access control. ",

author = "Arash Shaghaghi and Kaafar, {Mohamed Ali (Dali)} and Sandra Scott-Hayward and Kanhere, {Salil S.} and Sanjay Jha",

year = "2017",

month = may,

day = "8",

language = "English",

isbn = "978-1-5090-0933-6",

booktitle = "Proceedings of the IEEE Conference on Network Functions Virtualization and Software-Defined Networking",

publisher = "Institute of Electrical and Electronics Engineers (IEEE)",

note = "2016 IEEE Conference on Network Functions Virtualization and Software-Defined Networking, NFV-SDN '16 ; Conference date: 07-11-2016 Through 09-11-2016",

url = "http://nfvsdn2016.ieee-nfvsdn.org/",

}

Shaghaghi, A, Kaafar, MAD, Scott-Hayward, S, Kanhere, SS & Jha, S 2017, Towards Policy Enforcement Point as a Service (PEPS). in Proceedings of the IEEE Conference on Network Functions Virtualization and Software-Defined Networking. Institute of Electrical and Electronics Engineers (IEEE), Palo Alto, California, 2016 IEEE Conference on Network Functions Virtualization and Software-Defined Networking, Palo Alto, United States, 07/11/2016.

Towards Policy Enforcement Point as a Service (PEPS). / Shaghaghi, Arash; Kaafar, Mohamed Ali (Dali); Scott-Hayward, Sandra; Kanhere, Salil S.; Jha, Sanjay.

Proceedings of the IEEE Conference on Network Functions Virtualization and Software-Defined Networking. Palo Alto, California : Institute of Electrical and Electronics Engineers (IEEE), 2017.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Towards Policy Enforcement Point as a Service (PEPS)

AU - Shaghaghi, Arash

AU - Kaafar, Mohamed Ali (Dali)

AU - Scott-Hayward, Sandra

AU - Kanhere, Salil S.

AU - Jha, Sanjay

PY - 2017/5/8

Y1 - 2017/5/8

N2 - In this paper, we coin the term Policy Enforcement as a Service (PEPS), which enables the provision of innovative inter-layer and inter-domain Access Control. We leverage the architecture of Software-Defined-Network (SDN) to introduce a common network-level enforcement point, which is made available to a range of access control systems. With our PEPS model, it is possible to have a ‘defense in depth’ protection model and drop unsuccessful access requests before engaging the data provider (e.g. a database system). Moreover, the current implementation of access control within the ‘trusted’ perimeter of an organization is no longer a restriction so that the potential for novel, distributed and cooperative security services can be realized. We conduct an analysis of the security requirements and technical challenges for implementing Policy Enforcement as a Service. To illustrate the benefits of our proposal in practice, we include a report on our prototype PEPS-enabled location-based access control.

AB - In this paper, we coin the term Policy Enforcement as a Service (PEPS), which enables the provision of innovative inter-layer and inter-domain Access Control. We leverage the architecture of Software-Defined-Network (SDN) to introduce a common network-level enforcement point, which is made available to a range of access control systems. With our PEPS model, it is possible to have a ‘defense in depth’ protection model and drop unsuccessful access requests before engaging the data provider (e.g. a database system). Moreover, the current implementation of access control within the ‘trusted’ perimeter of an organization is no longer a restriction so that the potential for novel, distributed and cooperative security services can be realized. We conduct an analysis of the security requirements and technical challenges for implementing Policy Enforcement as a Service. To illustrate the benefits of our proposal in practice, we include a report on our prototype PEPS-enabled location-based access control.

M3 - Conference contribution

SN - 978-1-5090-0933-6

BT - Proceedings of the IEEE Conference on Network Functions Virtualization and Software-Defined Networking

PB - Institute of Electrical and Electronics Engineers (IEEE)

CY - Palo Alto, California

T2 - 2016 IEEE Conference on Network Functions Virtualization and Software-Defined Networking

Y2 - 7 November 2016 through 9 November 2016

ER -