Distributed Trust Based Management: Who's Getting In?

With the explosion of the use of the Internet for nearly all forms of negotiable instrument exchange, the constant transmission of time sensitive and vital corporate communications, and the ubiquitous presence of malicious software writers, verifying who gets access to what has become a high-priority mission for all.

The idea that resources being sought after may be defined differently by different systems only underscores the complexity of the access-granting or access-restricting process (Blaze al., 1999). One method used for access control and authentication purposes is the Access Control List (ACL). The ACL is simply a list describing the access rights a given user has in a system. As Blaze writes, “The UnixTM-filesystem ‘permissions’ mechanism is essentially an ACL” (1999).

Although easy to grasp and well documented, the complexity of authentication in distributed systems has made the ACL “…inadequate for distributed-system security” (Blaze et al., 1999). The concept of a decentralized collaborative system, as described by Li et al, whose membership changes frequently and whose existence poses a new set of security problems, comprises a unique situation wherein there is no single authority to rely upon for access control or resource dedication.

As in the case of a national accounting firm that handles accounts related to a wide variety of industries and company size, there would be multiple offices across a wide geographical area with many managers vying for control and access to data or information. Few data sources are more confidential than the financials of a business. Maintaining strict confidentiality through precise access control is an absolute must. In a company managing funds and accounts for an eclectic set of clients, multiple access attempts from users of all levels and needs will be ongoing. A simple list attempting to identify and then delegate appropriate access authorization will not be adequate.

A programming language based control structure that verifies who is asking for exactly what and then uses a comparison structure to match up the user or the role the user adopts with a policy that distributes access rights and authorization based on “security policies, credentials, and relationships that allows direct authorization of security-critical actions” (Blaze et al., 1999) is a more modern and practical approach. A system that that has a huge number of people spread over a large geographical area that are making multiple requests for information, sometimes for the first time, makes a traditional system-security approach inadequate.

Multiple queries for access demand that not only are the authorizations appropriate but also that the policy referred to that allows access has authorization to grant access (Blaze et al., 1999). If, in the case of the national accounting firm, there is not an access scheme that ensures that those gaining access to sensitive information are authorized to do so, then there is no control. It becomes a case of knowing which objects are being requested by whom. After determining those two factors, a number of variables are considered in making an access decision.

Another way of stating the problem is as follows: “Does the set…of credentials prove that the request…complies with the local security policy…”. A general, company-wide policy being in effect, some degree of specificity by local entities is desirable. In this way, the policy may delegate the responsibility of authorization to those issuing the credentials. With the expertise of issuing credentials comes the domain expertise as well as understanding the relationships with those requesting access authorization. By using a “general-purpose, application independent algorithm for checking proofs of compliance,” a more sound and reliable “proof of compliance” will result (Ioannidis).

As the complexity of sharing information over a wide area with multiple possible users increases more and more, the need for a more comprehensive access authorization model has become apparent. Trust management has evolved as a method to handle that increased complexity. By the use of some fundamental concepts underlying trust management, including a programming language based control structure verifying identities, a comparison structure to match up the user with a role and a policy that distributes access rights and authorization, a fundamental authorization question may be answered. Proper credentials verify that a request complies with policy.

In a national accounting firm spread over a large geographical area, distributed trust management offers the level of scrutiny and complexity needed in order to ensure that not only are appropriate access authorizations maintained, but also that the authorizing body is also maintained. With a large enterprise, no one governing entity is able to handle the considerable amount of information requests. An independent application set up to handle requests, verify identities, compare requests with policies and grant access is necessary. Distributed trust management enables such control over sensitive data.

---

Blaze, M., Feigenbaum, J., Ioannidis, J., Keromytis, A. (1999). The role of trust management in distributed systems security. Retrieved April 13, 2009, from http://cs-www.cs.yale.edu/homes/jf/BFIK-SIP.pdf

Li, N., Mitchell, J., Winsborough, W. (No Date). Design of a role-based trust-management framework. Retrieved April 13, 2009, from http://crypto.stanford.edu/~ninghui/papers/rt_oakland02.pdf

Ioannidis, J., Keromytis, A. (No Date). Distributed trust. Retrieved April 13, 2009, from http://www1.cs.columbia.edu/~angelos/Papers/2004/tmreview.pdf