Today had two keynote addresses scheduled.
The first was by Andreas Schaad from SAP Research. Andreas presented “observations on security in large-scale industrial landscape”. He presented an interesting talk covering, inter alia, the area of access control and workflow, which of course was the general area of my PhD. I found the following observations particularly interesting:
- There exists a big communication gap between business process experts and security experts. He demonstrated some work done on the graphical representation of access control policies.
- He suggested that access control policies should be dependent on the state of the business objects. I don’t think this is a new idea, but it does not seem to be done in industrial systems yet. Personally I think this might be related to the administration detail and the gap mentioned in the previous bullet.
- While rule engines exist, many access control policies are still hidden deep in code.
- He presented some results regarding the caching of access control decisions so as to improve performance. In this case caching is historic and predictive, i.e. forward-looking, dependent on the business process.
One of the areas currently investigated by his group is to bring more context into the access control decision. This could for example be location information from a mobile device.
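The three ideas above (policy kept out of application code and dependent on the state of the business object, decisions conditioned on request context such as location, and a decision cache that is both historic and predictive along the business process) fit together in a small policy engine. The following is an added illustration written for these notes, not code from the keynote or from SAP; the purchase-order process, the rule table, the users and the "office"/"remote" location attribute are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example: a purchase order that moves through a small business
# process. Whether an action is permitted depends on the order's current state,
# the requester's role and the request context (here, the device location).

@dataclass
class PurchaseOrder:
    po_id: str
    state: str = "draft"
    owner: str = ""

@dataclass(frozen=True)
class Context:
    user: str
    role: str
    location: str  # assumed context attribute: "office" or "remote"

# Rules: (action, required role or None, object states in which it is allowed,
#         required location or None). Keeping this table outside the
# application code is the point: the policy is data, not buried logic.
RULES = [
    ("edit",    "buyer",    {"draft"},     None),
    ("submit",  "buyer",    {"draft"},     None),
    ("approve", "approver", {"submitted"}, "office"),
    ("pay",     "finance",  {"approved"},  "office"),
    ("view",    None,       {"draft", "submitted", "approved", "paid"}, None),
]
TRANSITIONS = {"submit": "submitted", "approve": "approved", "pay": "paid"}
NEXT_STATE = {"draft": "submitted", "submitted": "approved", "approved": "paid"}


class PolicyEngine:
    def __init__(self):
        # Decision cache. The object's state and owner are part of the key, so a
        # decision cached in one state can never be replayed after a transition.
        self._cache = {}
        self.stats = {"hits": 0, "misses": 0}

    def _evaluate(self, po, ctx, action):
        for rule_action, role, states, location in RULES:
            if rule_action != action or po.state not in states:
                continue
            if role is not None and ctx.role != role:
                continue
            if location is not None and ctx.location != location:
                continue
            # Separation of duty, also a property of the business object:
            # whoever owns the order may neither approve nor pay it.
            if action in ("approve", "pay") and ctx.user == po.owner:
                continue
            return True
        return False

    def decide(self, po, ctx, action):
        key = (po.po_id, po.state, po.owner, ctx, action)
        if key in self._cache:
            self.stats["hits"] += 1
            return self._cache[key]
        self.stats["misses"] += 1
        self._cache[key] = self._evaluate(po, ctx, action)
        return self._cache[key]

    def perform(self, po, ctx, action):
        """Enforce the decision; on permit, advance the business process."""
        if not self.decide(po, ctx, action):
            return False
        if action in TRANSITIONS:
            po.state = TRANSITIONS[action]
        return True

    def prefetch(self, po, contexts, actions):
        """Predictive caching: evaluate decisions for the order's next process
        state now, so the first request after the transition is a cache hit."""
        nxt = NEXT_STATE.get(po.state)
        if nxt is None:
            return 0
        future = PurchaseOrder(po.po_id, nxt, po.owner)
        for ctx in contexts:
            for action in actions:
                self.decide(future, ctx, action)
        return len(contexts) * len(actions)


def demo():
    """Run the process end to end and return the observed decisions."""
    eng = PolicyEngine()
    po = PurchaseOrder("PO-1", owner="alice")
    alice = Context("alice", "buyer", "remote")
    alice_as_approver = Context("alice", "approver", "office")
    bob_remote = Context("bob", "approver", "remote")
    bob = Context("bob", "approver", "office")
    eng.prefetch(po, [bob], ["approve"])  # warm the cache for state "submitted"
    return {
        "approve_draft": eng.perform(po, bob, "approve"),             # wrong state
        "submit": eng.perform(po, alice, "submit"),
        "approve_remote": eng.decide(po, bob_remote, "approve"),      # context
        "approve_own": eng.decide(po, alice_as_approver, "approve"),  # SoD
        "approve": eng.perform(po, bob, "approve"),                   # cache hit
        "edit_after_approval": eng.decide(po, alice, "edit"),
        "final_state": po.state,
        "cache_hits": eng.stats["hits"],
    }
```

The cache key deliberately includes the business object's state and owner rather than just the user and action: that is what makes a cached "permit" safe to reuse, and it is also what makes predictive caching possible, because the engine can evaluate for the next state of the process before the transition happens.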
My conclusion: the area of access control is still alive and well. Theory and practice are not quite aligned…
The second keynote address was by Professor Joachim Biskup. His talk is entitled “Principles of Inference Control Applied to Controlled Query and Update Execution”. He addressed the issue from a formal approach. Inference control is, in layman’s terms, about thinking about the implications of an action. It should therefore be an integral part of things like the granting of access control. Two techniques of inference control are static inspection and dynamic monitoring. Static inspection happens at design-time, while dynamic monitoring deals with actual situations. He described some work they did in controlled query and update execution. Sounded interesting, but not quite my kettle of fish at the current moment.