Architectural Separation of Authorization and Application Logic in Distributed Systems

Konstantin Beznosov

16 October 2005

Abstract: Security is an essential feature of, and a foremost concern for, enterprise software systems. Today, application-level access control (and other security) functions are based on complex, fine-grained and/or context-dependent policies, and thus are largely embedded in application systems. This results in multiple-point security control, which makes system integration and security administration tremendously difficult, costly and error-prone. In this talk, we present our ongoing effort to address the above problems and to achieve the objectives of application access control by integrating the latest results in distributed object technology and software security under an architecture-centered approach for system composition. The main direction of our approach is the development of an open, adaptive and application-independent distributed authorization service based on emerging middleware standards such as CORBA. The service provides authorization decisions to distributed application systems. It establishes the structural basis for system composition, and for ensuring overall performance, availability and reliability of enterprise-wide authorization services. The use of an external authorization service promises to overcome most of the drawbacks of coupling authorization logic with application logic. The same approach might be generalized and applied to other security properties of distributed application systems. However, several important questions have to be addressed before the approach can be considered viable. We expect the study to show (1) whether the architectural separation of functional and nonfunctional system properties is viable for contemporary distributed computing technologies in general, and (2) whether authorization logic can be effectively decoupled from application logic in particular. The research has direct implications for the practice of constructing distributed application systems.
The talk was given at:
* Department of Computer Science, Middlesex College, The University of Western Ontario, London, ON, Canada, 30 May.
* Department of Computer Science, York University, Toronto, ON, Canada, 29 May.
* IBM Zurich Research Laboratory, Rüeschlikon, Switzerland, 22 May.
* Erik Jonsson School of Engineering and Computer Science, The University of Texas at Dallas, TX, USA, 1 May.
* Computer and Information Sciences Department, Temple University, Philadelphia, PA, USA, 11 April.

Keyword(s): access control; software engineering; CORBA; distributed applications; Engineering Security Mechanisms

Published in: Konstantin Beznosov, "Architectural Separation of Authorization and Application Logic in Distributed Systems," talk given at several organizations, see abstract for details, April--May, 2000.


