Decentralized Enforcement of Security Policies for Distributed Computational Systems

The shift from single server environments to globally distributed systems presents a great challenge in terms of defining and enforcing appropriate security policies. This is, among other things, due to the fact that the actual order between events in an asynchronous distributed environments is not always defined. In addition, security policies often depend on the actual information exchange among the distributed entities. In this paper we study the problem of adapting security policies to distributed environments such as grids and mobile code systems. We define global security policy and indicate some of the difficulties in translating local policies to the distributed environment. Then, we propose an efficient and scalable decentralized security mechanism for the enforcement of global stateful security policies in distributed computational systems. The mechanism is based on multiple instances of execution monitors (smart sandboxes) running on the distributed entities and on efficient security information sharing among them. We show that the subclasses of EM policies enforceable by this mechanism contain useful and real live security policies such as global information flow policies.