Computer and Network Security Group   TORSEC The PoSecCo Security Decision Support System (SDSS) projects publications thesis members contact us

The PoSecCo Security Decision Support System (SDSS)

The PoSecCo project aims at establishing a traceable and sustainable link between high-level requirements and low-level configurations. This link, also named policy chain, is created by means of ad hoc refinement models and tools that permit the translation of the business security requirements (or other intermediate policy abstractions) into a set of low-level settings that, once enforced by appropriate security controls, actually implement them.

The policy abstractions used in the PoSecCo policy chain are the Business Requirements, the IT Policies, and the Abstract Configurations. Together with these abstraction, another format is used to split the refinement of IT Policies into abstract configurations for infrastructure security controls: the Logical Associations. However, they do not belong to the policy chain.

The policy chain is created by the Security Decision Support System (SDSS), a framework that drives the user during the policy-driven (automatic or semi-automatic) generation of the configurations for security controls available in a target information system. In practice, the SDSS implements the PoSecCo top top down approach.

The SDSS components

The SDSS consists of the following components, each one implementing a specific SDSS workflow phase:

the Project Manager

manages and coordinates all the refinement and management activities that can be performed with the SDSS;

the IT Policy Tool

permits the specification of IT Policies and the explicit link to existing Business requirements;

the IT Harmonization Service

verifies the coherence of the written IT Policies;

the IT Refinement Service

translates IT Policy into Abstract Configurations;

the LA Generator

refines IT Policy into Logical Association;

the LA Editor

permits the specification of Logical Associations

the Infrastructure Configuration Service

refines Logical Association into Abstract Configurations;

the Analysis Service

analyses both logical associations and configurations;

the Configuration Editor

permits the specification of configurations for filtering and data protection policies.

Download and install

The SDSS is available as an Eclipse Remote Application Platform (RAP) and as a web application. It is provided under the EPL licence.

The SDSS is complemented by the LA Editor, a standalone application (based on XText) that allows you to edit Logical Associations. It can be downloaded from here:

• LA Editor (Linux i386)
• LA Editor (Linux x64)
• LA Editor (Win i386)
• LA Editor (Win x64)

Latest version

The current version of the SDSS (1.0.0) is available here.

Installation and manuals

The SDSS getting started guide is the SDSS - user's manual document. It also includes installation instructions.

User Manuals

The following user manuals are available to work with the SDSS:

• IT Policy Tool - user's manual
• LA Generator - user's manual
• Infrastructure Configuration Services - user's manual
• Analysis Service - user's manual
• Analysis Service LA - user's manual
• Configuration Editor - user's manual

For developers

The SDSS source code is available here.

The SDSS uses several third-party open source libraries. All the required libraries for this version are available for download at this folder.

Further information on how to configure Eclipse to run and extend the SDSS are available here.

Developer's Manuals

To better understand the components' internals or to extend them, the following developer's manuals support the SDSS:

• IT Policy Tool - developer's manual
• LA Generator - developer's manual
• Infrastructure Configuration Services - developer's manual
• Analysis Service - developer's manual
• Configuration Editor - developer's manual

Last modified on Friday, 13-Dec-2013 19:54:42