(2015). Policy and Security Configuration Management in Distributed Systems [doctoral thesis]. Retrieved from http://hdl.handle.net/10446/49849

Policy and Security Configuration Management in Distributed Systems

MUTTI, Simone
2015-04-21

Abstract

The evolution of information systems brings a continuously increasing need for flexible and sophisticated approaches to the management of security requirements. On the one hand, systems are increasingly integrated (e.g., Bring Your Own Device) and present interfaces for invoking services that are accessible through network connections. On the other hand, system administrators are responsible for guaranteeing that this integration, and the consequent exposure of internal resources, does not introduce vulnerabilities. The need to prove that the system correctly manages its security requirements is motivated not only by the increased exposure, but also by the need to show compliance with the many regulations promulgated by governments and commercial bodies. In modern information systems, a particular area of security requirements is access control management, with security policies that describe how resources and services should be protected. These policies classify the actions on the system as authorized or forbidden, depending on a variety of parameters. Given the critical role of security, and the large size and complexity of these policies, concerns arise about the correctness of the policy. It is no longer possible to rely on the security designer for a guarantee that the policy correctly represents how the system should protect access to resources. The research documented in this thesis investigates new approaches for developing a collection of methodologies and tools that are flexible enough to help system administrators, or users in general, correctly manage security requirements. Due to the complexity of this topic, the research focused on two scenarios: (i) enterprise and (ii) mobile.
21-apr-2015
27
2013/2014
SCUOLA DI DOTTORATO DI RICERCA IN MECCATRONICA, INFORMAZIONE, TECNOLOGIE INNOVATIVE E METODI MATEMATICI
PARABOSCHI, Stefano
Mutti, Simone
Files attached to this record:
DT_Mutti_Simone_2015.pdf

Open access

Version: publisher's version
License: Aisberg default license
File size: 4.77 MB
Format: Adobe PDF
Use this identifier to cite or link to this document: https://hdl.handle.net/10446/49849