CORBA security : an introduction to safe computing with objects

The CORBAsecurity specification adopted by the Object Management Group (OMG) represents a major step forward in making object technology suitable for business application development. The specification document, however, is long, detailed, and complex; it is a time-consuming task for software developers to make their way through it, and it is inaccessible to CIOs and other technical managers who need to understand object security and its impact on their organizations. CORBA Security provides a readable and less technical overview of the specification and a guide to the security of object systems. Written from a policy point of view, the book will help you decide what security policies are appropriate for your organization and evaluate the object-based security options that can help you manage those policies. For those unfamiliar with basic security and object technology concepts, clear introductions to these topics will bring you up to speed. The book also provides a list of questions you can ask your secure object system vendor-questions that will get behind the jargon and acronyms and give you the information you need to determine just how safe the product really is. Readers will get an in-depth look at each element of computer security and how the CORBAsecurity specification fulfills each of these security needs. Topics covered include identification, authentication, and privilege; access control; message protection; delegation and proxy problems; auditing; and, non-repudiation. The author also provides numerous real-world examples of how secure object systems can be used to enforce useful security policies. 0201325659B04062001

1. Objects and Security. What Are Objects? How Do Objects Send Messages? What Is Security? Protection. Authorization. Accountability. Availability. Assurance. 2. Object Security. Special Object Security Requirements. Naming. Scale. Encapsulation. An Overview of the CORBA Security Model. 3. Policy. Protection and Policy. Subjects. Objects. Actions. Access Control Policy. Message Protection Policy. Audit Policy. Non-Repudiation Policy. 4. Identification, Authentication, and Privilege. Subjects. Authentication and Credentials. Contexts. 5. Access Control. Managing Access Control Policy. The Problem of Scale. Controlling Access Control Policy Scale. Privilege Attributes Are Groups of Subjects. Domains Are Groups of Objects. Required Rights Are Groups of Actions. Enforcing Access Control Policy. The accessDecision Procedure. Combining Policies to Make Access Decisions. 6. Message Protection. Managing Message Protection Policy. Quality of Protection. Defining Message Protection Policy. Enforcing Message Protection Policy. 7. Delegation. The Secure Proxy Problem. Managing Delegation Policy. Enforcing Delegation Policy. 8. Security Auditing. Managing Audit Policy. Event Generation Policy. Enforcing Audit Policy. Audit Decisions. Audit Channels. 9. Non-Repudiation. Disputes, Evidence, and the Burden of Proof. Disputes. Non-Repudiation Evidence. Non-Repudiation Policies. Managing Non-Repudiation Policy. Enforcing Non-Repudiation Policy. Non-Repudiation Credentials. Generating Non-Repudiation Evidence. Arbitrating Disputes Using Non-Repudiation Evidence. Examples of Disputes. Non-Repudiation Service Structures. 10. Questions to Ask Your Secure Object System Vendor. Suggested Reading. Glossary. Index. 0201325659T04062001