Control: diseñar un procedimiento para prever o detectar los errores o las fallas del plan, así como para prevenirlos o corregirlos sobre una base de

The specifi cation of adequate access control policies in mobile enterprise settings requires tackling several challenges. Recall, for instance, the example of spontane- ous meeting described at the beginning of the chapter. In this situation, the complete list of participants may not be known in advance or may be modifi ed just before the meeting starts or even during a meeting, thus making it infeasible to defi ne access control policies based on requestor’s identity. Even the RBAC approach seems cumbersome in cross-organizational situations, since role defi nitions and hierarchies

might vary across organizational boundaries. Therefore, recent research aims at a more general and comprehensive approach to access control that exploits not only identity/role information but also additional contextual information, such as location, time, and ongoing activities. In particular, it may be advantageous for each participant to defi ne access control policies for his/her managed resources according to the cur- rent resource context. For instance, in an informal meeting, access should be granted to those who are currently located in the same room where the resource owner is located, if they actually participate in the activity/project relating to the meeting, as long as the current time corresponds to the time scheduled for the meeting.

The integration of access control with the multifaceted context concept has the following two main characteristics:

First, it is an example of an active access control model [38]. Active security •

models are aware of the context associated with an ongoing activity, which distinguishes it from the passive concept of permission.

Second, the exploitation of context as a mechanism for grouping policies •

and for evaluating applicable ones can simplify access control management by encouraging policy specifi cation reuse and by facilitating policy update/ revocation.

In traditional access control solutions, the tight coupling of the identities/roles of principals with their permissions and with the operating conditions requires security administrators to foresee all execution environments where each principal is likely to operate. In a context-centric access control approach, instead of managing princi- pals and their permissions individually, administrators can benefi t from the simple defi nition of the set of permitted actions for each context: when a principal operates in a specifi c context, the evaluation process of his/her permissions in that context is triggered.

The idea of adapting access control policies to changing context recently emerged in a fi rst few research activities, such as the Proteus access control framework [39]. In this framework, a context-aware policy model allows dynamic adaptation of access control policies to variations in context. The importance of taking context into account for securing pervasive applications is also evident in the work of Covington et al. [41] where contexts are represented through a new type of role, called environment role. Environment roles capture the relevant conditions used for restricting and regulating user privileges. Permissions are assigned both to (tradi- tional and environmental) roles and role-activation/deactivation mechanisms.

By focusing on access control in spontaneous coalitions in pervasive environ- ments, Liscano and Wang [42] proposed a delegation-based approach, where users participating to a communication session can delegate a set of their permissions to a temporary session role and enable access to each other’s resources. In particular, one endpoint user assigns the session role to the entities he/she is willing to communicate with. Contextual information is used to defi ne the conditions for the assignment to take place, thus limiting the applicability scope of this process. Only a limited set of contextual information can be specifi ed and there is no support for semantic representation of the session role and delegation context constraints. In addition,

security problems may arise whenever the entity delegated to play the session role leaves the communication session. In fact, unless the user explicitly states he/she is leaving the session, there is no way for the framework to be aware that the session role must be revoked.

Finally, the most recent trend in access control policy defi nition for highly dynamic wireless environments is the integration of context awareness with seman- tic technologies. Relevant examples include the Proteus framework, which relies on a combined ontology/rule-based approach to policy and context representation/rea- soning, and the policy model presented in Ref. [40], where contexts and policies are defi ned by adopting an OWL-based representation, and OWL inference rules are exploited to derive relationships among contexts. Let us note that a semantic-based approach allows the description of contexts and associated policies at a high level of abstraction, in a form that enables their classifi cation and comparison. This feature is essential, for instance, in order to detect confl icts between policies before they are actually enforced. In addition, semantic techniques can provide the reasoning fea- tures needed to deduce new information from existing knowledge. This ability may be exploited by the policy framework when faced with unexpected situations to react in a context-dependent and appropriate way.

A PRACTICAL EXAMPLE OF EMERGING SOLUTION