Security solution frames and security patterns for authorization in distributed, collaborative systems

The design of an authorization infrastructure is one of the most important aspects of engineering a secure software system. Unlike other system types, distributed systems - and especially distributed collaborative systems - can require custom, fine-grained authorization models and enforcement approaches that are able to take into account a range of semantic subtleties. In this paper we present a comprehensive, pattern-oriented software engineering approach to authorization for general distributed systems - with particular applicability to distributed collaborative systems - that allows developers to build custom, application-specific conceptual authorization models in a simple yet extensible manner, and to make informed decisions regarding their enforcement in software, as well as how their supporting rule/policy infrastructure should be designed. Our authorization approach is embodied in two instances of a new pattern-based security engineering construct called a security solution frame, which groups together related patterns - both security \"product\" and micro-process patterns - in different sub-structures, horizontally and vertically, for a single high-level security policy (in our case authorization and policy management). By applying specific micro-process patterns in each solution frame, developers are guided in using relevant \"product\" patterns to progressively construct a distributed authorization infrastructure - from abstract concepts toward concrete designs, via a number of levels of abstraction implying solution refinement and corresponding to stages of the development life-cycle. The summary-form \"product\" patterns encapsulated in each frame also help developers to form a holistic, \"global\" view when analyzing existing infrastructures. We illustrate and evaluate the proposal in the context of greenfield system development by applying our solution frames to design the authorization infrastructure of a (new) distributed system for secure file sharing and collaborative editing; and also use our solution frames to briefly analyze and capture the design decisions underlying two existing distributed authorization infrastructures: one based on UCON for collaborative Grid systems and another based on ZBAC for SOA-based systems.