A Reference Model for Security Level Evaluation: Policy and Fuzzy Techniques

In a world made of interconnected systems which manage huge amounts of confidential and shared data, security plays a significant role. Policies are the means by which security rules are defined and enforced. The ability to evaluate policies is becoming more and more relevant, especially when referred to the cooperation of services belonging to un-trusted domains. We have focused our attention on Public Key Infrastructures (PKIs); at the state of the art security policies evaluation is manually performed by technical and organizational people coming from the domains that need to interoperate. However, policy evaluation must face uncertainties derived from different perspectives, verbal judgments and lack of information. Fuzzy techniques and uncertainty reasoning can provide a meaningful way for dealing with these issues. In this paper we propose a fuzzy technique to characterize a policy and to define a Reference Evaluation Model representing different security levels against which we are able to evaluate and compare policies. The comparison takes into account not only minimal system needs but evaluator’s severity, too; furthermore it gives clear information regarding policy weakness that could be used to help security administrators to better enforce rules. Finally we present a case study which evaluates the security level of a ”legally recognized” policy.