Efficient Policy Checking across Administrative Domains

Abstract

Information flow control provides formal techniques for specifying policies that dictate what data may flow where, and for ensuring compliance with those policies. In event-based systems, this amounts to deciding whether a particular event should be delivered to a recipient and what parts of that event the recipient should be allowed to see. This is usually effected through labels that identify the privileges required for access to, and the integrity of, parts of events. Within an organisation, agreement on the meanings of these labels can be reached by flat. However, when multiple organisations are involved, interpretation of these labels is tied up with the data usage agreements defining how the organisations interact. We provide a means to link inter- and intra-organisation information flow control, using the same mechanism for each when checking policy compliance. Event producers are insulated from concerns about whether event receivers are within their organisation or outside it.