Engineering Policies for Secure Interorganizational Information Flow

Information flow between organizations has increased tremendously in recent years, for example in information federations of closely cooperating partners in a value chain. With this intensified exchange, information security becomes a major issue. In particular, coordinated access control policies must be derived by multiple organizations in a systematic fashion. However, current access-control modeling methodologies do not sufficiently address interorganizational information flow. In order to close this gap, we provide a methodology for engineering access control policies between multiple organizations, which is motivated and exemplified by a case study on information federation in the industrial service sector. Furthermore, we present a tool-supported approach for semi-automatic generation of interorganizational role-based access control policies derived from graphical business process models.