
Policy Specification, Analysis and Transformation

International Technology Alliance in Network and Information Sciences

A scenario-based demo will illustrate the research concepts in the security policy management area.

Demonstration Components

SPARCLE Policy Workbench

The SPARCLE project is developing a highly usable policy workbench that enables organizations to:
• Create policies in natural language
• Connect policy definition to system entities
• Check policy compliance

SPARCLE provides natural language analysis of textual policies, with 94% parsing precision.
• Displays parsing and analysis results for expert review.
• Transforms the policy sets into a machine-readable XML version of the policies.

Project Team
• Mandis Beigi, Carolyn Brodie, Seraphin Calo, David George, Clare-Marie Karat, John Karat, Jorge Lobo, Dinesh Verma, and Xiping Wang (IBM Watson)
• Morris Sloman, Alberto Schaeffer-Filho (Imperial College)

Policy Deployment

In our scenario we are working with Self-Managed Cell (SMC) resources.
• SMCs are agents built using the Ponder2 policy framework developed at Imperial College.

SMC policy service - Ponder2 framework
• Two types of policies:
  • Obligation policies (event-condition-action) define management actions performed in response to events.
  • Authorization policies specify which actions are permitted on which resources and services.
• Managed objects to which policies apply can be:
  • Internal resources
  • Adapters for external services
  • Policies themselves

[Figure: policy lifecycle diagram. Labels recovered from the slide:]
Policy Specification
• Representation levels: In Natural Language Subclasses (NLS); In a Formal Language (FL); In System Context
• Policy levels: Abstract Policy Models (Goals, High Level Policies); Executable Policies; Concrete Policy Sets (Databases, XML Stores, Rule Engines, State Machines, etc.)
• Inputs: Information Control Flow; Domain Policies; Data Model; User Choices & Consent
Policy Analysis: Conflict/Dominance/Coverage
Policy Transformation: User defined transformation
Management
Tool mapping: SPARCLE covers NLP Analysis & Transformation; Policy Deployment uses Ponder2 for implementation.

Policy Analysis
Provides a formal process that allows policy administrators to certify the "correctness" of a policy. The demo highlights the use of advanced algorithms to systematically identify potential problems.

Conflict Identification – Check consistency
• Policies are in conflict if they can be simultaneously applicable and prescribe incompatible actions.

Dominance Analysis – Discover redundancies
• A policy is dominated by one or more other policies when the addition of the first policy does not affect the behavior of the system governed by the set of policies.

Coverage Analysis – Check completeness
• A set of policies may (or may not) provide a definition for the full range of input parameters. This analysis determines whether there are gaps in the coverage.
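The three checks above, as an added worked example (not SPARCLE or ITA code): a small set of authorization policies over a constructed, finite attribute space, analysed exhaustively. The attribute domains, the policy names and the deny-overrides combining rule used to define "behavior of the system" are assumptions of this example; the policy set is built to contain exactly one conflict, one redundant policy and several coverage gaps.

```python
"""Exhaustive policy-set analysis: conflict, dominance and coverage checks.

Added example, not SPARCLE/ITA code.  Policies are authorization rules over a
small, finite attribute space, so every check simply enumerates all request
points instead of reasoning symbolically.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed attribute domains (assumption: a finite, enumerable request space).
DOMAINS: Dict[str, Tuple[str, ...]] = {
    "role": ("employee", "contractor", "admin"),
    "resource": ("public", "internal", "secret"),
    "network": ("corp", "vpn", "internet"),
}
Point = Dict[str, str]  # one request: attribute -> value


@dataclass
class Policy:
    name: str
    effect: str  # "permit" or "deny"
    # attribute -> allowed values; an attribute not listed matches any value
    match: Dict[str, FrozenSet[str]] = field(default_factory=dict)

    def applies(self, point: Point) -> bool:
        return all(point[attr] in allowed for attr, allowed in self.match.items())


def policy(name: str, effect: str, **constraints: Iterable[str]) -> Policy:
    return Policy(name, effect, {k: frozenset(v) for k, v in constraints.items()})


# Constructed policy set (hypothetical names).
POLICIES: List[Policy] = [
    policy("staff-general", "permit", role={"employee", "admin"}, resource={"public", "internal"}),
    policy("no-secret-offsite", "deny", resource={"secret"}, network={"internet"}),
    policy("admin-onsite", "permit", role={"admin"}, network={"corp"}),
    policy("contractor-internal-offsite", "deny", role={"contractor"}, resource={"internal"}, network={"internet"}),
    policy("contractor-internal", "permit", role={"contractor"}, resource={"internal"}),
    policy("employee-public-onsite", "permit", role={"employee"}, resource={"public"}, network={"corp"}),
]


def all_points() -> List[Point]:
    keys = list(DOMAINS)
    return [dict(zip(keys, values)) for values in product(*(DOMAINS[k] for k in keys))]


def decide(policies: List[Policy], point: Point) -> Optional[str]:
    """Deny-overrides combining rule (an assumption of this example): any
    applicable deny wins, otherwise any applicable permit, otherwise no decision."""
    effects = {p.effect for p in policies if p.applies(point)}
    if "deny" in effects:
        return "deny"
    if "permit" in effects:
        return "permit"
    return None


def find_conflicts(policies: List[Policy]) -> List[Tuple[str, str, Point]]:
    """Pairs that are simultaneously applicable somewhere and prescribe
    incompatible effects, with one witness request point per pair."""
    conflicts = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            if a.effect == b.effect:
                continue
            for pt in all_points():
                if a.applies(pt) and b.applies(pt):
                    conflicts.append((a.name, b.name, pt))
                    break
    return conflicts


def find_dominated(policies: List[Policy]) -> List[str]:
    """A policy is dominated when removing it leaves every decision unchanged."""
    dominated = []
    for p in policies:
        rest = [q for q in policies if q is not p]
        if all(decide(policies, pt) == decide(rest, pt) for pt in all_points()):
            dominated.append(p.name)
    return dominated


def find_gaps(policies: List[Policy]) -> List[Point]:
    """Request points that no policy covers (coverage analysis)."""
    return [pt for pt in all_points() if not any(p.applies(pt) for p in policies)]


if __name__ == "__main__":
    for a, b, pt in find_conflicts(POLICIES):
        print(f"CONFLICT {a} vs {b} at {pt}")
    for name in find_dominated(POLICIES):
        print(f"DOMINATED {name}")
    gaps = find_gaps(POLICIES)
    print(f"{len(gaps)} uncovered request points, e.g. {gaps[0]}")
```

Two points a practitioner should carry over from this toy: dominance is only meaningful relative to a stated combining rule (the same redundant policy under permit-overrides may stop being redundant), and the conflict check reports a witness request so the administrator can decide which policy is wrong rather than just being told that two of them disagree. Exhaustive enumeration is fine for a handful of attributes; for real policy sets the same three definitions are checked symbolically over the condition language instead.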

Policy Transformation
Transform high level policies into low level policies using rule based transformation. Example:
• Input policy
  • If user is from U.S. then provide high security
• Transformation rules
  • Replace U.S. with subnet 9.2.x.x
  • Replace high security with 256 bit encryption and DES encryption
• Output policy
  • If user is from subnet 9.2.x.x then use 256 bit encryption and DES encryption
The target vocabulary in this slide is illustrative only: DES is a 56-bit-key cipher, so "256 bit encryption and DES encryption" does not name a real configuration. In practice the right-hand side of every transformation rule must be a concrete, currently acceptable mechanism, because the rule set decides what the deployed policy actually enforces.
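The rule-based transformation of the slide's example, as an added worked example (not SPARCLE or ITA code). Rules rewrite whole phrases, are scoped to either the condition or the action half of the policy, and are applied to a fixed point so that rules can chain; a pass budget turns a cyclic rule set into an error instead of a silently truncated result. The intermediate vocabulary ("strong encryption") and the rewrite of "provide" to "use" are assumptions made here to get from the slide's input to its output.

```python
"""Rule-based refinement of a high-level policy into a low-level one.

Added example, not SPARCLE/ITA code.  A policy is an "If <condition> then
<action>" sentence; rules rewrite whole phrases and are scoped to one half of
the sentence so vocabulary in the condition cannot accidentally rewrite the
action, or vice versa.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    part: str         # "condition" or "action": which half the rule may touch
    pattern: str      # phrase in the higher-level vocabulary
    replacement: str  # phrase in the lower-level vocabulary


@dataclass
class Policy:
    condition: str
    action: str


POLICY_RE = re.compile(r"^\s*if\s+(?P<cond>.+?)\s+then\s+(?P<act>.+?)\s*$", re.IGNORECASE)


def parse_policy(text: str) -> Policy:
    m = POLICY_RE.match(text)
    if not m:
        raise ValueError(f"not an 'If ... then ...' policy: {text!r}")
    return Policy(m.group("cond"), m.group("act"))


def render(p: Policy) -> str:
    return f"If {p.condition} then {p.action}"


def _phrase(pattern: str) -> "re.Pattern[str]":
    # Match only as whole whitespace-delimited words, so "U.S." does not fire
    # inside "U.S.A." and a rule for "high" never matches "high security".
    return re.compile(r"(?<!\S)" + re.escape(pattern) + r"(?!\S)")


def transform(p: Policy, rules: List[Rule], max_passes: int = 10) -> Tuple[Policy, List[str]]:
    """Apply the rules repeatedly until nothing changes (fixed point).

    Rules may chain (one rule's output vocabulary is another's input), so one
    pass is not enough; the pass budget guards against rule sets that cycle,
    which is reported as an error rather than returned half-transformed.
    Returns the low-level policy and a trace of every rule that fired.
    """
    current = Policy(p.condition, p.action)
    trace: List[str] = []
    for _ in range(max_passes):
        changed = False
        for r in rules:
            text = getattr(current, r.part)
            new_text, n = _phrase(r.pattern).subn(r.replacement, text)
            if n:
                setattr(current, r.part, new_text)
                trace.append(f"{r.part}: {r.pattern!r} -> {r.replacement!r}")
                changed = True
        if not changed:
            return current, trace
    raise ValueError(f"rule set did not converge after {max_passes} passes (cycle?): {trace}")


# Constructed rule set reproducing the slide's example.  The intermediate
# vocabulary ("strong encryption") and the "provide" -> "use" rewrite are
# assumptions of this example, not rules from the slide.
RULES = [
    Rule("condition", "U.S.", "subnet 9.2.x.x"),
    Rule("action", "high security", "strong encryption"),
    Rule("action", "provide strong encryption", "use 256 bit encryption and DES encryption"),
]

if __name__ == "__main__":
    low, trace = transform(parse_policy("If user is from U.S. then provide high security"), RULES)
    print(render(low))
    for step in trace:
        print("  applied", step)
```

The returned trace is the part worth keeping in a real deployment: it records which rules produced the concrete policy, so when a low-level setting turns out to be wrong (as the DES target above would be) the administrator can find the rule responsible rather than the output alone.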

Demonstration Architecture
[Figure: demonstration architecture diagram. Labels recovered from the slide: Author Policy; Visualization of Policy; Policy Analysis Module; Transform Policy; Policy Transformations; Policy Deployment; three Ponder Managed Resource nodes.]