Policy Specification, Analysis and Transformation
International Technology Alliance in Network and Information Sciences
A scenario-based demo will illustrate the research concepts in the security policy management area.
Demonstration Components
SPARCLE Policy Workbench
The SPARCLE project is developing a highly usable policy workbench that enables organizations to:
• Create policies in natural language
• Connect policy definition to system entities
• Check policy compliance
Provides natural language analysis of textual policies, displays results for expert review, and generates the machine-readable XML version of the policies, with 94% parsing precision.
• Displays parsing and analysis results for expert review.
• Transforms the policy sets into machine-readable XML version of the policies.
Project Team
• Mandis Beigi, Carolyn Brodie, Seraphin Calo, David George, Clare-Marie Karat, John Karat, Jorge Lobo, Dinesh Verma, and Xiping Wang (IBM Watson)
• Morris Sloman, Alberto Schaeffer-Filho (Imperial College)
Policy Deployment
In our scenario we are working with Self-Managed Cells (SMC) resources.
• SMCs are agents built using the Ponder2 policy framework developed at Imperial College
SMC policy service - Ponder2 framework
• Two types of policies
  • Obligation policies (event-condition-action) define management actions performed in response to events
  • Authorization policies specify which actions are permitted on which resources and services
• Managed objects to which policies apply can be
  • Internal resources
  • Adapters for external services
  • Policies themselves
[Figure: diagram; labels recovered from the slide: Policy Specification; In Natural Language; Subclasses (NLS); In a Formal Language (FL); Abstract Policy Models; Goals, High Level Policies; In System Context; Executable Policies; Databases, XML Stores, Rule Engines, State Machines, etc; Concrete Policy Sets; Information Control Flow; Domain Policies; Data User Choices & Model Consent; Policy Analysis; Conflict/Dominance/Coverage; Policy Transformation: User defined transformation; Management; SPARCLE; NLP Analysis & Transformation; Policy Deployment: Using Ponder 2 for implementation.]
Policy Analysis
Provides a formal process that allows policy administrators to certify the “correctness” of a policy. Demo highlights the use of advanced algorithms to systematically identify potential problems.
Conflict Identification – Check consistency
• Policies are in conflict if they can be simultaneously applicable and prescribe incompatible actions.
Dominance Analysis – Discover redundancies
• A policy is dominated by one or more other policies when the addition of the first policy does not affect the behavior of the system governed by the set of policies.
Coverage Analysis – Check completeness
• A set of policies may (or may not) provide definition for a range of input parameters. This analysis method determines if there are gaps in the coverage.
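The three checks above can be illustrated by exhaustive evaluation over a small discrete input space. This is an added example, not the project's own algorithms or code; the policy model (inclusive integer ranges with a permit/deny decision), the attribute names and the sample policies are constructed assumptions.

```python
from itertools import product

# Constructed attribute domains (assumption): clearance 0-3, hour of day 0-23.
DOMAIN = {"clearance": range(0, 4), "hour": range(0, 24)}

# Constructed policy set: name -> (inclusive ranges per attribute, decision).
POLICIES = {
    "P1": ({"clearance": (2, 3), "hour": (8, 17)}, "permit"),
    "P2": ({"clearance": (0, 2), "hour": (0, 23)}, "deny"),
    "P3": ({"clearance": (3, 3), "hour": (9, 12)}, "permit"),
}

def applies(cond, point):
    """A policy applies when every constrained attribute lies in its range."""
    return all(lo <= point[a] <= hi for a, (lo, hi) in cond.items())

def decisions(policies, point):
    """Set of decisions prescribed by all applicable policies at one point."""
    return {d for cond, d in policies.values() if applies(cond, point)}

def points():
    """Enumerate every combination of attribute values in DOMAIN."""
    names = list(DOMAIN)
    for values in product(*(DOMAIN[n] for n in names)):
        yield dict(zip(names, values))

def conflicts(policies):
    """Pairs that are simultaneously applicable with incompatible decisions."""
    found = set()
    for pt in points():
        live = [n for n, (c, _) in policies.items() if applies(c, pt)]
        found |= {(a, b) for a in live for b in live
                  if a < b and policies[a][1] != policies[b][1]}
    return found

def dominated(policies):
    """Policies whose removal changes the decision set at no input point."""
    out = set()
    for name in policies:
        rest = {n: p for n, p in policies.items() if n != name}
        if all(decisions(policies, pt) == decisions(rest, pt) for pt in points()):
            out.add(name)
    return out

def gaps(policies):
    """Input points for which no policy provides any decision."""
    return [pt for pt in points() if not decisions(policies, pt)]
```

Enumeration handles dominance by several policies jointly, but it only scales to small finite domains.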
Policy Transformation
Transform high-level policies into low-level policies using rule-based transformation. Example:
• Input policy
  • If user is from U.S. then provide high security
• Transformation rules
  • Replace U.S. with subnet 9.2.x.x
  • Replace high security with 256 bit encryption and DES encryption
• Output policy
  • If user is from subnet 9.2.x.x then use 256 bit encryption and DES encryption
Demonstration Architecture
[Figure: architecture diagram; labels recovered from the slide: Visualization of Policy; Policy Analysis Module; Transform Policy; Author Policy; Policy Transformations; Policy Deployment; Ponder Managed Resource (three instances).]