International Technology Alliance In Network & Information Sciences

Policy Specification, Analysis and Transformation

Mandis Beigi, Carolyn Brodie, Seraphin Calo, David George, Clare-Marie Karat, John Karat, Jorge Lobo, Dinesh Verma, and Xiping Wang

Policy Life Cycle

(Diagram of the policy life cycle, labelled Task 1 to Task 4, with the stages: Author, Analyze & Transform NL Policies; Policy Algebra; Mapping onto Network Security Mechanisms.)

Security Policy Framework – TA2 P4

(Framework diagram. Its labels, grouped by region:)

• Policy Specification: in Natural Language Subclasses (NLS); in a Formal Language (FL)
• Algorithms & Tools (User Side / System Side): Author NL policies; Convert NL policies to FL policies; Author FL policies; Convert FL policies to NL policies
• Abstract Policy Models; Privacy / Security Ontologies; Policy Transformation; Policy Synchronization
• Goals, High Level Policies in System Context; Concrete Policy Sets; Executable Policies (Databases, XML Stores, Rule Engines, State Machines, etc.); Information Control Flow
• Policy Authoring; Policy Ratification
• Global Principles and Goals; Large Scale Analyses of NL and FL Policies; Survey & Coding of Related Practices; Human Factors Based Design & Usability Studies
• Policy Presentation; Processing & User Interaction; User Preferences in a FL; User-Level Paradigms for Preferences; Preference Specification Tools
• AC & Audit Policies; Data Model; User Model; Risk Model; Choices & Consent

Demonstration Components

(Diagram placing the demo components on the framework: Policy Specification in Natural Language Subclasses (NLS) and in a Formal Language (FL); Abstract Policy Models; Goals, High Level Policies in System Context; Concrete Policy Sets; Executable Policies (Databases, XML Stores, Rule Engines, State Machines, etc.); Information Control Flow; Domain Policies; Data Model; User Choices & Consent.)

• Policy Analysis: Conflict / Dominance / Coverage
• Policy Transformation: user defined transformation
• Management
• SPARCLE: NLP Analysis & Transformation
• Policy Deployment: using Ponder 2 for implementation

SPARCLE Policy Workbench

• Motivation for SPARCLE:
– Policies provide a powerful mechanism to manage many kinds of infrastructures, including security and network management.
– Currently, policy management methods (e.g., editing XML files) are not sufficient for users of varying technical abilities.
– There is a large, error-prone gap between high level policy specification and deployment.
– Goal: Create a usable, integrated capability for policy management across heterogeneous systems.

SPARCLE Policy Workbench

• Project Scope: The SPARCLE (Server Privacy ARchitecture and CapabiLity Enablement) project will create a highly usable policy workbench that enables organizations to:
– Create access control policies (Author, Analyze, and Transform)
– Connect policy definition to system entities (Implement)
– Check policy compliance (Audit)

• Authoring Tool Description:
– Provides natural language analysis of textual policies, displays results for expert review, and generates the machine-readable XML version of the policies, with 94% parsing precision.
– Provides analysis of conflicts and redundancies in access control policies at the structured language level.
– Displays results for expert review.
– Transforms the policy sets into the machine-readable XML version of the policies.

SPARCLE Parsing Example

Marketing employees can collect and use name, address, and phone number for the purpose of direct advertising if the customer has opted-in.

User category: Marketing employees
Actions: can collect and use
Data categories: name, address, and phone number
Purpose: for the purpose of direct advertising
Condition: if the customer has opted-in.

Policy Analysis

• Motivation:
– Provides a formal process that allows policy administrators to certify the “correctness” of a policy before the policy is activated.
– Demo highlights the use of advanced algorithms to systematically determine if a policy is problematic.
– Analysis can be performed when a policy is authored, and the whole process of analysis is automated.

Policy Analysis Types in Demo

• Conflict Identification:
– Two policies are in conflict if they can be simultaneously applicable and prescribe incompatible actions.
– This analysis method is used to determine if two policies are consistent.

• Dominance Analysis:
– A policy is dominated by a set of one or more other policies when the addition of the first policy does not affect the behavior of the system governed by the set of policies.
– This analysis method is used to discover redundant policies.

• Coverage Analysis:
– A set of policies may (or may not) provide a definition for a range of input parameters. This analysis method determines if there are gaps in the coverage.
– This analysis method is used to examine the completeness of a set of policies.

Conflict Identification

(Figure: the applicability subspaces of an already existing policy and a new policy, plotted over the axes Security Level and Teams.)

• Conflict: Applicability subspaces intersect.
• Variables can take values in spaces of different characteristics
– We first find the intersection of the policy hyper-spaces
– Then we check if the policy effects are incompatible

Dominance Analysis

(Figure: an already existing policy and a new policy plotted over the axes Battery capacity and Draining rate, with the values 100 mAmp, 95 mAmp/h and 30 mAmp/h marked.)

• Dominance check:
– A subspace is inside another subspace
– Subspaces might not be convex
• A policy is dominated if its hyper-space is completely contained in the hyper-space of the existing policies

Coverage Analysis

(Figure: policies P2, P3 and P4 plotted over the axes Battery capacity and Draining rate, with the values 10, 35, 40, 100 and 350 marked on the axes, the device space drawn as a dashed line, and an uncovered area marked.)

• Coverage check:
– A subspace is contained by another subspace (the space to be covered)
– Subspaces might not be convex
• A device space is covered if it is completely covered by the hyper-space of a set of policies
• To cover the device space the lower bound of draining rate of P4 can be changed to 35
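The three checks of the preceding slides (conflict, dominance, coverage), written here as an added example that is not the project's code: a policy is a hyper-rectangle over the two slide axes, and coverage and dominance are decided exactly by cutting the space into elementary cells, which also handles non-convex unions of policies. The axis names, the device space and the bounds of P2, P3 and P4 are constructed to match the coverage slide, not taken from the figure.

```python
from itertools import product
# Added example: a policy is a hyper-rectangle {variable: (low, high)} plus an effect.
# Axes and values are constructed to mirror the slides (P2, P3, P4, dashed device space).
AXES = ("draining_rate", "battery_capacity")

def intersect(a, b):
    """Intersection of two boxes, or None when their applicability subspaces do not overlap."""
    box = {}
    for v in AXES:
        lo, hi = max(a[v][0], b[v][0]), min(a[v][1], b[v][1])
        if lo >= hi:  # boxes that merely touch at a boundary do not overlap
            return None
        box[v] = (lo, hi)
    return box

def conflicts(p, q):
    """Conflict: both policies can apply at once and prescribe incompatible effects."""
    return intersect(p["space"], q["space"]) is not None and p["effect"] != q["effect"]

def cells(boxes):
    """Cut the space at every box boundary into elementary cells (unions need not be convex)."""
    cuts = {v: sorted({edge for b in boxes for edge in b[v]}) for v in AXES}
    for corner in product(*[list(zip(cuts[v], cuts[v][1:])) for v in AXES]):
        yield dict(zip(AXES, corner))

def inside(cell, box):
    return all(box[v][0] <= cell[v][0] and cell[v][1] <= box[v][1] for v in AXES)

def uncovered(target, boxes):
    """Elementary cells of `target` outside every box; an empty list means full coverage."""
    return [c for c in cells([target] + boxes)
            if inside(c, target) and not any(inside(c, b) for b in boxes)]

def dominated(new, existing):
    """Dominance: the new policy's hyper-space is completely contained in the existing union."""
    return not uncovered(new["space"], [e["space"] for e in existing])

DEVICE = {"draining_rate": (10, 40), "battery_capacity": (100, 350)}
P2 = {"space": {"draining_rate": (10, 35), "battery_capacity": (100, 200)}, "effect": "allow"}
P3 = {"space": {"draining_rate": (10, 35), "battery_capacity": (200, 350)}, "effect": "allow"}
P4 = {"space": {"draining_rate": (40, 60), "battery_capacity": (100, 350)}, "effect": "allow"}

def coverage_gap():
    """The uncovered area: draining rate 35..40 is reached by none of P2, P3, P4."""
    return uncovered(DEVICE, [p["space"] for p in (P2, P3, P4)])

def fixed_p4():
    """The slide's fix: lower P4's draining-rate bound to 35 and re-check coverage."""
    p4 = {"space": dict(P4["space"], draining_rate=(35, 60)), "effect": "allow"}
    return uncovered(DEVICE, [p["space"] for p in (P2, P3, p4)])
```

The cell decomposition grows with the number of distinct bounds per axis, so for large policy sets a practitioner would index policies per axis first, but the containment logic stays the same.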

Policy Transformation

• Motivation and Explanation:
– Transform high level policies into low level policies
– Rule based transformation
– Modify condition and action sections of the policies
– Simple search and replace
– Transformation rules are written in an XML format by an expert user


Transformation Example

Input policy

If user is from U.S. Then provide high security

Transformation rules

1. Replace U.S. with subnet 9.2.x.x

2. Replace high security with 256 bit encryption and DES encryption

Output Policy

If user is from subnet 9.2.x.x Then use 256 bit encryption and DES encryption
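The transformation above, as an added example that is not SPARCLE or ITA code: the rule XML schema and the split of the policy into a condition and an action section are assumptions, since the slides say only that rules are XML written by an expert user. It also adds a whole-phrase match that a bare search and replace lacks, so that a rule for "U.S." cannot silently fire inside a longer token.

```python
import re
import xml.etree.ElementTree as ET

# Added example. The rule schema below is assumed: the slides say rules are XML written
# by an expert user but do not show the format. Each rule targets one policy section.
RULES_XML = """
<rules>
  <rule section="condition" match="U.S." replace="subnet 9.2.x.x"/>
  <rule section="action" match="provide high security"
        replace="use 256 bit encryption and DES encryption"/>
</rules>
"""

def load_rules(xml_text):
    """Parse the rules, in document order, into (section, compiled pattern, replacement)."""
    rules = []
    for r in ET.fromstring(xml_text).iter("rule"):
        # Whole-phrase match: plain substring replacement would also fire on "U.S.A.".
        pattern = re.compile(r"(?<!\w)" + re.escape(r.get("match")) + r"(?!\w)")
        rules.append((r.get("section"), pattern, r.get("replace")))
    return rules

def transform(policy, rules):
    """Apply each rule to its section; return the low level policy and the sections changed."""
    out, fired = dict(policy), []
    for section, pattern, repl in rules:
        text, count = pattern.subn(repl, out[section])
        if count:
            out[section] = text
            fired.append(section)
    return out, fired

def render(policy):
    return f"If {policy['condition']} Then {policy['action']}"

# Constructed input: the slide's high level policy split into its two sections.
HIGH_LEVEL = {"condition": "user is from U.S.", "action": "provide high security"}
```

Returning the list of sections that changed lets the expert user see which rules did not fire, which is the usual sign that a high level policy was left untransformed.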

Policy Deployment

• The last step is to deploy policies into managed resources
• This is done in two sub-steps:
– A last translation of the policies into the executable commands or policies understood by each resource
– Transmission of the policy to the resource
• In our scenario we are working with Self-Managed Cells (SMC) resources
– SMCs are agents built using the Ponder2 policy framework developed at Imperial College

08/13/2007 Security Management in Dynamic Communities

Policy Deployment

• SMC policy service - Ponder2 framework
– Caters for two types of policies
• Obligation policies (event-condition-action) define management actions that are performed in response to events
• Authorization policies specify which actions are permitted on which resources and services
– Managed objects to which policies apply can be
• Internal resources
• Adapters for external services
• Policies themselves
– Policies can be added, removed, enabled and disabled to change SMC behavior
• Without interrupting its functioning
– Managed objects kept in domain structure that implements hierarchical namespace
• Use domains as subject/target of policies

(Figure: a domain structure holding resource, policy and remote managed objects.)


Backup and Alternative Slides


Demonstration

• A scenario based demo will illustrate the research concepts in the security policy management area.

Demo Architecture

(Figure: Author Policy, Policy Analysis Module, Visualization of Policy, Transform Policy, Policy Transformations and Policy Deployment, together with three Ponder Managed Resources.)

Policy Deployment

• Self-managed cell (SMC)
– Consists of hardware and software components
– Does not rely on human intervention nor central coordination
– Implements a local feedback control-loop
• Architectural pattern
– Basic building block of a pervasive environment
• Core services
– Discovery service
– Event service
– Policy service

(Figure: SMC architecture with Measurement & Monitoring, Service Discovery, Raw Measurements, Event Bus, Policy Management, Measurement and Control, Adapters, Context, Context Information, Goals and policies, Interaction Adaptation, and Other Managed Resources.)