Post on 17-Dec-2015
© E. Lupu, M. Sloman, 2003Page 1 /HP-Labs Bristol Mar. 2003
Policy Based Network Management

[Diagram: policies feed a manager's decisions; the manager monitors events from managed objects through an agent and issues control actions back to them; programmable networks add new functionality.]
Security Specification

- E-commerce, healthcare: multiple organisations
- Complex security policies with many constraints and exceptions
- A common security policy specification which can map onto heterogeneous implementation mechanisms for OS, firewalls, databases ...
- Need to specify security policy for groups and roles (organisational positions)
- Need to manage security: what actions to perform when a violation is detected?
- Need for analysis tools
Policy Agents for Management

[Diagram: Manager (Subject) -- obligation policy -- control and monitoring -- authorisation policy -- Managed Object (Target)]
Example Policies

- Who is permitted to access a service, what operations they can perform, and when. E.g. research staff can set up video conferences between the UK and the USA only between 16:00 and 19:00, Monday to Wednesday.
- What resources a mobile user can access when visiting a remote location
- What information transformations and UI adaptations should take place when a user is mobile
- What actions should be performed when a login violation is detected
- What diagnostic tests should be performed when an error count is exceeded in a network component
- Allocate 10% of available bandwidth to voice over IP
Policy Definition

- Derived from enterprise goals and service level agreements
- Need to specify and modify policies without coding them into automated agents
- Policies are persistent, but can be dynamically modified
- Change system behaviour without modifying the implementation: not new functionality
- A policy is a rule governing choices in the behaviour of the system
Ponder Policy Framework

- Domains
- Primitive policies: authorisation, obligation, filters, delegation
- Composite policies
- Object orientation
Ponder Policy Based Solutions

[Diagram: obligation policies (triggering, migration, delegation etc.); authorisation policies (security); domains/directories for large-scale, multiple organisations]
Domains: Grouping

A domain is a collection of objects which have been explicitly grouped together for management purposes, e.g. to apply a common policy.

[Diagram: an (LDAP) directory grouping people, software components and hardware components such as a hub]
Domains: Hierarchy

Sub-domains and overlapping domains

[Diagram: domains A, B, C, D and E illustrating nesting of sub-domains and overlap between domains]
Domains and Policies

- Impractical to specify policy for individual objects in large systems with many objects
- Specify policy for domains
- Can change domain membership without changing the policy

[Diagram: policies linking managers, manager agents and managed objects]
Policy Propagation

[Diagram: subject domains and target domains]
Primitive Policies

Ponder is a declarative notation for specifying policy. Primitive policies: authorisation, obligation, filters, delegation.
Policy

- Need to specify and modify policies without coding them into automated agents
- Policies are persistent, but can be dynamically modified
- Many different types of policy: an extensible notation
- A policy is a rule governing choices in the behaviour of the system
Policy Notation

Precise specification of subjects, targets, actions and constraints for authorisations and obligations. Needed for both:
- Human managers: a clear specification of responsibility, rights and duties (a "job description")
- Automated agents
Authorisation Policy

- Defines what a subject is permitted or not permitted (prohibited) to do to a target: the permitted operations
- Protects target objects from unauthorised management actions
- Target-based interpretation and enforcement
Authorisation Policies

All policies can be specified as a parameterised type from which instances can be created:

    type auth+ video (subject s, string start, string end) {
        target videoChannel;
        action setup;
        when   time.between(start, end);
    }

    inst kidsVideo  = video(/family/kids, "1400", "1900");
         adultVideo = video(/family/adults, "2000", "2400");
Filters

Transformations on the parameters of positive authorisation policies, where it is not practical to provide different operations to reflect the permitted parameters:

    inst auth+ employeeAccess {
        subject employees + managers;
        target  <DB> employeeDB;
        action  getEmp(empID);
        if (subject = employees)
            result = reject(result, salary, homeAddr);
    }
Negative Authorisation

Used for revocation of access rights:

    inst auth- revoke {
        subject /users/JoeBloggs;
        target  /resources/database;
        action  - ;                          // any action
        when    time.date > 30:9:2002;
    }

Reflects organisational policies and laws:

    inst auth- nostrangle {
        subject projectmanagers;
        action  strangle;
        target  trainees;
    }
Default Authorisation

- Default negative: everything is forbidden unless explicitly authorised, so the permission has to be stated:

    inst auth+ gateway {
        subject s = sysAdmin;
        target  gateways;
        action  load, enable, disable;
        when    (s.location = ComputerRoom);
    }

- Default positive: anything is permitted unless explicitly forbidden, so the prohibition has to be stated:

    inst auth- gateway {
        subject s = sysAdmin;
        target  gateways;
        action  load, enable, disable;
        when    (s.location <> ComputerRoom);   // i.e. not in the computer room
    }
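The following Python model is added here as an illustration; it is neither the Ponder toolkit nor code from the slides. It evaluates auth+/auth- policies like the ones above against '/'-separated domain paths, applies the "negative policies override" rule together with a chosen default modality, and passes a result through a filter in the style of employeeAccess. The domain paths (/family/kids, /staff/employees, /db/employeeDB, ...), the HHMM clock and ISO date carried in the request context, and the union of `employees + managers` as two sibling domains are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


def in_domain(member: str, domain: str) -> bool:
    """True if `member` (an object or sub-domain path) lies inside `domain`.
    Domains are '/'-separated paths, so nesting is a path-prefix relation."""
    return member == domain or member.startswith(domain.rstrip("/") + "/")


def in_any(member: str, domains: tuple) -> bool:
    """Ponder's `a + b` in a subject/target clause is a union of domains."""
    return any(in_domain(member, d) for d in domains)


@dataclass
class AuthPolicy:
    name: str
    positive: bool                       # auth+ if True, auth- if False
    subjects: tuple                      # domain paths (union)
    targets: tuple                       # domain paths (union)
    actions: frozenset                   # {"-"} stands for "any action"
    when: Callable[[dict], bool] = lambda ctx: True
    filter: Optional[Callable[[str, dict], dict]] = None   # result transformation


@dataclass
class Request:
    subject: str
    target: str
    action: str
    ctx: dict = field(default_factory=dict)


def applicable(p: AuthPolicy, r: Request) -> bool:
    return (in_any(r.subject, p.subjects) and in_any(r.target, p.targets)
            and ("-" in p.actions or r.action in p.actions) and p.when(r.ctx))


def decide(policies: list, r: Request, default_positive: bool = False) -> bool:
    """Target-side enforcement.  An applicable auth- always wins here (the
    'negative policies override' rule); with no applicable policy at all the
    default modality decides (default negative unless told otherwise)."""
    hits = [p for p in policies if applicable(p, r)]
    if any(not p.positive for p in hits):
        return False
    if any(p.positive for p in hits):
        return True
    return default_positive


def invoke(policies: list, r: Request, result: dict, default_positive: bool = False) -> dict:
    """Decide, then pass the operation's result through the filter of every
    permitting auth+ policy (a filter only ever narrows what is returned)."""
    if not decide(policies, r, default_positive):
        raise PermissionError(f"{r.subject} may not {r.action} on {r.target}")
    for p in policies:
        if p.positive and p.filter and applicable(p, r):
            result = p.filter(r.subject, result)
    return result


def between(start: str, end: str) -> Callable[[dict], bool]:
    """time.between(start, end) over an HHMM clock string in the context (assumed)."""
    return lambda ctx: start <= ctx.get("time", "0000") < end


# --- instances modelled on the slides; every domain path is an assumption ---

def video(subjects: tuple, start: str, end: str, name: str) -> AuthPolicy:
    """The parameterised type `auth+ video(subject s, string start, string end)`."""
    return AuthPolicy(name, True, subjects, ("/services/videoChannel",),
                      frozenset({"setup"}), when=between(start, end))


def reject_private(subject: str, result: dict) -> dict:
    """Filter from employeeAccess: employees do not see salary or homeAddr."""
    if in_domain(subject, "/staff/employees"):
        return {k: v for k, v in result.items() if k not in ("salary", "homeAddr")}
    return result


POLICIES = [
    video(("/family/kids",), "1400", "1900", "kidsVideo"),
    video(("/family/adults",), "2000", "2400", "adultVideo"),
    AuthPolicy("employeeAccess", True, ("/staff/employees", "/staff/managers"),
               ("/db/employeeDB",), frozenset({"getEmp"}), filter=reject_private),
    # revoke: JoeBloggs loses every action on the database after the date
    AuthPolicy("revoke", False, ("/users/JoeBloggs",), ("/resources/database",),
               frozenset({"-"}), when=lambda ctx: ctx.get("date", "") > "2002-09-30"),
]
```

Because enforcement is target based, `decide` is what a reference monitor in front of videoChannel or employeeDB would call; the `default_positive` flag shows why the two gateway policies above are written with opposite modalities.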
Obligation Policy

- Defines what actions a subject must do
- Subject-based: the subject interprets the policy and performs actions on targets
- Event-triggered obligation
- Actions can be remote invocations or local scripts
- Can specify sequencing or concurrency of actions
Obligation Example

On a TX circuit failure, replace the circuit with a backup and, in parallel, reconfigure the transceiver and log the failure:

    type oblig fail_reconfigure (subject s, set b) {
        on     failure(cir, trans, switch);
        target <switchT> f = b ^ {switch};
        do     f.disable(trans, cir) -> { f.enable(trans, "backup") || s.log(cir, trans, switch); }
    }

    inst p = fail_reconfigure(.../roles/netops/, .../network/switches);
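As an added example, not part of the slides or of Ponder's own runtime, the Python below is a small subject-side obligation agent: `on` is an event dispatch table, `->` becomes a sequential combinator and `||` a concurrent one, and `fail_reconfigure` is the policy above interpreted by the subject against the target picked out of the switch set. The Switch and NetOps classes, the switch name "sw1" and the event payload are constructed stand-ins.

```python
import threading
from concurrent.futures import ThreadPoolExecutor


class Switch:
    """Constructed stand-in for a managed object (target) with an audit trail."""
    def __init__(self, name):
        self.name = name
        self.trail = []

    def disable(self, trans, cir):
        self.trail.append(("disable", trans, cir))

    def enable(self, trans, cir):
        self.trail.append(("enable", trans, cir))


class NetOps:
    """Constructed stand-in for the subject; its log() is one of the obligated actions."""
    def __init__(self):
        self.log_lines = []
        self._lock = threading.Lock()

    def log(self, cir, trans, switch):
        with self._lock:
            self.log_lines.append(f"failure cir={cir} trans={trans} switch={switch}")


def seq(*steps):
    """`a -> b`: run the steps strictly in order."""
    def run():
        for s in steps:
            s()
    return run


def par(*branches):
    """`a || b`: run the branches concurrently and wait for all of them."""
    def run():
        with ThreadPoolExecutor(max_workers=len(branches)) as ex:
            for future in [ex.submit(b) for b in branches]:
                future.result()          # re-raises if a branch failed
    return run


class ObligationAgent:
    """Holds the `on` clauses of its obligation policies, keyed by event name."""
    def __init__(self):
        self.handlers = {}

    def add(self, event, handler):
        self.handlers.setdefault(event, []).append(handler)

    def dispatch(self, event, **params):
        for h in self.handlers.get(event, []):
            h(**params)


def fail_reconfigure(subject, switches):
    """type oblig fail_reconfigure(subject s, set b), interpreted by the subject:
    on failure(cir, trans, switch); target f = b ^ {switch};
    do f.disable(trans, cir) -> { f.enable(trans, "backup") || s.log(cir, trans, switch) }"""
    def on_failure(cir, trans, switch):
        f = switches[switch]                      # b ^ {switch}: the one named target
        seq(lambda: f.disable(trans, cir),
            par(lambda: f.enable(trans, "backup"),
                lambda: subject.log(cir, trans, switch)))()
    return on_failure


def demo():
    """Instantiate the policy for netops over one switch and fire a failure event."""
    ops = NetOps()
    switches = {"sw1": Switch("sw1")}
    agent = ObligationAgent()
    agent.add("failure", fail_reconfigure(ops, switches))
    agent.dispatch("failure", cir="c7", trans="t2", switch="sw1")
    agent.dispatch("link_up", switch="sw1")      # no obligation registered: ignored
    return switches["sw1"].trail, ops.log_lines
```

The ordering guarantee is the point: `disable` is always in the trail before `enable`, while `enable` and `log` may complete in either order.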
Refrain Policy

    inst refrain politeBehaviour {
        subject Agroup;
        target  AGroupNY + DGroupBoston;
        action  videoconf;
        when    (time.day = Friday);
    }

Similar to a negative authorisation, but with subject-based interpretation.
Delegation Policy

- Specifies which actions a subject can delegate to a grantee
- Must be a subset of the subjects, actions and targets in an authorisation policy

[Diagram: an auth+ granting reset, enable, disable; a deleg policy passing on enable; the grantee's resulting auth+ for enable only]
Delegation Example

    inst auth+ serviceMan {
        subject brManager;
        target  brServices;
        action  resetSchedule, enable, disable;
    }

    inst deleg+ sDeleg (serviceMan) {
        subject brManager;
        grantee brEngineer;
        action  resetSchedule;
    }

Note: deleg- forbids delegation.
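An added check for the subset rule, written for this page and not taken from Ponder's compiler: a deleg+ is well-formed only if its subjects, targets and actions all lie within the auth+ it refers to, and a deleg- on the same authorisation cancels the matching grant. Domain paths such as /roles/brManager and /services/brServices are assumptions, as is writing the target explicitly on the deleg (the slide's sDeleg inherits it from serviceMan); badDeleg and noEnable are constructed counter-examples.

```python
from dataclasses import dataclass


def in_domain(member: str, domain: str) -> bool:
    """Path-prefix nesting of '/'-separated domain paths."""
    return member == domain or member.startswith(domain.rstrip("/") + "/")


def covered(parts, by) -> bool:
    """Every domain in `parts` lies inside some domain in `by`."""
    return all(any(in_domain(p, b) for b in by) for p in parts)


@dataclass(frozen=True)
class Auth:                      # inst auth+ name { subject; target; action }
    name: str
    subjects: frozenset
    targets: frozenset
    actions: frozenset


@dataclass(frozen=True)
class Deleg:                     # inst deleg+/- name (refers_to) { subject; grantee; target; action }
    name: str
    positive: bool
    refers_to: str
    subjects: frozenset
    grantees: frozenset
    targets: frozenset
    actions: frozenset


def validate_delegation(d: Deleg, auths: dict) -> list:
    """Violations of the subset rule; an empty list means the deleg is well-formed."""
    a = auths.get(d.refers_to)
    if a is None:
        return [f"{d.name}: refers to unknown authorisation {d.refers_to}"]
    problems = []
    if not covered(d.subjects, a.subjects):
        problems.append(f"{d.name}: delegating subject is not a subject of {a.name}")
    if not covered(d.targets, a.targets):
        problems.append(f"{d.name}: delegated targets exceed those of {a.name}")
    if not d.actions <= a.actions:
        problems.append(f"{d.name}: actions {sorted(d.actions - a.actions)} are not authorised by {a.name}")
    return problems


def grantee_rights(auths: dict, delegs: list) -> dict:
    """Rights the grantees actually obtain: only well-formed deleg+ policies count,
    and a deleg- on the same authorisation removes the matching (target, action)."""
    forbidden = {(d.refers_to, g, t, act) for d in delegs if not d.positive
                 for g in d.grantees for t in d.targets for act in d.actions}
    rights = {}
    for d in delegs:
        if not d.positive or validate_delegation(d, auths):
            continue
        for g in d.grantees:
            for t in d.targets:
                for act in d.actions:
                    if (d.refers_to, g, t, act) not in forbidden:
                        rights.setdefault(g, set()).add((t, act))
    return rights


AUTHS = {"serviceMan": Auth("serviceMan", frozenset({"/roles/brManager"}),
                            frozenset({"/services/brServices"}),
                            frozenset({"resetSchedule", "enable", "disable"}))}

S_DELEG = Deleg("sDeleg", True, "serviceMan", frozenset({"/roles/brManager"}),
                frozenset({"/roles/brEngineer"}), frozenset({"/services/brServices"}),
                frozenset({"resetSchedule"}))

# constructed: tries to hand out an action that serviceMan never granted
BAD_DELEG = Deleg("badDeleg", True, "serviceMan", frozenset({"/roles/brManager"}),
                  frozenset({"/roles/brEngineer"}), frozenset({"/services/brServices"}),
                  frozenset({"enable", "shutdown"}))

# constructed: deleg- forbidding delegation of enable to the engineer
NO_ENABLE = Deleg("noEnable", False, "serviceMan", frozenset({"/roles/brManager"}),
                  frozenset({"/roles/brEngineer"}), frozenset({"/services/brServices"}),
                  frozenset({"enable"}))
```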
Composite Policies

- Group policies
- Manager position roles and component roles
- Role relationships
- Management structures
- Object orientation
Group Policies

Defines a syntactic scope for specifying a set of related policies to be instantiated at the same time, plus constraints on the policies:

    type group serviceFail (set <manager> m, set <service> s) {
        constraint c = time.between("0800", "1800");
        inst auth+ scheduleReset { subject m; target s; action resetSchedule; when c; }
             oblig failReset     { subject m; target s; on failure do resetSchedule; when c; }
    }
User Representation Domain

- Persistent representation of a registered user
- The URD is the subject of policies applying to a specific person
- At login an adapter object is created to represent and act on behalf of the person in the system (command interpreter)

[Diagram: URD -- adapter -- auth+ -- personal resources]
Roles

- A role groups the rights and duties related to a position in an organisation
- E.g. network operator, network manager, finance director, ward nurse
- Specify policy in terms of roles rather than persons
- No need to re-specify policies when a person is assigned to a new role
Manager Roles

[Diagram: a position domain holding the role's policies; the role agent and an adapter in the user representation domain connect (auth+ connect) to the target managed objects]
Role Example

    type role op (set t) {
        // restarts failed equipment in target domain t
        inst oblig restart {
            target f = t ^ {id};
            on     failure(id);
            do     f.restart() -> f.run_self_test();
        }
        // other authorisation and obligation policies ...
    }
Role Instances

- Multiple operator role instances (e.g. a London site and a Paris site, each with its own site policies)
- Different persons assigned to the roles
- Different target components
- Similar policies: a role type allows reuse of the role specification
Role Specialisation

- Derive new composite policy specifications from existing ones
- Specialise roles by adding policies (inheritance)

    type role routerOp (...)  extends op(...) { ... }
    type role netAdminT (...) extends op(...) { ... }

[Diagram: the Operator role specialised into Router Operator and Network Administrator]
Example Specialised Role

    type role routerOp (set <routers_type> r) extends op(r) {
        // On link failure the link must be reset.
        inst oblig reset {
            target t = r ^ {router};
            on     link_failure(x, router);
            do     t.reset(x);
        }
        // other policies
    }

    inst LondonOp = routerOp(londonNetwork);
         ParisOp  = routerOp(parisNetwork);
Component Roles

- Group policies related to a particular type of network component, e.g. edge or core router
- Use the same hardware for both types of router
- A role defines the policies applying to (i.e. loaded onto) router hardware which is assigned to that role
Role Relationships

Relationships specify:
- Rights and duties of roles towards each other
- Usage of shared resources
- Interaction protocols

    type rel qSupervision (routerOp netOp, qEdgeRtr qAgent) {
        inst oblig report {
            subject qAgent;
            on      timer.at(1800);
            do      report(q_info);
            target  netOp;
        }
        auth+ config {
            subject netOp;
            action  setStrategy;
            target  qAgent;
        }
    }

[Diagram: a router operator role and a queue configuration role (qEdgeRtr) linked by a queue supervision relationship; the site network contains an edge router facing the core network]
Management Structures 1

Configurations of roles and relationships in organisational units

[Diagram: a site network with an edge router; roles for router operator, queue configuration (qEdgeRtr), admission control and traffic shaping; relationships for queue supervision, qos traffic and config]
Management Structures 2

    type mstruct trafficT (domain site) {
        import /type/qEdgRtr, /type/routerOp, /type/qSupervision;
        domain rtr = site/routers;
        inst role netOp  = routerOp(rtr);
                  qAgent = qEdgRtr(rtr);
             rel  qs     = qSupervision(netOp, qAgent);
        mstruct qos {
            inst role admControl {...}; trShaping {...};
                 rel  selectTraffic {...};
        };
        rel configAdmission {
            inst auth+ { subject netOp; target qos.admControl; action update(); }
        }
    }
Organisational Patterns

    inst mstruct london/tr1 = trafficT(london);
                 paris/tr2  = trafficT(paris);

[Diagram: the London network and the Paris network, each with an edge router and its own traffic management structure (tr1, tr2), connected to the core network]
Ponder Summary

Object meta-model class hierarchy:

    Object
    +-- MetaPol
    +-- CompositePolicy
    |   +-- role
    |   +-- mstruct
    |   +-- group
    |   +-- rel
    +-- BasicPolicy
        +-- auth    (auth+, auth-)
        +-- oblig
        +-- refrain
        +-- deleg   (deleg+, deleg-)
Conflicts

- Modality conflict detection and resolution
- Policy priority
- Semantic conflicts and meta-policies
- Policy analysis tools
Multiple Policies May Apply

- An object can be a member of multiple domains (overlap)
- Multiple policies can apply to a single domain

[Diagram: a performance policy (testB, query) and a security policy (testA, testB, query, stop, start) applying to overlapping domains]

Need conflict detection and resolution.
Modality Conflicts

- Potential conflict from overlap of subjects, targets and actions
- 3 types: auth+/auth-, oblig/auth-, oblig/refrain
- Note: auth+/refrain is not a conflict
- Detected by syntactic analysis

[Diagram: positive and negative policies overlapping on a set of actions]
Example Conflicts

    inst auth- bootWS { subject students; target workstations; action reboot; }

Exception:

    inst auth+ projectWS { subject smith; target workstations/project; action reboot; }

[Diagram: Smith lies within Students and Project within Workstations; the auth- and the auth+ overlap on reboot]
Precedence

Can resolve some conflicts automatically by specifying precedence, e.g.:
- Negative policies override: does not permit positive exceptions to negative policies
- Specified priorities: hard to define a priority; several managers may specify inconsistent priorities
- Evaluating a "distance" between a policy and the object to which it refers:
  - Refinement level: more concrete overrides?
  - Time of last update: more recent overrides?
Domain Nesting Precedence

- A particular type of distance based on domain nesting
- Priority is given to the policy which is more specific for either subjects or targets
- Intuitive, flexible, allows incremental specifications and exceptions
- Not always valid

[Diagram: as on the previous slide, projectWS (auth+ for Smith on workstations/project) is nested inside bootWS (auth- for students on workstations) and takes precedence]
Determined & Undetermined Cases

- Determined: P2 overrides P1 for the areas in which they overlap (and the symmetric cases)
- Undetermined: no precedence between P1 and P2 can be determined

[Diagram: pairs of overlapping P1/P2 subject and target regions illustrating the determined cases, their symmetric counterparts, and the undetermined ones]
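The Python below is an added example, not the deck's conflict detection tool: it performs the syntactic modality check (the three conflicting pairs, with auth+/refrain deliberately excluded) over domain paths, then applies domain-nesting precedence. It reads the slides' rule as: the policy whose subject and target domains are both nested in the other's, and strictly narrower on at least one of them, overrides in the overlap; identical scopes or crossed specificity (one policy narrower on subjects, the other on targets) are reported as undetermined. That reading, the paths (/users/students/smith, /workstations/project) and the two extra policies used to exercise the crossed and oblig/refrain cases are assumptions for the example.

```python
from dataclasses import dataclass
from itertools import combinations


def in_domain(member: str, domain: str) -> bool:
    """Path-prefix nesting: /users/students/smith lies inside /users/students."""
    return member == domain or member.startswith(domain.rstrip("/") + "/")


def overlap(a: str, b: str) -> bool:
    """Two path domains share members iff one nests inside the other."""
    return in_domain(a, b) or in_domain(b, a)


@dataclass(frozen=True)
class Policy:
    name: str
    kind: str            # 'auth+', 'auth-', 'oblig' or 'refrain'
    subject: str         # subject domain path
    target: str          # target domain path
    actions: frozenset


# The three modality-conflict pairs from the deck; auth+/refrain is deliberately absent.
CONFLICTING = {frozenset({"auth+", "auth-"}),
               frozenset({"oblig", "auth-"}),
               frozenset({"oblig", "refrain"})}


def modality_conflict(p: Policy, q: Policy) -> bool:
    """Syntactic check only: overlapping subjects, overlapping targets and a
    shared action.  Constraints are not consulted, so this is a potential conflict."""
    return (frozenset({p.kind, q.kind}) in CONFLICTING
            and overlap(p.subject, q.subject)
            and overlap(p.target, q.target)
            and bool(p.actions & q.actions))


def precedence(p: Policy, q: Policy):
    """Domain-nesting precedence (reading of the slides assumed): the policy
    nested inside the other on both subjects and targets, and strictly narrower
    on at least one side, wins.  None when scopes are identical or crossed."""
    p_sub, q_sub = in_domain(p.subject, q.subject), in_domain(q.subject, p.subject)
    p_tgt, q_tgt = in_domain(p.target, q.target), in_domain(q.target, p.target)
    p_inside, q_inside = p_sub and p_tgt, q_sub and q_tgt
    if p_inside and not q_inside:
        return p
    if q_inside and not p_inside:
        return q
    return None


def analyse(policies: list) -> list:
    """(p, q, winner) for every potential modality conflict; winner is None when undetermined."""
    report = []
    for p, q in combinations(policies, 2):
        if modality_conflict(p, q):
            w = precedence(p, q)
            report.append((p.name, q.name, w.name if w else None))
    return report


# The bootWS/projectWS pair from the slide (paths assumed) plus constructed policies
# for the crossed-specificity, auth+/refrain and oblig/refrain cases.
BOOT_WS = Policy("bootWS", "auth-", "/users/students", "/workstations", frozenset({"reboot"}))
PROJECT_WS = Policy("projectWS", "auth+", "/users/students/smith", "/workstations/project", frozenset({"reboot"}))
ALL_USERS_PROJECT = Policy("allUsersProject", "auth+", "/users", "/workstations/project", frozenset({"reboot"}))
NO_REBOOT = Policy("noReboot", "refrain", "/users/students", "/workstations", frozenset({"reboot"}))
REBOOT_ON_FAIL = Policy("rebootOnFail", "oblig", "/users/students/smith", "/workstations", frozenset({"reboot"}))
```

`analyse([BOOT_WS, ALL_USERS_PROJECT])` is the undetermined case: bootWS is narrower on subjects, allUsersProject on targets, so nesting alone cannot say which should win and a manager has to decide.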
Precedence between policies

[Diagram only]
The Conflict Detection Tool

[Screenshot: the tool lists the positive policies and the negative policies, highlights the conflicting pair P1/P2 and reports a message distinguishing O+/refrain, O+/A- and A+/A- conflicts]
Policy Analysis, Refinement and Validation

- Policy analysis: syntactic modality analysis on its own is insufficient
  - Consider constraints when detecting conflicts
  - Identify which situations lead to conflict
  - Reason with partial specifications
- Policy refinement: derive policies from SLAs and business goals
  - Not automatable, but refinement patterns can be applied
  - Maintain consistency during refinement
  - Ensure completeness: refined policies fully implement the more abstract ones
- Policy validation: can a policy be implemented?
Policy Refinement

- Goal refinement
- Policy refinement
- Relationship to requirements engineering
Policy Refinement

- Policies are derived from business and organisational goals or service level agreements (SLAs)
- Goals are progressively refined into operational policy specifications: a refinement hierarchy
- Leaf policies are mapped onto implementation mechanisms, e.g. an ACL or a router interface
- Similar to refining requirements and going from specification to implementation
- Cannot be fully automated
- Use requirements engineering techniques for the elicitation of non-functional requirements
Policy Refinement

    oblig videoconf {
        subject NetMan; target users/groupA;
        do /* setup videoconf facilities */;
        when time.between("14:00", "15:00");
    }

is refined into

    oblig enable  { on timer.at("13:55"); subject NetMan; do enable();  target pol/vid_reserve; }
    oblig disable { on timer.at("15:00"); subject NetMan; do disable(); target pol/vid_reserve; }
    auth+ polauth { subject NetMan; action enable, disable; target pol/vid_reserve; }

    oblig lower_reserve {
        on request(bw, chanId);
        subject edgeRouter; do reduceReserved(bw); target chan/chanId;
        when bw < getReserved(chanId);
    }
    oblig increase_reserve {
        on request(bw, chanId);
        subject edgeRouter; do increaseReserve(min(bw, x)); target chan/chanId;
        when bw > getReserved(chanId);
    }
Challenges

- Refinement does not preserve policy modality: e.g. an obligation may be refined to a set of obligation, refrain, authorisation and delegation policies
- Refinement may introduce inconsistencies: preserve consistency
- The set of refined policies may not fully implement the goal they were refined from: ensure coverage
Static Analysis Approach

Need both a system behavioural model and the policies. Abduction is applied to an Event Calculus representation.

[Diagram: the Ponder policies and the behavioural model of the managed objects (A, B, C) are translated to Event Calculus; together with a conflict specification the analysis yields the conflicts]
Analysis & Refinement: Current Status

- Representation of policies in Event Calculus: A. Bandara, E. Lupu, A. Russo. Using Event Calculus to Formalise Policy Specification and Analysis. Policy 2003 (see last slide).
- Currently a 2-point timeline -> generalisation
- Stratification -> decidable; computable in polynomial time

Future work:
- Generalisation to an infinite discrete timeline
- Identify and express requirements patterns
- Use goal regression to elaborate plans of actions and identify alternatives for refinement
Constraints

Only potential modality conflicts are detected, as constraints may limit the applicability of a policy, e.g. to a particular time interval.

Typed constraints:

    inst auth+ lineop {
        subject s = operators;
        action  enable, disable, reset, off;
        target  Sregion;
        when    time.between(0800, 1800) and s.state = 'active';
    }

    inst auth- lineop {
        subject s = operators;
        action  enable, disable, reset, off;
        target  Sregion;
        when    time.between(1600, 2400) and s.state = 'standby';
    }

[Diagram: the two constraint regions plotted over time and subject state; they overlap in time (1600 to 1800) but not in state]
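As an added example (not the deck's analyser), the Python below refines a potential auth+/auth- conflict such as the lineop pair by intersecting the two `when` constraints. A constraint is modelled as a half-open time window in HHMM plus the set of subject states it admits; the pair conflicts in practice only where both hold at once. The numeric time encoding and the state sets are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Constraint:
    t_start: int            # HHMM, inclusive
    t_end: int              # HHMM, exclusive
    states: frozenset       # admitted values of s.state


def time_overlap(a: Constraint, b: Constraint) -> Optional[tuple]:
    """The [lo, hi) window where both time constraints hold, or None."""
    lo, hi = max(a.t_start, b.t_start), min(a.t_end, b.t_end)
    return (lo, hi) if lo < hi else None


def joint_region(a: Constraint, b: Constraint) -> Optional[tuple]:
    """Region of (time window, states) where both constraints hold; None if disjoint.
    Overlap on one dimension alone is not enough: every dimension must intersect."""
    window = time_overlap(a, b)
    states = a.states & b.states
    if window is None or not states:
        return None
    return window, states


def actual_conflict(pos: Constraint, neg: Constraint) -> bool:
    """A potential auth+/auth- conflict (same subjects, targets and actions)
    is actual only if the two constraints can be satisfied simultaneously."""
    return joint_region(pos, neg) is not None


def holds(c: Constraint, hhmm: int, state: str) -> bool:
    """Evaluate one constraint at a concrete time and subject state."""
    return c.t_start <= hhmm < c.t_end and state in c.states


# The lineop pair from the slide, plus a constructed variant whose auth- also
# admits the 'active' state and therefore really does clash between 1600 and 1800.
LINEOP_POS = Constraint(800, 1800, frozenset({"active"}))
LINEOP_NEG = Constraint(1600, 2400, frozenset({"standby"}))
LINEOP_NEG_ANY = Constraint(1600, 2400, frozenset({"standby", "active"}))
```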
Semantic Conflicts

Types of conflict:
- Separation of duty, e.g. the same person is not allowed to authorise payments and initiate them
- Self-management, e.g. a manager cannot authorise its own expenses
- Conflict for resources, e.g. not more than 5 persons are authorised to change the DB

- Need to specify the conditions which result in conflict
- Constraints on a set of policies (meta-policies), specified using Prolog or OCL
- Included in composite policies such as roles or mstructs
© E. Lupu, M. Sloman, 2003Page 58 /HP-Labs Bristol Mar. 2003
Separation of Duties
/policies/accounting->exists (P1, P2 |
    P1.subjects->intersection(P2.subjects)->notEmpty and
    P1.actions->exists(a | a.name = 'authorise') and
    P2.actions->exists(a | a.name = 'initiate') and
    P1.targets->intersection(P2.targets)->exists(t | t.isOclKindOf(payment)))
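The OCL meta-policy above translated into a check over a policy set, as an added example (not Ponder's own meta-policy engine). The Policy and Target classes, the "kind" field standing in for isOclKindOf(payment), and the contents of the accounting domain are constructed for this example.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Target:
    name: str
    kind: str            # stands in for OCL's t.isOclKindOf(payment)

@dataclass
class Policy:
    name: str
    subjects: frozenset
    actions: frozenset
    targets: frozenset   # of Target

def sod_violations(policies):
    """Ordered (P1, P2) name pairs that satisfy the meta-policy's exists
    condition; an empty list means the policy set is consistent. As in the
    OCL, P1 and P2 range independently, so a single policy that both
    authorises and initiates payments is reported against itself."""
    found = []
    for p1, p2 in product(policies, repeat=2):
        if not (p1.subjects & p2.subjects):      # no common subject
            continue
        if "authorise" not in p1.actions or "initiate" not in p2.actions:
            continue
        if any(t.kind == "payment" for t in p1.targets & p2.targets):
            found.append((p1.name, p2.name))
    return found

# Constructed contents of the /policies/accounting domain.
INVOICES = Target("invoices", "payment")
REPORTS = Target("reports", "document")
ACCOUNTING = [
    Policy("approve", frozenset({"alice", "bob"}), frozenset({"authorise"}), frozenset({INVOICES})),
    Policy("submit", frozenset({"bob"}), frozenset({"initiate"}), frozenset({INVOICES})),
    Policy("file", frozenset({"alice"}), frozenset({"initiate"}), frozenset({REPORTS})),
]

if __name__ == "__main__":
    print(sod_violations(ACCOUNTING))   # bob may both authorise and initiate invoices
```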
Implementation Issues
Policies as objects
Implementation architecture
Obligation policy agent
Authorisation policy agent
Policy deployment
Ponder compiler output
Protecting Policies
Basic policy is implemented as an LDAP object, the most primitive unit
Source text = object attribute
Can generate XML – store as another attribute
Composite policy derived from domain object
Policy objects can be protected by authorisation policies
[Figure: Security Administrator role, auth+ for edit, enable, disable, remove on the Policy service]
Policy Implementation
[Figure: implementation architecture. Policy service (edit, enable, disable ...); Domain service (query subjects & targets, query targets); Monitoring service (events); Policy Management Agents (subjects) holding obligation & refrain policies; authorisation policies at the target objects; actions and events between agents and target objects]
Policy Management Agent
[Figure: generic interface (distribute, remove, enable, disable obligation & refrain policies; load, unload code); execution environment with policies and agent-specific functions (programming); application-specific interface; events in, operations on target objects out]
Authorisation Agent
[Figure: load, remove, enable, disable policies; authentication; policies mapped onto operating system or object-support access control mechanisms]
The Life of a Policy
[Figure: a policy specification is compiled into a policy class, which is instantiated (written) as a policy object in the Dormant state]
The Life of a Policy (load)
[Figure: load takes a Dormant policy object to the Loaded state, creating enforcement objects in the enforcement agents]
The Life of a Policy (enable, disable, …)
[Figure: states Dormant, Loaded, Enabled, Deleted with transitions instantiate, load/unload, enable/disable; enforcement agents are access controllers for authorisation policies and policy management agents for obligation & refrain policies]
Loading an Authorisation Policy
[Figure: policy object, target set, enforcement agents (EA), enforcement objects (EO)]
1 EA for each Target Object Host
1 EO per EA per Host
Loading an Obligation/Refrain Policy
Each Subject Object is an Enforcement Agent!
[Figure: policy object, subject set, enforcement agents]
Enforcement (Obligation/Refrain)
[Figure: enforcement sequence, steps 1-9. Policy Management Agent holding OPOs and RPOs (load, enable, ...; enable, disable); OEOs and REOs (eventHandler, obligMethod, checkRefrains, checkRefrain); Event Service with eventEngine (register, ...); Access Controllers (ACs)]
OPO (Obligation Policy Object), RPO (Refrain Policy Object)
OEO (Obligation Enforcement Object), REO (Refrain Enforcement Object)
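The mechanism sketched on the life-cycle and enforcement slides, as an added example that is not Ponder's own Java implementation: a policy object moves Dormant -> Loaded -> Enabled, the agent's event handler fires only enabled obligations, and the refrains are checked before an obligation's action runs. The classes, the delete transition (assumed to apply only to Dormant policies), the event and action names and the log format are constructed for this example.

```python
from typing import List

class PolicyObject:
    """Life-cycle shared by all policies (slides 'The Life of a Policy')."""
    # (state, operation) -> next state; the delete edge is an assumption.
    TRANSITIONS = {("Dormant", "load"): "Loaded", ("Loaded", "unload"): "Dormant",
                   ("Loaded", "enable"): "Enabled", ("Enabled", "disable"): "Loaded",
                   ("Dormant", "delete"): "Deleted"}

    def __init__(self, name):
        self.name, self.state = name, "Dormant"

    def apply(self, op):
        """Perform a life-cycle operation or reject it as invalid in this state."""
        nxt = self.TRANSITIONS.get((self.state, op))
        if nxt is None:
            raise ValueError(f"{self.name}: cannot {op} while {self.state}")
        self.state = nxt
        return nxt

def can_apply(policy, op):
    return (policy.state, op) in PolicyObject.TRANSITIONS

class Obligation(PolicyObject):
    """OPO: oblig <name> { on <event>; do <action>; target <target> }"""
    def __init__(self, name, event, action, target):
        super().__init__(name)
        self.event, self.action, self.target = event, action, target

class Refrain(PolicyObject):
    """RPO: refrain <name> { action <action>; target <target> }"""
    def __init__(self, name, action, target):
        super().__init__(name)
        self.action, self.target = action, target

class PolicyManagementAgent:
    """The subject's agent: holds its OEOs/REOs and is the event handler."""
    def __init__(self):
        self.obligations: List[Obligation] = []
        self.refrains: List[Refrain] = []
        self.log: List[str] = []

    def load(self, policy):
        """Policy service -> agent: creates the enforcement object (Loaded)."""
        policy.apply("load")
        (self.obligations if isinstance(policy, Obligation) else self.refrains).append(policy)

    def check_refrains(self, action, target):
        """True if an enabled refrain forbids this action on this target."""
        return any(r.state == "Enabled" and r.action == action and r.target == target
                   for r in self.refrains)

    def event_handler(self, event):
        """Called by the event engine; returns the (action, target) pairs run."""
        performed = []
        for o in self.obligations:
            if o.state != "Enabled" or o.event != event:
                continue            # dormant/loaded policies never fire
            if self.check_refrains(o.action, o.target):
                self.log.append(f"{o.name}: {o.action} on {o.target} vetoed by refrain")
                continue
            self.log.append(f"{o.name}: {o.action} on {o.target}")   # obligMethod
            performed.append((o.action, o.target))
        return performed

def demo():
    """Constructed scenario: two obligations on a failure event and a refrain that
    vetoes resets; returns what ran before and after the refrain is disabled."""
    pma = PolicyManagementAgent()
    restart = Obligation("restart", "failure", "restart", "bts1")
    reset = Obligation("reset", "failure", "reset", "bts1")
    no_reset = Refrain("no_reset", "reset", "bts1")
    for p in (restart, reset, no_reset):
        pma.load(p)
        p.apply("enable")
    first = pma.event_handler("failure")       # reset is vetoed
    no_reset.apply("disable")
    second = pma.event_handler("failure")      # both obligations run
    reset.apply("disable")
    reset.apply("unload")                      # back to Dormant
    return first, second, reset.state
```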
Policy Refinement
Goal refinement
Relationship to Requirements Engineering
Analysis
Refinement tools
Policy Refinement
Policies are derived from business and organisational goals or service level agreements (SLA)
Goals are progressively refined into operational policy specifications: refinement hierarchy
Leaf policies mapped onto implementation mechanisms, e.g. ACL or router interface
Similar to refining requirements and going from specification to implementation
Cannot be fully automated
Use requirements engineering techniques for elicitation of non-functional requirements
Policy Refinement
oblig videoconf {
    subject NetMan; target users/groupA;
    do /* setup videoconf facilities */ ;
    when time.between("14:00", "15:00") ; }
oblig enable { on timer.at("13:55"); subject NetMan; do enable(); target pol/vid_reserve; }
oblig disable { on timer.at("15:00"); subject NetMan; do disable(); target pol/vid_reserve; }
auth+ polauth { subject NetMan; action enable, disable; target pol/vid_reserve }
oblig lower_reserve { on request(bw, chanId); subject edgeRouter; do reduceReserved(bw); target chan/chanId; when bw < getReserved(chanId) ; }
oblig increase_reserve { on request(bw, chanId); subject edgeRouter; do increaseReserve(min(bw,x)); target chan/chanId; when bw > getReserved(chanId) ; }
Challenges
Refinement does not preserve policy modality, e.g., an obligation may be refined to a set of obligation, refrain, authorisation and delegation policies
Refinement may introduce inconsistencies: preserve consistency
The set of refined policies may not fully implement the goal they were refined from: ensure coverage
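Two checks for the refined videoconf policy set above, as an added example (not Ponder's refinement tooling): consistency, that every obligation's action is permitted by an auth+ policy for the same subject and target, and coverage, that the timer-driven enable/disable obligations keep pol/vid_reserve enabled over the goal's 14:00-15:00 window. The Oblig and AuthPlus classes, the one-shot timer interpretation and the faulty BAD_OBLIGS set are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional, Set

def minutes(hhmm):
    """'HH:MM' -> minutes since midnight, the unit used for timer comparisons."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

@dataclass
class Oblig:
    """oblig <name> { on timer.at(<on>); subject; do <action>(); target }"""
    name: str
    subject: str
    action: str
    target: str
    on: Optional[str] = None     # timer.at time "HH:MM", if timer-triggered

@dataclass
class AuthPlus:
    """auth+ { subject; action <actions>; target }"""
    subject: str
    actions: Set[str]
    target: str

def unauthorised_obligations(obligs, auths):
    """Consistency: obligations whose action on their target no auth+ policy
    permits to the same subject (they could never be carried out)."""
    return [o.name for o in obligs
            if not any(a.subject == o.subject and o.action in a.actions
                       and a.target == o.target for a in auths)]

def covers_window(obligs, target, start, end):
    """Coverage: the target policy is enabled no later than `start` and not
    disabled before `end`, taking timer obligations as one-shot at `on`."""
    enable = [minutes(o.on) for o in obligs
              if o.action == "enable" and o.target == target and o.on]
    disable = [minutes(o.on) for o in obligs
               if o.action == "disable" and o.target == target and o.on]
    return (bool(enable) and bool(disable)
            and min(enable) <= minutes(start) and max(disable) >= minutes(end))

# The refined set from the slide.
OBLIGS = [Oblig("enable", "NetMan", "enable", "pol/vid_reserve", "13:55"),
          Oblig("disable", "NetMan", "disable", "pol/vid_reserve", "15:00")]
AUTHS = [AuthPlus("NetMan", {"enable", "disable"}, "pol/vid_reserve")]
# A constructed faulty refinement: the disable timer fires inside the goal window.
BAD_OBLIGS = [Oblig("enable", "NetMan", "enable", "pol/vid_reserve", "13:55"),
              Oblig("disable", "NetMan", "disable", "pol/vid_reserve", "14:30")]
```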
Case Study
Scenario overview
Management Structures
Roles
Policies
GSM Networks
[Figure: GSM network. Base Transceiver Stations (BTS), Base Station Controllers (BSC), Mobile Switching Centre (MSC), Gateway MSC, SS7 connection control, Visitor Location Register (VLR), Home Location Register (HLR), Equipment Identity Register (EIR); Operations & Maintenance Centre (OMC), OMC-Radio and management servers; Network Element Administrator, Help Desk, Operations and Network staff]
Scenario Overview
OA&M of GSM networks
Problem characterised by:
large scale
large number of policies
multiple instances of roles which often work in teams, e.g., network administrators, switch administrators, help-desk staff
Need to define:
geographical repartition and organisational structure
the roles and the rights and duties corresponding to those roles
National Network
[Figure: national network divided into regions and branches; each branch has a Network Element Administrator and a Help Desk and its own BTS, BSC and MSC elements; VLR, HLR, EIR and SS7 are shown at national level]
Organisational Roles
Help-Desk staff (HD) provide the interface between customers and the company (not elaborated in this scenario).
Telephone Service Engineers (TSE) investigate faults occurring between mobile stations and base transceiver stations, and determine whether a base network operator should be alerted to deal with the fault.
Base Network Operators – Switches (BNoS) are responsible for managing the Mobile Switching Centre (MSC) and Visitor Location Register (VLR).
Base Network Operators – Radio (BNoR) are responsible for Base Transceiver Systems (BTS).
Network Element Administrators (NEA) perform all on-site management tasks requested by BNoS and BNoR.
Management Structures – Branch
[Figure: Branch management structure. Customer care: HD1, HD2, TSE. Net. Elt. Management: BNoS, BNoR, NEA1, NEA2]
Branch Management Structure
mstruct branch (domain d, domain nw) {
    import custcare; netelements;
    inst mstruct cc = custcare (d, nw); mstruct ne = netelements (d, nw);
    type rel radiofail (role eng, role radio_op) { … } // procedures for radio failures investigation
    inst rel f = radiofail(cc.tse, ne.bnor);
}
domain c = …/wales/branches/cardiff;
inst cardiff = branch (c, c/nw);
Annotations: d – branch location; nw – network elts. domain; instantiate substructures; create relationships (type if not imported); create instance of structure
Netelements management structure
type mstruct netelements (domain br, domain nw) {
    import administrator; switch_op; radio_op; switch_repair; radio_repair; switch_base;
    domain r = br/roles/; a = r/nea/; s = br/rel/;
    inst role a/nea1 = administrator ( ... ) ;
              a/nea2 = administrator ( ... ) ;
              r/bnos = switch_op (nw/bsc/, nw/msc) ;
              r/bnor = radio_op (nw/bsc/) ;
    inst rel s/bnos_nea1 = switch_repair (bnos, nea1);
             s/bnos_nea2 = switch_repair (bnos, nea2);
             s/bnor_nea1 = radio_repair (bnor, nea1);
             s/bnor_nea2 = radio_repair (bnor, nea2);
             s/bnos_bnor = switch_base (bnos, bnor);
}
[Figure: BNoS, BNoR, NEA1, NEA2 and the relationships between them]
Base and Switch Operators
type role base_op (set n) {
    inst oblig restart { target f = n^{id}; on failure(id); do restart()->runSelfTest(); }
}
Base rights and duties for all operators
type role switch_op (set <bsc> bscd, msc m) extends base_op (bscd) {
    inst oblig reset { target f = bscd^{id}; on A_failure(cir, id); do block(cir); reset(cir); }
    auth+ circuit { action block, reset; target bscd; }
} // switch_op
Specialisation: switch_op extends base_op
Radio Operator
type role radio_op (set <bsc> bscd) extends base_op(bscd) {
    inst
    oblig clearCell { target f = bscd^{id}; on cellOverload(BTSid, id); do forceHO(BTSid); }
    oblig increaseTX { target f = bscd^{id}; on 3*radioLinkFail(BTSid, id); do setTxPower(+1); }
    …
}
Radio operators are responsible for base transceiver systems
On cell overload, force a hand-over of connected mobiles
On 3 consecutive radio failures, increase BTS transmission
Authorisation Policies
type group gen_auth (set s1, set s2, hlr h, eir e, vlr v) {
    constraint workHours = time.between("0800", "1800");
    inst auth+ pt1 { subject s1; target h; when workHours; action add, traceSubscriber, lockSubscriber; }
    auth- pt2 { subject s1; target e; action blackListEquipment; }
    auth+ pt3 { subject s2; target v; when workHours; action trace, checkHandover, checkRadio; }
}
Common constraint definition
Scenario Summary
Scenario exemplifies:
large number of managed objects
large numbers of distributed managers (agents)
reasonable number of policy and role types
O-O style specifications are a real benefit. However, they require regular and well planned domain structures.
Ponder approach provides an easy means for:
creating and using new policy types
structuring policies and management teams
instantiating and deploying large numbers of policies
Future Directions
Ponder future work
Conclusions
References
Comparison With Vendor Products
[Table: Ponder compared with vendor products (Tivoli, Packeteer, Access360, RSA Securities, Computer Assoc., HP Products, Orchestream, MS Active Directory, Cisco Assure, SolSoft, Systor, Allot) by management (M) and security (S) feature; the per-product cells are not recoverable from the transcript]
Management / Security feature rows: Element Management / Firewall/router AC; QoS / Unix AC; Application Management / Windows AC; Event Correlation / Intrusion Detection; Monitoring / Web/DB access control ?; Provisioning / Single sign on; Roles ?; Adaptive management; Automated deployment; Policy Analysis ?; Inter domain policy negotiation; Mobile and Ubiquitous systems, WAP; OSS or workflow integration; Privacy management; SLA/Trust to policy refinement; Service Level Agreement / Trust specification; Future
Ponder Future Work
Policy based programmable networks
Policy aware applications
Policy based network elements – routers and firewalls
Direct implementation of policy in hardware (FPGAs)
Inter-organisational policy negotiation
Policy based response to network attacks
Refinement and analysis tools
Trust specification, analysis and refinement into security management policy
Case studies and implementation
Conclusions
[Figure: Security specification: authorisation, filter, refrain, delegation, role. Management: event-triggered obligation, role. Analysis: declarative language. Large scale, multiple organisations: domains + composite policies]
Trust & Security Management
What is Trust
Trust Classification
Trust Specification
Use of Trust
What is Trust
A quantified belief by a trustor with respect to the competence, honesty, security and dependability of a trustee within a specified context
[Figure: trust relationship between trustor and trustee in a context, here hotel services]
Distrust useful for trust revocation or in default trusted environments
Quantification implies various degrees of trust/distrust
Trust Classification
1. Access to Trustor Resources, eg MSN Messenger: MyMachine trusts MSNMess to save files
2. Provision of Service by Trustee, eg e-news deliveries, email, archive: Tom trusts news.com
3. Certification of trustee, eg VeriSign or Brit. Medical Assoc.
4. Delegation of trust, eg use certification authority for trust decisions: May delegates all decisions concerning verification to her bank
5. Infrastructure trust, eg network, storage
[Figure: each class drawn as a trustor-trustee relationship]
Trust Specification
Trust Predicate
trust (trustor, trustee, actions, level, constraint set)
trust (Helen, _hotel, print; processing, 50)  hotelGroup (_hotel, HolidayInn)
Distrust when level < 0
Recommend Predicate
recommend (recommendor, recommendee, actions, level, constraint set)
recommend (Morris, _attendee, verifyCredential, medium)  ICstaffMember (_attendee)
trust (Harry, GameCo, DownloadGames, medium)  recommend (Tom, GameCo, DownloadGames, high)
Trust, Experience and Risk
Trust is not static but changes with time as a result of experience/reputation
Reputation = evaluation of experience
Need for 3rd party recommendations, c.f. PGP
Trust is related to risk and value
High risk -> low trust. But high risk, low value may be medium trust
Trust framework must monitor experience, risk and constraints in order to dynamically update trust levels and relationships.
Trust-based Authorisation Policy
type auth+ Access ( domain sub-directory, string TrustValue) {
    subject Client;
    target sub-directory;
    action downloadMusic();
    when trust+(FrontEnd, ClientApp, downloadMusic(ContentDatabase), TrustValue ) };
inst auth+ AccessHigh = Access(/BMW/ContentBase, HighTrust);
inst auth+ AccessLow = Access(/BMW/ContentBase/Restricted, LowTrust);
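An added example (not Ponder's trust service) that evaluates the trust and recommend predicates from the Trust Specification slide inside the Access policy above: a direct trust fact is used first, a negative level is distrust and never permits, and when the trustor holds no fact a recommendation from a party it trusts to recommend is used instead. The numeric level scale, the Trust/Recommend/Access classes, the path-prefix scoping of sub-directory and the trust facts are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

LEVELS = {"low": 25, "medium": 50, "high": 75}   # constructed named levels

@dataclass(frozen=True)
class Trust:
    """trust(trustor, trustee, action, level); level < 0 expresses distrust."""
    trustor: str
    trustee: str
    action: str
    level: int

@dataclass(frozen=True)
class Recommend:
    """recommend(recommender, trustee, action, level)"""
    recommender: str
    trustee: str
    action: str
    level: int

def trust_level(trustor, trustee, action, trusts, recs) -> Optional[int]:
    """trust+ evaluation: direct fact first; otherwise the lowest level among
    recommendations from recommenders the trustor trusts for 'recommend'.
    Returns None when nothing is known (treated as no trust)."""
    for t in trusts:
        if (t.trustor, t.trustee, t.action) == (trustor, trustee, action):
            return t.level
    recommended = [r.level for r in recs
                   if r.trustee == trustee and r.action == action
                   and any(t.trustor == trustor and t.trustee == r.recommender
                           and t.action == "recommend" and t.level >= 0 for t in trusts)]
    return min(recommended) if recommended else None

@dataclass
class Access:
    """inst auth+ Access(sub_directory, TrustValue) from the slide."""
    sub_directory: str
    trust_value: int
    action: str = "downloadMusic"

    def permits(self, client, target, trusts, recs, trustor="FrontEnd"):
        """auth+ applies only if the target lies in the sub-directory and the
        trust constraint holds; distrust (negative level) never permits."""
        if not target.startswith(self.sub_directory):
            return False
        level = trust_level(trustor, client, self.action, trusts, recs)
        return level is not None and level >= 0 and level >= self.trust_value

# Policy instances from the slide, with constructed threshold values.
ACCESS_HIGH = Access("/BMW/ContentBase", LEVELS["high"])
ACCESS_LOW = Access("/BMW/ContentBase/Restricted", LEVELS["low"])

# Constructed trust database held by the FrontEnd.
TRUSTS = [Trust("FrontEnd", "Harry", "downloadMusic", LEVELS["medium"]),
          Trust("FrontEnd", "Tom", "recommend", LEVELS["high"]),
          Trust("FrontEnd", "Mallory", "downloadMusic", -10)]
RECS = [Recommend("Tom", "GameCo", "downloadMusic", LEVELS["high"])]

def decide(client, target):
    """Permitted if any auth+ instance applies (no auth- policies here)."""
    return any(p.permits(client, target, TRUSTS, RECS) for p in (ACCESS_HIGH, ACCESS_LOW))
```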
Trust Refinement & Adaptive Security
[Figure: labels Medium Trust; Authorisations, Delegation; Monitoring and reacting to unusual behaviour; Low Trust]
Communities of Devices
[Figure: external services; trust based relationships]
Policy-driven Architecture
[Figure: Context; Trust Evaluation; Trust Specification; Access Control; Authorisations; Adaptation; Adaptation policies; events; change; Filtering; Privacy; Selected information]