Method and system for managing security policies
First Claim
1. A policy management system, comprising:
- at least one policy management device including a processor, memory having a computer executable program and a policy input and/or a template stored and/or a functional model therein, the at least one policy management device being configured to manage the policy input and/or the template and/or the functional model when the computer executable program is executed by the processor;
- at least one policy enforced device that includes a processor, memory having a computer executable program and is directly or indirectly connected to the policy management device via a network and that is configured when the computer executable program is executed by the processor, such that at least a part of the functional model managed by the policy management device reflects the functional features/behaviors of the at least one policy enforced device;
- at least one policy enforcement device that is a part of or connected to the at least one policy enforced device and/or at least one policy decision device and is configured, when the respective executable program is executed by the respective processor, to execute policy enforcement on the policy enforced device, the policy enforcement device being a part of or connected to the at least one policy enforced device and/or at least one policy decision device; and
- the at least one policy decision device including a processor and a memory having a computer executable program, the at least one policy decision device being configured, when the computer executable program is executed by the processor, to receive at least one generated rule and/or configuration from the at least one policy management device and to determine a policy decision based on the received rule and/or configuration,

wherein the at least one policy management device receives a policy input loaded from the memory, or entered by a user via a user interface, indicating at least one input policy for the at least one policy enforced device, the received input policy relating to non-functional system attributes for the at least one policy enforced device,

wherein the at least one policy management device determines at least one functional model for the at least one policy enforced device relevant for the received input policy based on which functional system attributes are indicated by the input policy and/or configuration template, the at least one functional model indicating functional system attributes used to iteratively fill placeholders,

wherein the at least one policy management device loads at least one pre-configured rule and/or configuration template from the memory to the processor,

wherein the at least one policy management device automatically or semi-automatically generates at least one rule and/or configuration that is in a ready to implement format in a manner compliant with the received input policy by selecting the at least one pre-configured rule and/or configuration template corresponding to the input policy, and iteratively fills placeholders or values in the at least one input policy with functional system values indicated by the at least one functional model or with other placeholders,

wherein the at least one rule and/or configuration, which indicates at least one instruction that corresponds to the input policy that is produced by the processor from the received policy input, the at least one functional model, and/or the at least one pre-configured rule and/or configuration template,

wherein the at least one policy management device transmits the at least one rule and/or configuration to the at least one policy decision device that determines the result(s) of the at least one pre-configured rule and/or configuration template for the policy enforced device, and

wherein the at least one policy enforcement device, when a policy relevant event occurs, instructs the at least one policy decision device to determine the result of the at least one condition of the transmitted at least one rule and/or configuration for implementing the policy input for the at least one policy enforced device, thereby modifying an operation of the at least one policy enforced device or the at least one policy enforcement device to execute the at least one instruction.
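The claim describes a pipeline in which the policy management device selects a pre-configured template for a non-functional input policy, fills the template's placeholders iteratively from the functional model of the enforced device (a placeholder may first expand to another placeholder), transmits the resulting rule to the policy decision device, and the policy enforcement device consults that device when a policy-relevant event occurs. The following Python is an added example written for this page, not code from the patent or its assignee; the template, the functional model, the sample policy and events, and every function and class name are assumptions chosen to illustrate that mechanism, including the two failure modes a generator must refuse (an unknown placeholder and a placeholder cycle).

```python
import re

# Matches a {name} placeholder in a template string.
PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Pre-configured rule template (assumed), keyed by the non-functional attribute
# that an input policy names. Condition values and the instruction carry
# placeholders; "defaults" may map a placeholder to ANOTHER placeholder
# ({channel} -> {mgmt_protocol}), which is resolved in a later fill round.
TEMPLATES = {
    "confidentiality": {
        "condition": {"role": "{role}", "protocol": "{channel}", "port": "{mgmt_port}"},
        "instruction": "permit {action} on {resource}",
        "defaults": {"channel": "{mgmt_protocol}"},
    },
}


def fill_placeholders(text, values, max_rounds=10):
    """Iteratively substitute {name} placeholders until none remain.

    A value may itself contain placeholders, which are filled in the next
    round. Unknown placeholders raise KeyError; a substitution that does
    not converge (e.g. {a} -> {b} -> {a}) raises ValueError instead of
    emitting a rule that still contains placeholders.
    """
    for _ in range(max_rounds):
        names = set(PLACEHOLDER.findall(text))
        if not names:
            return text
        missing = names - set(values)
        if missing:
            raise KeyError(f"unfilled placeholders: {sorted(missing)}")
        text = PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), text)
    raise ValueError("placeholder substitution did not converge")


def generate_rule(input_policy, functional_model):
    """Policy management device: select the template matching the policy's
    non-functional attribute and fill it from the template defaults, the
    functional model of the enforced device and the policy's own parameters
    (later sources override earlier ones). Returns a ready-to-implement rule."""
    template = TEMPLATES[input_policy["attribute"]]
    values = {**template["defaults"], **functional_model, **input_policy["params"]}
    condition = {attr: fill_placeholders(v, values) for attr, v in template["condition"].items()}
    return {"condition": condition, "instruction": fill_placeholders(template["instruction"], values)}


class PolicyDecisionDevice:
    """Holds generated rules and evaluates their conditions against events."""

    def __init__(self):
        self.rules = []

    def receive(self, rule):
        self.rules.append(rule)

    def decide(self, event):
        # A rule matches when every condition attribute equals the event's value
        # (compared as strings, since filled placeholders are strings).
        for rule in self.rules:
            if all(str(event.get(attr)) == want for attr, want in rule["condition"].items()):
                return rule["instruction"]
        return "deny"  # default-deny when no rule matches


class PolicyEnforcementDevice:
    """Sits on the enforced device; on a policy-relevant event it asks the
    decision device and applies the returned instruction."""

    def __init__(self, pdp):
        self.pdp = pdp
        self.applied = []

    def on_event(self, event):
        instruction = self.pdp.decide(event)
        self.applied.append((event, instruction))  # record what was enforced
        return instruction


# Constructed sample data (assumptions, not taken from the patent).
FUNCTIONAL_MODEL = {"mgmt_protocol": "https", "mgmt_port": 443, "resource": "running-config"}
INPUT_POLICY = {"attribute": "confidentiality", "params": {"role": "admin", "action": "write"}}


def run_demo():
    """Generate the rule, load it into the decision device, and replay two events."""
    rule = generate_rule(INPUT_POLICY, FUNCTIONAL_MODEL)
    pdp = PolicyDecisionDevice()
    pdp.receive(rule)
    pep = PolicyEnforcementDevice(pdp)
    allowed = pep.on_event({"role": "admin", "protocol": "https", "port": 443})
    denied = pep.on_event({"role": "admin", "protocol": "http", "port": 80})
    return rule, allowed, denied


if __name__ == "__main__":
    print(run_demo())
```

The condition is kept as a structured attribute-to-value map rather than an expression string, so the decision device compares values instead of evaluating text that came out of a template; the generator refuses to emit a rule while any placeholder is unresolved, which is the check a practitioner wants before a half-filled rule reaches the enforcement point.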
Abstract
A policy management system includes a policy management device configured to manage a policy input and/or a template and/or a functional model; a policy enforced device that is directly or indirectly connected to the policy management device via a network and is configured such that at least a part of the functional model managed by the policy management device reflects the functional features/behaviors of the policy enforced device; a policy enforcement device configured to execute policy enforcement on the policy enforced device; and a policy decision device configured to receive a machine-enforceable rule and/or configuration from the policy management device. When a policy relevant event occurs, the policy enforcement device instructs the policy decision device to determine the result of the condition of the transmitted machine-enforceable rule and/or configuration for implementing the policy input for the policy enforced device, thereby modifying an operation of the policy enforced device or the policy enforcement device to execute the action.
20 Claims

Claim 1 (independent) is reproduced above under First Claim; claims 2 to 20 are dependent claims.