Method and system for managing security policies

US 10,348,774 B2
Filed: 06/25/2018
Issued: 07/09/2019
Est. Priority Date: 09/17/2007
Status: Active Grant

First Claim

Patent Images

1. A policy management system, comprising:

at least one policy management device including a processor, memory having a computer executable program and a policy input and/or a template stored and/or a functional model therein, the at least one policy management device being configured to manage the policy input and/or the template and/or the functional model when the computer executable program is executed by the processor;

at least one policy enforced device that includes a processor, memory having a computer executable program and is directly or indirectly connected to the policy management device via a network and that is configured when the computer executable program is executed by the processor, such that at least a part of the functional model managed by the policy management device reflects the functional features/behaviors of the at least one policy enforced device;

at least one policy enforcement device that is a part of or connected to the at least one policy enforced device and/or at least one policy decision device and is configured, when the respective executable program is executed by the respective processor, to execute policy enforcement on the policy enforced device, the policy enforcement device being a part of or connected to the at least one policy enforced device and/or at least one policy decision device; and

the at least one policy decision device including a processor and a memory having a computer executable program, the at least one policy decision device being configured, when the computer executable program is executed by the processor, to receive at least one generated rule and/or configuration from the at least one policy management device and to determine a policy decision based on the received rule and/or configuration,wherein the at least one policy management device receives a policy input loaded from the memory, or entered by a user via a user interface, indicating at least one input policy for the at least one policy enforced device, the received input policy relating to non-functional system attributes for the at least one policy enforced device,wherein the at least one policy management device determines at least one functional model for the at least one policy enforced device relevant for the received input policy based on which functional system attributes are indicated by the input policy and/or configuration template, the at least one functional model indicating functional system attributes used to iteratively fill placeholders,wherein the at least one policy management device loads at least one pre-configured rule and/or configuration template from the memory to the processor,wherein the at least one policy management device automatically or semi-automatically generates at least one rule and/or configuration that is in a ready to implement format in a manner compliant with the received input policy by selecting the at least one pre-configured rule and/or configuration template corresponding to the input policy, and iteratively fills placeholders or values in the at least one input policy with functional system values indicated by the at least one functional model or with other placeholders, wherein the at least one rule and/or configuration, which indicates at least one instruction that corresponds to the input policy that is produced by the processor from the received policy input, the at least one functional model, and/or the at least one pre-configured rule and/or configuration template,wherein the at least one policy management device transmits the at least one rule and/or configuration to the at least one policy decision device that determines the result(s) of the at least one pre-configured rule and/or configuration template for the policy enforced device, andwherein the at least one policy enforcement device, when a policy relevant event occurs, instructs the at least one policy decision device to determine the result of the at least one condition of the transmitted at least one rule and/or configuration for implementing the policy input for the at least one policy enforced device, thereby modifying an operation of the at least one policy enforced device or the at least one policy enforcement device to execute the at least one instruction.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy management system includes a policy management device that is configured to manage a policy input and/or a template and/or a functional model, a policy enforced device that is directly or indirectly connected to the policy management device via a network and that is configured such that at least a part of the functional model managed by the policy management device reflects the functional features/behaviors of the policy enforced device, a policy enforcement device that is configured to execute policy enforcement on the policy enforced device, and a policy decision device that is configured to receive machine-enforceable rule and/or configuration from the policy management device. The policy enforcement device, when a policy relevant event occurs, instructs the policy decision device to determine the result of the condition of the transmitted machine-enforceable rule and/or configuration for implementing the policy input for the policy enforced device, thereby modifying an operation of the policy enforced device or the policy enforcement device to execute the action.

Citations

20 Claims

1. A policy management system, comprising:
- at least one policy management device including a processor, memory having a computer executable program and a policy input and/or a template stored and/or a functional model therein, the at least one policy management device being configured to manage the policy input and/or the template and/or the functional model when the computer executable program is executed by the processor;
  
  at least one policy enforced device that includes a processor, memory having a computer executable program and is directly or indirectly connected to the policy management device via a network and that is configured when the computer executable program is executed by the processor, such that at least a part of the functional model managed by the policy management device reflects the functional features/behaviors of the at least one policy enforced device;
  
  at least one policy enforcement device that is a part of or connected to the at least one policy enforced device and/or at least one policy decision device and is configured, when the respective executable program is executed by the respective processor, to execute policy enforcement on the policy enforced device, the policy enforcement device being a part of or connected to the at least one policy enforced device and/or at least one policy decision device; and
  
  the at least one policy decision device including a processor and a memory having a computer executable program, the at least one policy decision device being configured, when the computer executable program is executed by the processor, to receive at least one generated rule and/or configuration from the at least one policy management device and to determine a policy decision based on the received rule and/or configuration,wherein the at least one policy management device receives a policy input loaded from the memory, or entered by a user via a user interface, indicating at least one input policy for the at least one policy enforced device, the received input policy relating to non-functional system attributes for the at least one policy enforced device,wherein the at least one policy management device determines at least one functional model for the at least one policy enforced device relevant for the received input policy based on which functional system attributes are indicated by the input policy and/or configuration template, the at least one functional model indicating functional system attributes used to iteratively fill placeholders,wherein the at least one policy management device loads at least one pre-configured rule and/or configuration template from the memory to the processor,wherein the at least one policy management device automatically or semi-automatically generates at least one rule and/or configuration that is in a ready to implement format in a manner compliant with the received input policy by selecting the at least one pre-configured rule and/or configuration template corresponding to the input policy, and iteratively fills placeholders or values in the at least one input policy with functional system values indicated by the at least one functional model or with other placeholders, wherein the at least one rule and/or configuration, which indicates at least one instruction that corresponds to the input policy that is produced by the processor from the received policy input, the at least one functional model, and/or the at least one pre-configured rule and/or configuration template,wherein the at least one policy management device transmits the at least one rule and/or configuration to the at least one policy decision device that determines the result(s) of the at least one pre-configured rule and/or configuration template for the policy enforced device, andwherein the at least one policy enforcement device, when a policy relevant event occurs, instructs the at least one policy decision device to determine the result of the at least one condition of the transmitted at least one rule and/or configuration for implementing the policy input for the at least one policy enforced device, thereby modifying an operation of the at least one policy enforced device or the at least one policy enforcement device to execute the at least one instruction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The policy management system according to claim 1, wherein a placeholder is a slot in the policy input or the pre-configured rule and/or configuration template that indicates implicitly or explicitly which values can be filled in during generating the at least one rule and/or configuration.
  - 3. The policy management system according to claim 1, wherein the at least one value is copied over unchanged from the policy input into the generated rule and/or configuration.
  - 4. The policy management system according to claim 1, wherein generating includes producing the rule/configuration in a syntax suitable for configuring the policy decision device.
  - 5. The policy management system according to claim 1, wherein the input policy includes at least one value that is a placeholder to at least one more replacement value, with the replacement values being specified as part of the functional model, and the policy management system filling the placeholder with all of the replacement values.
  - 6. The policy management system according to claim 5, wherein filling the placeholder with all of the replacement values involves creating separate rules for each replacement value, or creating a single rule that contains all replacement values.
  - 7. The policy management system according to claim 1, wherein the at least one policy management device transmits the at least one generated rule and/or configuration to the at least one policy decision device which determines instructions which should be or should not be executed by the at least one policy enforcement device, which implements the at least one instruction at the at least one policy enforced device.
  - 8. The policy management system according to claim 5, wherein the pre-configured rule and/or configuration template specifies which placeholders of the received policy input are to be filled in using which functional system attributes.
  - 9. The policy management system according to claim 1, wherein the at least one functional model specifies at least one subset of the model elements of the at least one functional model, the subset indicating the model elements available as inputs.
  - 10. The policy management system according to claim 1, wherein the received policy input includes monitoring, alarm and logging policies, which include conditions and actions that trigger monitoring alerts to be created, log entries to be created, and/or alarms to be triggered.
  - 11. The policy management system according to claim 1, wherein the at least one policy decision device is not collocated with the at least one policy enforcement device and communicates with the at least one policy enforcement device on or connected with another policy enforced device and that makes a decision based on the at least one action, or that is collocated on the same policy enforced device with the at least one policy enforcement device that enforces the at least one generated rule and/or configuration.
  - 12. The policy management system according to claim 1, wherein functional system attribute values that are filled by the at least one policy management device include values that are available or known before the at least one generated rule and/or configuration is decided at the at least one policy decision device and/or enforced at the at least one policy enforcement device.
  - 13. The policy management system according to claim 1, wherein functional system attributes values that are filled by the at least one policy management device include values that are not available or known until the at least one generated rule and/or configuration is decided at the at least one policy decision device and/or enforced at the at least one policy enforcement device.
  - 14. The policy management system according to claim 1, wherein the functional system attributes specify attribute values, calculation result values, and/or comparison values of the at least one template that is filled in.
  - 15. The policy management system according to claim 12, wherein the at least one action includes at least one of a request for the at least one policy enforced device or policy enforcement device to proceed with the policy relevant event, a request for the at least one policy enforced device or policy enforcement device not to proceed with the policy relevant event, a request for the at least one policy enforced device or policy enforcement device to remove some or all of a content transmitted as part of the policy relevant event, a request for the at least one policy enforced device or policy enforcement device to proceed with the policy relevant event but to modify some or all of the content of transmitted as part of the policy relevant event, a request for the at least one policy enforced device or policy enforcement device to create a log entry about subsequent requests available on the at least one policy enforced device, and a request for the at least one policy enforced device or policy enforcement device to raise monitoring alerts and/or alarms.
  - 16. The policy management system according to claim 1, wherein the input policy includes an indication that facilities the processor to select a particular template, so that the processor loads at least one template needed to process a particular input policy, and does not load a template not needed to process the particular input policy.
  - 17. The policy management system according to claim 1, wherein the policy enforcement device is connected to the at least one policy enforced device via the network.
  - 18. The policy management system according to claim 1, wherein the at least one policy decision device is included in the at least one policy enforced device.
  - 19. The policy management system according to claim 1, wherein the at least one policy decision device is included in the at least one policy enforcement device.
  - 20. The policy management system according to claim 1, wherein instructions comprise one or more of rules, groupings, assignments, and configurations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rudolf Schreiner, Ulrich Lang
Original Assignee
Rudolf Schreiner, Ulrich Lang
Inventors
Lang, Ulrich, Schreiner, Rudolf
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US16/017,301
Publication Number

US 20180309796A1
Time in Patent Office

379 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

Method and system for managing security policies

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for managing security policies

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links