Method and system for managing security policies
First Claim
1. A method of managing security policies in an information technologies (IT) system, comprising:
- receiving an input indicating a high-level security policy for the IT system, the received high-level security policy relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at an enforcement entity of the IT system;
- determining a functional model for the IT system, the functional model indicating functional system attributes of the IT system;
- loading at least one pre-configured rule template;
- automatically or semi-automatically generating, by a processor, at least one machine-enforceable rule that is in a ready to execute format in a manner compliant with the received high-level security policy by iteratively filling the at least one pre-configured rule template with functional system attributes indicated by the functional model, wherein the at least one machine-enforceable rule is an output of a model-driven process and are produced from high-level models; and
- distributing the at least one machine-enforceable rule.
Abstract
A system and method of managing security policies in an information technologies (IT) system are provided. In an example, the method includes receiving an input indicating a high-level security policy for the IT system, the received high-level security policy relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at an enforcement entity of the IT system. A functional model for the IT system is determined, where the functional model indicates functional system attributes of the IT system. At least one pre-configured rule template is loaded, and at least one machine-enforceable rule is generated in a manner compliant with the received high-level security policy by iteratively filling the at least one pre-configured rule template with functional system attributes indicated by the functional model. After the generating step, the at least one machine-enforceable rule can be distributed (e.g., to an enforcement entity, an Intrusion Detection System (IDS), etc.). In another example, the receiving, determining, loading, generating and distributing steps can be performed at a policy node within an IT system.
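The generating and distributing steps the abstract describes, as an added illustration that is not the patent's own code: a constructed functional model (hosts, roles, services, enforcement points), a constructed role-level policy that no firewall could enforce as written, and a constructed iptables-style rule template that is filled iteratively with the model's attributes and then grouped per enforcement entity.

```python
"""Added example, not from the patent: model-driven rule generation.
Every host, address, port, policy statement and template below is constructed."""
from itertools import product

# Pre-configured rule templates: the placeholders are functional attributes
# that only the functional model can supply.
ALLOW_TEMPLATE = ("-A INPUT -s {src_ip} -d {dst_ip} -p {proto} --dport {port} "
                  "-j ACCEPT  # {policy_id}")
DENY_TEMPLATE = "-A INPUT -d {dst_ip} -p {proto} --dport {port} -j DROP  # default-deny"

# Functional model (constructed): what exists, in functional terms.
FUNCTIONAL_MODEL = {
    "hosts": [
        {"name": "web1", "ip": "10.0.1.10", "role": "web"},
        {"name": "web2", "ip": "10.0.1.11", "role": "web"},
        {"name": "app1", "ip": "10.0.3.30", "role": "app"},
        {"name": "db1", "ip": "10.0.2.20", "role": "database"},
    ],
    "services": {"web": [("tcp", 443)], "app": [("tcp", 8080)], "database": [("tcp", 5432)]},
    "enforcement_point": {"web": "fw-web", "app": "fw-app", "database": "fw-db"},
}

# High-level policy (constructed): non-functional intent stated over roles,
# without addresses or ports, so it is not machine-enforceable as written.
HIGH_LEVEL_POLICY = [
    {"id": "P1", "from": "app", "may_reach": "database"},
    {"id": "P2", "from": "web", "may_reach": "app"},
]

def hosts_with_role(model, role):
    return [h for h in model["hosts"] if h["role"] == role]

def generate_rules(policy, model):
    """Fill the templates iteratively; returns {enforcement_point: [rules]}
    with every allow rule placed before the closing default-deny rule."""
    per_point = {}
    for stmt in policy:
        rules = per_point.setdefault(model["enforcement_point"][stmt["may_reach"]], [])
        for src, dst, (proto, port) in product(hosts_with_role(model, stmt["from"]),
                                               hosts_with_role(model, stmt["may_reach"]),
                                               model["services"][stmt["may_reach"]]):
            rules.append(ALLOW_TEMPLATE.format(src_ip=src["ip"], dst_ip=dst["ip"],
                                               proto=proto, port=port, policy_id=stmt["id"]))
    for role in sorted({s["may_reach"] for s in policy}):  # close each protected service
        for dst, (proto, port) in product(hosts_with_role(model, role), model["services"][role]):
            per_point[model["enforcement_point"][role]].append(
                DENY_TEMPLATE.format(dst_ip=dst["ip"], proto=proto, port=port))
    return per_point

def distribute(per_point):
    """Stand-in for pushing rules to each enforcement entity: rules delivered per point."""
    return {point: len(rules) for point, rules in per_point.items()}
```

Changing a host's address or role in the functional model and regenerating is the whole point of the approach: the policy statements stay untouched while every enforceable rule is re-derived.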
71 Claims
1. A method of managing security policies in an information technologies (IT) system, comprising:
- receiving an input indicating a high-level security policy for the IT system, the received high-level security policy relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at an enforcement entity of the IT system;
- determining a functional model for the IT system, the functional model indicating functional system attributes of the IT system;
- loading at least one pre-configured rule template;
- automatically or semi-automatically generating, by a processor, at least one machine-enforceable rule that is in a ready to execute format in a manner compliant with the received high-level security policy by iteratively filling the at least one pre-configured rule template with functional system attributes indicated by the functional model, wherein the at least one machine-enforceable rule is an output of a model-driven process and are produced from high-level models; and
- distributing the at least one machine-enforceable rule.
Dependent claims: 2-30, 63, 64, 68
31. An information technologies (IT) system, comprising:
a policy node configured to receive an input indicating a high-level security policy for the IT system, the received high-level security policy relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at an enforcement entity of the IT system, the policy node further configured to determine a functional model for the IT system, the functional model indicating functional system attributes of the IT system, to load at least one pre-configured rule template, to automatically or semi-automatically generate at least one machine-enforceable rule that is in a ready to execute format in a manner compliant with the received high-level security policy by iteratively filling the at least one pre-configured rule template with functional system attributes indicated by the functional model and distributing the at least one machine-enforceable rule, wherein the at least one machine-enforceable rule is an output of a model-driven process and are produced from high-level models.
Dependent claims: 32-60, 65, 69
61. A method of managing security policies in an information technologies (IT) system, comprising:
- receiving an input indicating a high-level security policy for the IT system, the received high-level security policy relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at an enforcement entity of the IT system and expressed in a high-level security policy meta model and separated from the functional model of the IT system;
- determining a functional model for the IT system, the functional model indicating functional system attributes of the IT system;
- loading at least one pre-configured rule template;
- automatically or semi-automatically generating, by a processor, at least one machine-enforceable rule that is in a ready to execute format in a manner compliant with the received high-level security policy by iteratively filling the at least one pre-configured rule template with functional system attributes indicated by the functional model, wherein the at least one machine-enforceable rule is an output of a model-driven process and are produced from high-level models; and
- distributing the at least one machine-enforceable rule.
Dependent claims: 66, 70
62. An information technologies (IT) system, comprising:
a policy node configured to receive an input indicating a high-level security policy for the IT system, the received high-level security policy relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at an enforcement entity of the IT system and expressed in a high-level security policy meta model and separated from the functional model of the IT system, the policy node further configured to determine a functional model for the IT system, the functional model indicating functional system attributes of the IT system, to load at least one pre-configured rule template, to automatically or semi-automatically generate at least one machine-enforceable rule that is in a ready to execute format in a manner compliant with the received high-level security policy by iteratively filling the at least one pre-configured rule template with functional system attributes indicated by the functional model and distributing the at least one machine-enforceable rule, wherein the at least one machine-enforceable rule is an output of a model-driven process and are produced from high-level models.
Dependent claims: 67, 71