Method and system for managing security policies
First Claim
1. A method of managing policies in an at least one information technologies (IT) system, comprising:
receiving a policy input indicating at least one input policy for the at least one IT system, the received policy input relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at a policy implementation entity of the IT system;
determining at least one functional model for the IT system, the at least one functional model indicating functional system attributes of the IT system;
loading at least one pre-configured rule and/or configuration template from a memory;
automatically or semi-automatically generating, by a processor, at least one machine-enforceable rule and/or configuration that is in a ready to implement format in a manner compliant with the received policy input by iteratively filling the at least one pre-configured rule and/or configuration template with functional system attributes indicated by the at least one functional model, wherein the at least one machine-enforceable rule and/or configuration is an output of a model-driven process and is produced from the received policy input; and
distributing the at least one machine-enforceable rule and/or configuration to at least one policy implementation entity.
Abstract
A system and method of managing security policies in an information technologies (IT) system are provided. In an example, the method includes receiving an input indicating a high-level security policy for the IT system, the received high-level security policy relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at an enforcement entity of the IT system. A functional model for the IT system is determined, where the functional model indicates functional system attributes of the IT system. At least one pre-configured rule template is loaded, and at least one machine-enforceable rule is generated in a manner compliant with the received high-level security policy by iteratively filling the at least one pre-configured rule template with functional system attributes indicated by the functional model. After the generating step, the at least one machine-enforceable rule can be distributed (e.g., to an enforcement entity, an Intrusion Detection System (IDS), etc.). In another example, the receiving, determining, loading, generating and distributing steps can be performed at a policy node within an IT system.
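The abstract describes a generation step that a reader may find easier to follow in code: a policy stated in non-functional terms (tiers, service names) is combined with a functional model (which hosts play which role, which port a service listens on) to fill pre-configured rule templates until a ready-to-implement rule set exists, which is then handed to the enforcement entity. The block below is an added illustration of that pattern, not code from the patent or its assignee. The policy, the functional model, every host name and address, and the iptables-style templates are constructed for this example; the one practical check it adds is that a policy term which resolves to nothing in the functional model is reported as an error rather than silently producing an empty, and therefore wrongly permissive or wrongly restrictive, rule set.

```python
"""Added example (not the patent's code): model-driven generation of packet-filter
rules from a high-level policy, in the style the abstract describes.

The policy, the functional model, the host names and addresses and the rule
templates are all constructed for this illustration; the output uses
iptables-save syntax as the "ready to implement" format.
"""
from itertools import product

# Policy input: expressed in non-functional terms (roles, service names).
# A packet filter cannot load this directly because it names no address or port.
POLICY = {
    "id": "db-access",
    "text": "Only the web tier may reach the database tier, and only via the database service.",
    "allow": [{"from_role": "web", "to_role": "db", "service": "postgres"}],
    "default": "deny",
}

# Functional model: the concrete system the policy applies to (constructed data).
FUNCTIONAL_MODEL = {
    "hosts": {
        "web-1": {"role": "web", "ip": "10.0.1.10"},
        "web-2": {"role": "web", "ip": "10.0.1.11"},
        "db-1": {"role": "db", "ip": "10.0.2.20"},
        "bastion": {"role": "ops", "ip": "10.0.9.5"},
    },
    "services": {"postgres": {"proto": "tcp", "port": 5432}},
}

# Pre-configured templates in the enforcement entity's own syntax, with
# placeholders that only the functional model can fill.
ALLOW_TEMPLATE = "-A INPUT -s {src_ip}/32 -d {dst_ip}/32 -p {proto} --dport {port} -j ACCEPT"
DENY_TEMPLATE = "-A INPUT -d {dst_ip}/32 -p {proto} --dport {port} -j DROP"


def hosts_with_role(model, role):
    """Resolve a policy role to concrete host names; a role nobody has is a policy/model mismatch."""
    names = sorted(n for n, h in model["hosts"].items() if h["role"] == role)
    if not names:
        raise ValueError(f"policy role {role!r} matches no host in the functional model")
    return names


def generate_rules(policy, model):
    """Iteratively fill the templates, one rule per (source host, destination host) pair.

    Returns {enforcement_entity: [rule, ...]}. The entity is the destination host,
    because each host's own packet filter enforces its INPUT chain.
    """
    rules = {}
    guarded = []  # (dst host, proto, port) tuples that receive a closing DROP
    for stmt in policy["allow"]:
        svc = model["services"].get(stmt["service"])
        if svc is None:
            raise ValueError(f"policy service {stmt['service']!r} is not in the functional model")
        for src, dst in product(hosts_with_role(model, stmt["from_role"]),
                                hosts_with_role(model, stmt["to_role"])):
            rules.setdefault(dst, []).append(ALLOW_TEMPLATE.format(
                src_ip=model["hosts"][src]["ip"], dst_ip=model["hosts"][dst]["ip"],
                proto=svc["proto"], port=svc["port"]))
            key = (dst, svc["proto"], svc["port"])
            if key not in guarded:
                guarded.append(key)
    if policy["default"] == "deny":
        # The DROP must follow every ACCEPT for the same port, so it is appended last.
        for dst, proto, port in guarded:
            rules[dst].append(DENY_TEMPLATE.format(
                dst_ip=model["hosts"][dst]["ip"], proto=proto, port=port))
    return rules


def distribute(rules):
    """Package each entity's rules as the payload it would receive (returned here, not sent)."""
    return {entity: "\n".join(entity_rules) for entity, entity_rules in rules.items()}


if __name__ == "__main__":
    for entity, payload in distribute(generate_rules(POLICY, FUNCTIONAL_MODEL)).items():
        print(f"# rules for {entity}\n{payload}\n")
```

Running the block prints the three rules destined for the database host's packet filter: one ACCEPT per web host, followed by the DROP that closes the port to everyone else. Hosts in roles the policy never mentions (the bastion) receive nothing, which is the intended reading of the constructed policy; a role or service that exists in the policy but not in the model is rejected before any rule is distributed.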
20 Claims
1. (Independent method claim; text as given under First Claim above.) Claims 2 to 10 depend on claim 1.
11. An information technologies (IT) system, comprising:
at least one policy node and at least one policy implementation entity; and a communication mechanism connecting the at least one policy node and the at least one policy implementation entity, wherein the at least one policy node is configured to receive a policy input indicating at least one input policy for the IT system, the received policy input relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at a policy implementation entity of the IT system, the at least one policy node further configured to determine at least one functional model for the IT system, the at least one functional model indicating functional system attributes of the IT system, to load at least one pre-configured rule and/or configuration template from a memory, to automatically or semi-automatically generate at least one machine-enforceable rule and/or configuration that is in a ready-to-implement format in a manner compliant with the received policy input by iteratively filling the at least one pre-configured rule and/or configuration template with functional system attributes indicated by the at least one functional model, and to distribute the at least one machine-enforceable rule and/or configuration to the at least one policy implementation entity, and wherein the at least one machine-enforceable rule and/or configuration is an output of a model-driven process and is produced from the received policy input.
Claims 12 to 20 depend on claim 11.