Method and system for managing security policies

US 9,420,006 B2
Filed: 04/27/2015
Issued: 08/16/2016
Est. Priority Date: 09/17/2007
Status: Active Grant

First Claim

Patent Images

1. A method of managing policies in an at least one information technologies (IT) system, comprising:

receiving a policy input indicating at least one input policy for the at least one IT system, the received policy input relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at a policy implementation entity of the IT system;

determining at least one functional model for the IT system, the at least one functional model indicating functional system attributes of the IT system;

loading at least one pre-configured rule and/or configuration template from a memory;

automatically or semi-automatically generating, by a processor, at least one machine-enforceable rule and/or configuration that is in a ready to implement format in a manner compliant with the received policy input by iteratively filling the at least one pre-configured rule and/or configuration template with functional system attributes indicated by the at least one functional model, wherein the at least one machine-enforceable rule and/or configuration is an output of a model-driven process and is produced from the received policy input; and

distributing the at least one machine-enforceable rule and/or configuration to at least one policy implementation entity.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method of managing security policies in an information technologies (IT) system are provided. In an example, the method includes receiving an input indicating a high-level security policy for the IT system, the received high-level security policy relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at an enforcement entity of the IT system. A functional model for the IT system is determined, where the functional model indicates functional system attributes of the IT system. At least one pre-configured rule template is loaded, and at least one machine-enforceable rule is generated in a manner compliant with the received high-level security policy by iteratively filling the at least one pre-configured rule template with functional system attributes indicated by the functional model. After the generating step, the at least one machine-enforceable rule can be distributed (e.g., to an enforcement entity, an Intrusion Detection System (IDS), etc.). In another example, the receiving, determining, loading, generating and distributing steps can be performed at a policy node within an IT system.

Citations

20 Claims

1. A method of managing policies in an at least one information technologies (IT) system, comprising:
- receiving a policy input indicating at least one input policy for the at least one IT system, the received policy input relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at a policy implementation entity of the IT system;
  
  determining at least one functional model for the IT system, the at least one functional model indicating functional system attributes of the IT system;
  
  loading at least one pre-configured rule and/or configuration template from a memory;
  
  automatically or semi-automatically generating, by a processor, at least one machine-enforceable rule and/or configuration that is in a ready to implement format in a manner compliant with the received policy input by iteratively filling the at least one pre-configured rule and/or configuration template with functional system attributes indicated by the at least one functional model, wherein the at least one machine-enforceable rule and/or configuration is an output of a model-driven process and is produced from the received policy input; and
  
  distributing the at least one machine-enforceable rule and/or configuration to at least one policy implementation entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein the policy input includes at least one security policy, quality of service (QoS) policy, audit policy, monitoring policy, or compliance policy.
  - 3. The method according to claim 1, wherein the at least one input policy and/or the at least one machine-enforceable rule and/or configuration is based on Attribute-Based Access Control (ABAC).
  - 4. The method according to claim 1, wherein the at least one policy implementation entity implements the at least one machine-enforceable rule and/or configuration at at least one sender, at at least one receiver, or at the at least one sender and at the at least one receiver.
  - 5. The method according to claim 1, wherein the input policy is quality-of-protection (QoP) policy and/or event logging policy.
  - 6. The method according to claim 1, further comprising configuring system components to implement the distributed at least one machine-enforceable rule and/or configuration.
  - 7. The method of claim 6, wherein the system components to be configured include an application layer, a network layer, a virtual private network (VPN), and/or a firewall.
  - 8. The method according to claim 1, wherein the at least one functional model and/or input policy includes at least one event model that enables correct correlation of event instances with the model elements specified in the event model.
  - 9. The method according to claim 1, wherein the at least one functional model includes attributes pertaining to human users and/or technical entities.
  - 10. The method according to claim 9, wherein the attributes include at least one name, identity, identifier, clearance, or role.

11. An information technologies (IT) system, comprising:
- at least one policy node and at least one policy implementation entity; and
  
  a communication mechanism connecting the at at least one policy node and at least one policy implementation entity,wherein the at least one policy node is configured to receive a policy input indicating at least one input policy for the IT system, the received policy input relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at an policy implementation entity of the IT system, the at least one policy node further configured to determine at least one functional model for the IT system, the at least one functional model indicating functional system attributes of the IT system, to load at least one pre-configured rule and/or configuration template from a memory, to automatically or semi-automatically generate at least one machine-enforceable rule and/or configuration that is in a ready to implement format in a manner compliant with the received policy input by iteratively filling the at least one pre-configured rule and/or configuration template with functional system attributes indicated by the at least one functional model and distributing the at least one machine-enforceable rule and/or configuration to the at least one policy implementation entity, andwherein the at least one machine-enforceable rule and/or configuration is an output of a model-driven process and are produced from the received policy input.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The IT system according to claim 11, wherein the policy input includes at least one security policy, quality of service (QoS) policy, audit policy, monitoring policy, or compliance policy.
  - 13. The IT system according to claim 11, wherein the at least one input policy and/or the at least one machine-enforceable rule and/or configuration is based on Attribute-Based Access Control (ABAC).
  - 14. The IT system according to claim 11, wherein the at least one policy implementation entity implements the at least one machine-enforceable rule and/or configuration at at least one sender, at at least one receiver, or at the at least one sender and at the at least one receiver.
  - 15. The IT system according to claim 11, wherein the input policy is quality-of-protection (QoP) policy and/or event logging policy.
  - 16. The IT system according to claim 11, wherein the policy node is further configured to configure system components to implement the distributed at least one machine-enforceable rule and/or configuration.
  - 17. The IT system of claim 16, wherein the system components to be considered include an application layer, a network layer, a virtual private network (VPN), and/or a firewall.
  - 18. The IT system according to claim 11, wherein the at least one functional model includes at least one event model that enables correct correlation of event instances with the model elements specified in the event model.
  - 19. The method according to claim 11, wherein the at least one functional model includes attributes pertaining to human users and/or technical entities.
  - 20. The IT system according to claim 19, wherein the attributes include at least one name, identity, identifier, clearance, or role.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rudolf Schreiner, Ulrich Lang
Original Assignee
Rudolf Schreiner
Inventors
Lang, Ulrich, Schreiner, Rudolf
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US14/697,230
Publication Number

US 20150237073A1
Time in Patent Office

477 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

Method and system for managing security policies

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for managing security policies

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links