Method and system for managing security policies

US 9,692,792 B2
Filed: 08/09/2016
Issued: 06/27/2017
Est. Priority Date: 09/17/2007
Status: Active Grant

First Claim

Patent Images

1. A method of managing policies in an at least one information technologies (IT) system including at least one policy implementation entity that operates in a user context or organizational context, comprising:

(a) receiving, by a processor, a policy input loaded from a data storage or a memory, or entered by a user via a user interface, indicating at least one input policy for the at least one IT system, the received input policy relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at a policy implementation entity of the IT system;

(b) determining at least one functional model for the IT system in the received input policy based on which functional system attributes are indicated by the input policy and/or configuration template, the at least one functional model indicating functional system attributes of the user context or organizational context of the IT system;

(c) loading at least one pre-configured rule and/or configuration template from a memory to the processor;

(d) automatically or semi-automatically generating, by the processor, at least one machine-enforceable rule and/or configuration that is in a ready to implement format in a manner compliant with the received input policy by selecting the at least one pre-configured rule and/or configuration template corresponding to the input policy, and iteratively filling attribute placeholders of the at least one pre-configured rule and/or configuration template with functional system attributes values indicated by the at least one functional model, wherein the at least one machine-enforceable rule and/or configuration, which includes at least one condition and at least one action is an output that is produced by the processor from the received policy input, the at least one functional model, and/or the at least one pre-configured rule and/or configuration template;

(e) transmitting the at least one machine-enforceable rule and/or configuration to at least one policy implementation entity of the IT system; and

(f) executing the transmitted at least one machine-enforceable rule and/or configuration by the at least one policy implementation entity for implementing the policy input through the IT system, thereby modifying an operation of the processor of the IT system or the policy implementation entity to determine the result of the at least one condition, and executing the at least one action.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method of managing security policies in an information technologies (IT) system are provided. In an example, the method includes receiving an input indicating a high-level security policy for the IT system, the received high-level security policy relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at an enforcement entity of the IT system. A functional model for the IT system is determined, where the functional model indicates functional system attributes of the IT system. At least one pre-configured rule template is loaded, and at least one machine-enforceable rule is generated in a manner compliant with the received high-level security policy by iteratively filling the at least one pre-configured rule template with functional system attributes indicated by the functional model. After the generating step, the at least one machine-enforceable rule can be distributed (e.g., to an enforcement entity, an Intrusion Detection System (IDS), etc.). In another example, the receiving, determining, loading, generating and distributing steps can be performed at a policy node within an IT system.

Citations

18 Claims

1. A method of managing policies in an at least one information technologies (IT) system including at least one policy implementation entity that operates in a user context or organizational context, comprising:
- (a) receiving, by a processor, a policy input loaded from a data storage or a memory, or entered by a user via a user interface, indicating at least one input policy for the at least one IT system, the received input policy relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at a policy implementation entity of the IT system;
  
  (b) determining at least one functional model for the IT system in the received input policy based on which functional system attributes are indicated by the input policy and/or configuration template, the at least one functional model indicating functional system attributes of the user context or organizational context of the IT system;
  
  (c) loading at least one pre-configured rule and/or configuration template from a memory to the processor;
  
  (d) automatically or semi-automatically generating, by the processor, at least one machine-enforceable rule and/or configuration that is in a ready to implement format in a manner compliant with the received input policy by selecting the at least one pre-configured rule and/or configuration template corresponding to the input policy, and iteratively filling attribute placeholders of the at least one pre-configured rule and/or configuration template with functional system attributes values indicated by the at least one functional model, wherein the at least one machine-enforceable rule and/or configuration, which includes at least one condition and at least one action is an output that is produced by the processor from the received policy input, the at least one functional model, and/or the at least one pre-configured rule and/or configuration template;
  
  (e) transmitting the at least one machine-enforceable rule and/or configuration to at least one policy implementation entity of the IT system; and
  
  (f) executing the transmitted at least one machine-enforceable rule and/or configuration by the at least one policy implementation entity for implementing the policy input through the IT system, thereby modifying an operation of the processor of the IT system or the policy implementation entity to determine the result of the at least one condition, and executing the at least one action.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method according to claim 1, wherein transmitting includes transmitting to decision-making entities which determine which actions should be or should not be executed by enforcement entities, which implement the at least one machine-enforceable rule for communicating IT systems, to apply the at least one action on at least one IT system being a sender of a communication and/or at least one IT system being a receiver of a communication.
  - 3. The method according to claim 1, wherein the pre-configured rule and/or configuration template is implemented as a model-to-model transformation, a model-to-text transformation, hard-coded security models of the received policy input, or hard-coded processor instructions.
  - 4. The method according to claim 1, wherein the pre-configured rule and/or configuration template specifies the mappings, transformations or instructions how the at least one machine-enforceable rule and/or configuration is produced from the received policy input.
  - 5. The method according to claim 4, wherein the pre-configured rule and/or configuration template specifies which attributes of the received policy input are to be filled in using which functional system attributes.
  - 6. The method according to claim 1, wherein the pre-configured rule and/or configuration template and/or the at least one policy input and/or functional model each contain reference information that indicates a reference to information contained in the pre-configured rule and/or configuration template and/or in the at least one policy input and/or functional model.
  - 7. The method according to claim 6, wherein the reference to the information contained in the pre-configured rule and/or configuration template and/or in the at least one policy input and/or functional model directly indicates the referenced information in the pre-configured rule and/or configuration template and/or in the at least one policy input and/or functional model.
  - 8. The method according to claim 6, wherein the reference to the information contained in the pre-configured rule and/or configuration template and/or in the at least one policy input and/or functional model indicates a mapping element in the pre-configured rule and/or configuration template and/or in the at least one policy input and/or functional model, which reference information that indicates an indirect reference to information contained in the pre-configured rule and/or configuration template and/or in the at least one policy input and/or functional model.
  - 9. The method according to claim 6, wherein the policy input, the functional system attributes, and/or the pre-configured rule and/or configuration template include the reference information.
  - 10. The method according to claim 1, wherein the at least one functional model specifies at least one subset of the model elements of the functional model, the subset indicating the model elements available as inputs.
  - 11. The method according to claim 1, wherein the received policy input includes at least one of organization-specific, industry-specific, market-specific, user-specific, technical architecture-specific, enterprise architecture-specific, or business architecture-specific policy input.
  - 12. The method according to claim 1, wherein the received policy input includes monitoring, alarm and logging policies, which include conditions and actions that trigger monitoring alerts to be created, log entries to be created, and/or alarms to be triggered.
  - 13. The method according to claim 1, wherein the at least one policy implementation entity includes a policy decision entity that is centralized in at least one IT system and communicates with at least one policy enforcement entity on another IT system and that makes a decision based on the at least one action, or that is collocated on the same at least one IT system with an enforcement entity that enforces the at least one machine-enforceable rule and/or configuration.
  - 14. The method according to claim 1, wherein functional system attributes values that are filled in at the steps (a)-(e) include values that are available or known before the at least one machine-enforceable rule and/or configuration is decided at a decision-making entity and/or enforced at an enforcement entity.
  - 15. The method according to claim 1, wherein functional system attributes values that are filled in at the step of (f) include values that are not available or known until the at least one machine-enforceable rule and/or configuration is decided at a decision-making entity and/or enforced at an enforcement entity.
  - 16. The method according to claim 1, wherein the functional system attributes specify attribute values, calculation result values, and/or comparison values of the at least one template that is filled in.
  - 17. The method according to claim 12, wherein the at least one action includes at least one of a request for the IT system to proceed with the at least one machine-enforceable rule and/or configuration, a request for the IT system not to proceed with the at least one machine-enforceable rule and/or configuration, a request for the IT system to remove some or all of a content of the transmitted at least one machine-enforceable rule and/or configuration, a request for the IT system to proceed with the at least one machine-enforceable rule and/or configuration but to modify some or all of the content of transmitted at least one machine-enforceable rule and/or configuration, a request for the IT system to create a log entry about subsequent requests available on the IT system, and a request for the IT system to raise monitoring alerts and/or alarms.
  - 18. The method according to claim 1, wherein the input policy includes an indication that facilities the processor to select a particular template, so that the processor loads at least one template needed to process a particular input policy, and does not load a template not needed to process the particular input policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rudolf Schreiner, Ulrich Lang
Original Assignee
Rudolf Schreiner
Inventors
Lang, Ulrich, Schreiner, Rudolf
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US15/232,136
Publication Number

US 20160352780A1
Time in Patent Office

322 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 67/10   in which an application is ...

Method and system for managing security policies

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for managing security policies

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links