Morris Sloman

The Ponder Policy Specification Language

The Ponder language provides a common means of specifying security policies that map onto various access control implementation mechanisms for firewalls, operating systems, databases and Java. It supports obligation policies that are event triggered condition-action rules for policy based management of networks and distributed systems. Ponder can also be used for security management activities such as registration of users or logging and auditing events for dealing with access to critical resources or security violations. Key concepts of the language include roles to group policies relating to a position in an organisation, relationships to define interactions between roles and management structures to define a configuration of roles and relationships pertaining to an organisational unit such as a department. These reusable composite policy specifications cater for the complexity of large enterprise information systems. Ponder is declarative, strongly-typed and object-oriented which makes the language flexible, extensible and adaptable to a wide range of management requirements.

A survey of trust in internet applications

Trust is an important aspect of decision making for Internet applications and particularly influences the specification of security policy, i.e., who is authorized to perform actions as well as the techniques needed to manage and implement security to and for the applications. This survey examines the various definitions of trust in the literature and provides a working definition of trust for Internet applications. The properties of trust relationships are explained and classes of different types of trust identified in the literature are discussed with examples. Some influential examples of trust management systems are described.

POLICY DRIVEN MANAGEMENT FOR DISTRIBUTED SYSTEMS

Separating management policy from the automated managers which interpret the policy facilitates the dynamic change of behavior of a distributed management system. This permits it to adapt to evolutionary changes in the system being managed and to new application requirements. Changing the behavior of automated managers can be achieved by changing the policy without having to reimplement them—this permits the reuse of the managers in different environments. It is also useful to have a clear specification of the policy applying to human managers in an enterprise. This paper describes the work on policy which has come out of two related ESPRIT funded projects, SysMan and IDSM. Two classes of policy are elaborated—authorization policies define what a manager is permitted to do and obligation policies define what a manager must do. Policies are specified as objects which define a relationship between subjects (managers) and targets (managed objects). Domains are used to group the objects to which a policy applies. Policy objects also have attributes specifying the action to be performed and constraints limiting the applicability of the policy. We show how a number of example policies can be modeled using these objects and briefly mention issues relating to policy hierarchy and conflicts between overlapping policies.

Conflicts in policy-based distributed systems management

Modern distributed systems contain a large number of objects and must be capable of evolving, without shutting down the complete system, to cater for changing requirements. There is a need for distributed, automated management agents whose behavior also has to dynamically change to reflect the evolution of the system being managed. Policies are a means of specifying and influencing management behavior within a distributed system, without coding the behavior into the manager agents. Our approach is aimed at specifying implementable policies, although policies may be initially specified at the organizational level and then refined to implementable actions. We are concerned with two types of policies. Authorization policies specify what activities a manager is permitted or forbidden to do to a set of target objects and are similar to security access-control policies. Obligation policies specify what activities a manager must or must not do to a set of target objects and essentially define the duties of a manager. Conflicts can arise in the set of policies. Conflicts may also arise during the refinement process between the high level goals and the implementable policies. The system may have to cater for conflicts such as exceptions to normal authorization policies. The paper reviews policy conflicts, focusing on the problems of conflict detection and resolution. We discuss the various precedence relationships that can be established between policies in order to allow inconsistent policies to coexist within the system and present a conflict analysis tool which forms part of a role based management framework. Software development and medical environments are used as example scenarios.

Constructing distributed systems in Conic

The Conic environment provides a language-based approach to the building of distributed systems which combines the simplicity and safety of a language approach with the flexibility and accessibility of an operating systems approach. It provides a comprehensive set of tools for program compilation, configuration, debugging, and execution in a distributed environment. A separate configuration language is used to specify the configuration of software components into logical nodes. This provides a concise configuration description and facilitates the reuse of program components in different configurations. Applications are constructed as sets of one or more interconnected logical nodes. Arbitrary, incremental change is supported by dynamic configuration. In addition, the system provides user-transparent datatype transformation between heterogeneous processors. Applications may be run on a mixed set of interconnected computers running the Unix operating system and on base target machines with no resident operating system. The basic principles adopted in the construction of the Conic environment are outlined and the configuration and run-time facilities provided are described. >

Policy hierarchies for distributed systems management

Distributed system management, involves monitoring the activity of a system, making management decisions and performing control actions to modify the behavior of the system. Most of the research on management has concentrated on management mechanisms related to network management or operating systems. However, in order to automate the management of very large distributed systems, it is necessary to be able to represent and manipulate management policy within the system. These objectives are typically set out in the form of general policies which require detailed interpretation by the system managers. The paper explores the refinement of general high-level policies into a number of more specific policies to form a policy hierarchy in which each policy in the hierarchy represents, to its maker, his plans to meet his objectives and, to its subject, the objectives which he must plan to meet. Management action policies are introduced, and the distinction between imperatival and authority policies is made. The relationship of hierarchies of imperatival policies to responsibility, and to authority policies, is discussed. An outline approach to the provision of automated support for the analysis of policy hierarchies is provided, by means of a more formal definition of policy hierarchy refinement relationships in Prolog. >

A survey of quality of service in mobile computing environments

The specification and management of quality of service (QoS) is important in networks and distributed computing systems, particularly to support multimedia applications. The advent of portable laptop computers, palmtops, and personal digital assistants with integrated communication capabilities facilitates mobile computing. This article is a survey of QoS concepts and techniques for mobile distributed computing environments. The requirements of current and future mobile computing are examined and the services required to support mobility are discussed. Generic concepts of QoS specification and management are overviewed followed by an analysis of the QoS work specific to mobile computing environments.

GEM: a generalized event monitoring language for distributed systems

Event-based monitoring is critical for managing and debugging networks and distributed systems. This paper presents GEM - an interpreted generalized event monitoring language. It allows high-level, abstract events to be specified in terms of combinations of lower-level events from different nodes in a loosely coupled distributed system. Event monitoring components can thus be distributed within the system to perform filtering, correlation and notification of events close to where they occur and thus reduce network traffic. GEM is a declarative rule-based language in which the notion of real time has been closely integrated and various temporal constraints can be specified for event composition. The paper discusses the effect of communication delays on composite event detection and presents a tree-based solution for dealing with out-of-order event arrivals at event monitors.

Security and management policy specification

Policies are rules governing the choices in behavior of a system. They are increasingly being used as a means of implementing flexible and adaptive systems for management of Internet services, networks, and security systems. There is also a need for a common specification of security policy for large-scale multi-organizational systems where access control is implemented in a variety of heterogeneous components. In this article we survey both security and management policy specification approaches, concentrating on practical systems in which the policy specification can be directly translated into an implementation.

A policy deployment model for the Ponder language

Policies are rules that govern the choices in behaviour of a system. Security policies define what actions are permitted or not permitted, for what or for whom, and under what conditions. Management policies define what actions need to be carried out when specific events occur within a system or what resources must be allocated under specific conditions. There is considerable interest in the use of policies for the security and management of large-scale networks and distributed services. Existing policy work has focussed on specification, information models and application-specific policy enforcement. We address the important goal of providing a general-purpose deployment model for policies that is independent of the underlying policy enforcement mechanisms and can be employed in mixed policy environments. In this paper, we present a deployment model that is object-oriented and addresses the instantiation, distribution and enabling of policies as well as the disabling, unloading and deletion of policies. The model defines objects for policies, for domains, and for the policy enforcement agent and outlines the interactions needed between them. The model also caters for changes in the memberships of domains since such changes also effect policy enforcement. The model forms part of the run-time support for Ponder; a new policy language that combines structuring ideas from object-oriented languages with a common set of policy basic types.