Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Tuesday, August 14, 2007

On Federated Policy Management in Enterprises: Episode II …

In June I published a post about “Federated Policy Management”:

“Policies are used to drive access control decisions and enforce access to resources. How do we “synchronise” policies that are used at different levels of abstraction in complex telecom or enterprise environments?
Ideally an organisation might want to define high-level policies, check their compliance and manage them in a centralised way. However, the idea of having a general-purpose policy language is unfeasible, given current legacy systems and the complexity of the real world.
In practice, different policies are defined and enforced at each IT layer (e.g. network, system, OSs, middleware, application/services, etc.). Keeping these policies aligned with (high-level) business and security objectives, and fully understanding the impact of local changes on the global context, is often a challenging experience.”

In other words, the problem is how to “align” high-level policies with a multitude of lower-level policies, and keep them consistent, when each lower-level policy potentially has its own operational context, its own policy decision points (PDPs) and its own policy enforcement points (PEPs).

The idea of having a “Federation of Policies” would imply:
  • Having a model of these multiple policies (syntax, semantics, ontology, etc.);
  • Mapping dependencies between policies (that apply at the same IT layer and/or across IT layers);
  • Having mechanisms to propagate changes top-down and bottom-up, depending on needs;
  • Having “federated” mechanisms to translate these changes into policy modifications, at the right policy levels …
  • Having a model of involved IT infrastructure (PEPs, PDPs, etc.) and associated requirements;
  • Having (centralised?) supervision of all these policies and their security, auditing and compliance checking.
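To make the list above concrete, here is a small added example (mine, not part of the original post or of any HP product) of the first three points in working code: a model of policies at several IT layers, a dependency map recording which lower-level policy refines which higher-level one, an impact query that walks that map, and a compliance check that flags any lower-level grant its parent policy does not allow. The layers, role names and resources are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Rule:
    # One grant (subject, resource, action) at some IT layer; constructed model.
    subject: str
    resource: str
    action: str

@dataclass
class Policy:
    name: str
    layer: str                       # e.g. "business", "application", "network"
    rules: set = field(default_factory=set)
    refines: Optional[str] = None    # parent policy this one refines (dependency map)

def covered(rule, parent_rules):
    """True if some parent rule is at least as broad ('*' acts as a wildcard)."""
    r = (rule.subject, rule.resource, rule.action)
    for p in parent_rules:
        if all(a == "*" or a == b for a, b in zip((p.subject, p.resource, p.action), r)):
            return True
    return False

def check_alignment(policies):
    """Return (policy name, rule) for each lower-level grant its parent does not allow."""
    by_name = {p.name: p for p in policies}
    return [(p.name, r) for p in policies if p.refines
            for r in p.rules if not covered(r, by_name[p.refines].rules)]

def dependents(policies, name):
    """Impact analysis: every policy that transitively refines `name`."""
    out = []
    for p in policies:
        if p.refines == name:
            out.append(p.name)
            out.extend(dependents(policies, p.name))
    return out

# Constructed sample: business policy -> application policy (over-grants to HR) -> network policy.
SAMPLE = [
    Policy("biz-payroll", "business", {Rule("finance", "payroll-db", "read")}),
    Policy("app-payroll", "application",
           {Rule("finance", "payroll-db", "read"), Rule("hr", "payroll-db", "read")},
           refines="biz-payroll"),
    Policy("net-payroll", "network", {Rule("finance", "payroll-db", "read")},
           refines="app-payroll"),
]
```

Running `check_alignment(SAMPLE)` reports the HR grant in the application layer as the only misalignment, and `dependents(SAMPLE, "biz-payroll")` lists the two policies a change to the business policy would ripple into.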

Has anybody in this community come across solutions or approaches to this problem?
Any other alternative approach to be aware of?
