Dynamic and adaptive policy models for coalition operations

Seraphin B. Calo
Overview

Goal: develop approaches and mechanisms for policy based management that enable autonomy in the operation of the constituent elements of the coalition system

Coalition Needs
• A dynamic, secure and resilient information infrastructure that conforms to the policies of each coalition member
• Autonomous operations within the bounds of collaborative pursuit of common goals
• Understand human issues that impact policy definition and enforcement

Principal Topics
• Generative policy mechanisms: new policy architectures in which elements can generate their policies under a loose set of guidance from a central coalition commander
• Algorithms that ensure consistency and coherence in the operation of generative policy based systems
• Security and resource management: apply the generative policy model to the management of coalition operations

Policy: a set of considerations designed to guide decisions on courses of action
Traditional Management Model

A set of managed devices connected to a management system by a communication network

[Diagram: a human operator and a management system; the management system sends manual and automatic configuration to the managed devices, and the managed devices return alerts and logs that are handled by the system]

• Managed devices are given configuration information by the management system
• Operational information (e.g., alerts or logs) is provided by the managed device to the management system
• The management system has a set of algorithms/policies/rules to deal with the alerts and logs that are processed
  - In order to handle an alert or log, the system may decide to send a reconfiguration command to the managed device
• Syntax and semantics of alerts, logs and configurations are determined by the domain of management, e.g., fault management, security management, performance management, etc.
• When the system is not able to deal with the alerts or logs, the human operator intervenes to deal with the situation, diagnoses the underlying cause, and then reconfigures the system to react to the unexpected situation
Policy Based Management

Policies capture desired behaviors

[Diagram: human view of policies → Policy Refinement (PRF) → machine view of policies → Policy Decision Point (PDP) ↔ Policy Enforcement Point (PEP), with alerts/logs flowing in and configuration flowing out]

• Human operator provides an objective for the managed device
• Management system translates objectives into a machine view of policy through the process of refinement or transformation
• Policies are declarative, Event-Condition-Action (ECA) rules

DMTF/IETF Policy Model
• Managed devices contain policy enforcement points (PEP) for externalizing decisions
• When a situation requiring a decision arises, the relevant PEP converts it into a request to a policy decision point (PDP)
• PDPs access the set of policies relevant to the decision that needs to be made
• Policies determine the decision based on the managed device and its current state
• PDP informs the PEP what actions to take
• PEP can then change the system configuration to react to the environment
Evolution of Policy Based Management

[Diagram: three configurations. No Autonomy: PEP in the device; PDP and PRF in the management system. Policy based Autonomy: PEP and PDP in the device; PRF in the management system. Generative Policy based Autonomy: PEP, PDP and PRFD in the device; PRFM in the management system]

Elements of the policy infrastructure can be configured in different ways
• PEPs are associated with managed resources and will usually be co-located with them
• Policy refinement process (PRF) will usually be embedded in the management system
• PDPs could be embedded in the management system
  - Leads to more centralized management
• PDP could be co-located with its associated PEPs in the managed environment
  - Supports distributed systems management configurations
  - Policies would be pushed to appropriate PDPs when they are specified or changed
  - System exhibits a greater degree of autonomic behavior

Generative paradigm splits refinement between management and managed systems
Generative Policy Based Management

[Diagram: the management system hosts the PRFM and sends the interaction graph to the PRFD inside the device; the PRFD generates the policies used by the device's PDP, which drives the device's PEP]

Generative Policy Model
• PDP is embedded within the managed device
• PDP gets its policies from the PRFD module that is also embedded within the managed device
• PRFM is responsible for sending the overall coordination guidelines to the PRFD

Interaction Graph
• Interaction graph is an abstract description of the various entities within the environment that the PRFD needs to interact with
• It is defined as a relationship between entities in different roles, not as an exhaustive listing of all the different devices in the system

Information Flow
• PRFM provides two types of information to each PRFD
  - Representation of an interaction graph
  - Role of each PRFD in the interaction graph is defined by the PRFM
• PRFM also associates a set of attributes with each link in the interaction graph
  - Link attributes indicate what information is available on that link
Example: Secure Access

Maintaining secure access to documents

[Diagram: packet firewall in front of a web server and an SSH server, both of which front the document server]

• Document server contains a set of documents, some of which are considered sensitive
• Set of users have access to sensitive documents
  - Can be accessed either using a web-based server or via a secure shell based system
• Packet filtering firewall is provided to safeguard access to both the web-based server and the SSH server

Current Practice
• Human administrator manually configures filtering and access control policies for the firewall, web server, secure shell server and the document server
• Ports on the firewall need to be configured to allow access to the web server
  - If the web server employs a moving target defense, it changes the web server's port regularly
  - Configuration of the firewall needs to be repeated manually every time such a change occurs
Example: Secure Access (Generative)

[Diagram: global interaction graph N – P – D, with link attributes Address and Port on the P→N link and User Id on the D→P link; component instances are Packet Firewall (N), Web Server (P), SSH Server (P) and Document Server (D)]

Generative Approach
• Human operator specifies access requirements for documents
• Packet firewall, Web server, SSH server, and Document server each derive their policies to comply with access requirements
• If the web server switches its port as part of the moving target defense, the packet firewall would automatically adjust its filtering policies accordingly

Component Interactions
• Three roles: network protection role (N), protocol protection role (P), document protection role (D)
  - Web server and SSH server are both in the protocol protection role, Document server is in the document protection role, and Firewall is in the network protection role
• Attributes: entity in role D can provide User Ids to entity in role P; entity in role P can provide Address and Port number to entity in role N
• PRFD for each device receives the interaction graph
  - Discovers the other nodes that are associated with adjacent roles in the interaction graph
  - Gets the attribute values identified by the devices in those roles in the interaction graph
  - Generates its own set of policies to be used for its PDP
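The information flow of the generative model (the PRFM's interaction graph with roles and link attributes) and the Secure Access derivation (each PRFD discovering adjacent roles, reading their attributes and generating PDP policies), as an added Python model that is not part of the original slides. Device names, addresses, ports, user ids and the policy strings are constructed; the scenario shows the firewall re-deriving its rule after the web server changes port.

```python
from dataclasses import dataclass, field

# Interaction graph pushed by the PRFM (constructed from the slide): the key is
# (provider role, consumer role), the value the link attributes available on it.
INTERACTION_GRAPH = {("D", "P"): ("user_ids",), ("P", "N"): ("address", "port")}

@dataclass
class Device:
    name: str
    role: str                                     # "N", "P" or "D", assigned by the PRFM
    attrs: dict = field(default_factory=dict)     # attribute values this device exposes on its links
    policies: list = field(default_factory=list)  # policies generated for the local PDP

def regenerate(device, devices, graph=INTERACTION_GRAPH):
    """PRFD step: discover devices in the adjacent provider roles, read the
    link attributes they expose, and generate the policies for this device's PDP."""
    device.policies = []
    for (provider_role, consumer_role), names in graph.items():
        if consumer_role != device.role:
            continue
        for other in devices:
            if other.role != provider_role:
                continue
            values = {n: other.attrs[n] for n in names}
            if device.role == "N":    # firewall: permit only what the protected servers expose
                device.policies.append(f"permit tcp any -> {values['address']}:{values['port']}")
            elif device.role == "P":  # web/ssh server: admit only users the document server names
                device.policies.extend(f"allow user {u} on {device.name}" for u in values["user_ids"])
    device.policies.sort()
    return device.policies

def run_scenario():
    """Initial derivation, then the web server moves its port and only the firewall re-derives."""
    docs = Device("document-server", "D", {"user_ids": ["alice", "bob"]})   # constructed sample
    web = Device("web-server", "P", {"address": "10.0.0.5", "port": 443})   # constructed sample
    ssh = Device("ssh-server", "P", {"address": "10.0.0.6", "port": 22})    # constructed sample
    fw = Device("firewall", "N")
    devices = [docs, web, ssh, fw]
    for d in devices:
        regenerate(d, devices)
    before = list(fw.policies)
    web.attrs["port"] = 8443               # moving target defense: the web server changes port
    after = list(regenerate(fw, devices))  # firewall adjusts with no operator reconfiguration
    return before, after

if __name__ == "__main__":
    before, after = run_scenario()
    print("\n".join(before), "--- after port change ---", "\n".join(after), sep="\n")
```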
Software Defined Coalitions (SDC)

Coalition Operations
• Members of a coalition establish dynamic communities of interest (CoI) to accomplish joint missions
• CoIs may also be formed in non-military contexts, e.g., when different civilian agencies come together to deal with emergency situations (e.g., fires, hurricanes)
• Coalition members retain their management policies, and not all members may be trusted equally

IT Infrastructure
• CoI assets come from the different coalition members
• Many assets would be capable of significant processing power (e.g., drones, self-driving cars, robots, video cameras)
  - Each of these assets can run the PEP, PDP and PRFD components of the generative architecture, and take decisions on their own
• Coalition assets are subject to dual management
  - Must be able to deal with the instructions and commands from both managers
  - May have to work independently in a disconnected mode
• A U.S. asset (e.g., drone) that is part of a coalition CoI initially needs to be prepared for participation by a U.S. operator using a U.S. management system
• The CoI commander needs to prepare them for the mission using the mission management system
• During the mission, the assets may be operating without a connection to any management system