IT & Wireless Convergence
Policy-based Management Technologies
Seraphin B. Calo
© 2011 IBM Corporation

Agenda
– Policy-based Management
– Watson Policy Management Library (WPML)
– Policy Enabled Systems
  – Policy Enabled Network Gateway
  – Gaian Database
– Policy Controlled Coalition Information Dissemination

Self-Management
A policy is a set of considerations designed to guide decisions on courses of action.
– Policies
  – Goals or guidelines: System Constraints
  – Configuration policies: (Conditioned) Attribute/Value pairs
  – Event Condition Action rules
– Policy technologies are essential for self-management
  – Allow software to be adapted to different environments
  – Provide a mechanism for responding to changing conditions
  – Capture constraints and best practices
[Figure: Policy Management Tool, Policy Repository, Policy Decision Point, Policy Enforcement Point; flows labelled Policies and Actions]

Watson Policy Management Library
– Library built on Open Source Policy Engine
  – Imperius provides base set of functionality and object model
– Analysis
  – Examines policies for problems
– Transformation
  – Converts abstract representations of policies (e.g. “excellent service”) to concrete policies (e.g. “bandwidth=100Mhz”)
– Deployment
  – Sends policies to Policy Decision Points
  – Sensor Fabric contains 1 or more PDP
– Decision Points
  – Registry of evaluation points
  – Stores policies
  – Provides policy decisions
– Repositories
  – Generalized storage model
  – Policies
  – Policy Evaluation Points
[Figure: Policy Management Tool (NL Editor, Template-based Editor, Policy Analysis); Sensor Fabric (Policy Enabled); Gaian Database (Policy Enabled); Extended Policy Capabilities & Components: Syntax, Policy Metadata, Evaluation Points, Repositories, Conflict, Policy Templates, Decision Points, Deployment, Policy matching, Transformation, Discovery, Dominance, Coverage, …; Imperius (Open Source): SPL Parser, Evaluation Engine]

Template Based Authoring
Usable interface easily navigates users through phases of the policy lifecycle:
• Authoring
• Analysis
• Negotiation
• Deployment
Templates provide a structured policy language and yet a natural language feel.
Administration features:
• Template and attribute authoring
• User and group management

Policy Negotiation System
Multi-Party, Assisted Electronic Agreements
– Support for multiple concurrent sessions
  – Each session has a set of participating organizations
– Plug-in architecture to allow customization of each negotiation session with its own:
  – Negotiation goal (termination criteria)
  – One or more evaluation algorithms
  – Turn taking algorithm
  – Offer visibility choice
  – Negotiation procedure
  – Negotiation termination
[Figure: Negotiation Session Manager; Session 1 with Offer Evaluation, Negotiation Goal, Negotiation Termination, Turn Taking, Offer Visibility, Negotiation Procedure]

Policy Negotiation System for Coalition Networks
CWP Policy Negotiation Tool
– Guides process, incorporates real-time analysis and checks for convergence
– Coalition members can negotiate common, optimized mission policies in real time
– Demonstration for ISR Sensor Network Scenario
ITA Peer Review, Sept. 2010

Policy-Enabled Network Gateway
– Authorization and Filtering
  – Fine-grain, application-level filtering & authorization
  – Data column or row hiding, value altering
  – Message rerouting, modification, etc.
– Pluggable protocol support on OSGi
  – Protocol/application-specific policies
  – OSGi: dynamic, modular, multi-protocol platform
  – Pluggable policy resource models
  – MQ, JDBC, SIP, …
[Figure: Protocol-Specific Proxy Bundle. Labels: Inbound message, Protocol Parser, Policy Enforcement Point, PDP, Policy Repository, Resource Model, Outbound message; JDBC, MQ, … on OSGi; Coalition Interoperation: PEG, PEG]

Information Federation: GaianDB
– A distributed, federated database approach
  – Follows the ‘Store Locally-Query Anywhere’ paradigm
– Queries are routed to all of the nodes
  – Flood query, retrieving only the data required to satisfy a query
– Network of GaianDB nodes established using autonomic discovery of neighbours
  – Configuration only required for data sources
[Figure: network of GaianDB nodes N0 to N11 receiving SQL queries]

Coalition Warfare Program
Policy Controlled Coalition Information Dissemination
Prepared by
Tien Pham (ARL-SEDD)
Graham Bent (IBM-UK)
Seraphin Calo (IBM-US)

OSD Coalition Warfare Program
COALITION WARFARE PROGRAM (CWP)
Sponsored by OUSD(AT&L) to facilitate international cooperative technology development that enables more effective full-spectrum coalition operations
CWP Requirement:
• International program agreement
• US COCOM support
• Equitable resourcing
Excellent transition opportunities
• Leverage ITA research
Figure 4: Coalition Warfare Approach
US-UK ITA program satisfies CWP requirements

ITA CWP Projects
1st ITA-CWP Project: Sensor & Policy Software Tools & Protocols for Networking of Disparate ISR Assets
• FY09 & FY10
• Support from military programs
  • US: Empire Challenge, Networked UGS
  • UK: Network Emulator, Base Surveillance & Area OverWatch
• Technology demonstration at Empire Challenge 2010
  • Demonstrate interoperability of US, UK and coalition ISR assets for persistent surveillance
    – US acoustic mortar detection system cueing surrogate UK imaging sensor
  • Demonstrate use of policy for sensor data/information access and dissemination to KSAF and DDRE (US) networks
2nd ITA-CWP Project: Policy Controlled Information Query & Dissemination
• FY11 & FY12
• Technology implementation at the Intelligence Fusion Centre (in support of NATO) located at Molesworth RAF
• Enhance PED process for all-source analysts
• Demonstrate policy controlled distributed federation of disparate intelligent data sources from NATO

Coalition Problem Addressed
Sharing Information among different Coalition Partners
Challenges
– A coalition partner may want to provide limited information to other partners
– A coalition partner may want to limit the type or nature of information its members receive from others
– Information access policies need to be supported transparently
– Burden of policy compliance ought to be shifted from the soldier to the IT infrastructure
Goal
– Demonstrate a system to allow information sharing across coalitions
– Move policy compliance burden to IT infrastructure, away from the individual

ITA Gaian Database Concept
Distributed formal policy based techniques are used to control access to data and the flow of data through the network.
Each node implements policies that can be stored at any other node(s) in the network.
[Figure: Policy Repository]

Implementation of Watson Policy Management Library (WPML) in a Gaian Database Node
[Figure: Managed Environment with Policy Enforcement Points, Policy Management Tool, Policy Decision Point, Policy Repository]

    // Define resource p of type Properties
    Import Class java.util.Properties:p;
    // Define a resource authorizer that is used to signal
    // false values to the requesting PEP
    Import Class com.ibm.watson.pml.policy.types.IAuthorizer:authorizer;
    // If the given instance holds more than one property…
    Condition { p.size() > 1 }
    // Then signal the PEP to allow the action it is controlling.
    Decision { authorizer.allow() }

Proposed Program – Year 1
• Demonstration using IFC Data Set
  – Develop representative entity extraction rules and policies at Dstl (Porton Down) using existing distributed policy mechanism
  – Demonstration at Dstl and ARL
• Demonstration on actual IFC systems
  – Configure demonstration system
  – Demonstration at IFC (November 2011)
• Enhanced distributed policy mechanisms
  – Investigate capabilities of new distributed policy mechanisms

Proposed Program – Year 2
• Demonstration of enhanced policy mechanisms using IFC Data Set
  – Configure new policy mechanisms at Dstl (Porton Down) and IFC (April 2012)
  – Demonstration on actual IFC systems
• Demonstration across multi-agencies
  – Extend demonstration to multi agencies (e.g. IFC, NC3A) (Oct/November 2012)

IFC Demonstration – Phase 1
Federation of structured and unstructured data sources with distributed coalition policy based access control and dissemination
[Figure: IFC with data sources DS1 and DS3 and a Policy Authoring Tool]

Analyst queries for information from any node in the network – no policy applied
With no policy applied – “Find people named ‘omar’ who are linked to any other person”
The result returns 11 matches from across the distributed databases

Policy Authoring Tool used to create new policy restricting access of all users to records derived from SIGINT sources

Tool used to deploy policy into network
Policy tool used to deploy policy into local node policy database table – this is then read by all other nodes through Gaian Database and implemented at each node

Analyst queries for information – policy restricting access to SIGINT sources only is now applied
With policy applied – “Find people named ‘omar’ who are linked to any other person”
The result returns only 3 matches from across the distributed databases with SIGINT.
NOTE: There have been no changes made to the underlying data sources

Analyst queries for additional information – policy restricting access to SIGINT sources only is still applied
With policy applied – “Find telephone numbers linking named individuals and SigInt reports that describe the communication”
The result returns list of phone numbers and associated SIGINT reports from across the distributed data sources

Extending to other agencies – Phase 2
[Figure: IFC, NC3A and ANOTHER agency, each with a Policy Authoring Tool; data sources DS1 to DS10]

Contact Details & Disclaimer
Contact Details:
Dr Seraphin B. Calo
Research Staff Member & Manager
Policy Lifecycle Technologies
IBM Research Division
T. J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
Tel: +1 914-784-7514
Email: scalo@us.ibm.com

Research was sponsored by the U.S. Army Research Laboratory and the U.K. Ministry of Defence and was accomplished under Agreement Number W911NF-06-3-0001. The views and conclusions contained in this document are those of the author(s) and should not be interpreted as representing the official policies, either expressed or implied, of the U.S. Army Research Laboratory, the U.S. Government, the U.K. Ministry of Defence or the U.K. Government. The U.S. and U.K. Governments are authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon.

END
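
Added example (not from the original slides, and not WPML or GaianDB code): a minimal Python model of the Phase 1 walkthrough, in which a policy written into one node's policy table is read by every node and enforced locally on query results. Node, Policy, federated_query and the sample records are hypothetical names and constructed data.

```python
# Added illustration: a toy model of per-node policy enforcement in a
# federated query. All names and records are constructed, not WPML/GaianDB APIs.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Policy:
    name: str
    condition: object   # callable(user, record) -> bool, like an SPL Condition
    allow: bool         # decision signalled to the PEP when the condition holds

@dataclass
class Node:
    name: str
    records: list                                  # local data source rows
    policy_table: list = field(default_factory=list)

    def pdp_decide(self, policies, user, record):
        """PDP: the first policy whose condition matches decides.
        With no matching policy the record is released, as in the
        'no policy applied' step of the demonstration."""
        for p in policies:
            if p.condition(user, record):
                return p.allow
        return True

    def query(self, policies, user, predicate):
        """PEP: filter rows locally; the stored records are never modified."""
        return [r for r in self.records
                if predicate(r) and self.pdp_decide(policies, user, r)]

def federated_query(nodes, policy_home, user, predicate):
    """Flood the query to every node; each node reads the policy table
    held at policy_home and enforces it on its own rows."""
    policies = list(policy_home.policy_table)
    return [r for n in nodes for r in n.query(policies, user, predicate)]

# Constructed sample data: three nodes, records tagged with their origin.
n1 = Node("DS1", [{"name": "omar", "source": "SIGINT"},
                  {"name": "omar", "source": "HUMINT"}])
n2 = Node("DS2", [{"name": "omar", "source": "OSINT"},
                  {"name": "ali", "source": "SIGINT"}])
n3 = Node("DS3", [{"name": "omar", "source": "SIGINT"}])
NODES = [n1, n2, n3]
named_omar = lambda r: r["name"] == "omar"

# Policy from the walkthrough: users see SIGINT-derived records only.
SIGINT_ONLY = Policy("sigint-only",
                     lambda user, r: r["source"] != "SIGINT", allow=False)
```

Appending SIGINT_ONLY to n1.policy_table and re-running federated_query(NODES, n1, "analyst", named_omar) reduces the result from four constructed rows to two, while every node's stored records stay unchanged.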