Policy Based Management v3

IT & Wireless Convergence
Policy-based Management
Technologies
Seraphin B. Calo
© 2011 IBM Corporation
Agenda
 Policy-based Management
 Watson Policy Management Library (WPML)
 Policy Enabled Systems
– Policy Enabled Network Gateway
– Gaian Database
 Policy Controlled Coalition Information Dissemination
Self-Management

 A policy is a set of considerations designed to guide decisions on courses of action.
– Goals or guidelines: system constraints
– Configuration policies: (conditioned) attribute/value pairs
– Event-Condition-Action rules

 Policy technologies are essential for self-management
– Allow software to be adapted to different environments
– Provide a mechanism for responding to changing conditions
– Capture constraints and best practices

[Figure: policy lifecycle. Policies flow from the Policy Management Tool into the Policy Repository; the Policy Decision Point reads policies from the repository and issues decisions; the Policy Enforcement Point turns those decisions into actions.]
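The components in the figure above, wired into one loop, as an added example in Python. This is not code from the page, from IBM or from WPML; the policy names, the event fields (partner, traffic, classification, link_load) and the sample events are constructed for the illustration. It shows the points a practitioner cares about: the repository is the only thing the management tool writes, the PDP orders policies by priority and fails closed when nothing matches, and the PEP never decides anything itself.

```python
"""Added example (not code from the page, from IBM or from WPML): the four
components on the slide wired into one loop, with policies written as
Event-Condition-Action rules. Policy names, event fields and the sample events
are constructed for this illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, object]


@dataclass(order=True)
class Policy:
    """Event-Condition-Action rule; only `priority` takes part in ordering."""
    priority: int
    name: str = field(compare=False)
    condition: Callable[[Event], bool] = field(compare=False)
    action: str = field(compare=False)      # e.g. "allow", "deny", "throttle:<kbit/s>"


class PolicyRepository:
    """Written by the policy management tool, read by the PDP."""
    def __init__(self) -> None:
        self._policies: List[Policy] = []

    def deploy(self, policy: Policy) -> None:
        self._policies.append(policy)

    def ordered(self) -> List[Policy]:
        return sorted(self._policies, reverse=True)   # highest priority first


class PolicyDecisionPoint:
    """Evaluates the conditions against an event; first applicable policy wins."""
    def __init__(self, repo: PolicyRepository, default: str = "deny") -> None:
        self.repo, self.default = repo, default

    def decide(self, event: Event) -> str:
        for p in self.repo.ordered():
            if p.condition(event):
                return p.action
        return self.default          # fail closed when no policy matches


class PolicyEnforcementPoint:
    """Sits in the data path: asks the PDP and applies the returned action."""
    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp
        self.log: List[str] = []

    def handle(self, event: Event) -> str:
        decision = self.pdp.decide(event)
        self.log.append(f"{event['src']}->{event['dst']}: {decision}")
        return decision


TRUSTED_PARTNERS = {"US", "UK"}   # constructed: the coalition members allowed by default


def run_demo() -> List[str]:
    """Deploy three ECA rules and push four constructed events through the PEP."""
    repo = PolicyRepository()
    repo.deploy(Policy(10, "deny-sigint-outside-us",
                       lambda e: e["classification"] == "SIGINT" and e["partner"] != "US", "deny"))
    repo.deploy(Policy(5, "throttle-video-on-congestion",
                       lambda e: e["traffic"] == "video" and e["link_load"] > 0.8, "throttle:512"))
    repo.deploy(Policy(1, "allow-coalition",
                       lambda e: e["partner"] in TRUSTED_PARTNERS, "allow"))
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(repo))
    events: List[Event] = [   # constructed sample events
        {"src": "uk-sensor-1", "dst": "us-fusion", "partner": "UK", "traffic": "telemetry",
         "classification": "UNCLASS", "link_load": 0.3},   # allow-coalition
        {"src": "us-uav-2", "dst": "uk-ops", "partner": "US", "traffic": "video",
         "classification": "UNCLASS", "link_load": 0.9},   # throttle beats allow on priority
        {"src": "uk-sensor-1", "dst": "us-fusion", "partner": "UK", "traffic": "telemetry",
         "classification": "SIGINT", "link_load": 0.1},    # explicit deny
        {"src": "fr-obs-7", "dst": "us-fusion", "partner": "FR", "traffic": "telemetry",
         "classification": "UNCLASS", "link_load": 0.1},   # no match: default deny
    ]
    return [pep.handle(e) for e in events]
```

Because the repository is sorted on priority alone, two rules with the same priority keep their deployment order; a real deployment would have the analysis stage flag that as a conflict rather than rely on insertion order.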
Watson Policy Management Library

 Library built on an open-source policy engine
– Imperius provides the base set of functionality and the object model (SPL parser, evaluation engine)

 Analysis
– Examines policies for problems

 Transformation
– Converts abstract representations of policies (e.g. "excellent service") to concrete policies (e.g. "bandwidth=100Mbps")

 Deployment
– Sends policies to Policy Decision Points
– A Sensor Fabric contains one or more PDPs

 Decision Points
– Registry of evaluation points
– Store policies
– Provide policy decisions

 Repositories
– Generalized storage model
– Policies
– Policy evaluation points

Extended policy capabilities and components (layered on the open-source Imperius SPL parser and evaluation engine): syntax, policy metadata, evaluation points, repositories, conflict, policy templates, decision points, deployment, policy matching, transformation, discovery, dominance, coverage, …

[Figure: the Policy Management Tool (NL editor, template-based editor, policy analysis) deploying policies to the policy-enabled Sensor Fabric and the policy-enabled Gaian Database.]
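Three of the analysis capabilities listed above, conflict, dominance and coverage, worked as an added Python example. This is not WPML or Imperius code; the attribute domain, the values and the four policies are constructed for the illustration, and a policy condition is modelled as a set of allowed values per attribute (an attribute left out matches any value). With that model the three checks reduce to set operations on the attribute ranges, which is also how the results can be explained back to the policy author.

```python
"""Added example (not WPML code): static analysis of a small policy set for
conflict, dominance and coverage. Attributes, values and policy names are
constructed for the illustration."""
from dataclasses import dataclass
from itertools import combinations, product
from typing import Dict, FrozenSet, List, Tuple

Domain = Dict[str, FrozenSet[str]]       # attribute -> every value it can take
Condition = Dict[str, FrozenSet[str]]    # attribute -> values the policy matches (absent = any)


@dataclass
class Policy:
    name: str
    priority: int              # higher fires first
    condition: Condition
    decision: str              # "allow" | "deny"


def _values(cond: Condition, attr: str, domain: Domain) -> FrozenSet[str]:
    return cond.get(attr, domain[attr])


def overlaps(a: Policy, b: Policy, domain: Domain) -> bool:
    """Some request satisfies both conditions."""
    return all(_values(a.condition, k, domain) & _values(b.condition, k, domain) for k in domain)


def subsumes(outer: Policy, inner: Policy, domain: Domain) -> bool:
    """Every request matching `inner` also matches `outer`."""
    return all(_values(outer.condition, k, domain) >= _values(inner.condition, k, domain) for k in domain)


def find_conflicts(policies: List[Policy], domain: Domain) -> List[Tuple[str, str]]:
    """Pairs that can both apply to one request yet decide differently."""
    return [(a.name, b.name) for a, b in combinations(policies, 2)
            if a.decision != b.decision and overlaps(a, b, domain)]


def find_dominated(policies: List[Policy], domain: Domain) -> List[Tuple[str, str]]:
    """(dominated, dominator): the dominator always fires first on every request
    the dominated policy matches, so the dominated policy can never take effect."""
    return [(b.name, a.name) for b in policies for a in policies
            if a is not b and a.priority > b.priority and subsumes(a, b, domain)]


def coverage_gaps(policies: List[Policy], domain: Domain) -> List[Tuple[str, ...]]:
    """Attribute combinations no policy matches (the PDP falls back to its default)."""
    attrs = sorted(domain)
    gaps = []
    for combo in product(*(sorted(domain[k]) for k in attrs)):
        request = dict(zip(attrs, combo))
        if not any(all(request[k] in _values(p.condition, k, domain) for k in attrs) for p in policies):
            gaps.append(combo)
    return gaps


# Constructed sample: two attributes, four policies
DOMAIN: Domain = {"partner": frozenset({"US", "UK", "FR"}),
                  "source": frozenset({"HUMINT", "SIGINT", "OSINT"})}
POLICIES = [
    Policy("deny-sigint", 10, {"source": frozenset({"SIGINT"})}, "deny"),
    Policy("allow-uk", 5, {"partner": frozenset({"UK"})}, "allow"),
    Policy("allow-uk-sigint", 3, {"partner": frozenset({"UK"}), "source": frozenset({"SIGINT"})}, "allow"),
    Policy("allow-us-osint", 5, {"partner": frozenset({"US"}), "source": frozenset({"OSINT"})}, "allow"),
]


def analyse() -> Dict[str, list]:
    return {"conflicts": find_conflicts(POLICIES, DOMAIN),
            "dominated": find_dominated(POLICIES, DOMAIN),
            "gaps": coverage_gaps(POLICIES, DOMAIN)}
```

On the sample set the report says that `allow-uk-sigint` can never fire (it is inside both `deny-sigint` and `allow-uk`, each of which has higher priority), that the UK policies conflict with the SIGINT denial, and that three partner/source combinations are not covered by any policy at all. Coverage is computed by enumerating the domain, which is fine for a handful of enumerated attributes; ranges and large domains need interval arithmetic instead.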
Template Based Authoring

 Usable interface easily navigates users through the phases of the policy lifecycle:
• Authoring
• Analysis
• Negotiation
• Deployment

 Templates provide a structured policy language and yet a natural-language feel

 Administration features:
• Template and attribute authoring
• User and group management
Policy Negotiation System
Multi-Party, Assisted Electronic Agreements

 Support for multiple concurrent sessions
– Each session has a set of participating organizations

 Plug-in architecture to allow customization of each negotiation session with its own:
– Negotiation goal (termination criteria)
– One or more evaluation algorithms
– Turn-taking algorithm
– Offer visibility choice
– Negotiation procedure
– Negotiation termination

[Figure: Negotiation Session Manager hosting sessions; each session plugs in its own offer evaluation, negotiation goal, negotiation termination, turn taking, offer visibility and negotiation procedure components.]
Policy Negotiation System for Coalition Networks

 CWP Policy Negotiation Tool
– Guides the process, incorporates real-time analysis and checks for convergence
– Coalition members can negotiate common, optimized mission policies in real time
– Demonstration for the ISR Sensor Network scenario

ITA Peer Review, Sept. 2010
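A session with the plug-in points named on the two slides above (turn taking, evaluation, goal, termination) and the convergence check, as an added Python example. This is not the CWP Policy Negotiation Tool and not WPML code. The parties, their ideal and reservation values, the linear concession rule and the single number being negotiated (say a shared sensor-video bitrate in kbit/s) are all constructed for the illustration; offers are visible to every participant.

```python
"""Added example (not the CWP Policy Negotiation Tool or WPML code): one
negotiation session with pluggable turn taking, goal and termination.
Parties, values and the concession rule are constructed for the illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence


@dataclass
class Party:
    name: str
    ideal: float          # value the party would most like
    reservation: float    # worst value it will still accept
    turns_taken: int = 0

    def acceptable(self, offer: float) -> bool:
        """Evaluation algorithm: accept anything between ideal and reservation."""
        lo, hi = sorted((self.ideal, self.reservation))
        return lo <= offer <= hi

    def propose(self, horizon: int) -> float:
        """Negotiation procedure: concede linearly from ideal to reservation over
        `horizon` of this party's own turns, then hold at the reservation."""
        self.turns_taken += 1
        frac = min(1.0, self.turns_taken / horizon)
        return self.ideal + (self.reservation - self.ideal) * frac


def round_robin(turn: int, parties: Sequence[Party]) -> Party:
    """Plug-in: turn-taking algorithm."""
    return parties[turn % len(parties)]


def unanimous(parties: Sequence[Party], offer: float) -> bool:
    """Plug-in: negotiation goal (every participant accepts the offer on the table)."""
    return all(p.acceptable(offer) for p in parties)


def run_session(parties: List[Party], horizon: int = 4, max_turns: int = 12,
                pick: Callable[[int, Sequence[Party]], Party] = round_robin,
                goal: Callable[[Sequence[Party], float], bool] = unanimous) -> Dict[str, object]:
    """Drive one session; `max_turns` is the termination criterion if the goal is never met."""
    latest: Dict[str, float] = {}     # last offer by each party (offers visible to all)
    spreads: List[float] = []         # convergence check: gap between the latest offers
    transcript: List[tuple] = []
    for turn in range(max_turns):
        proposer = pick(turn, parties)
        offer = proposer.propose(horizon)
        latest[proposer.name] = offer
        transcript.append((proposer.name, offer))
        if len(latest) == len(parties):
            spreads.append(max(latest.values()) - min(latest.values()))
        if goal(parties, offer):
            return {"outcome": "agreed", "offer": offer, "turns": turn + 1,
                    "converging": True, "transcript": transcript}
    converging = len(spreads) > 1 and spreads[-1] < spreads[0]
    return {"outcome": "failed", "offer": None, "turns": max_turns,
            "converging": converging, "transcript": transcript}


def two_party_demo() -> Dict[str, object]:
    # US wants a high bitrate, UK a low one; the acceptable ranges overlap on [2400, 2800]
    return run_session([Party("US", 4000, 2400), Party("UK", 2000, 2800)])


def three_party_demo() -> Dict[str, object]:
    # FR's range [1000, 1500] is disjoint from US's [2400, 4000]: no agreement is
    # possible, even though the offers keep moving closer together
    return run_session([Party("US", 4000, 2400), Party("UK", 2000, 2800), Party("FR", 1000, 1500)])
```

The three-party run is the case the real-time analysis on the slide exists for: the spread between offers shrinks every round, so a naive convergence check reports progress, yet the session can only end by hitting the turn limit because two acceptance ranges never intersect. Checking the ranges up front (the same overlap test as in policy conflict analysis) is cheaper than waiting for termination.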
Policy-Enabled Network Gateway (PEG)

 Authorization and filtering
– Fine-grain, application-level filtering and authorization
– Data column or row hiding, value altering
– Message rerouting, modification, etc.

 Pluggable protocol support on OSGi
– Protocol/application-specific policies
– OSGi: dynamic, modular, multi-protocol platform
– Pluggable policy resource models
– MQ, JDBC, SIP, …

[Figure: inbound message -> protocol parser (protocol-specific proxy bundle) -> Policy Enforcement Point -> outbound message. The PEP consults a PDP backed by the Policy Repository and a Resource Model; protocol bundles (JDBC, MQ, …) run on OSGi, and the PEG sits at the coalition interoperation boundary.]
Information Federation: GaianDB

 A distributed, federated database approach
– Follows the 'Store Locally, Query Anywhere' paradigm

 Queries are routed to all of the nodes
– Flood query, retrieving only the data required to satisfy a query

 Network of GaianDB nodes established using autonomic discovery of neighbours
– Configuration only required for data sources

[Figure: two views of a network of GaianDB nodes N0 to N11; an SQL query submitted at one node is flooded to its neighbours and onward across the network.]
Coalition Warfare
Program
Policy Controlled Coalition
Information Dissemination
Prepared by
Tien Pham (ARL-SEDD)
Graham Bent (IBM-UK)
Seraphin Calo (IBM-US)
OSD Coalition Warfare Program
COALITION WARFARE PROGRAM (CWP)

 Sponsored by OUSD(AT&L) to facilitate international cooperative technology development that enables more effective full-spectrum coalition operations

 CWP requirements:
• International program agreement
• US COCOM support
• Equitable resourcing
• Excellent transition opportunities
• Leverage ITA research

 The US-UK ITA program satisfies the CWP requirements

Figure 4: Coalition Warfare Approach
ITA CWP Projects

 1st ITA-CWP Project: Sensor & Policy Software Tools & Protocols for Networking of Disparate ISR Assets
• FY09 & FY10
• Support from military programs
• US: Empire Challenge, Networked UGS
• UK: Network Emulator, Base Surveillance & Area OverWatch
• Technology demonstration at Empire Challenge 2010
• Demonstrate interoperability of US, UK and coalition ISR assets for persistent surveillance: US acoustic mortar detection system cueing a surrogate UK imaging sensor
• Demonstrate use of policy for sensor data/information access and dissemination to KSAF and DDRE (US) networks

 2nd ITA-CWP Project: Policy Controlled Information Query & Dissemination
• FY11 & FY12
• Technology implementation at the Intelligence Fusion Centre (in support of NATO) located at RAF Molesworth
• Enhance the PED process for all-source analysts
• Demonstrate policy-controlled distributed federation of disparate intelligence data sources from NATO
Coalition Problem Addressed
Sharing Information among different Coalition Partners

Challenges
 A coalition partner may want to provide limited information to other partners
 A coalition partner may want to limit the type or nature of information its members receive from others
 Information access policies need to be supported transparently
 The burden of policy compliance ought to be shifted from the soldier to the IT infrastructure

Goal
 Demonstrate a system to allow information sharing across coalitions
 Move the policy compliance burden to the IT infrastructure, away from the individual
ITA Gaian Database Concept

Distributed formal policy-based techniques are used to control access to data and the flow of data through the network.

Each node implements policies that can be stored at any other node(s) in the network.

[Figure: a network of Gaian nodes sharing a Policy Repository.]
Implementation of Watson Policy Management Library (WPML) in a Gaian Database Node

[Figure: a Gaian node's managed environment with two Policy Enforcement Points; the Policy Management Tool writes to the Policy Repository, and the Policy Decision Point consults the repository to answer the PEPs.]

Example SPL policy (Imperius syntax) as evaluated by the node's PDP:

// Define resource p of type Properties
Import Class java.util.Properties:p;
// Define a resource authorizer that is used to signal
// allow/deny decisions back to the requesting PEP
Import Class com.ibm.watson.pml.policy.types.IAuthorizer:authorizer;
// Evaluate every policy whose condition holds
Strategy Execute_All_Applicable;
Policy {
  // If the given instance holds more than one property...
  Condition { p.size() > 1 }
  // ...then signal the PEP to allow the action it is controlling.
  Decision { authorizer.allow() }
}:1;
Proposed Program – Year 1
• Demonstration using IFC Data Set
– Develop representative entity extraction rules and
policies at Dstl (Porton Down) using existing
distributed policy mechanism.
– Demonstration at Dstl and ARL
• Demonstration on actual IFC systems
– Configure demonstration system
– Demonstration at IFC (November 2011)
• Enhanced distributed policy mechanisms
– Investigate capabilities of new distributed policy
mechanisms
Proposed Program – Year 2
• Demonstration of enhanced policy
mechanisms using IFC Data Set
– Configure new policy mechanisms at Dstl
(Porton Down) and IFC (April 2012)
– Demonstration on actual IFC systems
• Demonstration across multi-agencies
– Extend demonstration to multi agencies (e.g.
IFC, NC3A) (Oct/November 2012)
IFC Demonstration – Phase 1

Federation of structured and unstructured data sources with distributed coalition policy-based access control and dissemination

[Figure: the IFC node federated with data sources DS1 and DS3, with a Policy Authoring Tool attached to the IFC node.]

Analyst queries for information from any node in the network, no policy applied
With no policy applied – "Find people named 'omar' who are linked to any other person"
The result returns 11 matches from across the distributed databases.

Policy Authoring Tool used to create a new policy restricting access of all users to records derived from SIGINT sources

Tool used to deploy the policy into the network
The policy tool deploys the policy into the local node's policy database table; this is then read by all other nodes through the Gaian Database and implemented at each node.

Analyst queries for information, with the policy restricting access to SIGINT sources now applied
With policy applied – "Find people named 'omar' who are linked to any other person"
The result returns only 3 matches from across the distributed databases once the SIGINT policy is applied.
NOTE: There have been no changes made to the underlying data sources.

Analyst queries for additional information, with the policy restricting access to SIGINT sources still applied
With policy applied – "Find telephone numbers linking named individuals and SIGINT reports that describe the communication"
The result returns a list of phone numbers and associated SIGINT reports from across the distributed data sources.
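The mechanism the demonstration above relies on, a policy written into one node's policy table, read by every node through the federation and enforced at each node on its own rows, together with the row hiding and value altering described on the Policy-Enabled Network Gateway slide, as an added Python example. This is not GaianDB, PEG or WPML code: the node names, the `links` and `policy` table schemas, the two policy actions (`deny_row`, `mask`), the flooding logic and every data row are constructed for the illustration (the phone numbers are fictitious placeholders), and the match counts are those of this toy data, not the 11 and 3 of the IFC demonstration.

```python
"""Added example (not GaianDB, PEG or WPML code): a toy 'store locally, query
anywhere' federation in which a policy stored at one node is read by every node
and enforced on each node's own rows before results leave that node. Node names,
schema, policy-row format and all data are constructed for this illustration."""
import sqlite3
from typing import Dict, List, Optional, Set, Tuple

Row = Dict[str, object]


class GaianNode:
    def __init__(self, name: str, links: List[Tuple[str, str, str, str]]) -> None:
        self.name = name
        self.neighbours: List["GaianNode"] = []
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE links(person_a TEXT, person_b TEXT, phone TEXT, source TEXT)")
        # local policy table: 'deny_row' drops rows where col = value; 'mask' blanks col
        self.db.execute("CREATE TABLE policy(name TEXT, action TEXT, col TEXT, value TEXT)")
        self.db.executemany("INSERT INTO links VALUES (?, ?, ?, ?)", links)
        self.db.commit()

    def connect(self, other: "GaianNode") -> None:
        self.neighbours.append(other)
        other.neighbours.append(self)

    def deploy_policy(self, name: str, action: str, col: str, value: str) -> None:
        self.db.execute("INSERT INTO policy VALUES (?, ?, ?, ?)", (name, action, col, value))
        self.db.commit()

    @staticmethod
    def _enforce(rows: List[Row], policies: List[Row]) -> List[Row]:
        out = []
        for r in rows:
            if any(p["action"] == "deny_row" and r.get(p["col"]) == p["value"] for p in policies):
                continue                      # row hiding
            r = dict(r)
            for p in policies:
                if p["action"] == "mask" and p["col"] in r:
                    r[p["col"]] = "***"       # value altering
            out.append(r)
        return out

    def _flood(self, sql: str, params: tuple, seen: Set[str], policies: Optional[List[Row]]) -> List[Row]:
        """Run the query locally, enforce policy on the local rows, forward to unseen neighbours."""
        if self.name in seen:
            return []
        seen.add(self.name)
        cur = self.db.execute(sql, params)
        cols = [d[0] for d in cur.description]
        rows: List[Row] = [dict(zip(cols, rec)) for rec in cur.fetchall()]
        if policies is not None:
            rows = self._enforce(rows, policies)
        for n in self.neighbours:
            rows += n._flood(sql, params, seen, policies)
        return rows

    def policies(self) -> List[Row]:
        """Union of every node's policy table, fetched through the same flood mechanism."""
        return self._flood("SELECT name, action, col, value FROM policy", (), set(), None)

    def query(self, sql: str, params: tuple = ()) -> List[Row]:
        return self._flood(sql, params, set(), self.policies())


LINKS_SQL = "SELECT person_a, person_b, phone, source FROM links WHERE person_a = ? OR person_b = ?"


def find_links(node: GaianNode, person: str) -> List[Row]:
    return sorted(node.query(LINKS_SQL, (person, person)), key=lambda r: (r["person_a"], r["person_b"]))


def build_network() -> Tuple[GaianNode, GaianNode, GaianNode]:
    """Constructed data: three nodes, seven links involving 'omar', four of them from SIGINT."""
    ifc = GaianNode("IFC", [("omar", "ali", "555-0101", "HUMINT"), ("omar", "sara", "555-0102", "SIGINT")])
    ds1 = GaianNode("DS1", [("omar", "yusuf", "555-0103", "OSINT"), ("omar", "karim", "555-0104", "SIGINT"),
                            ("ahmed", "omar", "555-0105", "SIGINT")])
    ds3 = GaianNode("DS3", [("omar", "lee", "555-0106", "HUMINT"), ("omar", "nadia", "555-0107", "SIGINT"),
                            ("ali", "sara", "555-0108", "HUMINT")])
    ifc.connect(ds1)
    ifc.connect(ds3)
    return ifc, ds1, ds3


def demo() -> Tuple[int, int, Set[str]]:
    ifc, ds1, ds3 = build_network()
    before = len(find_links(ds3, "omar"))                      # no policy: every link to omar
    ifc.deploy_policy("deny-sigint", "deny_row", "source", "SIGINT")
    after = len(find_links(ds3, "omar"))                       # stored at IFC, enforced at DS1 and DS3 too
    ds1.deploy_policy("mask-phone", "mask", "phone", "")
    phones = {r["phone"] for r in find_links(ifc, "omar")}     # PEG-style value altering
    return before, after, phones
```

Two properties worth checking in any real deployment are visible here: the query is issued at DS3 but the SIGINT rows held at DS1 and IFC never leave those nodes, because each node filters before forwarding; and the policy set itself is fetched by flooding, so a node that can write to any policy table in the federation can change what every other node releases. That second point is why the policy table needs the same access control as the data it governs.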
Extending to other agencies – Phase 2

[Figure: the IFC federation (DS1 to DS3) extended to NC3A and a further agency, each with its own data sources (DS4 to DS10) and its own Policy Authoring Tool.]
Contact Details & Disclaimer
Contact Details:
Dr Seraphin B. Calo
Research Staff Member & Manager Policy Lifecycle Technologies
IBM Research Division
T. J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
Tel: +1 914-784-7514
Email: scalo@us.ibm.com
Research was sponsored by the U.S. Army Research Laboratory and the U.K. Ministry of
Defence and was accomplished under Agreement Number W911NF-06-3-0001. The views and
conclusions contained in this document are those of the author(s) and should not be interpreted
as representing the official policies, either expressed or implied, of the U.S. Army Research
Laboratory, the U.S. Government, the U.K. Ministry of Defence or the U.K. Government. The U.S.
and U.K. Governments are authorized to reproduce and distribute reprints for Government
purposes notwithstanding any copyright notation hereon.