Title METHOD AND SYSTEM FOR MANAGING SECURITY POLICIES
Abstract A system and method of managing security policies in an information technologies (IT) system are provided. In an example, the method includes receiving an input indicating a high-level security policy for the IT system, the received high-level security policy relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at an enforcement entity of the IT system. A functional model for the IT system is determined, where the functional model indicates functional system attributes of the IT system. At least one pre-configured rule template is loaded, and at least one machine-enforceable rule is generated in a manner compliant with the received high-level security policy by iteratively filling the at least one pre-configured rule template with functional system attributes indicated by the functional model. After the generating step, the at least one machine-enforceable rule can be distributed (e.g., to an enforcement entity, an Intrusion Detection System (IDS), etc.). In another example, the receiving, determining, loading, generating and distributing steps can be performed at a policy node within an IT system.
Publication number US2016352780(A1) Publication date 2016.12.01
Application number US201615232136 Filing date 2016.08.09
Applicant LANG Ulrich;SCHREINER Rudolf Inventor LANG Ulrich;SCHREINER Rudolf
Classification H04L29/06;H04L29/08 Main classification H04L29/06
Agency Agent
Main claim 1. A method of managing policies in an at least one information technologies (IT) system including at least one policy implementation entity that operates in a user context or organizational context, comprising: (a) receiving, by a processor, a policy input loaded from a data storage or a memory, or entered by a user via a user interface, indicating at least one input policy for the at least one IT system, the received input policy relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at a policy implementation entity of the IT system; (b) determining at least one functional model for the IT system in the received input policy based on which functional system attributes are indicated by the input policy and/or configuration template, the at least one functional model indicating functional system attributes of the user context or organizational context of the IT system; (c) loading at least one pre-configured rule and/or configuration template from a memory to the processor; (d) automatically or semi-automatically generating, by the processor, at least one machine-enforceable rule and/or configuration that is in a ready to implement format in a manner compliant with the received input policy by selecting the at least one pre-configured rule and/or configuration template corresponding to the input policy, and iteratively filling attribute placeholders of the at least one pre-configured rule and/or configuration template with functional system attributes values indicated by the at least one functional model, wherein the at least one machine-enforceable rule and/or configuration, which includes at least one condition and at least one action is an output that is produced by the processor from the received policy input, the at least one functional model, and/or the at least one pre-configured rule and/or configuration template; (e) transmitting the at least one machine-enforceable rule and/or configuration to at least one policy implementation entity of the IT system; and (f) executing the transmitted at least one machine-enforceable rule and/or configuration by the at least one policy implementation entity for implementing the policy input through the IT system, thereby modifying an operation of the processor of the IT system or the policy implementation entity to determine the result of the at least one condition, and executing the at least one action.
Address San Diego CA US
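The generation step described in the abstract and in claim 1(d), as an added illustration that is not the patent's own code: a high-level policy selects a pre-configured rule template, and the template's attribute placeholders are filled iteratively from a functional model to yield condition/action rules. The policy format, the functional model, the template syntax and all addresses below are constructed for this example.

```python
# Added example (not from the patent): template-driven generation of
# machine-enforceable rules from a functional model. All data is constructed.
import re

# Constructed functional model: functional attributes of a small IT system.
FUNCTIONAL_MODEL = {
    "services": {"billing-api": {"host": "10.0.2.15", "port": 8443, "proto": "tcp"}},
    "authorized_clients": {"billing-api": ["10.0.1.0/24", "10.0.3.7"]},
}

# Pre-configured rule templates keyed by policy intent. {placeholders} are
# attribute slots; every rule carries a condition and an action. Templates
# are ordered for a first-match enforcement point (ALLOW before catch-all DENY).
RULE_TEMPLATES = {
    "restrict-to-authorized-clients": [
        {"condition": "src={client} dst={host} dport={port} proto={proto}", "action": "ALLOW"},
        {"condition": "src=any dst={host} dport={port} proto={proto}", "action": "DENY"},
    ]
}
PLACEHOLDER = re.compile(r"\{(\w+)\}")


def generate_rules(policy: dict, model: dict, templates: dict) -> list:
    """Turn a non-enforceable policy such as
    {"intent": "restrict-to-authorized-clients", "service": "billing-api"}
    into enforceable condition/action rules by filling the matching template."""
    service = policy["service"]
    attrs = dict(model["services"][service])          # host, port, proto
    clients = model["authorized_clients"].get(service, [])
    rules = []
    for tmpl in templates[policy["intent"]]:
        names = set(PLACEHOLDER.findall(tmpl["condition"]))
        # Per-client templates are instantiated once per authorized client;
        # templates without a {client} slot are instantiated once.
        variants = [{**attrs, "client": c} for c in clients] if "client" in names else [attrs]
        for values in variants:
            missing = names - values.keys()
            if missing:
                # A rule with an unfilled placeholder is not enforceable: refuse to emit it
                # rather than distribute a malformed rule to the enforcement entity.
                raise ValueError(f"model lacks attributes {sorted(missing)} for {service}")
            rules.append({"condition": tmpl["condition"].format(**values),
                          "action": tmpl["action"]})
    return rules
```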