IT & Wireless Convergence © 2011 IBM Corporation Policy-based Management Technologies Seraphin B. Calo



Agenda

Policy-based Management

Watson Policy Management Library (WPML)

Policy Enabled Systems

– Policy Enabled Network Gateway

– Gaian Database

Policy Controlled Coalition Information Dissemination


Self-Management

A policy is a set of considerations designed to guide decisions on courses of actions.

– Goal or guidelines: System Constraints

– Configuration policies: (Conditioned) Attribute/Value pairs

– Event Condition Action rule

Policy Technologies are essential for self-management

– Allow software to be adapted to different environments

– Provide mechanism for responding to changing conditions

– Capture constraints and best practices

[Diagram labels: Policy Management Tool, Policy Repository, Policy Decision Point, Policy Enforcement Point; flows labelled Policies and Actions]


Watson Policy Management Library

Library built on Open Source Policy Engine
– Imperius – provides base set of functionality and object model

Analysis
– Examines policies for problems

Transformation
– Converts abstract representations of policies (e.g. “excellent service”) to concrete policies (e.g. “bandwidth=100Mhz”)

Deployment
– Send policies to Policy Decision Points
– Sensor Fabric contains 1 or more PDP

Decision Points
– Registry of evaluation points
– Stores policies
– Provides policy decisions

Repositories
– Generalized storage model
– Policies
– Policy Evaluation Points

[Diagram labels: Imperius (Open Source), SPL Parser, Evaluation Engine, Template-based Editor, Policy Management Tool, Sensor Fabric (Policy Enabled), Gaian Database (Policy Enabled)]

[Diagram labels: Extended Policy Capabilities & Components; Policy Metadata, Policy Templates, Policy matching, Repositories, Deployment, Discovery, Evaluation Points, Decision Points, Transformation, NL Editor, Policy Analysis, Syntax, Conflict, Dominance, Coverage]


Template Based Authoring

Usable interface easily navigates users through phases of policy lifecycle:
• Authoring
• Analysis
• Negotiation
• Deployment

Templates provide a structured policy language and yet a natural language feel

Administration features:
• Template and attribute authoring
• User and group management


Policy Negotiation System
Multi-Party, Assisted Electronic Agreements

Support for multiple concurrent sessions
– Each session has a set of participating organizations

Plug-in architecture to allow customization of each negotiation session with its own:
– Negotiation goal (termination criteria)
– One or more evaluation algorithms
– Turn taking algorithm
– Offer visibility choice
– Negotiation procedure
– Negotiation termination

[Diagram labels: Negotiation Session Manager, Session 1, Offer Visibility, Turn Taking, Offer Evaluation, Negotiation Goal, Negotiation Procedure, Negotiation Termination]


Policy Negotiation System for Coalition Networks

CWP Policy Negotiation Tool
– Guides process, incorporates real-time analysis and checks for convergence
– Coalition members can negotiate common, optimized mission policies in real time
– Demonstration for ISR Sensor Network Scenario

ITA Peer Review, Sept. 2010


Policy-Enabled Network Gateway

Authorization and Filtering
– Fine-grain, application-level filtering & authorization
– Data column or row hiding, value altering
– Message rerouting, modification, etc.

Pluggable protocol support on OSGi
– Protocol/application-specific policies
– OSGi: dynamic, modular, multi-protocol platform
– Pluggable policy resource models
– MQ, JDBC, SIP, …

[Diagram labels: Protocol-Specific Proxy Bundle, Inbound message, Protocol Parser, Policy Enforcement Point, Resource Model, PDP, Policy Repository, Outbound message, OSGi, JDBC, MQ, …, Coalition Interoperation, PEG, PEG]


Information Federation: GaianDB

A distributed, federated database approach
– Follows the ‘Store Locally-Query Anywhere’ paradigm

Queries are routed to all of the nodes
– flood query, retrieving only the data required to satisfy a query

Network of GaianDB nodes established using autonomic discovery of neighbours
– configuration only required for data sources

[Figure, four panels: network of GaianDB nodes N0 to N11; panels labelled “SQL Query” and “SQL Queries”]


Coalition Warfare Program

Policy Controlled Coalition Information Dissemination

Prepared by

Tien Pham (ARL-SEDD)
Graham Bent (IBM-UK)
Seraphin Calo (IBM-US)


OSD Coalition Warfare Program

COALITION WARFARE PROGRAM (CWP)

Sponsored by OUSD(AT&L) to facilitate international cooperative technology development that enables more effective full-spectrum coalition operations

CWP Requirement:
• International program agreement
• US COCOM support
• Equitable resourcing

Excellent transition opportunities
• Leverage ITA research

US-UK ITA program satisfies CWP requirements


ITA CWP Projects

1st ITA-CWP Project: Sensor & Policy Software Tools & Protocols for Networking of Disparate ISR Assets
• FY09 & FY10
• Support from military programs
  • US: Empire Challenge, Networked UGS
  • UK: Network Emulator, Base Surveillance & Area OverWatch
• Technology demonstration at Empire Challenge 2010
  • Demonstrate interoperability of US, UK and coalition ISR assets persistent surveillance – US acoustic mortar detection system cueing surrogate UK imaging sensor
  • Demonstrate use of policy for sensor data/information access and dissemination to KSAF and DDRE (US) networks

2nd ITA-CWP Project: Policy Controlled Information Query & Dissemination
• FY11 & FY12
• Technology implementation at the Intelligence Fusion Centre (in support of NATO) located at Molesworth RAF
• Enhance PED process for all-source analysts
• Demonstrate policy controlled distributed federation of disparate intelligent data sources from NATO


Coalition Problem Addressed

Sharing Information among different Coalition Partners

Challenges
– A coalition partner may want to provide limited information to other partners
– A coalition partner may want to limit the type or nature of information its members receive from others
– Information access policies need to be supported transparently
– Burden of policy compliance ought to be shifted from the soldier to the IT infrastructure

Goal
– Demonstrate a system to allow information sharing across coalitions
– Move policy compliance burden to IT infrastructure away from individual


ITA Gaian Database Concept

Distributed formal policy based techniques are used to control access to data and the flow of data through the network.

Each node implements policies that can be stored at any other node(s) in the network

[Diagram label: Policy Repository]


Implementation of Watson Policy Management Library (WPML) in a Gaian Database Node

[Diagram labels: Managed Environment, Policy Management Tool, Policy Repository, Policy Decision Point, Policy Enforcement Point (shown twice)]

    // Define resource p of type Properties
    Import Class java.util.Properties:p;
    // Define a resource authorizer that is used to signal
    // false values to the requesting PEP
    Import Class com.ibm.watson.pml.policy.types.IAuthorizer:authorizer;
    // If the given instance is not empty…
    Condition { p.size() > 1 }
    // Then signal the PEP to allow the action it is controlling.
    Decision { authorizer.allow() }


Proposed Program – Year 1

• Demonstration using IFC Data Set
  – Develop representative entity extraction rules and policies at Dstl (Porton Down) using existing distributed policy mechanism.
  – Demonstration at Dstl and ARL

• Demonstration on actual IFC systems
  – Configure demonstration system
  – Demonstration at IFC (November 2011)

• Enhanced distributed policy mechanisms
  – Investigate capabilities of new distributed policy mechanisms


Proposed Program – Year 2

• Demonstration of enhanced policy mechanisms using IFC Data Set
  – Configure new policy mechanisms at Dstl (Porton Down) and IFC (April 2012)
  – Demonstration on actual IFC systems

• Demonstration across multi-agencies
  – Extend demonstration to multi agencies (e.g. IFC, NC3A) (Oct/November 2012)


IFC Demonstration – Phase 1

[Diagram labels: IFC, data sources DS1 and DS3, Policy Authoring Tool]

Federation of structured and unstructured data sources with distributed coalition policy based access control and dissemination


Analyst queries for information from any node in the network – no policy applied

With no policy applied – “Find people named ‘omar’ who are linked to any other person”

The result returns 11 matches from across the distributed databases


Policy Authoring Tool used to create new policy restricting access of all users to records derived from SIGINT sources


Tool used to deploy policy into network

Policy tool used to deploy policy into local node policy database table – this is then read by all other nodes through Gaian Database and implemented at each node


Analyst queries for information - Policy restricting access to SIGINT sources only is now applied

With policy applied – “Find people named ‘omar’ who are linked to any other person”

The result returns only 3 matches from across the distributed databases with SIGINT.

NOTE: There have been no changes made to the underlying data sources
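The Phase 1 sequence above (a policy is deployed into one node's policy table, every node reads and enforces it, and the same query returns fewer rows while the data is untouched), as an added Python sketch that is not code from the slides, GaianDB or WPML. The names `Node`, `flood`, `permitted` and `federated_query`, the HUMINT/OSINT labels and all rows are constructed, and the policy is read as limiting users to SIGINT-derived records.

```python
from collections import deque

class Node:  # one federated node: local rows plus a local policy table
    def __init__(self, name, rows):
        self.name, self.rows = name, rows
        self.policy_table, self.neighbours = [], []

def link(a, b):
    a.neighbours.append(b)
    b.neighbours.append(a)

def flood(entry):
    """Visit every node reachable from the entry node exactly once."""
    seen, queue = {entry.name: entry}, deque([entry])
    while queue:
        for n in queue.popleft().neighbours:
            if n.name not in seen:
                seen[n.name] = n
                queue.append(n)
    return list(seen.values())

def permitted(policies, user, row):
    """PDP: allow unless an applicable policy limits the user to another source."""
    applicable = [p for p in policies if p["subject"] in ("*", user)]
    return all(row["source"] == p["only_source"] for p in applicable)

def federated_query(entry, user, predicate):
    nodes = flood(entry)
    # A policy deployed into one node's table is read by all nodes.
    policies = [p for n in nodes for p in n.policy_table]
    # PEP at each owning node: rows are filtered before they leave it.
    return [r for n in nodes for r in n.rows
            if predicate(r) and permitted(policies, user, r)]

def build_network():
    """Constructed sample: 3 linked nodes, 11 'omar' rows, 3 from SIGINT."""
    rows = lambda src, k, name="omar": [{"name": name, "source": src}] * k
    n0 = Node("N0", rows("HUMINT", 4) + rows("SIGINT", 1))
    n1 = Node("N1", rows("OSINT", 3) + rows("SIGINT", 1) + rows("SIGINT", 1, "ali"))
    n2 = Node("N2", rows("HUMINT", 1) + rows("SIGINT", 1))
    link(n0, n1); link(n1, n2)
    return n0, n1, n2

def demo():
    n0, n1, n2 = build_network()
    is_omar = lambda r: r["name"] == "omar"
    before = len(federated_query(n0, "analyst", is_omar))
    n2.policy_table.append({"subject": "*", "only_source": "SIGINT"})
    return before, len(federated_query(n0, "analyst", is_omar))
```

`demo()` queries from N0 before and after the policy is appended at N2 only, so the drop in matches comes from enforcement at every node rather than from any change to the stored rows.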


Analyst queries for additional information - Policy restricting access to SIGINT sources only is still applied

With policy applied – “Find telephone numbers linking named individuals and SigInt reports that describe the communication”

The result returns list of phone numbers and associated SIGINT reports from across the distributed data sources


Extending to other agencies – Phase 2

[Diagram labels: data sources DS1 to DS10; agencies IFC, NC3A, ANOTHER; three Policy Authoring Tool boxes]


Contact Details & Disclaimer

Research was sponsored by the U.S. Army Research Laboratory and the U.K. Ministry of Defence and was accomplished under Agreement Number W911NF-06-3-0001. The views and conclusions contained in this document are those of the author(s) and should not be interpreted as representing the official policies, either expressed or implied, of the U.S. Army Research Laboratory, the U.S. Government, the U.K. Ministry of Defence or the U.K. Government. The U.S. and U.K. Governments are authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon.

Contact Details:

Dr Seraphin B. Calo
Research Staff Member & Manager, Policy Lifecycle Technologies
IBM Research Division
T. J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
Tel: +1 914-784-7514
Email: [email protected]


END