Policy-based Management: A Historical Perspective

Raouf Boutaba, Issam Aib
2007 Journal of Network and Systems Management  
This paper traces the history of policy-based management and how it evolved from the first security models dating back to the late 1960s to today's more elaborate frameworks, languages, and policy-based management tools. The focus is on providing a synthesized chronicle of the evolution of ideas and research trends rather than on surveying the various specification formalisms, frameworks, and application domains of policy-based management.

Keywords: policy-based management, networking, policy history.

I. INTRODUCTION

Policy-Based Management (PBM) is a management paradigm that separates the rules governing the behavior of a system from its functionality. It promises to reduce the maintenance costs of information and communication systems while improving flexibility and runtime adaptability. It is today present at the heart of a multitude of management architectures and paradigms, including SLA-driven, business-driven, autonomous, adaptive, and self-* management.

This paper traces the history of policy-based management and how it evolved from the first security models dating back to the late 1960s to today's more elaborate frameworks, languages, and policy-based management tools. The focus is on providing a synthesized chronicle of the evolution of ideas and research trends rather than on surveying the various specification formalisms, frameworks, and application domains of policy-based management. Although the focus is on the chronology of events, we have nevertheless classified the works by functional area of policy in order to highlight those areas and to give a consolidated account of the research efforts conducted over the years.

Section II presents the earliest works on security policy, dating as far back as 1966. Section III begins with the mid-1980s, when policy started to be identified as a management paradigm within the network and distributed systems management community. Section IV relates the activities that emerged in the late 1980s and early 1990s in the use of policy for inter-networking and routing. Section V considers the evolution of policy specification in terms of languages as well as information models. Sections VI and VII trace the recent shift in the community's interest from policy specification to policy refinement techniques; the refinement and analysis problem was first identified in the 1990s.
Section VIII-B relates the recent growing interest of the information systems management community in the optimization of business value [1] and in using policy to design elaborate business-driven, autonomous, and self-managed frameworks. Finally, we conclude with a summary of the collective achievements of the research community and some directions for the future.

II. SECURITY FIRST

The early works on policy emphasized security considerations, first constrained to the single time-sharing mainframe computers of the 1960s, later expanded to individual enterprise boundaries, and then evolved to target multi-network environments. The years from 1972 to 1975 marked a burst of security modeling activity, which followed the security concerns raised by the widespread success of time-sharing technology, the continuously decreasing cost and size of computers, and the spectacular success of computer-security experts such as the "tiger teams" in easily attacking and taking over systems [2].

A security policy defines the (high-level) rules according to which access control must be regulated. Access control is the process of mediating every request to resources and data maintained by a system and determining whether the request should be granted or denied. The access control decision is enforced by a mechanism implementing the regulations established by the security policy. Different access-control policies can be applied, corresponding to different criteria for defining what should and should not be allowed, and to some extent defining different levels of security assurance [3]. A security model implements a security policy by providing a formal representation of the policy and its functions. The formalization allows properties of the security provided by the access control system being designed to be proven.
The security mechanisms further define the low-level (software and hardware) functions that implement the controls imposed by the policy and formally stated in the model [3].

A. Access-control Matrices (1966, 1969)

In 1969, Butler W. Lampson [4], [5] introduced the abstract concepts of protection domains and access-control matrices for shared computer systems. In his model, the essential property of a domain is that it potentially has different access rights from other domains. Objects are shared between domains and are the things in the system that require protection. Typical objects include processes, files, memory segments, terminals, and domains. Access control is assured through an access-control matrix. Each (domain, object) entry in the matrix contains a list of access attributes which define the access rights of that domain to that object. Attributes can take different forms, such as read, write, owner, call, control, etc. Lampson's model, also known as the Access Control List (ACL) model, views the access-control matrix column-wise: each object carries the list of domains and the rights they hold over it. The alternative is to view the matrix row-wise, which is the approach taken by the capability-based access control model: it partitions the access-control matrix by subject rather than by object, so each subject carries the list of objects it may access and in what way. Capabilities were first introduced in 1966 by J. B. Dennis [6] and later elaborated by R. S. Fabry [7] in 1974.

B. Bell-LaPadula model (1973)

The Bell-LaPadula model [8] is considered to be the earliest formal model for data confidentiality through policies. A confidentiality policy prevents the unauthorized disclosure of information. The model was developed by David Elliott Bell and Len LaPadula in 1973 to formalize the United States Department of Defense multi-level security policy. It is a formal state-transition model of computer security policy that describes a set of access-control rules (policies) which use security labels on objects and clearances for subjects.
Security labels range from the most sensitive, e.g., "Top Secret", down to the least sensitive, e.g., "Unclassified" or "Public". The Bell-LaPadula model is built on the concept of a state machine with a set of allowable states in a system. The transition from one state to another is defined by transition functions. A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with the security policy. With Bell-LaPadula, users can create content only at or above their own security level (e.g., "Secret" researchers can create "Secret" or "Top-Secret" files but may not create "Public" files), reflecting the no write-down rule (the *-property). Conversely, users can view content only at or below their own security level ("Secret" researchers can view "Public" or "Secret" files, but may not view "Top-Secret" files), reflecting the no read-up rule (the simple security property).

C. Integrity policies (1977)

In conjunction with confidentiality, an integrity policy describes how the validity of the data items in the system should be maintained from one state of the system to another and specifies the capabilities of the various principals in the system. The first model for integrity policy was proposed in 1977 by Biba [9]. Ten years later, D. Clark and D. Wilson's work "A Comparison of Commercial and Military Security Policy" [10] stimulated further consideration of novel security policies. Clark and Wilson's primary contribution to security policies was the introduction of access triples (user, program, file), where previous work had used pairs (user, file) or (subject, object). The following year witnessed an explosion of Clark-Wilson response papers. In 1989, D. Brewer and M. Nash published "The Chinese Wall Security Policy" [11], abstracting British financial regulations. Its contribution was that a user's free-will choice limits that user's future actions in a non-discretionary way [12]. The multiplicity of these policies, however, was more apparent than real, as is explained in [12].
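The access-control matrix of Section II-A and the Bell-LaPadula rules of Section II-B, as a worked example in Python added here (not code from the paper): the matrix is built once and then projected column-wise into ACLs and row-wise into capability lists, and a Bell-LaPadula check (simple security property, no read-up; *-property, no write-down) is layered over the discretionary matrix, so a request the matrix permits can still be refused by the mandatory policy. The subjects, objects, rights and labels are constructed sample data.

```python
"""Access-control matrix with ACL/capability projections, plus Bell-LaPadula.

Added illustration, not code from the paper. Subjects, objects, rights and
labels below are constructed sample data.
"""
from dataclasses import dataclass, field

# Linear ordering of sensitivity labels, least to most sensitive.
LEVELS = {"Public": 0, "Confidential": 1, "Secret": 2, "Top-Secret": 3}


@dataclass
class AccessMatrix:
    """Lampson-style matrix: rights[(subject, object)] -> set of attributes."""
    rights: dict = field(default_factory=dict)

    def grant(self, subject, obj, *attrs):
        self.rights.setdefault((subject, obj), set()).update(attrs)

    def acl(self, obj):
        """Column view: which subjects hold which rights on one object."""
        return {s: sorted(a) for (s, o), a in self.rights.items() if o == obj}

    def capabilities(self, subject):
        """Row view: which objects one subject may touch, and how."""
        return {o: sorted(a) for (s, o), a in self.rights.items() if s == subject}

    def permits(self, subject, obj, attr):
        return attr in self.rights.get((subject, obj), set())


def blp_allows(clearance, label, mode):
    """Bell-LaPadula mandatory check.
    read : simple security property, no read-up   (clearance >= label)
    write: *-property,               no write-down (clearance <= label)
    """
    c, l = LEVELS[clearance], LEVELS[label]
    if mode == "read":
        return c >= l
    if mode == "write":
        return c <= l
    raise ValueError(f"unknown mode {mode!r}")


def decide(matrix, clearances, labels, subject, obj, mode):
    """Reference-monitor decision: discretionary matrix first, then BLP on top.
    Returns (granted, reason)."""
    if not matrix.permits(subject, obj, mode):
        return False, "denied by access-control matrix"
    if not blp_allows(clearances[subject], labels[obj], mode):
        rule = "read-up" if mode == "read" else "write-down"
        return False, f"denied by Bell-LaPadula (no {rule})"
    return True, "granted"


def build_sample():
    """Constructed sample: two analysts, three files."""
    m = AccessMatrix()
    m.grant("alice", "report.txt", "read", "write", "owner")
    m.grant("alice", "plans.doc", "read", "write")
    m.grant("alice", "notice.txt", "read", "write")
    m.grant("bob", "report.txt", "read")
    m.grant("bob", "notice.txt", "read", "write")
    clearances = {"alice": "Secret", "bob": "Confidential"}
    labels = {"report.txt": "Secret", "plans.doc": "Top-Secret", "notice.txt": "Public"}
    return m, clearances, labels


if __name__ == "__main__":
    m, cl, lb = build_sample()
    print("ACL for report.txt:", m.acl("report.txt"))
    print("Capabilities of bob:", m.capabilities("bob"))
    for req in [("alice", "plans.doc", "read"), ("alice", "plans.doc", "write"),
                ("alice", "notice.txt", "write"), ("bob", "report.txt", "read")]:
        print(req, "->", decide(m, cl, lb, *req))
```

Two outcomes are worth noticing. The matrix grants alice write access to notice.txt, yet the mandatory check refuses it because a "Secret" subject may not write "Public" content, which is exactly the no write-down case the text describes. Conversely, alice may write to plans.doc, which she is not allowed to read: Bell-LaPadula permits this "blind write-up" because it protects confidentiality only, and it is this gap that the integrity models of Section II-C address. Layering the mandatory rules over a discretionary matrix is also faithful to the original model, whose discretionary security property refers to an access matrix of its own.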
The aforementioned security models are now classified as mandatory access control (MAC) policies. These policies enforce access control on the basis of regulations mandated by a central authority.

E. D. Estrin's access control for IONs (1985)

The need for policy in network management was first addressed by Deborah Estrin in 1985 in her access control solution for Inter-Organization Networks (IONs) [13], [14]. An ION is formed when two or more organizations interconnect their internal computer networks. She demonstrates that traditional network design criteria

Curie, Paris, France, in 2002 and 2007 respectively. He is currently a Postdoctoral fellow at the School of Computer Science of the University of Waterloo (Canada), where he has been conducting research on policy-based and business-driven management of networks and distributed systems since 2005. He is the recipient of the best student-paper award of the tenth IFIP/IEEE International Symposium on Integrated Network Management (IM 2007) for his work on the optimization of policy-based management solutions [108].
doi:10.1007/s10922-007-9083-8