An adaptive security policy for a computer system must have the flexibility to meet the security requirements of the organization that fields the system. There are two types of flexibility to consider:
The criteria identified here are not independent of one another; in fact, examining various implementations of adaptive security leads to a series of trade-offs with respect to these criteria. The conclusions that are drawn from the analysis of the four implementations reflect the nature of the dependence of the criteria upon one another.
In the context of adaptive security, the concept of policy flexibility could be measured by the amount of change one is allowed to make and whether the system can enforce an arbitrary new policy. Thus, policy flexibility depends on the number (or lack) of constraints that must be satisfied by the successor policy for a given predecessor policy.
Functional flexibility addresses whether the policy transition is graceful or harsh with respect to the applications that are running at the time of the transition. A harsh transition might be like turning off the power and re-booting the system, whereas a graceful transition may appear seemless to the user and most applications on the system. A harsh policy transition may prevent users from performing necessary, possibly urgent, tasks, rather than allowing them to complete their tasks in an evolving security environment. The ideal is to allow necessary tasks to complete while terminating tasks that are not only disallowed under the new policy, but which represent a security risk in the new environment.
The existence of a mechanism or method of changing policies may introduce security vulnerabilities. In assessing a method of policy adaptation, one must consider the security risks that are inherent in that method. Furthermore, each type of policy transition must be assessed for the relative difficulty of providing formal assurance evidence in support of the policy transition.
Each method of policy transition introduces a measure of complexity into the system. Changing policy may expose the system to certain risks which decrease the stability of the entire system.
The ability to change policies quickly has impact on the needs of the
user for security, functionality, and reliability. A complex hand-off
may allow greater flexibility between policies enforced before and
after the transition, but it may also present greater security risks.
A less complex hand-off may provide performance gains at the expense
of functional grace or flexibility.