Real organizations do not have static security policies. Rather, they have dynamic policies that change, either as a matter of course, or to allow them to react to exceptional circumstances. The computing resources of these organizations must reflect the organization's need for security while affording users the flexibility required to operate in a changing environment.
Any implementation of adaptive security presents its own set of advantages and disadvantages. While this paper compares four methods for implementing adaptive security policies, it is important to keep the needs of the organizations in mind in order to adequately compare implementations of adaptive security. Section 2 outlines some of the possible scenarios requiring adaptive security policies and provides a number of examples of adaptive policies that are useful to the later discussion. Section 3 describes the range of possible implementations for adaptive security given the basic security architecture of the DTOS prototype and provides a brief sketch of the implementations discussed in Section 5. Section 4 provides more background on DTOS, which was used to implement each of the four methods described in this paper. Section 5.1 describes the criteria against which implementations of adaptive security may be measured. The final subsections of Section 5 describe in greater detail the four specific implementations researched at Secure Computing Corporation and evaluate each with respect to the criteria from Section 5.1.