

Criteria for Evaluation

 

An adaptive security policy for a computer system must have the flexibility to meet the security requirements of the organization that fields the system. There are two types of flexibility to consider: policy flexibility and functional flexibility.

However, greater flexibility may come at the expense of security, and the greater complexity required for some types of transitions may also have an impact on the reliability of the system.

The criteria identified here are not independent of one another; in fact, examining various implementations of adaptive security leads to a series of trade-offs with respect to these criteria. The conclusions that are drawn from the analysis of the four implementations reflect the nature of the dependence of the criteria upon one another.

Policy Flexibility

In the context of adaptive security, the concept of policy flexibility could be measured by the amount of change one is allowed to make and whether the system can enforce an arbitrary new policy. Thus, policy flexibility depends on the number (or lack) of constraints that must be satisfied by the successor policy for a given predecessor policy.

Functional Flexibility

Functional flexibility addresses whether the policy transition is graceful or harsh with respect to the applications that are running at the time of the transition. A harsh transition might be like turning off the power and re-booting the system, whereas a graceful transition may appear seamless to the user and most applications on the system. A harsh policy transition may prevent users from performing necessary, possibly urgent, tasks, rather than allowing them to complete their tasks in an evolving security environment. The ideal is to allow necessary tasks to complete while terminating tasks that are not only disallowed under the new policy, but which represent a security risk in the new environment.

Security

The existence of a mechanism or method of changing policies may introduce security vulnerabilities. In assessing a method of policy adaptation, one must consider the security risks that are inherent in that method. Furthermore, each type of policy transition must be assessed for the relative difficulty of providing formal assurance evidence in support of the policy transition.

Reliability

Each method of policy transition introduces a measure of complexity into the system. Changing policy may expose the system to certain risks which decrease the stability of the entire system.

Performance

The ability to change policies quickly has an impact on the needs of the user for security, functionality, and reliability. A complex hand-off may allow greater flexibility between policies enforced before and after the transition, but it may also present greater security risks. A less complex hand-off may provide performance gains at the expense of functional grace or flexibility.






Brian Loe
Tue Dec 9 09:16:53 CST 1997