Modelling Policy Management

My thoughts on policies and its application.

What is policy?
Policy is a Ruling/Law which is created by a centralised ruling body. E.g 'Nobody below the age of 18 years are allowed to enter a pub'.

To whom does the policy apply?
Policy is enforced on the subjects who come under the jurisdiction of the centralised ruling body. E.g 'The centralised ruling body is the US Department Of Justice and whose jurisdiction are the subjects of USA'.

Who creates the policy?
The governing body which introduces these policies to enable them to govern effectively and satisfy the important stake holders. Who are important is a totally context oriented question and we will not go into the discussion now.

Who enforces the policy?
The policy can be enforced by people who are in a situation to enforce the policy. E,g 'A pub owner enforces the above policy by disallowing kids less than 18 years of age in his premises'.

Policy Semantics
Policies are statements with complex meaning hidden beneath the semantics of the statements.

Action and Action Application Scope
Policy Statements can be divided into Action and Action Application scope. For instance "Pay State tax' is an Action and the Action Application Scope could be 'California and Arizona'. Action Application Scope is defined based on an attribute 'Location of Residence'. This translates as subjects whose Location of Residence' attribute is California or Arizona have to pay state tax.

Application Scope Variation
The policy application scope indicated in the above example can be thought of as a static policy scope as it bases itself on a mostly static concept of residence. Though many would argue that residence is not a static attribute as one can relocate to a different location. More static and a chauvinistic attribute would be 'Gender' which except for exceptional scenarios is
mostly static. So the application of policy is strictly related to the subject's attribute and the application would be based on the current value of the attribute.

Contained Set and Application Scope
In this Tax example the policy enforcer is subject himself. Suppose a person is residing in 'los angeles' and he looks up for the action 'Pay State Tax' , and finds the action scope doesnt contain 'los angeles' can he decide that he neednt pay state tax? Obviously not. Here the concept of contained set/inheritance comes into play. The application scope is defined as 'California' and
'Arizona' and all sets contained with in. As 'los angeles' is contained with in California it inherits the policies applied to the container. Here we are using the attribute location to create our containers and placing the subject inside the losangeles , which is inside california , which is inside USA . This specific attribute is hierarchial in nature. We will deal more on application scope later in the blog.


Subject Address
In this tree the subject has a unique address (Adam Singer -Apt 21-Meadows Street-Losangeles-California-USA) to identify himself based on the hierarchial property location. In this categorisation we arent considering the homeless and new born babies with no names.

Non Hierarchial Attributes
Apart from the primary hierarchial attribute there might be additional non hierarchial attributes which would reduce/increase the scope of policy. For instance in the 'Pay State Tax' policy, an additional filter attribute would be his age. Here the attribute is an integer list attribute which typically takes values from 1-200 values. We would discuss the concept of implicit grouping based on hierarchial and non hiererachial attributes later in this blog.

Policy Association Linkage
Suppose two contradicting polcies are applied seperately in parent and grand parent containers (assuming hierarchial attribute classification), which should be applied is matter of concern in policy enforcement. By default the policy application would be based on the policy of the closest ancestor. But the policy linkage could also be provided a specific linkage strength at each level and which ever is the strongest could be applied. Total non overridable policy can be set at an ancestor level such that no child can override the policy. Certain policies can be blocked from inheritance and as a result the application scope ends at that level and is not percolated down till the leaves.

Resultant Set Of Policies
There might be multiple policies which would be enforced on the subjects and if we consider one of them if we were tasked to enumerate the set of policies which are applicable to him, that would be a non trivial execrcise of resolving all the inherited and direct policy clashes and creating a resultant set of policies.

The need for cyber policy?
We have touched briefly upond some fundamental concepts of policies and we would restate them again with a different perspective below.

The goverments ruling nations now are dealing with the greater challenge of Policy Restrictions at the national levels for dealing with increasing crime and terrorists. Similarly Cyber Policy is extremely important in this age of rampant computer terrorism and crime. The connected cyber world is filled with domains and sites containing virtual users and computers as its citizens are ruled by companies. These virtual users , computers and network resources which acts as corporate cyber citizen has to be policed with proper policies to prevent cyber crimes hapenning in their corporate country. Let us see what we need to police the cyber country.

List of cyber citizens who we need to apply Policy on:
We need to have directory or a citizen list in which each policed citizen needs to be listed with the citizen's identifier like social security number. This is reflected as directory services in the cyber world. There are different products which provide directory services.

Policy Maker
There has to be a set of policy makers who discuss and create which policy is beneficial to the country and which is not and they create a set of policies which are meaningful. Then there are local policy makers who make policies for states, clubs etc. These are reflected in the Cyber Policy world in different ways and one of them is the set of proprietary policies provided by Windows OS e.g 'Do not edit registry'. These policies only make sense to Windows applications and kernel, though they derive from a generic set of policy standards which reside in everyone's minds but not standardized. The world will sit together and do that sometime, like SOAP,XML and other such things.

Policy Categories
Then there are different sets of Policies. One set of policies catering to Road Laws, one set catering to home owners, one set catering to company owners. These also have a parallel cyber world as network security policies,desktop organisation policy, installed applications policy...

How are policies published and citizens made aware
These policies are laws which are passed as bills and acts. Some policies are part of budget and some fundamental ones are a part of the constitution. It is assumed that all citizens of a country, by the virtue of them being a part of the country needs to follow this policy. The question which arises is suppose in a country a person is illetrate and doesnt have access to all these laws and constitution does an act contrary to the policy what happens in that case? Should he be punished? These are certain fundamental questions which even now policy makers are struggling with. But cyber policies havent reached such maturity till now. The basic difference between real world and cyber world is that the cyber world necessitates some mechanism by which the cyber citizen gets to know of the policy. In most places the cyber policy is specifically pushed to the cyber citizens through policy publishing software like GPMC. A parallel is when a government passes a bill, they personally deliver the copy of the passed bill or amendment to you. This doesnt happen in the government, but it is more of pull where the citizen on need basis can pull that information from the government. So there is a bit of difference between cyber world and actual world in this case.

How does policy affect citizen's behaviour?
The citizen is not aware of a particular policy before its existence, but once the policy is passed and the citizen is made aware of the policy, how does the citizen change its behaviour to follow the policy. For instance let us take the policy of alchohol prohibition in a state. Once the policy is passed, the citizen reorients his behaviour to not to drink alchohol in that state. This is the remarkable capacity of human mind which makes us learn policies and react to it. Is there a parallel in the cyber environment.Unfortunately the applications arent super intelligent to do dynamic policy learning. The applications have hardcoded logic to modify their behaviour to a predefined set of policies. This is the case for Windows OS and Application. If I bring in a new policy would Windows have the capacity to dynamically learn it and modify the OS behaviour to reflect it? Not really.We are not yet there , but will go in the future. The first step is to create a generic policy schema and a policy standard which the global community will get together and do someday.

Policy Enforcement
This is done by observers who are in the lookout for citizens violating policies and these are police officers or cops. Once it is found that they have violated policy, these citizens are punished appropriately to train their human brains not to violate policy. These are advanced concepts which have limited parallels in the cyber policy world. We will look one by one.

Policy Violation Monitoring
This is done by police using closed circuit televisions, patrol cops, survielance and other means. The monitoring is usually done by understanding what is the aim of the policy and monitoring that aim is achieved. Mostly it is manifested in state of the objects in the world. A particular policy dictates certain desired states, while a violation would mean it has changed into an undesired state. E.g A locker unbroken with cash in it, is changed to a state to a locker broken without cash. These state changes can be monitored to see if the policy is effectively enforced and not violated. This is exactly what can be done using WMI/SNMP by subscribing to the state change events and ensuring that the states do go into an undesirable state. When such a change happens, this can be treated as a violation and appropriate alerts can be raised so that it can be looked into by the system administrators or LAPD.

Policy Violation Auditing
Any law violator's violation would be recorded in the national archives to be looked up later. This could also be used for future Policy Violation Monitoring and Enforcement. In the above section we know when a violation occurs in the cyber world and when such violation occurs we record it in our logs so that in future we can do intelligent monitoring to concentrate more on cyber citizens who have more violation records.

Policy Effectiveness
The government reviews policies to understand whether it is applicable in present circumstance and whether it is efective in getting the desired need. One popular debate is the gun possesion policy. The government wanted to reduce crime and they thought arming citizens with weapons would decrease crime and passes the gun possesion bill. Then they found that this policy has actually not been instrumental in reducing crime and wanted to see how to amend the policy to achieve the objective. Some ways would be to change the application scope of the policy. In relation to cyber world, let us say there is a policy which doesnt allow users to do registry editing as they found that the users screw up their systems by improper registry editing and precious man hours are spent in resolving such screw ups. They implemented this policy to all, but then they found lot of registry change requests from the development arm of the company as they stored thier configuration there. The administrators now ammend their policy to not apply it to the dev arm of the company. This way of measuring policy effectiveness and changing it is an important function and need.

Policy Changes
Some policies are changing due to many reasons and some of which I have detailed above and we bring out amendments and we keep track of all amendments. In cyber world we use the fancy word Policy Change Management or Policy Configuration Management keeping tracks of all policy change versions.

Policy Testing
In certain cases, to gauge the public reaction, a particular policy is enforced on avery limited set of citizens and if succesful is adopted with other citizens. This normally doesnt happen as this will bring out human inequality issues. In cyber world this is done using a test domain or a pilot domain.

Summarising cyber policy management
The virtual citizen in cyber environment, when comparing to the actual citizen is not just the name of the citizen, but his capabilities. The capabilities translates to the capability of the applications he can run on the network resource he is operating on. He runs these applications with his cyber identity. So the applications which the user is using should be aware of cyber policies. But then there is no generic set of cyber policy and also the cyber identity is also varied depending on from where the cyber identity is procured. If the cyber identity is procured from windows domain, then your cyber citizenship makes sense only to windows applications. Morover as there is no generic set of cyber policies defined for the whole of cyber world, hence we need to limit ourselves to the proprietary policies which makes sense to windows platform or any other OS platform. These policies only make sense to applications from Microsoft Area. Third party windows applications can also choose to follow these policies and code it in that manner. But now what happens if windows brings in new policies and how does our policy compliant third party applications learn to follow these new policies like how human do? These are unanswered questions. Infact windows platform itself is a not policy learning platform and the policy interpretation is hardwired and if there are new policies, then new patches needs to be installed to interpret the same. Let us leave dynamic policy learning as a technology for future.

In the present technology, one needs to make each cyber citizen aware of the policies which are applicable to the cyber citizen, and this is done using Policy Publishing software like GPMC of MS.

Then Policy Enforcement is done by the base platform itself and also by Policy compliant application.

Policy Monitoring is done by examining the state of the system the citizen is working on using WMI and other mechanisms so that when there is a change in the system which is not adhering to the policy applicable to the citizen, the policy breach is reported to the centralised policy survielence

Policy Violation Auditing can also be done by recording these violations for future reference.

Policy Effectiveness measuring is not a field which is really matured in the cyber world.

Policy Changes can be tracked through policy change management software.

Policy Testing is also undertaken through a pilot or staging environment.


Windows Implementation of the above principles

Windows Policies
The policies dictated by windows are enforced by windows operating systems and windows applications and application which are written such that they are windows policy aware.E.g 'Do not allow registry editing'

Windows Directory Services
In an organisation which has deployed ADS, the users,computers,printers and other resources are categorized into a hierarchial structure each with a unique address UserId-OrganizationalUnit-Site-Domain-Forest-Root. This hierarchial pseudo location property is extensively used for deciding policy application scope. All the above principles of generic policy management is followed in Windows Policy Management as well.

Windows Policy Application Scope Filters
Certain WMI properties of the computer are used for filtering and also certain security restrictions based on users and user groups can also be applied as a filter for restricting the application scope.

Complex Application Scoping
Windows Policies are modeled on an One Dimensional Hierarchial attribute filtering + One dimensional flat attribute(WMI) + One dimensional set attribute (Security). Suppose if this were modelled on N dimensional(Hierarchial or flat or set) attribute scheme then the application of the same would extremely complicated and challenging. This sort of policy management is needed in certain applications.

Windows Group Policy
Windows Policy Actions are seen by Windows Application and OS in the form of a) Presence of certain Registry Setting b) Secuity Options c) Installed Software Options d) Start,Shut Down,Logon,Logoff Scripts e) Folder Redirection

Third Party Windows Applications - Policy Management
Support Provision for client extensions to provide policy management support for third party user applications is also available. This is one of the key gateways which needs to be exploited by the third party application creators to provide customised policy enforcement. If this approach is taken by third part application providers, then the policy management for these applications becomes easy and gets combined with normal windows policy management. This hasnt been exploited much by any third party application provider.

Group Policy Management Software Companies
These companies have restricted themselves to Windows Policies and Management of these policies. They provide tools for management, staging, testing and migration,RSOP Calculation,Version management. What these companies do is fill the gap left my microsoft to manage their own OS and applications. The issue with such a product is Microsoft after some time will come around and close their gaps. At that time, these products would lose their need. One more major concern is how microsoft implement their policy and policy enforcement is also subject to change and would again cause a big issue for such companies.

What is the future?

Short Term:
Fill Holes and Gaps created by microsoft in their policy management:
- Through client side extensions (Policy Processing Plugins) lock down areas which Microsoft hasnt provided facility to lock down.
- Use GPM as a the primary tool for controlling sofware updates.
- Address more the Mobile and Mostly UnConnected cyber citizens to enforce something like a local offline policy which can be synchronised once in a while when they get connected.

The issue here is Microsoft how the created GPMC will come around and close these gaps and provide a holistic solution in future and when that happens the above efforts will be at risk.

LongTerm:
- Create a set of generic policy standards which can be adopted by any application and which is homegenously extendable.
- Create generic attribute based implict grouping and application scoping instead of letting the administrators create a static hierarchial structure like AD for their management as these typically mirror the organisation structure or geography and might not be the right classification or organisation for applying policies.
- Create generic policy publishing and policy enforcement frameworks on existing Windows Policy Management Framework to be used by third party applications so that it eases the jobs of administrator for administering and controlling thrid party application policy.
- Create fine tuned and intelligent Policy Monitoring and Auditing software
- Create Policy Effectiveness Gauging software using Policy Goal parameters and Policy Goal Data Mining.
- Create Dynamic Policy Learning Softwares