NJCSE - Enterprise Control

PROJECT TITLE:	Enterprise Control
PROJECT ADVISOR:	Naftaly Minsky

Back

Purpose:

An ever-increasing percentage of the activities of a modern enterprise is carried out via computer software, much of it without any direct human intervention. There is an obvious and critical need for ensuring that such activities comply with the various rules or policies, of the given enterprise. Such a policy might specify who can issues certain kinds of purchase orders, for what amount, and under what conditions. Currently such policies are often implemented by forcing all purchase order to go to some centralized agent(s). But this is clearly an unsacalable solution, particularly for widely distributed enterprises. Other relevant policies include monitoring, auditing controlling web traffic, etc. Such policies can be built implicitly into enterprise software, but only if this software is tailor-made for the particular enterprise. However, enterprise software is undergoing a rapid transition from monolithic systems, contructed according to a single overall design, into conglomerates of distributed, semi-autonomous, heterogeneous and independently designed subsystems contructed and managed by different organizations, with litttle, if any, knowledge of one another. It is obviously impossible to build the business rules of a given enterprise into the code of all the disparate components of its conglomerate software.

What is needed is a control mechanism that provides for the policies of an enterprise to be specified explicitly and formally, and to be strictly enforced. There are two additional requirements that must be satisfied by such a mechanism. First, because of the rapidly growing size of the software of many enterprises, the enforcements of enterprise policies must be scalable. Second, because of the diversity and the strucutral complexity of a typical enterprise, the mecanism must support a variety of different policies governing different activities. It is necessary to organize these policies into hierarchies, reflecting the hierarchical structure of the target enterprise. Moreover, one needs to support a process of controlled evolution of the set of poilicies of a given enterprise, throughout the evolutionary lifetime of the enterprise itself.

Approach:

The solution we propose to this problem is based on our concept of law-governed interaction (LGI), developed under three consecutive NSF grants (one of which has been co-sponsored by DARPA). LGI has been conceived as a general and scalable mechanism for the coordination and control of open distributed systems, and has been implemented by means of the moses toolkit, written in Java. Broadly speaking, LGI is a mechanism that allow an open, heterogeneous and evolving group of distributed agents to interact with one another, with confidence that an explicity specified set of rules, called the "law" of the group, is strictly enforced, on each of its members. We have already explored a wide range of applications of LGI. Our experience strongly suggest that LGI is a suitable starting point for solving the problem of enterprise-control. But much remains to be done. In particular, we plan to add the following capabilities to our LGI model:

Provide for hierarchies of laws, in order to support the hierarchy of policies that govern a given enterprise.
Provide for the composition of unrelated laws, allowing the policies of two enterprises to interoperate via a third policy, that defines the contract between them.
Provide for regulated, on-line update of laws. Such an update is necessary when the activity regulated by the law cannot be stopped.

Status:

A Scalable Mechanism for Enterprise-Wide Access Control

Conventional approach to distributed access-control (AC) is generally server-centric. It provides an individual server with the ability to regulate access to its own resources and services, but it does not address the need of an enterprise to ensure that all servers performing a common task employ and enforce a common AC policy. The need for such an enterprise-wide, or ``communal,'' AC policy can be illustrated with the following example.

Consider a large hospital that has several heterogeneous servers for patient-records, maintained by various departments, labs, and outpatient units distributed throughout the hospital. These servers are generally not free to choose their own AC policy. Rather, they are likely to be subject to a hospital-wide policy, specifying such things as the access privileges of clients playing roles such as doctors and nurses, and the types of certificates that clients need to exhibit to authenticate themselves as doctors and nurses. Analogous need for communal AC policies exists in many other applications. For example, an intra-enterprise web may be subject to an enterprise-wide policy regarding who should be allowed to see and update which information. And, as is well known, the multitude of firewalls guarding a given distributed enterprise need to observe a coherent enterprise-wide policy, if the enterprise is to be well guarded.

The goal of this work is a mechanism that can establish (formulate and enforce) a wide range of enterprise-wide policies, governing the interaction of large and heterogeneous communities of agents. This mechanism is to satisfy the following requirements:

policies need to be formulated explicitly---rather than being implicit in the code of the agents involved---and they should be enforced by means of a generic, broad spectrum mechanism;
the enforcement needs to be completely decentralized, for the sake of scalability; and
the deployment of a policy needs to be easy and incremental, exacting no cost from agents and activities not subject to it.

Related Publications: