Define ‘policy,’ Part 1

Sep 06, 2004

How the IETF defines ‘policy’

When last we met (in a virtual sense, that is), I had asked your help in defining “policy” so that it no longer was the ambiguous term – used by those of us in the identity management arena, those in the security camp and those with an application or service to sell who want to latch onto the latest buzzword – with so many meanings that it really had no meaning. I knew I could count on you to come through, and you did.

One suggestion which came up repeatedly resolves itself to: don’t change anything. The argument is that there are so many different people with an ax to grind that consensus is impossible. If we in identity management try to seek a consensus definition we won’t succeed because no one else will accept our consensus. Thus we lose precision with no gain in understanding.

What we risk, of course, is that others will misunderstand what we mean, to our detriment. To avoid that we would need to define the term almost every time we use it, especially to those outside the identity management discipline – those who more and more are making the identity management decisions.

While the premise (that getting everyone to agree on a definition is impossible) is most likely true, I’m not sure the conclusion (that we stick to our own definition) is the best answer.

Some others pointed me towards the IETF’s RFC 3198, “Terminology for Policy-Based Management.”

This RFC was co-authored by John Strassner, formerly of Cisco, who almost single-handedly created what became known as Directory-Enabled Networking (DEN). For this feat I awarded him the Wired Windows Networking MVP award for 1998. Strassner’s book, “Directory Enabled Networks,” is now, sadly, out of print but might still be found in a good used technical bookstore. More than a chapter was devoted to DEN’s policy model. This all led to the need for a vocabulary, a terminology, a taxonomy for discussing policy. The RFC was the natural outcome of this need. One of the terms the RFC defines is, of course, “policy.” This is what it says:

“‘Policy’ can be defined from two perspectives:

–  A definite goal, course or method of action to guide and determine present and future decisions. ‘Policies’ are implemented or executed within a particular context (such as policies defined within a business unit).

–  Policies as a set of rules to administer, manage, and control access to network resources [RFC3060].

Note that these two views are not contradictory since individual rules may be defined in support of business goals.”

The reference to “RFC3060” is to a document (also co-authored by Strassner) describing an object-oriented information model for representing policy information. John spent a long time at Cisco, and we can see that his thinking in terms of “policy” was heavily influenced by the security usage of that word he encountered at the network hardware company. Still, the second definition, “Policies as a set of rules,” ties in neatly with another very good response I received and which we’ll get to in the next issue.
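To make the second perspective concrete, here is a small worked illustration of “policy as a set of rules” controlling access to a resource. It is an added example written for this column, not code from the IETF or from either RFC; it borrows the RFC 3060 vocabulary (rules with conditions and actions, collected into a policy group) but every class name, attribute name and sample request below is an assumption chosen for the illustration. The business goal it encodes, “only finance staff may read finance data, and contractors never may,” is the first perspective (a goal); the two rules are the second (rules in support of that goal), which is exactly the point RFC 3198 makes about the two views not being contradictory.

```python
"""Policy as a set of rules: an added illustration, not the IETF's or any
product's implementation. Class and attribute names follow the RFC 3060
vocabulary loosely (PolicyRule, PolicyGroup, conditions, actions) but are
assumptions made for this example, as is the sample data in the tests."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# A request is a flat set of attributes about the subject, resource and operation.
Request = Dict[str, str]
Condition = Callable[[Request], bool]


@dataclass
class PolicyRule:
    name: str
    conditions: List[Condition]   # every condition must hold for the rule to match
    action: str                   # "permit" or "deny"
    priority: int = 0             # higher priority wins when several rules match

    def matches(self, request: Request) -> bool:
        return all(cond(request) for cond in self.conditions)


@dataclass
class PolicyGroup:
    name: str
    rules: List[PolicyRule] = field(default_factory=list)
    default_action: str = "deny"  # fail closed: no matching rule means no access

    def matching_rules(self, request: Request) -> List[str]:
        """Names of the rules that apply to this request (useful for audit logs)."""
        return [r.name for r in self.rules if r.matches(request)]

    def decide(self, request: Request) -> str:
        matched = [r for r in self.rules if r.matches(request)]
        if not matched:
            return self.default_action
        # Highest priority wins; among equal priorities an explicit deny beats permit.
        matched.sort(key=lambda r: (r.priority, r.action == "deny"), reverse=True)
        return matched[0].action


def attr_is(key: str, value: str) -> Condition:
    return lambda req: req.get(key) == value


def attr_in(key: str, values) -> Condition:
    return lambda req: req.get(key) in values


def build_finance_policy() -> PolicyGroup:
    """The business goal 'only finance staff may read finance data, and
    contractors never may', written as rules. Resource and attribute names
    are assumptions for the example."""
    return PolicyGroup("finance-data-access", rules=[
        PolicyRule("finance-staff-read",
                   [attr_is("resource", "finance-db"),
                    attr_is("business_unit", "finance"),
                    attr_in("operation", {"read", "report"})],
                   "permit", priority=10),
        # Deny outranks the permit above by priority, so a finance-unit
        # contractor is still refused.
        PolicyRule("no-contractors",
                   [attr_is("resource", "finance-db"),
                    attr_is("employment", "contractor")],
                   "deny", priority=20),
    ])


if __name__ == "__main__":
    policy = build_finance_policy()
    # Constructed sample request, not real data.
    req = {"subject": "alice", "business_unit": "finance",
           "employment": "employee", "resource": "finance-db", "operation": "read"}
    print(policy.decide(req), policy.matching_rules(req))
```

The default of `deny` when nothing matches is the property a security engineer would check first in any rule-based policy: a goal that is only partly translated into rules should fail closed, not open. The `matching_rules` list is what you would write to an audit log alongside the decision, so that a denial can be traced back to the rule, and from the rule to the business goal it serves.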