In order to control the management, protection and distribution of sensitive information, an organization defines a security policy and implements the policy through various laws, rules and practices. A security policy has several objectives. First, a security policy strives to maintain the confidentiality of the sensitive information by protecting the information from improper disclosure to unauthorized users. Second, a security policy seeks to maintain the integrity of the information by ensuring that users do not modify data to which they are not authorized and authorized users do not corrupt the information by improper operations. Finally, the policy seeks to minimize any burden on the availability and accessibility of the information to authorized users incurred as a result of the policy.
In a computing environment, an operating system controls access to resources such as files and network devices. Often a policy engine, also referred to as a security server, is used in conjunction with the operating system and calculates permissions to the resources based on the organization's security policy. Therefore, the policy engine must reflect the policies of the organization. This is often difficult because organizational policies change over time due to unforseen events such as organizational restructuring, formation of new alliances, and the onset of emergency situations. Implementing a policy engine in a computing environment is further complicated by the fact that organization policies often change during normal operations. For example, some organizations, such as banks, have different security policies for business hours than for evenings and weekends. Conventional policy engines are static and are unable to adapt to organizational policy changes. For the reasons stated above, and for other reasons stated below which will become apparent to those skilled in the art upon reading and understanding the present specification, there is a need in the art for an adaptive security system which can readily adjust to organizational policy changes. Furthermore, there is a need for a security system which can dynamically implement new security policies and terminate out-of-date policies.