Model Driven Security

This blog is a community forum for discussions and latest news related to Model Driven Security, Model Driven Architecture Security, secure MDA. Comments are welcome. Model driven security is highly relevant in agile, complex, distributed IT environments. The aim of this blog is to advance the state of research in this area through exchange of ideas.

Tuesday, 7 July 2009

Upcoming Webinar with Intalio: Securing Agile Process-Led Applications with OpenPMF for Intalio BPMS

Organizations today need to meet increasingly demanding security and compliance requirements, while software applications and business processes get ever more complex and agile (e.g. Service Oriented Architecture, Business Process Modeling). According to industry analysts, most security products in use today focus on the network layer, while the majority of cyber attacks today exploit vulnerabilities on the application layer. Application security and a secure development process are therefore a critical element of any security strategy. However, application security is often not dealt with effectively due to time and cost pressures, especially in the current economic climate.

In this webinar, you will learn:
1) application security challenges and solutions
2) agile SOA security challenges and solutions
3) aspects and stages of the secure development lifecycle (including policy abstraction, externalization, authoring, automation, enforcement, monitoring, and verification)
4) how OpenPMF can be used to protect and monitor agile applications with minimal effort by automatically generating technical security policies for your applications and processes from intuitively captured security & compliance requirements.
5) how the newly packaged version of the award-winning OpenPMF 2.0 application security automation product (www.openpmf.com) can be used in action for Intalio BPMS (www.intalio.com), the leading open-source-based Business Process Modeling (BPM) application automation vendor.

Date: Monday July 20, 2009
Time: 9:00 AM PST (12:00 PM EST, 5:00 PM GMT, 6:00 PM CET)
To Register: www.objectsecurity.com/en-contact-webinar.html

Wednesday, 24 June 2009

Model Driven Security Accreditation (MDSA)

Exciting news! Model Driven Security is now applied to assurance accreditation for agile IT landscapes.

Challenge
Assurance accreditation of agile, interconnected IT landscapes is a great challenge, and is currently often cited as one of the show-stoppers for the adoption of modern IT architectures (e.g. SOA) in mission critical domains.

Solution
ObjectSecurity’s patent-pending Model Driven Security Accreditation (MDSA) approach automates large parts of the compliance and assurance accreditation management processes (e.g. Common Criteria). The benefits of MDSA are most significant for agile, interconnected IT “systems of systems” that are model-driven (potentially also business process-driven). MDSA automatically analyses and documents two main aspects:
  1. Does the actual security match with the stated requirements?
  2. Do any changes impact the current accreditation?

Definition
Model Driven Security Accreditation (MDSA) enables “agile accreditation” in a way that is cost-effective, low-effort (i.e. partly automated), and reliable / traceable. MDSA especially enables agile accreditation for agile, interconnected IT landscapes based on model-driven, process-led application development and deployment approaches, and on standard middleware and runtime platforms (e.g. SOA). MDSA allows the automated, formalised assignment of “undistorted” Common Criteria assurance requirements to IT landscape specific technical assurance control objectives in functional system specifications. Both are expressed as formalised models and are automatically and traceably matched.
Using model-driven security (MDS), the technical assurance control requirements are then automatically transformed into concrete technical IT enforcement & monitoring at runtime. In addition, the traceable correspondence between technical security implementation and the information assurance requirements is analysed and checked. MDSA also documents Common Criteria “supporting evidence” based on all available design-time system / security models, system / security artefacts, system / security model transformations, and runtime system / security incident logs.
Furthermore, MDSA enables the automated analysis of whether changes to or newly discovered knowledge about an agile IT landscape impact its security properties, and whether the accreditation is still valid. The goal of MDSA is to automatically check whether IT systems security meets its assurance accreditation requirements, and to check the impact of changes (incl. system, security, requirements, newly discovered vulnerabilities) on the accreditation. Based on so-called “change policies”, MDSA decides whether particular system re-configurations are within scope of the current accreditation (thus enabling a level of IT agility) or whether manual corrections and re-accreditation are required.
MDSA also makes it possible to assess the impact of newly discovered security vulnerabilities, e.g. weaknesses in crypto algorithms or buffer overflows in libraries, on one system or multiple systems as part of an Accreditation Management System (AMS), a central database of fine-grained accreditation information. If manual re-accreditation is required, MDSA also acts as a decision support tool.

Current State
A ~80 page concept exploration study has been produced for the UK Ministry of Defence, and a scientific paper is being submitted for publication. MDSA is currently at the prototype stage. Please contact ObjectSecurity if you are interested in further information about the OpenPMF MDSA prototype or the study.

Wednesday, 11 March 2009

New Analyst Coverage for Model-Driven Security

IT analyst firm Gartner has today again raised awareness of model-driven security in Tom Scholtz's report "No More Dr. No: Developing a Strategy for Business-Aligned Information Security" (10 March 2009, ID:G00166010), which advocates that rather than simply saying no to new technology, effectively aligning information security practices with business strategy results in optimized security efforts and investments. "Such business alignment requires a multifaceted strategy." The report recommends that businesses "... investigate the potential benefits of modeling-based policy automation. Such technology solutions support the development, implementation and management of security policies that are inherently integrated into the business requirements modeled during IT service solution design." You can find further information about model-driven security (+ model-driven compliance, model-driven security accreditation) and about ObjectSecurity's OpenPMF product at www.objectsecurity.com.

Friday, 5 December 2008

Ecosystem for model-driven security is getting ready

Many vendors provide model-driven tools today, incl. business process management (BPM), model-driven engineering/development (MDE/MDD), model-driven integration (MDI), enterprise architecture (EA) etc.
Process-led SOA orchestration and model-driven code generation or service integration are also a reality today, and big vendors such as Microsoft have announced that they will release these features in their mass-market software development tools.
This is great news for model-driven security, which ties into model-driven tools in order to automatically and traceably produce fine-grained, contextual security policies.
The fact that mainstream tools are available and in use today enables shrink-wrapped, push-of-a-button model-driven security to be added to such model-driven tools - ObjectSecurity has just produced such a shrink-wrapped security policy generator for Intalio BPMS and their OpenPMF model-driven security technology.
SOA security, and specifically security policy management for SOA, are also being closely examined, and model-driven security has been identified as a great solution.
So everything is finally coming together in the mass market - watch this space!

Thursday, 30 October 2008

Revisited: Aligning business and IT security

Well, ok, there are a number of useful best practice guidelines for information security management, e.g. ISO 27000 family, COBIT, ISMS, ITIL, which help communicate the processes and requirements to management, select controls, and measure success. So far, so good. However, these documents are so business-centric that IT security enforcement does not simply "fall out at the bottom".
But beware: What ultimately matters is not the documentation produced, but the actual enforcement across your information systems. Real-world attacks are obviously not thwarted with documents!
Today, mapping the requirements from the produced documents down to concrete IT enforcement (and bringing measurements back up) is typically done in a pretty ad-hoc way. The focus is primarily on what the management wants to (not) see, rather than on what matters.
Model-driven security (e.g. OpenPMF), tied into an overall security management methodology, can help close (parts of) this gap in a traceable, runtime, automatic way - therefore model-driven security should be a critical element of effective "business-driven compliance management".

Why "business process-led" model-driven security is useful

You may have seen that ObjectSecurity released a beta for OpenPMF with Intalio BPMS that supports "business process-led" model-driven security (for BPMN). This feature will form part of the new OpenPMF 3.0 release planned for Q1/2009. Why are business processes so relevant for security policies? Simply because the workflow context is a powerful contextual element of a fine-grained security policy. For example, an e-shop can block access to their bank's credit card charging facility for any access except at the specific step in the business process workflow when the access should be granted. Control is therefore much more fine-grained and contextual than for example role-based or label-based access control. Research (e.g. here) has focussed around the addition of security to business processes for a while, and this feature is now implemented (in beta) in OpenPMF for Intalio's open source BPMS.
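
The e-shop example above, sketched as a policy decision function next to a role-only check. This is an added illustration, not OpenPMF or Intalio code; the process steps, the `shop_backend` role, the `bank_gateway` resource and the `ProcessInstance` structure are all assumptions made for the sketch.

```python
from dataclasses import dataclass

# Hypothetical order process; step names are assumptions for this sketch.
ORDER_PROCESS = ["basket", "checkout", "charge_card", "ship"]

@dataclass
class ProcessInstance:
    """Workflow state held by the process engine, never supplied by the caller."""
    order_id: str
    step: str = "basket"

    def advance(self) -> None:
        i = ORDER_PROCESS.index(self.step)
        if i + 1 < len(ORDER_PROCESS):
            self.step = ORDER_PROCESS[i + 1]

# (resource, operation) -> (required role, the only step in which access is allowed)
POLICY = {("bank_gateway", "charge"): ("shop_backend", "charge_card")}

def rbac_decide(role, resource, operation):
    """Role-only check, for comparison: workflow state is ignored."""
    rule = POLICY.get((resource, operation))
    return rule is not None and role == rule[0]

def workflow_decide(role, resource, operation, order_id, instances):
    """Permit only if the role matches AND the order's process is at the allowed step."""
    rule = POLICY.get((resource, operation))
    if rule is None:
        return False  # default deny for anything the policy does not model
    required_role, required_step = rule
    inst = instances.get(order_id)
    if inst is None:
        return False  # no running process for this order, so nothing to charge
    return role == required_role and inst.step == required_step

def demo():
    # Walk one constructed order through the process, asking both checks at each step.
    instances = {"o-1": ProcessInstance("o-1")}
    results = []
    for _ in ORDER_PROCESS:
        inst = instances["o-1"]
        results.append((inst.step,
                        rbac_decide("shop_backend", "bank_gateway", "charge"),
                        workflow_decide("shop_backend", "bank_gateway", "charge",
                                        "o-1", instances)))
        inst.advance()
    return results

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The role-only check permits the charge at every step, while the workflow-aware check permits it only while the order is at `charge_card`, which is the narrowing the post describes.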

Saturday, 18 October 2008

Model-driven security needs to be cross-platform

Another observation we made over the last couple of years is that there will most likely be no "one size fits all" technology platform (e.g. middleware) in today's large, complex IT environments. A plethora of platforms (e.g. web services, JMS, CORBA, CCM, DDS) will probably be used, potentially orchestrated using some BPM technology (e.g. BPMN/BPEL) or model-driven integration (MDI) technology.
As a result, model-driven security needs to be able to ensure correct policy generation and enforcement for all these platforms.
OpenPMF supports policy enforcement for a large number of enforcement points, including web services, JMS, CORBA, CCM, DDS. XACML is also supported to ensure the emerging SOA enforcement landscape can be supported.
Push-button policy generation using model-driven security from a single place is possible only if enforcement is supported cross-platform.