Model Driven Security Policy Automation

On this blog, ObjectSecurity co-founder and CEO Ulrich Lang discusses security policy automation and model-driven security. The aim of this blog is to advocate advance the state of the art in this area through exchange of ideas. www.modeldrivensecurity.org - www.policyautomation.org - www.objectsecurity.com

Saturday, 17 March 2007

Model driven architecture and SOA assurance

Model driven engineering and SOA seem to complement each other very well. SOA enables horizontal decoupling of services (the issues of that are discussed on our other blog www.trustedsoa.org), and MDA enables horizontal decoupling (of models from implementations). Now this is obviously an oversimplification, but a nice upcoming architectural idea.
Security plays an important role here, and it is currently still a bit unclear to many how security can be defined and enforced in a manageable way. Of course there are webservices security specifications, but those (at least the ones that work in real-world products today) only deal with the protocol layer, which is the easy bit.
The harder bit is how to define and enforce policies for agile SOA-style enviroments. We at ObjectSecurity believe that model driven security (MDS) can help here because it allows to generate security policies for agile systems from a stable model.
But securing SOA is only one application of this useful concept...