Model Driven Security Policy Automation

On this blog, ObjectSecurity co-founder and CEO Ulrich Lang discusses security policy automation and model-driven security. The aim of this blog is to advocate advance the state of the art in this area through exchange of ideas. - -

Thursday, 15 February 2007

Welcome & Introduction

On this blog we will discuss model driven security. Please feel free to comment.

Defining security policies for complex, large IT environments is a difficult, cumbersome, and error-prone task. This is in particular the case for agile IT environments such as highly distributed component based systems and Service Oriented Architecture (SOA). We have shown that model-driven security, which allows the generation of security policies from the application models, helps build and maintain secure, agile IT environments.

Today software modelling is the accepted best-practice approach for developing flexible and reusable software applications where abstract application models are turned into software using a modelling toolchain. The OMG Model Driven Architecture (MDA) is the leading standard framework for software modelling. The ObjectSecurity/Fraunhofer FOKUS SecureMiddleware includes a full MDA development toolchain.
Why not apply the same logic to security and automatically generate security policies and high assurance from the application models? This way, you can be confident that the deployed system matches the models, and that you have not forgotten any security policy aspects.
And most importantly, you can reconfigure and redeploy your (possibly distributed) applications by simple changes in the model - the underlying software and security policies will be automatically matched to your models through the automatic MDA and SecureMDA tool chains.

This approachhas been showcased by ObjectSecurity (with their SecureMiddleware partner Fraunhofer FOKUS) in their SecureMDA technology.

Any comments on model driven security are greatly appreciated.