Model Driven Security Policy Automation
Friday, 5 December 2008
Process-let SOA orchestration and model-driven code generation or service integration is also a reality today, and big vendors such as Microsoft have announced that they will release these features in their mass-market software development tools.
This is great news for model-driven security, which ties into model-driven tools in order to automatically and traceably produce fine-grained, contextual security policies.
The fact that mainstream tools are available and in use today enables shrink-wrapped, push-of-a-button model-driven security to be added to such model-driven tools - ObjectSecurity has just produced such a shrink-wrapped security policy generator for IntalioBPMS and their OpenPMF model-driven security technology.
SOA security, and specifically security policy management for SOA are also being closely examined, and model-driven security has been identified as a great solution.
So everything is finally coming together in the mass market - watch this space!
Thursday, 30 October 2008
But beware: What ultimately matters is not the documentation produced, but the actual enforcement across your information systems. Real-world attacks are obviously not thwarted with documents!
Today, mapping the requirements from the produced documents down to concrete IT enforcement (and bringing measurements back up) is typically done in a pretty ad-hoc way. The focus is primarily on what the management wants to (not) see, rather than in what matters.
Model-driven security (e.g. OpenPMF), tied into an overall security management methodology, can help close (parts of) this gap in a traceable, runtime, automatic way - therefore model-driven security should be a critical element of effective "business-driven compliance management".
Saturday, 18 October 2008
As a result, model-driven security needs to be able to ensure correct policy generation and enforcement for all these platforms.
OpenPMF supports policy enforcement for a large number of enforcement points, including web services, JMS, CORBA, CCM, DDS. XACML is also supported to ensure the emerging SOA enforcement landscape can be supported.
Push-button policy generation using model-driven security from a single place only if enforcement is supported cross-platform.
Lang U., Schreiner R., "Managing business compliance using model-driven security management", in Pohlmann N., Reimer H., Scheiner W. (editors), Proceeedings ISSE 2008 Securing Electronic Business Processes - Highlights of the Information Security Solutions Europe 2008 Conference, Vieweg + Teubner, ISBN 978-3-83480660-4, Edition 2009
Abstract: Compliance with regulatory and governance standards is rapidly becoming one of the hot topics of information security today. This is because, especially with regulatory compliance, both business and government have to expect large financial and reputational losses if compliance cannot be ensured and demonstrated. One major difficulty of implementing such regulations is caused the fact that they are captured at a high level of abstraction that is business-centric and not IT centric. This means that the abstract intent needs to be translated in a trustworthy, traceable way into compliance and security policies that the IT security infrastructure can enforce. Carrying out this mapping process manually is time consuming, maintenance-intensive, costly, and error-prone. Compliance monitoring is also critical in order to be able to demonstrate compliance at any given point in time. The problem is further complicated because of the need for business-driven IT agility, where IT policies and enforcement can change frequently, e.g. Business Process Modelling (BPM) driven Service Oriented Architecture (SOA). Model Driven Security (MDS) is an innovative technology approach that can solve these problems as an extension of identity and access management (IAM) and authorization management (also called entitlement management). In this paper we will illustrate the theory behind Model Driven Security for compliance, provide an improved and extended architecture, as well as a case study in the healthcare industry using our OpenPMF 2.0 technology.
We are pleased that the papers from the MODSEC 2008 (Modeling Security Workshop) are now also available online here (CEUR Workshop Proceedings),
Please contact us if you have any products or publications you would like to see covered in this blog.
Saturday, 20 September 2008
Please click here www.secure-soa.info to take the 5 minute survey, and get involved in the email group, wiki, and report!
Tuesday, 2 September 2008
Model-driven security is a critical aspect ofthis vision because - in line with the overall vision - it allows 1) business security requirements to be defined, 2) these requirements automatically transformed into IT-centric security rules, 3) automatically enforce the rules across the IT landscape, and 4) demonstrate compliance to the business.
The result is a closed loop from the business to IT and back to the business. The benefits include: enable IT/business agility, save cost, improve security, and of course align business and IT security.
Analyst firms forecast the mainstream for model-driven, process-led approaches within 5 years, and model-driven security is set to piggyback onto that adoption. So it is time to look into it now. Feel free to read our white paper at http://www.openpmf.com/.
Wednesday, 7 May 2008
Unfortunately security typically gets overlooked, and traditional security tools are deployed and configured (e.g. manually configured policies set in app servers, IAM systems etc.). The result is a system that is almost as stove-piped as before. ObjectSecurity calls this problem "security stove-piping".
Model driven security as a security management approach enables agility and security, and is therefore a critical ingredient in the SOA security mix. Contact ObjectSecurity if you would like to discuss this further.
Today's authorization management solutions (sometimes called "entitlement management") tackle the problem by simply putting all the complexity into a single place (the Policy Access Point, PAP). By and large the rules in the central manager are still at the same semantic level and complexity as the rules that are spread across the IT environment if no authorization management is used. This is clearly not a significant reduction of complexity.
(By the way, identity management does not actually cover this problem very well, as it is pretty much concerned with managing identities and less with the management of fine-grained, expressive, maybe context-sensitive authorization policies).
In summary, today's authorization management makes the problem evident, rather than solving it.
What today's vendors are good at is solving the policy interoperability challenge: XACML is a webservice standard for exchanging authorization policy information, and vendors include ObjectSecurity, Cisco, CA, etc.
Model driven security is concerned with solving the complexity challenge: It lets you manage simple, business-driven security policies, and generates the 100,000's of rules for the particular deployment automatically. Sounds like magic, but it is not. Contact ObjectSecurity, the leading model driven security vendor if you would like to learn more.
So in summary: authorization management is necessary but not sufficient.
Sunday, 20 April 2008
Press Release ObjectSecurity Named "Cool Vendor" by Leading Analyst Firm
(Cambridge/UK – 04 April 2008) – ObjectSecurity, the leading solutions provider for Model Driven Security Management and secure information sharing in mission-critical industries such as air traffic control, today announced that Gartner, Inc., the world's leading information technology research and advisory company, has named ObjectSecurity in its "Cool Vendors in Application Security and Authentication, 2008”. The April 04, 2008 report was written by Ray Wagner, Joseph Feiman, Neil MacDonald, Arabella Hallawell, Ant Allan, and Gregg Kreizman. According to the report, vendors selected for the "Cool Vendor Report" are innovative, impactful and intriguing.
"We are honored to be included, which we believe is recognition by the world's leading information technology research and advisory company, Gartner," said Dr. Ulrich Lang, CEO and co-founder of ObjectSecurity.
About OpenPMF 2.0 - OpenPMF 2.0's powerful, yet easy-to-use technology is the only 'model driven security management' solution in the market today. It is the most flexible, extensible, standards based, and easy-to-use enterprise security management framework on the market. The patent-pending technology is based on 9 years of solid research and development by leading experts who are currently driving international standardization of model driven security. OpenPMF 2.0 is the most thought-through solution on the market and listed as a promising high-impact technology on Gartner’s “Hype Cycle for Information Security 2007”. OpenPMF 2.0 benefits include reduced cost, improved enterprise-wide security compliance, and low-maintenance security management for agile Service Oriented Architecture (SOA). OpenPMF 2.0 lets you manage security at a business-driven, intuitive high level of abstraction close to human thinking. OpenPMF 2.0 is fully customizable so that you can define customized policies in the way you think about security in the context of your organization.
About Gartner's Cool Vendors Selection Process - Gartner's listing does not constitute an exhaustive list of vendors in any given technology area, but rather is designed to highlight interesting, new and innovative vendors, products and services. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness of a particular purpose. Gartner defines a cool vendor as a company that offers technologies or solutions that are: Innovative, enable users to do things they couldn't do before; Impactful, have, or will have, business impact (not just technology for the sake of technology); Intriguing, have caught Gartner's interest or curiosity in approximately the past six months.
ABOUT OBJECTSECURITY - ObjectSecurity Ltd. is a Cambridge (United Kingdom) and San Jose (CA, USA) based world-leader in model driven security and authorization management. The company offers the ground-breaking model-driven OpenPMF enterprise security management ecosystem and various secure middleware platforms. ObjectSecurity provides services for model driven security, middleware security, SOA security, secure information sharing (e.g. CDM). Their customer base includes Agilent Technologies, BAA Heathrow Airport, Deutsche Telekom, ESG, European General Electric, Intel, QinetiQ, Royal Bank of Scotland, Real-Time Innovations, Twinsoft/Hewlett-Packard, US Naval Research Lab and others. ObjectSecurity specializes on information security for complex IT environments in mission-critical markets.
PR CONTACT Dr. Ulrich Lang, ObjectSecurity Ltd., firstname.lastname@example.org, www.objectsecurity.com, +44 1223 420252/+1-800-898-9148
>>> PDF version: http://www.objectsecurity.com/doc/20080407_gartnercoolvendor.pdf
>>> Purchase the report: http://www.gartner.com/7_search/Search2Frame.jsp?keywords=objectsecurity
Friday, 28 March 2008
We need standards for Model Driven Security. There are primarily two reasons for this:
- we need to avoid vendor lock-ins, because they will hurt end-users and vendors alike.
- we need to avoid market fragmentation into dozens of products that have their own way of expressing security models
If industry is not commited to preventing vendor lock-ins and market fragmentation, then Model Driven Security would take much longer to become mainstream. Also, the shakeout in the market would be bloodshed, where innovation typically goes out of the window.
As a consequence, ObjectSecurity and several OMG members have come together at the Object Management Group (OMG) consortium to work towards a Model Driven Security Policy standard. This standard should specify a common vocabulary which allows policies to be transferable between different vendors' tools. An RFI has just been issued by the OMG.
Please contact us if you would like to know more about this.
Monday, 4 February 2008
The main problem is simple: SOA is about agility, and dynamically responding to change by allowing fast reconfiguration of the infrastructure "Lego blocks". Accreditation is about accrediting the assurance of a static system using some elaborative analysis process.
Unless the two are brought together, there will simply be no useful SOA in defence. Model Driven Security (MDS) can help achieve this.
IBM has recently (6/2007) published a Working Paper on the subject. It is not very dense, essentially they are saying that the challenges are due to complexity. The relevant information includes:
1) they then say "the new direction parallels the way Model Driven Architecture (MDA) and Model driven Development (MDD) have restructured the ... challenges and have provided architects ... better leverage over SOA complexity".
2) cultural and the accreditation community needs to be trained
3) support incremental change in accreditation practices
4) SOA should be deployed without agility (why would you buy SOA then at all?)
5) traditional accreditation approaches need to be adapted to match SOA better
6) security mechanisms are there and aren't really the problem
The first point echoes what ObjectSecurity has said since 2005: Model Driven Security is a highly useful concept to provide accreditable, agile SOAs with low-maintenance security policy management.
Please contact us if you would like to know more about agile SOA security and accreditation.
Thursday, 31 January 2008
Now imagine having to do such a manual process everytime you reconfigure the SOA - clearly not cost-effective and highly error-prone.
We at ObjectSecurity call this "security stove-piping".
Model driven security (as implemented in the patent-pending ObjectSecurity's OpenPMF 2.0) allows you to state your security intent in an intuitive, general, and undistorted way that remains relatively constant over time.
The semantic gap between this high-level intent and what needs to be enforced on the SOA infrastructure layer is then bridged using model driven security. The concept is related to Model Driven Architecture (MDA), and applied to security e.g. in our OpenPMF 2.0 SecureMDA sub-module.
The benefits are intuitive: As long as my high-level intent remains the same, I can reconfigure the SOA without any changes to the abstract security policy models. Contact us if you would like to know more about how this works in OpenPMF 2.0's TrustedSOA submodule.
By the way, if you happen to be in the area, then please feel free to sign up to our Peer2Peer session at the RSA Conference 2008, San Francisco, April 2008:
ObjectSecurity will present a peer-to-peer session "How can we secure SOA without losing agility?" at the RSA Conference 2008, San Francisco, CA, USA, 7-11 April 2008. Contact us to arrange a meeting.Abstract: In this Ask the Moderator session, ObjectSecurity discusses how SOA security must go beyond web services security. The core issue is how to specify and maintain consistent/effective security policies for *agile* SOA. This cannot be done manually (too complex/labor-intensive). New approaches such as Model Driven Security are needed. Session topics incl. security stove-piping, how to reduce cost/effort, architecture approaches, experiences, secure BPM SOA." (P2P-205A, 9 Apr 2008, 1:40 PM - 2:30 PM).
See you there!