ObjectSecurity published a paper at ISSE 2008 with a concrete model-driven security healthcare example where a HIPAA healthcare compliance requirement is mapped to cross-platform IT infrastructures including BPM, web services, and CCM. The presentation is here, and the detailed paper is published at:
Lang U., Schreiner R., "Managing business compliance using model-driven security management", in Pohlmann N., Reimer H., Scheiner W. (editors), Proceeedings ISSE 2008 Securing Electronic Business Processes - Highlights of the Information Security Solutions Europe 2008 Conference, Vieweg + Teubner, ISBN 978-3-83480660-4, Edition 2009
Abstract: Compliance with regulatory and governance standards is rapidly becoming one of the hot topics of information security today. This is because, especially with regulatory compliance, both business and government have to expect large financial and reputational losses if compliance cannot be ensured and demonstrated. One major difficulty of implementing such regulations is caused the fact that they are captured at a high level of abstraction that is business-centric and not IT centric. This means that the abstract intent needs to be translated in a trustworthy, traceable way into compliance and security policies that the IT security infrastructure can enforce. Carrying out this mapping process manually is time consuming, maintenance-intensive, costly, and error-prone. Compliance monitoring is also critical in order to be able to demonstrate compliance at any given point in time. The problem is further complicated because of the need for business-driven IT agility, where IT policies and enforcement can change frequently, e.g. Business Process Modelling (BPM) driven Service Oriented Architecture (SOA). Model Driven Security (MDS) is an innovative technology approach that can solve these problems as an extension of identity and access management (IAM) and authorization management (also called entitlement management). In this paper we will illustrate the theory behind Model Driven Security for compliance, provide an improved and extended architecture, as well as a case study in the healthcare industry using our OpenPMF 2.0 technology.
We are pleased that the papers from the MODSEC 2008 (Modeling Security Workshop) are now also available online here (CEUR Workshop Proceedings),
Please contact us if you have any products or publications you would like to see covered in this blog.