Model Driven Security Policy Automation
On this blog, ObjectSecurity co-founder and CEO Ulrich Lang discusses security policy automation and model-driven security. The aim of this blog is to advocate advance the state of the art in this area through exchange of ideas. www.modeldrivensecurity.org - www.policyautomation.org - www.objectsecurity.com
Thursday, 30 October 2008
Why "business process-led" model-driven security is useful
You may have seen that ObjectSecurity released a beta for OpenPMF with Intalio BPMS that supports "business process-led" model-driven security (for BPMN). This feature will form part of the new OpenPMF 3.0 release planned for Q1/2009. Why are business processes so relevant for security policies? Simply because the workflow context is a powerful contextual element of a fine-grained security policy. For example, an e-shop can block access to their bank's credit card charging facility for any access except at the specific step in the business process workflow when the access should be granted. Control is therefore much more fine-grained and contextual than for example role-based or label-based access control. Research (e.g. here) has focussed around the addition of security to business processes for a while, and this feature is now implemented (in beta) in OpenPMF for Intalio's open source BPMS.