Model Driven Security Policy Automation

On this blog, ObjectSecurity co-founder and CEO Ulrich Lang discusses security policy automation and model-driven security. The aim of this blog is to advocate advance the state of the art in this area through exchange of ideas. - -

Wednesday, 21 July 2010

Policy Automation is Critical Because Security is About Cost-Benefit

Security automation (together with configuration management automation and audit/compliance automation) should be a top priority for enterprise/government. Here is why:
We need more automation to make security cheaper and reduce the hidden costs ("externalities") related to security, such as user/administrator time wasted. A lot of security advice and technologies cost more than they save, i.e. taking the unlikely hit is cheaper than adopting them [1].
To achieve better security cost-benefit, my interest has been "security policy automation" for a long time, i.e. to automate a lot of the tasks ("externalities") that administrators face when managing security policies for applications (esp. authorization) [2].

[1] A Microsoft Research paper outlines why cost-benefit optimization is needed for security: " So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users". In fact my PhD supervisor from back in the days (Prof Ross Anderson in Cambridge) has talked about this for over 10 years, and so did Schneier and others.
OpenPMF Security Policy Automation

Tuesday, 6 July 2010

"Authorization as a Service"

"Identity as a Service" is now a buzzword pushed by big vendors sell their identity management suites. Unfortunately, identity as a service does not solve the basic challenges that managing access control is the harder - and often ignored - problem. It is somewhat disappointing to me that the Cloud Security Alliance published a very narrowly scoped docucment "Domain 12 Guidance for Identity & Access Management" back in April 2010 that covers Identity-as-a-Service, but leaves out Authorization-as-a-Service (the document is sponsored by a big identity vendor, which explains a lot...).
This blog has advocated the use of model driven security to implement "Authorization as a service", or more precisely "Security & Compliance Automation as a Service" (SCaaS), for some time. Scientific papers are being presented at various conferences over the coming months, contact us if you would like to know more.
*UPDATE*: a discussion on the Cloud Security Allicance Trusted Cloud Initiative Linkedin forum discusses the issue.