Model Driven Security Policy Automation

On this blog, ObjectSecurity co-founder and CEO Ulrich Lang discusses security policy automation and model-driven security. The aim of this blog is to advocate advance the state of the art in this area through exchange of ideas. - -

Tuesday, 22 March 2011

"Least privilege", "need to know", insider threats & WikiLeaks

We are happy to see recent increasing understanding in large enterprises and government that policies (security & compliance) need to proactively enforced, and not just monitored. To motivate my point, one of the hype topics at this year's RSA Expo hype was "continuous monitoring", which essentially tells you when you got attacked earlier than normal compliance auditing. This is necessary but not sufficient: Necessary because there is no 100% security protection. Not sufficient because you need to prevent attacks proactively. Such real prevention is difficult to manage because it requires that someone captures the security & compliance requirements in a technical policy "whitelist". However, without a whitelist of allowed actions, "least privilege" and "need to know" cannot be implemented. And it is exactly that least privilege principle that prevents insider attacks and attacks where outsiders hijack insider credentials. It would have potentially prevented the WikiLeaks leak from Navy, because if least privilege had been enforced correctly, access to all the information would have not been granted. Security policy automation and model-driven security help capture requirements and automatic enforcement. Least privilege can for example be elegantly captured by having policies related to the sequence of a workflow of a SOA orchestration: you can only access a particular web service in a particular step of a workflow for which you have been authorized, and only if you have correctly gone through the workflow up to the point where you can access the web service. Again, capturing SOA BPM workflows and security & compliance models is not easy, but easier approaches (e.g. firewalls, malware, code scanning, IDS etc.) are not able to solve the least privilege & need to know problem. Contact us at if you have any questions/comments