Today I want to clarify that model-driven security (MDS) does not necessarily rely on model-driven development to work, even though it relies on application, system, and interaction models (so-called “functional models”) to achieve significant security policy automation. In the traditional MDS approach these functional models ideally come from manually defined application models authored during model-driven development (e.g. UML, BPMN). But this is not necessary. We have designed an additional solution for our OpenPMF in which the functional models are instead obtained from an IT asset management tool that is part of our partner’s (Promia, Inc.) intrusion detection/prevention product Raven. This works well, and enables the use of model-driven security in environments which do not support model-driven development or where model-driven development is not desired.

While this may not sound like a big deal, it is in fact a big deal, because it widens the applicability of model-driven security dramatically and makes adoption a lot easier.
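To make the idea concrete, here is an added illustration (my own example code, not OpenPMF's or Raven's implementation, and not their data formats) of what "obtaining the functional model from an asset inventory" means in practice. A constructed inventory of assets, exposed services and observed interactions is turned into a functional model (components, what they expose, whom they call), and a deny-by-default least-privilege policy is generated from that model alone; the asset names, service strings and rule shape are all assumptions made up for the example. The last function shows the part that makes the approach attractive operationally: when the inventory changes, the policy is regenerated and only the rules that actually changed are reported.

```python
from dataclasses import dataclass

# Constructed asset inventory (hypothetical; not output of any real product).
# "interactions" are observed/declared calls: (client asset, server asset, service).
INVENTORY = {
    "assets": [
        {"id": "web01", "role": "web-frontend",   "services": ["https/443"]},
        {"id": "app01", "role": "order-service",  "services": ["grpc/8443"]},
        {"id": "db01",  "role": "orders-db",      "services": ["postgres/5432"]},
        {"id": "adm01", "role": "admin-jumphost", "services": ["ssh/22"]},
    ],
    "interactions": [
        ("web01", "app01", "grpc/8443"),
        ("app01", "db01", "postgres/5432"),
        ("adm01", "db01", "postgres/5432"),
    ],
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str  # "allow" or "deny"

    def render(self) -> str:
        # Illustrative textual rule format (assumed, not a real policy language).
        return f"{self.action.upper()} {self.src} -> {self.dst} {self.service}"


def build_functional_model(inventory):
    """Derive the functional model from the inventory: each component, the
    services it exposes and the (target, service) calls it makes."""
    model = {a["id"]: {"role": a["role"], "exposes": set(a["services"]), "calls": set()}
             for a in inventory["assets"]}
    for src, dst, svc in inventory["interactions"]:
        # Inventory consistency checks: an interaction must reference known assets
        # and a service the target actually exposes, otherwise the model is wrong.
        if src not in model or dst not in model:
            raise ValueError(f"interaction references unknown asset: {src} -> {dst}")
        if svc not in model[dst]["exposes"]:
            raise ValueError(f"{dst} does not expose {svc}")
        model[src]["calls"].add((dst, svc))
    return model


def generate_policy(model):
    """Least-privilege policy generated purely from the functional model:
    allow exactly the modelled interactions, explicitly deny every other
    reachable (client, server, service) endpoint so the rule set is complete."""
    rules = [Rule(src, dst, svc, "allow")
             for src, comp in sorted(model.items())
             for dst, svc in sorted(comp["calls"])]
    allowed = {(r.src, r.dst, r.service) for r in rules}
    for src in sorted(model):
        for dst, comp in sorted(model.items()):
            if src == dst:
                continue
            for svc in sorted(comp["exposes"]):
                if (src, dst, svc) not in allowed:
                    rules.append(Rule(src, dst, svc, "deny"))
    return rules


def drop_client_interactions(inventory, client_id):
    """Return a copy of the inventory with all interactions initiated by
    client_id removed (models e.g. decommissioning an access path)."""
    return {
        "assets": [dict(a) for a in inventory["assets"]],
        "interactions": [i for i in inventory["interactions"] if i[0] != client_id],
    }


def policy_diff(old_inventory, new_inventory):
    """Regenerate the policy from both inventories and report only the rules
    that were added and removed, sorted for stable output."""
    key = lambda r: (r.src, r.dst, r.service, r.action)
    old = set(generate_policy(build_functional_model(old_inventory)))
    new = set(generate_policy(build_functional_model(new_inventory)))
    return sorted(new - old, key=key), sorted(old - new, key=key)


if __name__ == "__main__":
    for rule in generate_policy(build_functional_model(INVENTORY)):
        print(rule.render())
    added, removed = policy_diff(INVENTORY, drop_client_interactions(INVENTORY, "adm01"))
    print("added:", [r.render() for r in added])
    print("removed:", [r.render() for r in removed])
```

With four assets each exposing one service, the model yields three allow rules and nine explicit deny rules; removing the jump host's database interaction from the inventory flips exactly one rule from allow to deny without anyone editing the policy by hand, which is the automation gain the post is describing.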