Ulrich Lang's Security Policy Automation & Model-Driven Security Blog: Model-Driven Security possible without Model-Driven Software Engineering? Of course!

Wednesday, 30 January 2013

Model-Driven Security possible without Model-Driven Software Engineering? Of course!

Today I want to clarify that model-driven security (MDS) does not necessarily rely on model-driven development to work - even though it relies on application, system, and interaction models (so-called “functional models”) to achieve significant security policy automation. The traditional MDS approach is that these functional models ideally come from manually defined application models authored during model-driven development (e.g. UML, BPMN). But this is not necessary. We have designed an additional solution for our OpenPMF where the functional models are in fact obtained from an IT asset management tool that is part of our partner’s (Promia, Inc.) intrusion detection/prevention product Raven. This works well, and enables the use of model-driven security in environments which do not support model-driven development or where model-driven development is not desired.

While this may not sound like a big deal, it is in fact a big deal, because it increases the widespread applicability of model-driven security dramatically, and makes adoption a lot easier.

3 comments:

engg models said...: Best designing of product models, product design model and model products.; 31 January 2013 at 01:25
Locksmith Bellevue said...: THANKS FOR SHARING.
THIS IS REALLY AMAZE; 27 February 2013 at 03:01
Testing training in chennai said...: Your information about software is really interesting. Also I want to know the latest new techniques which are implemented in software. Please update it in your website.; 5 May 2014 at 01:35

Post a Comment

Dr. Ulrich Lang, CEO & Co-Founder ObjectSecurity

Dr. Ulrich Lang (CEO, co-founder ObjectSecurity) received his Ph.D. from the University of Cambridge Computer Laboratory (Security Group) on conceptual aspects of middleware security in 2003 (sponsored by the UK Defence and Evaluation Research Agency (DERA), after having completed a Master's Degree (M. Sc.) in Information Security with distinction from Royal Holloway College (University of London) in 1997. On the management side, he has recently completed a Business Marketing Strategy course at the Kellogg School of Management (Northwestern University). Prior to his M. Sc. he studied computer science & management at the University of Munich and at Royal Holloway College (University of London). He has served in the German federal civil defence (technical and logistical relief) for several years. He has also previously worked as a proposal evaluator for public-funded R&D projects and as an independent information security consultant on various CORBA based banking projects. Ulrich Lang is the lead author on a book written with Rudolf Schreiner on “Developing Secure Distributed Systems with CORBA”, and published various articles in journals and many publications at international conferences and workshops. In addition to his strategic managerial activities, Ulrich Lang's current interests are organisational information security, security policy development, and security visualisation for complexity reduction. He is currently involved in several security and software projects, including ObjectSecurity's collaboration with the U.S. Naval Research Laboratory.

Rudolf Schreiner, CTO & Co-Founder, ObjectSecurity

Rudolf Schreiner (CTO, co-founder) received his Master's (Dipl-Phys.) in physics from University of Munich in 1993. After graduation he worked as an independent software engineer and consultant on various computer security projects in banking, manufacturing and telecommunications. Rudolf Schreiner is the principal architect behind MICOSec Secure CORBA and the ObjectWall IIOP firewall. He has served in the German federal civil defence (technical and logistical relief) for several years. His main interest is the modelling and development of mission critical and secure applications. Rudolf Schreiner is currently the chief architect and coordinator for our OpenPMF policy management framework. Amongst other topics, he is also involved in the development of secure distributed systems in the air traffic management domain.

Definition: Model driven security (MDS)

MDS is the tool supported process of modelling security requirements at a high level of abstraction, and using other information sources available about the system (produced by other stakeholders). These inputs, which are expressed in Domain Specific Languages (DSL), are then transformed into enforceable security rules with as little human intervention as possible. MDS explicitly also includes the run-time security management (e.g. entitlements/authorisations), i.e. run-time enforcement of the policy on the protected IT systems, dynamic policy updates and the monitoring of policy violations.

Ulrich Lang's Security Policy Automation & Model-Driven Security Blog

Model Driven Security Policy Automation

Wednesday, 30 January 2013

Model-Driven Security possible without Model-Driven Software Engineering? Of course!

3 comments:

Blog Archive

PUBLICATIONS ON MODEL-DRIVEN SECURITY