Model Driven Security Policy Automation

On this blog, ObjectSecurity co-founder and CEO Ulrich Lang discusses security policy automation and model-driven security. The aim of this blog is to advocate advance the state of the art in this area through exchange of ideas. - -

Tuesday 25 September 2007

Publications & Resources about Model-Driven Security

This blog also tries to provide a forum for publications about model driven security. Please put any abstracts into the comments of this message and we will merge them into the main message.

ObjectSecurity released a publication Model driven security for agile SOA-style environments, by Dr. Ulrich Lang & Rudolf Schreiner at ISSE 2007:

There is evidence that many IT security vulnerabilities are caused by incorrect security policies and configurations (i.e. human errors) rather than by inherent weaknesses in the attacked IT systems. Security administrators need to have an in-depth understanding of the security features and vulnerabilities of a multitude of ever-changing and different IT "silos". Moreover, in complex, large, networked IT environments such policies quickly become confusing and error-prone because administrators cannot specify and maintain the correct policy anymore. Agile service oriented architecture (SOA) style environments further complicate this scenario for a number of reasons, including: security policies may need to be reconfigured whenever the IT infrastructure gets re-orchestrated; security at the business process management layer is at a different semantic level than in the infrastructure; semantic mappings between the layers and well-adopted standardised notations are not available. This paper explores how the concepts of security policy management at a high, more intuitive (graphical) level of abstraction and model-driven security (tied in with model driven software engineering) can be used for more effective and simplified security management/enforcement for the agile IT environments that organisations are faced with today. In this paper, we illustrate in SecureMDA™ how model driven security can be applied to automatically generate security policies from abstract models. Using this approach, human errors are minimised and policy updates can be automatically generated whenever the underlying infrastructure gets re-orchestrated, updated etc. The generated security policies are consistent across the entire distributed environment using the OpenPMF policy management framework. This approach is better than having administrators go from IT system to IT system and change policies for many reasons (including security, cost, effort, error-proneness, and consistency). The paper also outlines why meta-modelling and a flexible enforcement plug-in model are useful concepts for security model flexibility.


Gartner released a study Model-Driven Security: Enabling a Real-Time, Adaptive Security Infrastructure that defines:

"Model-driven security is the use of visual models or domain specific modelling languages during application design, development and composition to represent and assign security primitives — such as confidentiality, integrity, authentication, authorisation and auditing — to application, process and information flows independent of the specific security enforcement mechanisms used at runtime."


ObjectSecurity released a study Model Driven Security - A new security management approach applied to SOA - please contact to puchase.


No comments: