Model Driven Security Policy Automation

On this blog, ObjectSecurity co-founder and CEO Ulrich Lang discusses security policy automation and model-driven security. The aim of this blog is to advocate advance the state of the art in this area through exchange of ideas. www.modeldrivensecurity.org - www.policyautomation.org - www.objectsecurity.com

Thursday 31 January 2008

"Security Stove-Piping" and Model Driven Security

It turns out that one of the main security issues related to SOA is that security is typically implemented in such a way that it cannot preserve the agility SOA (without security) promises. The reason behind this is simple: If I have a large SOA with many interactions, and I reconfigure (e.g. orchestrate) the SOA, I will need to check all the security policies and figure out whether anything changed. It is likely that a significant SOA reconfiguration changes security policies for many nodes.
Now imagine having to do such a manual process everytime you reconfigure the SOA - clearly not cost-effective and highly error-prone.
We at ObjectSecurity call this "security stove-piping".
Model driven security (as implemented in the patent-pending ObjectSecurity's OpenPMF 2.0) allows you to state your security intent in an intuitive, general, and undistorted way that remains relatively constant over time.
The semantic gap between this high-level intent and what needs to be enforced on the SOA infrastructure layer is then bridged using model driven security. The concept is related to Model Driven Architecture (MDA), and applied to security e.g. in our OpenPMF 2.0 SecureMDA sub-module.
The benefits are intuitive: As long as my high-level intent remains the same, I can reconfigure the SOA without any changes to the abstract security policy models. Contact us if you would like to know more about how this works in OpenPMF 2.0's TrustedSOA submodule.

By the way, if you happen to be in the area, then please feel free to sign up to our Peer2Peer session at the RSA Conference 2008, San Francisco, April 2008:

ObjectSecurity will present a peer-to-peer session "How can we secure SOA without losing agility?" at the RSA Conference 2008, San Francisco, CA, USA, 7-11 April 2008. Contact us to arrange a meeting.Abstract: In this Ask the Moderator session, ObjectSecurity discusses how SOA security must go beyond web services security. The core issue is how to specify and maintain consistent/effective security policies for *agile* SOA. This cannot be done manually (too complex/labor-intensive). New approaches such as Model Driven Security are needed. Session topics incl. security stove-piping, how to reduce cost/effort, architecture approaches, experiences, secure BPM SOA." (P2P-205A, 9 Apr 2008, 1:40 PM - 2:30 PM).

See you there!