Model Driven Security Policy Automation

On this blog, ObjectSecurity co-founder and CEO Ulrich Lang discusses security policy automation and model-driven security. The aim of this blog is to advocate and advance the state of the art in this area through the exchange of ideas. www.modeldrivensecurity.org - www.policyautomation.org - www.objectsecurity.com

Wednesday 7 May 2008

"Security stove-piping" & agility (e.g. SOA)

It is clear that end-users are trying to get away from stove-piped, hard-coded IT environments. Instead, they want agile, reconfigurable, modular IT environments, as e.g. advocated by Service Oriented Architecture (SOA). A lot of effort has been put into architecting modular, model-driven approaches to achieve system agility.

Unfortunately, security typically gets overlooked, and traditional security tools are deployed and configured in the traditional way (e.g. manually configured policies in app servers, IAM systems etc.). The result is a system that is almost as stove-piped as before. ObjectSecurity calls this problem "security stove-piping".

Model driven security as a security management approach enables agility and security, and is therefore a critical ingredient in the SOA security mix. Contact ObjectSecurity if you would like to discuss this further.

Management vs. interoperability: Model driven security vs. today's authorization management

It is clear that the number of fine-grained IT authorization policies that are spread across a medium-size or large-size IT environment can easily go into the 10,000's and 100,000's. Just take the rules from firewalls, databases, and single sign-on systems, and you see that the complexity has grown out of hand: Security is simply unmanageable.

Today's authorization management solutions (sometimes called "entitlement management") tackle the problem by simply putting all the complexity into a single place (the Policy Access Point, PAP). By and large, the rules in the central manager are still at the same semantic level and of the same complexity as the rules that would be spread across the IT environment if no authorization management were used. This is clearly not a significant reduction of complexity.
(By the way, identity management does not cover this problem very well either, as it is mostly concerned with managing identities rather than with managing fine-grained, expressive, possibly context-sensitive authorization policies.)
In summary, today's authorization management makes the problem evident, rather than solving it.

What today's vendors are good at is solving the policy interoperability challenge: XACML is a web service standard for exchanging authorization policy information, and vendors supporting it include ObjectSecurity, Cisco, CA, etc.

Model driven security is concerned with solving the complexity challenge: it lets you manage a small number of simple, business-driven security policies, and generates the 100,000's of technical rules for the particular deployment automatically. Sounds like magic, but it is not. Contact ObjectSecurity, the leading model driven security vendor, if you would like to learn more.
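To make the two preceding points concrete (the rule explosion that a central entitlement manager merely collects, and the generation of those rules from a handful of business policies), here is an added Python illustration. It is not ObjectSecurity's code and not the XACML schema; the business policies, the clinic deployment model, the rule format and the request format are all constructed for this example. A policy owner maintains four business-level policies; the generator expands them against the deployment model into the per-role, per-service, per-operation, per-ward technical rules that a policy enforcement point actually evaluates, with default deny.

```python
"""Added example (not from the original post): model-driven generation of
deployment-level authorization rules from business-level policies."""
from itertools import product

# Business-level policy model: the only thing a human is expected to manage.
# Vocabulary (staff category, action category, data category) is constructed.
BUSINESS_POLICIES = [
    {"who": "clinical", "may": "view", "data": "clinical", "condition": "same_ward"},
    {"who": "clinical", "may": "modify", "data": "clinical", "condition": "same_ward"},
    {"who": "finance", "may": "view", "data": "financial", "condition": None},
    {"who": "finance", "may": "modify", "data": "financial", "condition": None},
]

# Deployment model of a hypothetical clinic: which roles exist, which services
# expose which operations, what category of data each service holds, and the
# wards that the "same_ward" condition ranges over. Entirely constructed.
DEPLOYMENT_MODEL = {
    "roles": {"doctor": "clinical", "nurse": "clinical", "billing_clerk": "finance"},
    "services": {
        "PatientRecordService": {
            "data": "clinical",
            "operations": {"getRecord": "view", "listRecords": "view", "addNote": "modify"},
        },
        "LabResultService": {
            "data": "clinical",
            "operations": {"getResult": "view", "attachResult": "modify"},
        },
        "BillingService": {
            "data": "financial",
            "operations": {"getInvoice": "view", "issueInvoice": "modify"},
        },
    },
    "wards": ["cardiology", "oncology", "paediatrics"],
}


def generate_rules(policies, model):
    """Expand each business policy into concrete permit rules for this deployment.

    One business policy becomes (roles in category) x (matching operations)
    x (wards, if the policy is ward-scoped) technical rules. These are the
    rules an entitlement manager would otherwise hold one by one.
    """
    rules = []
    for policy in policies:
        roles = [r for r, cat in model["roles"].items() if cat == policy["who"]]
        # A ward-scoped policy yields one rule per ward; an unscoped one yields
        # a single rule with ward=None meaning "any".
        wards = model["wards"] if policy["condition"] == "same_ward" else [None]
        for svc_name, svc in model["services"].items():
            if svc["data"] != policy["data"]:
                continue
            ops = [op for op, cat in svc["operations"].items() if cat == policy["may"]]
            for role, op, ward in product(roles, ops, wards):
                rules.append({"role": role, "service": svc_name,
                              "operation": op, "ward": ward, "effect": "permit"})
    return rules


def is_permitted(rules, request):
    """Policy enforcement point: default deny, permit only on a matching rule.

    request keys: role, service, operation, subject_ward, resource_ward.
    A ward-scoped rule matches only when subject and resource share that ward.
    """
    for rule in rules:
        if (rule["role"], rule["service"], rule["operation"]) != (
                request["role"], request["service"], request["operation"]):
            continue
        if rule["ward"] is None:
            return True
        if rule["ward"] == request["subject_ward"] == request["resource_ward"]:
            return True
    return False


def with_extra_ward(model, ward):
    """Return a copy of the deployment model with one more ward.

    Demonstrates agility: the business policies are untouched, the model
    changes, and regeneration produces the additional technical rules.
    """
    return {**model, "wards": model["wards"] + [ward]}


if __name__ == "__main__":
    rules = generate_rules(BUSINESS_POLICIES, DEPLOYMENT_MODEL)
    print(f"{len(BUSINESS_POLICIES)} business policies -> {len(rules)} technical rules")
    bigger = with_extra_ward(DEPLOYMENT_MODEL, "neurology")
    print(f"after adding a ward -> {len(generate_rules(BUSINESS_POLICIES, bigger))} rules")
```

The point the numbers make: four business policies already expand to 32 technical rules for three services and three wards, and adding a single ward regenerates 42 without anyone editing a rule by hand. Managing the 32 (or 42) rules in one central console is what today's entitlement management offers; managing the four is what model-driven security offers.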

So in summary: authorization management is necessary but not sufficient.