Model Driven Security Policy Automation

On this blog, ObjectSecurity co-founder and CEO Ulrich Lang discusses security policy automation and model-driven security. The aim of this blog is to advocate advance the state of the art in this area through exchange of ideas. - -

Thursday 30 October 2008

Revisited: Aligning business and IT security

Well, ok, there are a number of useful best practice guidelines for information security management, e.g. ISO 27000 family, COBIT, ISMS, ITIL, which help communicate the processes and requirements to management, select controls, and measure success. So far, so good. However, these documents are so business-centric that IT security enforcement does not simply "fall out at the bottom".
But beware: What ultimately matters is not the documentation produced, but the actual enforcement across your information systems. Real-world attacks are obviously not thwarted with documents!
Today, mapping the requirements from the produced documents down to concrete IT enforcement (and bringing measurements back up) is typically done in a pretty ad-hoc way. The focus is primarily on what the management wants to (not) see, rather than in what matters.
Model-driven security (e.g. OpenPMF), tied into an overall security management methodology, can help close (parts of) this gap in a traceable, runtime, automatic way - therefore model-driven security should be a critical element of effective "business-driven compliance management".

Why "business process-led" model-driven security is useful

You may have seen that ObjectSecurity released a beta for OpenPMF with Intalio BPMS that supports "business process-led" model-driven security (for BPMN). This feature will form part of the new OpenPMF 3.0 release planned for Q1/2009. Why are business processes so relevant for security policies? Simply because the workflow context is a powerful contextual element of a fine-grained security policy. For example, an e-shop can block access to their bank's credit card charging facility for any access except at the specific step in the business process workflow when the access should be granted. Control is therefore much more fine-grained and contextual than for example role-based or label-based access control. Research (e.g. here) has focussed around the addition of security to business processes for a while, and this feature is now implemented (in beta) in OpenPMF for Intalio's open source BPMS.

Saturday 18 October 2008

Model-driven security needs to be cross-platform

Another observation we made over the last couple of years is that there will most likely be no "one size fits all" technology platform (e.g. middleware) in today's large, complex IT environments. A plethora of platforms (e.g. web services, JMS, CORBA, CCM, DDS) will probably be used, potentially orchestrated using some BPM technology (e.g. BPMN/BPEL) or model-driven integration (MDI) technology.
As a result, model-driven security needs to be able to ensure correct policy generation and enforcement for all these platforms.
OpenPMF supports policy enforcement for a large number of enforcement points, including web services, JMS, CORBA, CCM, DDS. XACML is also supported to ensure the emerging SOA enforcement landscape can be supported.
Push-button policy generation using model-driven security from a single place only if enforcement is supported cross-platform.

*New publications* about model driven security

ObjectSecurity published a paper at ISSE 2008 with a concrete model-driven security healthcare example where a HIPAA healthcare compliance requirement is mapped to cross-platform IT infrastructures including BPM, web services, and CCM. The presentation is here, and the detailed paper is published at:

Lang U., Schreiner R., "Managing business compliance using model-driven security management", in Pohlmann N., Reimer H., Scheiner W. (editors), Proceeedings ISSE 2008 Securing Electronic Business Processes - Highlights of the Information Security Solutions Europe 2008 Conference, Vieweg + Teubner, ISBN 978-3-83480660-4, Edition 2009

Abstract: Compliance with regulatory and governance standards is rapidly becoming one of the hot topics of information security today. This is because, especially with regulatory compliance, both business and government have to expect large financial and reputational losses if compliance cannot be ensured and demonstrated. One major difficulty of implementing such regulations is caused the fact that they are captured at a high level of abstraction that is business-centric and not IT centric. This means that the abstract intent needs to be translated in a trustworthy, traceable way into compliance and security policies that the IT security infrastructure can enforce. Carrying out this mapping process manually is time consuming, maintenance-intensive, costly, and error-prone. Compliance monitoring is also critical in order to be able to demonstrate compliance at any given point in time. The problem is further complicated because of the need for business-driven IT agility, where IT policies and enforcement can change frequently, e.g. Business Process Modelling (BPM) driven Service Oriented Architecture (SOA). Model Driven Security (MDS) is an innovative technology approach that can solve these problems as an extension of identity and access management (IAM) and authorization management (also called entitlement management). In this paper we will illustrate the theory behind Model Driven Security for compliance, provide an improved and extended architecture, as well as a case study in the healthcare industry using our OpenPMF 2.0 technology.

We are pleased that the papers from the MODSEC 2008 (Modeling Security Workshop) are now also available online here (CEUR Workshop Proceedings),

Please contact us if you have any products or publications you would like to see covered in this blog.