Model Driven Security Policy Automation

On this blog, ObjectSecurity co-founder and CEO Ulrich Lang discusses security policy automation and model-driven security. The aim of this blog is to advocate advance the state of the art in this area through exchange of ideas. - -

Tuesday, 6 July 2010

"Authorization as a Service"

"Identity as a Service" is now a buzzword pushed by big vendors sell their identity management suites. Unfortunately, identity as a service does not solve the basic challenges that managing access control is the harder - and often ignored - problem. It is somewhat disappointing to me that the Cloud Security Alliance published a very narrowly scoped docucment "Domain 12 Guidance for Identity & Access Management" back in April 2010 that covers Identity-as-a-Service, but leaves out Authorization-as-a-Service (the document is sponsored by a big identity vendor, which explains a lot...).
This blog has advocated the use of model driven security to implement "Authorization as a service", or more precisely "Security & Compliance Automation as a Service" (SCaaS), for some time. Scientific papers are being presented at various conferences over the coming months, contact us if you would like to know more.
*UPDATE*: a discussion on the Cloud Security Allicance Trusted Cloud Initiative Linkedin forum discusses the issue.

No comments: