Model Driven Security Policy Automation

On this blog, ObjectSecurity co-founder and CEO Ulrich Lang discusses security policy automation and model-driven security. The aim of this blog is to advocate advance the state of the art in this area through exchange of ideas. www.modeldrivensecurity.org - www.policyautomation.org - www.objectsecurity.com

Monday 21 July 2014

Externalized Authorization Management (EAM) in the "trough of disillusionment" - Model-driven security is a way out!

Gartner's "Hype Cycle for Governance, Risk and Compliance Technologies, 2014"* puts "Externalized Authorization Management" (EAM) in the "Trough of Disillusionment", stating that "Gartner clients have reported that maintaining a fine-grained access policy across a large number of custom or complex applications can be a daunting and expensive proposition". In line with this, we have discussed many times in most of our own publications for over a decade) is that authoring and maintaining a large number of fine-grained EAM access policies across many applications is expensive, difficult, time-consuming, error-prone, and non-traceable. This is especially true for attribute-based access control (ABAC), which supports extremely rich and flexible access rules.

However, it is important to note that Gartner's "Hype Cycle for Governance, Risk and Compliance, 2014" category is "Externalized Authorization Management", and not model-driven security (MDS) used with EAM. For over a decade, we have shown that MDS is an ideal candidate to resolve EAM's manageability/complexity challenges. Over the years, we have carried out many MDS deployments  (over EAM & ABAC) over the years, implementing highly complex policies. MDS works best if there is a human understanding of the policy that is general, intuitive, simple, and human-intuitive. MDS (like EAM & ABAC) requires access to a number of attribute sources (and often also attribute mappings) to turn this general human understanding of the policy into the detailed technical rules that can be technically enforced (e.g. by EAM, ABAC). This can be a challenge, however the resulting level of automation,  manageability, usability, support for system agility, and traceable compliance by far outweigh the costs.

An example we have recently designed and implemented for a customer is something we tentatively call "relationship-based access control" (RelBAC, we also call this a highly enhanced, multidimensional "proximity-based access control" model) - humans are usually great at expressing general access policies based on the relationship of themselves (or something they are associated with) with something they are trying to access (or something the accessed resource is associated with). Due to restrictions we cannot post too many details here, but please contact us if you would like to hear more about this.

* Gartner, Hype Cycle for Governance, Risk and Compliance Technologies, 17 July 2014, John A Wheeler

Friday 11 April 2014

Attribute-Based Access Control (ABAC) adoption 70% by 2020 - Model-Driven Security helps make ABAC manageable!

Gartner (Gregg Kreizmann, at the Identity and Access Summit in Nov 2013) forecasts that by 2020, 70% of all businesses will use attribute-based access control (ABAC) as the dominant mechanism to protect critical assets, up from less than 5% today ABAC is about saying which good stuff should be allowed (whitelisting). This is contrary to most of what the security industry does today, which is saying which bad stuff should not be allowed (blacklisting). Blacklisting suffers from many issues, esp. around accuracy (false positives and false negatives).

However, while whitelisting a la ABAC does not have those problems, it frequently suffers from the complexity overload related to the authoring and maintenance/update of the many, complex, changing fine-grained access rules. As a result, ABAC hasn't taken off as much as it should have by now. Another issue is related to the complexity of the ABAC infrastructure: potentially many attributes have to be aligned, and attribute sources (PIPs) have to be plugged into the ABAC system, and the enforcement end (PEP) also needs to be plugged into the information flow. All in all, this is not a minor undertaking. But it is worth the effort in the long run (the same way IdM and PKI only materialized ROI after a while).

Model-driven security (MDS) policy automation is a critically important part of the ABAC story: It allows the specification of human-intuitive, generic, undistorted policy models, and automatically turns those into the fine-grained, technical ABAC rules. Part of the "secret sauce" is that MDS feeds in other information sources into this process to figure out what rules to generate. MDS also allows the automated checking for compliance/accreditation. See the wikipedia article and our website for details.

In summary, MDS fixes some of the complexity issues that become evident when ABAC gets deployed. Oh, and by the way, we are not the only ones saying that: industry analyst firm Gartner identifies model-driven security as part of "Top 10 Strategic Technologies for 2012", and selected OpenPMF, a model-driven security product, as "Cool Vendor 2008" product.