Jump to content

Model-driven security

Add links
From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by 75.61.130.18 (talk) at 19:44, 18 July 2011 (Created page with '{{subst:AFC submission/submit}} <!--- Important, do not remove this line before article has been created. ---> The general scientific concept "model-driven securit...'). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
(diff) ← Previous revision | Latest revision (diff) | Newer revision → (diff)

The general scientific concept "model-driven security" [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15] applies model-driven approaches, and esp. the concepts behind model-driven software development (e.g. OMG Model Driven Architecture (MDA)[16] to security. The general concept in its earliest forms has been around since the late 1990's, and was first commercialized around 2002[17]. A more specific definition of the term specifically applies model-driven approaches to automatically generate technical security implementations from security requirements models. In particular, "Model driven security (MDS) is the tool supported process of modelling security requirements at a high level of abstraction, and using other information sources available about the system (produced by other stakeholders). These inputs, which are expressed in Domain Specific Languages (DSL), are then transformed into enforceable security rules with as little human intervention as possible. MDS explicitly also includes the run-time security management (e.g. entitlements/authorisations), i.e. run-time enforcement of the policy on the protected IT systems, dynamic policy updates and the monitoring of policy violations." [18]

Several industry analyst sources [19] [20][21] state that MDS will have a significant impact as information security infrastructure is required to become increasingly real-time, automated and adaptive to changes in the organisation and its environment. The impact will be significant for agile SOA because traditional security infrastructure will be unable to provide application and system protection while facilitating agility. MDS is therefore a key enabler for low-maintenance security for agile SOA environments. MDS applies to emerging Cloud computing platforms (Platform as a Service, PaaS) in the same way.

The benefits of MDS as a concept for security management include [22]:

  • MDS enables SOA agility
  • MDS reduces complexity (and SOA security complexity)
  • MDS increases policy flexibility
  • MDS supports rich application security policies
  • MDS supports workflow context sensitive security policies
  • MDS can auto-generate SOA infrastructure security policies
  • MDS supports reuse between SOA stakeholders
  • MDS minimises human errors
  • MDS can auto-generate domain boundary security policies
  • MDS helps enable SOA assurance accreditation (covered in ObjectSecurity’s MDSA eBook)

Apart from academic proof-of-concept developments, the only commercially available full implementations of model-driven security (for authorization management policy automation) include ObjectSecurity OpenPMF [23], which earned a listing in Gartner's "Cool Vendor" report in 2008 [24] and has been advocated by a number of organizations (e.g. U.S. Navy [25]) as a means to make authorization policy management more manageable and more automated.

References

  1. ^ Lodderstedt T., SecureUML: A UML-Based Modelling Language for Model-Driven Security. In UML 2002 – The Unified Modelling Language. Model Engineering, languages, Concepts, and Tools. 5th International Conference, Dresden, Germany, September/October 2002, Proceedings, volume 2460 of LNCS p. 426-441, Springer, 2002
  2. ^ Lodderstedt T. et al., Model Driven Security for Process-Oriented Systems, SACMAT 2003, 8th ACM Symposium on Access Control Models and Technologies, 2003, June 2003, Como, Italy, 2003
  3. ^ Jürjens J., UMLsec: Extending UML for Secure Systems Development, In UML 2002 – The Unified Modelling Language. Model Engineering, languages, Concepts, and Tools. 5th International Conference, Dresden, Germany, September/October 2002, Proceedings, volume 2460 of LNCS, pp. 412-425, Springer, 2002
  4. ^ Epstein P, Sandhu R.S. Towards a UML Based Approach to Role Engineering. In Proceedings of the 4th ACM Workshop on Role-Based Access Control, October 1999, Arlington, VA, USA, pp. 145-152, 1999
  5. ^ Lang, U.: Access Policies for Middleware. Ph.D. Thesis, Cambridge University, 2003
  6. ^ Lang, U. Model Driven Security (Policy Management Framework - PMF): Protection of Resources in Complex Distributed System. DOCSec 2003 Workshop, April 2003 (paper: Lang, U., Schreiner, R.: A Flexible, Model-Driven Security Framework for Distributed Systems: Policy Management Framework (PMF) at The IASTED International Conference on Communication, Network, and Information Security (CNIS 2003) in New York, USA, December 10-12, 2003)
  7. ^ Völter, Patterns for Handling Cross-Cutting Concerns in Model-Driven Software Development, Version 2.3, Dec 26, 2005
  8. ^ Burt, Carol C. , Barrett R. Bryant, Rajeev R. Raje, Andrew Olson, Mikhail Auguston, ‘Model Driven Security: Unification of Authorization Models for Fine-Grain Access Control,’ edoc, p. 159, Seventh International Enterprise Distributed Object Computing Conference (EDOC'03), 2003
  9. ^ Nadalin. Model Driven Security Architecture, Colorado Software Summit, 10/2005 and IBM SYSTEMS JOURNAL, VOL 44, NO 4, 2005: Business-driven application security: From modeling to managing secure applications
  10. ^ Alam, M.M.; Breu, R.; Breu, M., Model driven security for Webservices (MDS4WS), Multitopic Conference, 2004. Proceedings of INMIC 2004. 8th International Volume , Issue , 24-26 Dec. 2004 Page(s): 498 – 505
  11. ^ Alam M., Breu R., Hafner M., February 2007. Model-Driven Security Engineering for Trust Management in SECTET, Journal of Software, 02/2007
  12. ^ Wolter, Christian , Andreas Schaad, and Christoph Meinel, SAP Research, Deriving XACML Policies from Business Process Models, WISE 2007
  13. ^ IBM Tokyo Research Lab Website, Core Research Competency, Software Engineering, 09/2007
  14. ^ Lang, U., Gollmann, D., and Schreiner, R. Verifiable Identifiers in Middleware Security. 17th Annual Computer Security Applications Conference (ACSAC) Proceedings, pp. 450-459, IEEE Press, December 2001
  15. ^ Lang, Ulrich and Rudolf Schreiner, Developing Secure Distributed Systems with CORBA, 288 pages, published February 2002, Artech House Publishers, ISBN 1-58053-295-0
  16. ^ www.omg.org
  17. ^ www.objectsecurity.com
  18. ^ www.modeldrivensecurity.org
  19. ^ Gartner: "Cool Vendors in Application Security and Authentication, 2008" (G00156005) 4 April 2008, "Tear Down Application Authorization Silos With Authorization Management Solutions" (G00147801) 31 May 200, "Model-Driven Security: Enabling a Real-Time, Adaptive Security Infrastructure" (G00151498) 21 September 2007, "Hype Cycle for Information Security, 2007" (G00150728) 4 September 2007, "Hype Cycle for Identity and Access Management Technologies, 2008" (G00158499) 30 June 2008, "Hype Cycle for Context-Aware Computing, 2008" (G00158162) 1 July 2008, "Cisco Buys Securent for Policy Management, and Relevance" (G00153181), 5 Nov 2007.
  20. ^ 451 Group: "Market Insight Service Impact Report" (54313) and in the report "Policy Management for Identity - Closing the Loop Between Identity Management, Security and IT Management?".
  21. ^ Burton Group's 2008 "Entitlement Management" report.
  22. ^ www.modeldrivensecurity.org
  23. ^ www.objectsecurity.com
  24. ^ Gartner: "Cool Vendors in Application Security and Authentication, 2008" (G00156005) 4 April 2008
  25. ^ Press Release – ObjectSecurity and Promia implement XML security features for next-generation US military security technology, April 2010
Retrieved from "https://en.wikipedia.org/w/index.php?title=Model-driven_security&oldid=440175079"