This blog also tries to provide a forum for publications about SOA security. Please put any abstracts into the comments of this message and we will merge them into the main message.
Here is our publication at ISSE 2007:
Model driven security for agile SOA-style environments
Dr. Ulrich Lang & Rudolf Schreiner
There is evidence that many IT security vulnerabilities are caused by incorrect security policies and configurations (i.e. human errors) rather than by inherent weaknesses in the attacked IT systems. Security administrators need to have an in-depth understanding of the security features and vulnerabilities of a multitude of ever-changing and different IT "silos". Moreover, in complex, large, networked IT environments such policies quickly become confusing and error-prone because administrators cannot specify and maintain the correct policy anymore. Agile service oriented architecture (SOA) style environments further complicate this scenario for a number of reasons, including: security policies may need to be reconfigured whenever the IT infrastructure gets re-orchestrated; security at the business process management layer is at a different semantic level than in the infrastructure; semantic mappings between the layers and well-adopted standardised notations are not available. This paper explores how the concepts of security policy management at a high, more intuitive (graphical) level of abstraction and model-driven security (tied in with model driven software engineering) can be used for more effective and simplified security management/enforcement for the agile IT environments that organisations are faced with today. In this paper, we illustrate in SecureMDA™ how model driven security can be applied to automatically generate security policies from abstract models. Using this approach, human errors are minimised and policy updates can be automatically generated whenever the underlying infrastructure gets re-orchestrated, updated etc. The generated security policies are consistent across the entire distributed environment using the OpenPMF policy management framework. This approach is better than having administrators go from IT system to IT system and change policies for many reasons (including security, cost, effort, error-proneness, and consistency). The paper also outlines why meta-modelling and a flexible enforcement plug-in model are useful concepts for security model flexibility.
Tuesday 25 September 2007
Thursday 6 September 2007
Gartner Hype Cycle for Information Security 2007
Gartner has just released their new Hype Cycle for Information Security 2007, and model driven security is on it. ObjectSecurity's OpenPMF 2.0 (www.openpmf.com) has been identified as aleading product in this emerging area.
This shows that Gartner believes that model driven security is a critical technology approach to simplify enterprise security.
We believe that model driven security plays an important role for securing agile SOA, as illustrated at www.trustedsoa.com.
This blog is a public forum and we are welcoming any views on this.
This shows that Gartner believes that model driven security is a critical technology approach to simplify enterprise security.
We believe that model driven security plays an important role for securing agile SOA, as illustrated at www.trustedsoa.com.
This blog is a public forum and we are welcoming any views on this.
Subscribe to:
Posts (Atom)