HOME

TheInfoList



Click Here for Items Related To - Model-driven security
OR:
Model-driven security on:   [Wikipedia]   [Google]   [Amazon]

Model-driven security (MDS) means applying model-driven approaches (and especially the concepts behind
model-driven software development Model-driven engineering (MDE) is a software development methodology that focuses on creating and exploiting domain models, which are conceptual models of all the topics related to a specific problem. Hence, it highlights and aims at abstract re ...
) to
security Security is protection from, or resilience against, potential harm (or other unwanted coercive change) caused by others, by restraining the freedom of others to act. Beneficiaries (technically referents) of security may be of persons and social ...
.


Development of the concept

The general concept of Model-driven security in its earliest forms has been around since the late 1990s (mostly in university research), and was first commercialized around 2002. There is also a body of later scientific research in this area, which continues to this day. A more specific definition of Model-driven security specifically applies model-driven approaches to automatically generate technical security implementations from security requirements models. In particular, "Model driven security (MDS) is the tool supported process of modelling security requirements at a high level of abstraction, and using other information sources available about the system (produced by other stakeholders). These inputs, which are expressed in Domain Specific Languages (DSL), are then transformed into enforceable security rules with as little human intervention as possible. MDS explicitly also includes the run-time security management (e.g. entitlements/authorisations), i.e. run-time enforcement of the policy on the protected IT systems, dynamic policy updates and the monitoring of policy violations." Model-driven security is also well-suited for automated auditing, reporting, documenting, and analysis (e.g. for compliance and accreditation), because the relationships between models and technical security implementations are traceably defined through the model-transformations.


Opinions of industry analysts

Several industry analyst sources state that MDS "will have a significant impact as information security infrastructure is required to become increasingly real-time, automated and adaptive to changes in the organisation and its environment". Many information technology architectures today are built to support adaptive changes (e.g. Service Oriented Architectures (SOA) and so-called Platform-as-a-Service "mashups" in cloud computing), and information security infrastructure will need to support that adaptivity ("agility"). The term DevOpsSec (see
DevOps DevOps is a set of practices that combines software development (''Dev'') and IT operations (''Ops''). It aims to shorten the systems development life cycle and provide continuous delivery with high software quality. DevOps is complementary to a ...
) is used by some analysts equivalent to model-driven security.


Effects of MDS

Because MDS automates the generation and re-generation of technical security enforcement from generic models, it: * enables SOA agility * reduces complexity (and SOA security complexity) * increases policy flexibility * supports rich application security policies * supports workflow context sensitive security policies * can auto-generate SOA infrastructure security policies * supports reuse between SOA stakeholders * minimises human errors * can auto-generate domain boundary security policies * helps enable SOA assurance accreditation (covered in ObjectSecurity’s MDSA eBook)


Implementations of MDS

Apart from academic proof-of-concept developments, the only commercially available full implementations of model-driven security (for authorization management policy automation) include ObjectSecurity OpenPMF, which earned a listing in Gartner's "Cool Vendor" report in 2008 and has been advocated by a number of organizations (e.g. U.S. Navy Press Release – ObjectSecurity and Promia implement XML security features for next-generation US military security technology, April 2010) as a means to make authorization policy management easier and more automated.


See also

*
Model-driven architecture Model Driven Architecture (MDA) is a software design approach for the development of software systems. It provides a set of guidelines for the structuring of specifications, which are expressed as models. Model Driven Architecture is a kind of doma ...
* Data-driven security *
Authorization Authorization or authorisation (see spelling differences) is the function of specifying access rights/privileges to resources, which is related to general information security and computer security, and to access control in particular. More for ...
*
Attribute based access control Attribute-based access control (ABAC), also known as policy-based access control for IAM, defines an access control paradigm whereby a subject's authorization to perform a set of operations is determined by evaluating attributes associated with the ...
*
XACML XACML stands for "eXtensible Access Control Markup Language". The standard defines a declarative fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests a ...
*
Role-based access control In computer systems security, role-based access control (RBAC) or role-based security is an approach to restricting system access to authorized users. It is an approach to implement mandatory access control (MAC) or discretionary access control ( ...
*
Mandatory access control In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system or database constrains the ability of a ''subject'' or ''initiator'' to access or generally perform some sort of operation on a ...
*
Discretionary access control In computer security, discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria (TCSEC) as a means of restricting access to objects based on the identity of subjects and/or groups to w ...


References

{{reflist Computer security