
Abstract

There is evidence that many IT security vulnerabilities are caused by incorrect security policies and configurations (i.e. human errors) rather than by inherent weaknesses in the attacked IT systems. Security administrators need to have an in-depth understanding of the security features and vulnerabilities of a multitude of ever-changing and different IT “silos”. Moreover, in complex, large, networked IT environments such policies quickly become confusing and error-prone because administrators cannot specify and maintain the correct policy anymore. Agile service oriented architecture (SOA) style environments further complicate this scenario for a number of reasons, including: security policies may need to be reconfigured whenever the IT infrastructure gets re-orchestrated; security at the business process management layer is at a different semantic level than in the infrastructure; semantic mappings between the layers and well-adopted standardised notations are not available. This paper explores how the concepts of security policy management at a high, more intuitive (graphical) level of abstraction and model-driven security (tied in with model driven software engineering) can be used for more effective and simplified security management/enforcement for the agile IT environments that organisations are faced with today. In this paper, we illustrate in SecureMDA™ how model driven security can be applied to automatically generate security policies from abstract models. Using this approach, human errors are minimised and policy updates can be automatically generated whenever the underlying infrastructure gets re-orchestrated, updated etc. The generated security policies are consistent across the entire distributed environment using the OpenPMF policy management framework. This approach is better than having administrators go from IT system to IT system and change policies for many reasons (including security, cost, effort, error-proneness, and consistency). 
The paper also outlines why meta-modelling and a flexible enforcement plug-in model are useful concepts for security model flexibility.




Copyright information

© 2007 Friedr. Vieweg & Sohn Verlag | GWV Fachverlage GmbH, Wiesbaden

About this chapter

Cite this chapter

Lang, U., Schreiner, R. (2007). Model Driven Security for Agile SOA-Style Environments. In: ISSE/SECURE 2007 Securing Electronic Business Processes. Vieweg. https://doi.org/10.1007/978-3-8348-9418-2_16


  • DOI: https://doi.org/10.1007/978-3-8348-9418-2_16

  • Publisher Name: Vieweg

  • Print ISBN: 978-3-8348-0346-7

  • Online ISBN: 978-3-8348-9418-2

  • eBook Packages: Computer Science, Computer Science (R0)
