ObjectSecurity, an information security leader and the company driving model-driven security policy automation globally, today announced that a second of its core patent applications has been allowed by the USPTO. This is one of a series of ObjectSecurity patent applications that cover OpenPMF's core inventions. Please contact ObjectSecurity if you are interested in licensing the intellectual property.

The patent application "Method and system for managing security policies" pertains to model-driven security: automatically generating machine-enforceable security policy rules from high-level security policy models. This invention, and its implementation in OpenPMF, is well suited to making rich access control policies (e.g. Attribute-Based Access Control, ABAC; OASIS eXtensible Access Control Markup Language, XACML) more manageable, consistent and robust in interconnected, agile IT landscapes (e.g. SOA, the industrial internet of things, etc.). OpenPMF can support very complex security policies.

Model-driven security (MDS) [1] means applying model-driven approaches (and especially the concepts behind model-driven software development) to security. The general concept of model-driven security in its earliest forms has been around since the late 1990s (mostly in university research), and was first commercialized around 2002. There is also a body of later scientific research in this area, which continues to this day.

A more specific definition of model-driven security applies model-driven approaches to automatically generate technical security implementations from security requirements models. In particular, "Model driven security (MDS) is the tool supported process of modelling security requirements at a high level of abstraction, and using other information sources available about the system (produced by other stakeholders). These inputs, which are expressed in Domain Specific Languages (DSL), are then transformed into enforceable security rules with as little human intervention as possible. MDS explicitly also includes the run-time security management (e.g. entitlements/authorisations), i.e. run-time enforcement of the policy on the protected IT systems, dynamic policy updates and the monitoring of policy violations."

Model-driven security is also well suited to automated auditing, reporting, documenting and analysis (e.g. for compliance and accreditation), because the relationships between models and technical security implementations are traceably defined through the model transformations: every generated rule, and every run-time decision it produces, can be traced back to the model element it came from.
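To make the pipeline described above concrete, here is an added, self-contained illustration of the MDS idea in Python. It is not OpenPMF code and not the patented method; the small policy DSL, the constraint vocabulary (`same_department`), the sample policy elements and the deny-overrides combining logic are all constructed for this example. It shows the three stages the definition names: a high-level model in a DSL, a transformation into machine-enforceable attribute rules, and a run-time policy decision point that enforces them, supports policy replacement, and records which model element produced each decision so that violations can be audited and traced back to the model.

```python
# Added example (hypothetical; not OpenPMF's model language, rules or APIs).
# Stage 1: a high-level policy model in a small constructed DSL.
# Stage 2: a model transformation that turns each element into enforceable predicates.
# Stage 3: a run-time policy decision point (PDP) that enforces the generated rules,
#          accepts dynamic policy updates and logs violations with model traceability.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, str]
Predicate = Callable[[Attrs, str, Attrs], bool]  # (subject, action, resource) -> bool

# Stage 1: constructed sample model. Attribute names and values are invented for the example.
POLICY_MODEL: List[dict] = [
    {"name": "clinician-reads-own-department", "effect": "permit",
     "subject": {"role": "clinician"}, "action": "read",
     "resource": {"type": "patient_record"}, "constraint": "same_department"},
    {"name": "admin-deletes-records", "effect": "permit",
     "subject": {"role": "records_admin"}, "action": "delete",
     "resource": {"type": "patient_record"}},
    {"name": "no-delete-while-on-legal-hold", "effect": "deny",
     "subject": {}, "action": "delete",
     "resource": {"type": "patient_record", "legal_hold": "true"}},
]

# Constraint vocabulary of the DSL: each keyword maps to an attribute-comparison predicate.
CONSTRAINTS: Dict[str, Predicate] = {
    "same_department": lambda s, a, r: s.get("department") == r.get("department"),
}


@dataclass(frozen=True)
class Rule:
    """A machine-enforceable rule: the rule matches when every predicate holds."""
    name: str          # name of the model element this rule was generated from (traceability)
    effect: str        # "permit" or "deny"
    predicates: Tuple[Predicate, ...]


def _attr_match(expected: Attrs, side: str) -> Predicate:
    """Predicate requiring every expected attribute to be present with the given value."""
    def pred(subject: Attrs, action: str, resource: Attrs) -> bool:
        actual = subject if side == "subject" else resource
        return all(actual.get(k) == v for k, v in expected.items())
    return pred


def transform(model: List[dict]) -> List[Rule]:
    """Stage 2: model transformation. Unknown constraints are rejected at generation
    time, so a malformed model never becomes a silently permissive rule set."""
    rules: List[Rule] = []
    for elem in model:
        preds: List[Predicate] = [
            _attr_match(elem.get("subject", {}), "subject"),
            lambda s, a, r, want=elem["action"]: a == want,
            _attr_match(elem.get("resource", {}), "resource"),
        ]
        if "constraint" in elem:
            if elem["constraint"] not in CONSTRAINTS:
                raise ValueError(f"unknown constraint in model element {elem['name']!r}")
            preds.append(CONSTRAINTS[elem["constraint"]])
        rules.append(Rule(elem["name"], elem["effect"], tuple(preds)))
    return rules


class PolicyDecisionPoint:
    """Stage 3: deny-overrides combining. Any matching deny rule wins; otherwise the first
    matching permit; otherwise deny by default. Every decision is written to an audit log
    together with the name of the model element that decided it."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.audit_log: List[dict] = []

    def update_policy(self, model: List[dict]) -> None:
        """Dynamic policy update: regenerate rules from a changed model, atomically."""
        self.rules = transform(model)

    def decide(self, subject: Attrs, action: str, resource: Attrs) -> str:
        matched = [r for r in self.rules if all(p(subject, action, resource) for p in r.predicates)]
        denies = [r for r in matched if r.effect == "deny"]
        permits = [r for r in matched if r.effect == "permit"]
        if denies:
            decision, basis = "deny", denies[0].name
        elif permits:
            decision, basis = "permit", permits[0].name
        else:
            decision, basis = "deny", "default-deny"
        self.audit_log.append({"subject": subject, "action": action, "resource": resource,
                               "decision": decision, "rule": basis})
        return decision

    def violations(self) -> List[dict]:
        """Monitoring: denied requests, each traceable to the model element (or default)."""
        return [e for e in self.audit_log if e["decision"] == "deny"]


if __name__ == "__main__":
    pdp = PolicyDecisionPoint(transform(POLICY_MODEL))
    print(pdp.decide({"role": "clinician", "department": "oncology"}, "read",
                     {"type": "patient_record", "department": "oncology"}))
    print(pdp.decide({"role": "records_admin"}, "delete",
                     {"type": "patient_record", "legal_hold": "true"}))
    print(pdp.violations())
```

The point of the example is the separation of concerns: the model only states intent ("clinicians read records of their own department"), the transformation owns the mapping to attribute predicates, and the PDP only evaluates generated rules. Changing the policy means editing the model and calling `update_policy`, not hand-editing enforcement code, and the audit log ties each decision back to a named model element, which is what makes compliance reporting from the model feasible.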