ObjectSecurity FAQ


OpenPMF centrally stores policy models that are automatically turned into technical access control and audit rules, which are then consistently enforced for all applications which are protected by an OpenPMF policy enforcement point (PEP).

Yes. See Supported Technologies for details. We can also extend OpenPMF to enforce security policies for any other technologies you need covered.

  1. Save time and money: Security professionals focus on security without needing to be application experts, and application professionals focus on the application without needing to be security experts. OpenPMF automatically generates and updates the application security policies for them. Security and development stay separated, but are linked through OpenPMF’s policy automation.
  2. Adopt security easily and flexibly: OpenPMF ties into application development and runtime tools, with multiple licensing alternatives and gradual adoption options available. Developers do not need to be trained as security experts; all they need to do is push a button to generate the policies automatically.
  3. Align business and security, improve proactive security and agility: OpenPMF removes security silos (even with legacy technology). OpenPMF also includes comprehensive, fine-grained security monitoring and auditing.

SOA is often designed with dynamic change (agility) and reuse in mind, and is often built from web applications. OpenPMF automates policy generation, enforcement and update for such application landscapes so that the technical security enforcement rules are regenerated automatically whenever the interactions between web applications change. Without OpenPMF, security administrators would need to update the technical enforcement rules by hand every time the application landscape changes.

See Supported Technologies. OpenPMF supports more technologies than any other authorization management product on the market.

OpenPMF policies can either be default security policy model templates or tailor-made security policy models. Default policy model templates include policies such as “only allow the interactions the application developer has programmed; deny and log everything else”, or “only allow access to SOA services in the sequence defined by the BPM workflow that orchestrates the SOA”. Tailor-made security policy models capture aspects of compliance regulations and enterprise security policies, e.g. “doctors are only allowed to access their current patients’ health records; if anything else is accessed, access is not denied, but an audit log entry is generated”.

  1. Configure intuitive business security requirements
  2. Generate matching technical security policies automatically
  3. Enforce technical security policies transparently
  4. Audit technical security policies transparently
  5. Update technical security policies automatically

OpenPMF is a whitelisting technology, i.e. it explicitly allows known-good accesses and denies everything else. This approach is more reliable than blacklisting, which explicitly blocks known-bad accesses but allows everything else. With conventional methods, whitelisting is hard because many rules have to be written by hand; OpenPMF solves that challenge with its policy automation approach. Note that a whitelist is only as strong as its completeness and its source: an allow list generated from the interactions the developers programmed guarantees that nothing outside those interactions is permitted, but it does not by itself judge whether every programmed interaction should be allowed to every subject. That is the job of the tailored policy models, which are layered on top of the generated whitelist.

OpenPMF mainly focuses on application security policies for access control and auditing. This is called “authorization management”, and is a critical part of today’s application security strategy.

Industry analyses commonly attribute the majority of security break-ins (a figure of over 70% is often cited) to the application layer rather than the network layer. To ensure that enterprise security policies and regulations are adequately addressed on the application layer, matching fine-grained access policies need to be enforced reliably and consistently, and at low cost and low maintenance. Without application-layer access control and auditing, enterprises would leave the most important layer of their IT landscape unprotected.

Without OpenPMF, creating many fine-grained technical security rules (especially for access control and auditing) is too costly, cumbersome and error-prone. Even worse, updating many fine-grained technical security rules by hand whenever the application landscape changes leads to a maintenance cost explosion. OpenPMF automates much of the policy creation and reduces the update maintenance cost to close to zero.

OpenPMF’s policies are captured in generic terms (so-called “models”), rather than in technical security rules. This way, OpenPMF policies typically do not have to change when the application landscape (e.g. web application interactions) changes. OpenPMF automatically generates the technical security enforcement rules from those models by automatically analyzing the applications with all their interactions, and inferring which rules are required to enforce the requirements defined in the models.

This approach is called “model-driven security”. It applies some of the concepts from model-driven software development to security. OpenPMF’s patent-pending model-driven security feature ensures policies are manageable even if IT landscapes are large and change dynamically. Its automation also improves the correctness of the enforced security (in comparison to manual specification and continuous updating of technical rules). The result is a significant cost saving, esp. with respect to maintenance.
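To make the distinction between a policy model and a generated technical rule concrete, here is an added example in Python. It is illustrative code written for this page, not OpenPMF’s own software, and the service, operation and role names (portal, patient-svc, lab-svc, doctor and so on) are hypothetical. It compiles the two policy models quoted in the earlier answer on policy types (the “only allow what the developers programmed; deny and log everything else” template and the tailored “doctors and their current patients” audit-only rule) into technical rules from a constructed list of application interactions, enforces them with default-deny whitelist semantics, and then regenerates the rules after the application landscape changes while the models stay untouched, which is the five-step process described above in miniature.

```python
# Added example, not OpenPMF's code: a toy model-driven policy pipeline.
# Service, operation and role names are hypothetical.
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Set, Tuple

Interaction = Tuple[str, str, str]   # (caller, service, operation)

# Constructed application landscape: the interactions the developers actually
# programmed, as a build-time analysis or deployment descriptor would report.
INTERACTIONS_V1: Set[Interaction] = {
    ("portal", "patient-svc", "read_record"),
    ("portal", "billing-svc", "create_invoice"),
}
# Later release: the portal starts calling a new lab service. The policy
# models below do not change; only the generated rules do.
INTERACTIONS_V2: Set[Interaction] = INTERACTIONS_V1 | {
    ("portal", "lab-svc", "order_test"),
}


@dataclass(frozen=True)
class Request:
    """One access request as seen by the policy enforcement point (PEP)."""
    caller: str
    service: str
    operation: str
    role: str = ""                                # e.g. "doctor"
    patient: str = ""                             # owner of the record touched
    current_patients: FrozenSet[str] = frozenset()


@dataclass
class Rule:
    """A technical enforcement rule generated from a policy model."""
    effect: str                                   # "allow" or "audit"
    matches: Callable[[Request], bool]
    origin: str                                   # which model produced it


def generate_rules(interactions: Set[Interaction]) -> List[Rule]:
    """Compile the generic policy models against the current landscape.

    Model A (default template): "only allow the interactions the developers
    programmed; deny and log everything else" -> one allow rule per
    discovered interaction; the deny is the PEP's default (whitelisting).
    Model B (tailored): "doctors may only read their current patients'
    records; anything else is not denied but written to the audit log".
    """
    rules: List[Rule] = [
        Rule("allow",
             lambda r, i=i: (r.caller, r.service, r.operation) == i,
             "programmed:" + "/".join(i))
        for i in sorted(interactions)
    ]
    rules.append(Rule(
        "audit",
        lambda r: (r.service == "patient-svc" and r.operation == "read_record"
                   and r.role == "doctor"
                   and r.patient not in r.current_patients),
        "tailored:doctor-current-patients-only",
    ))
    return rules


def enforce(req: Request, rules: List[Rule]) -> Tuple[str, List[str]]:
    """PEP with whitelist semantics: anything not explicitly allowed is denied
    and logged; audit-only rules add log entries without blocking."""
    log: List[str] = []
    allowed = False
    target = f"{req.caller}->{req.service}.{req.operation}"
    for rule in rules:
        if not rule.matches(req):
            continue
        if rule.effect == "allow":
            allowed = True
        else:                                     # audit-only: record, do not block
            log.append(f"AUDIT {rule.origin}: {target} patient={req.patient}")
    if not allowed:
        log.append(f"DENY default-deny: {target}")
        return "deny", log
    return "allow", log


if __name__ == "__main__":
    dr = dict(role="doctor", current_patients=frozenset({"p1"}))
    v1 = generate_rules(INTERACTIONS_V1)
    print(enforce(Request("portal", "patient-svc", "read_record", patient="p1", **dr), v1))
    print(enforce(Request("portal", "patient-svc", "read_record", patient="p9", **dr), v1))
    print(enforce(Request("portal", "lab-svc", "order_test"), v1))   # not programmed yet: denied
    print(enforce(Request("portal", "lab-svc", "order_test"), generate_rules(INTERACTIONS_V2)))
```

The point to notice is which artefact changes when the landscape changes: INTERACTIONS_V1 becomes INTERACTIONS_V2, generate_rules is re-run, and the new lab-svc call is permitted, while the two models inside generate_rules are untouched. A real product would read the interactions from the applications and express the models in a policy language rather than in Python lambdas, but the separation of concerns is the same.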

Unlike any other application security policy management product on the market, OpenPMF offers automatic technical policy generation and update from intuitive business security requirements (even for agile SOA, Cloud and virtualization application platforms). Other products and approaches do not offer this level of automation, which means developers and security administrators need to define technical security policy rules manually and update them whenever the IT landscape changes. The result is a maintenance cost explosion. OpenPMF’s policy automation reduces the maintenance cost to close to zero!