Today’s information age would have felt like something out of a sci-fi movie to someone 20 years ago. More data has been created in the past two years than in the entire previous history of the human race.

1.7MB of data is created for every human per second. Within 4 years, we will have generated 44 trillion gigabytes of data, and will have 50 billion smart connected devices. Most of that data is managed by enterprises and governments; for example, a third of all data will pass through the cloud. Every angle of daily life for citizens, enterprises, and governments is touched by IT. With that progress comes a great need to control access to data and IT systems. We rely ever more critically on IT working as expected and on data being protected. Our physical safety, our health and well-being, our economy and business success, our national security and defense, and much more depend on it.

Conventional cybersecurity – not good enough anymore.

Unfortunately, today’s cybersecurity is simply not good enough to protect us, and our data and systems, from attack. This is shown by many high-profile hacks in recent times across pretty much all industries. Because security is not good enough, many organizations cannot fully leverage the benefits of IT automation, and cannot protect themselves well against breaches of their increasingly large and interconnected IT landscapes. Incremental progress in the cybersecurity industry is not nearly fast enough to protect users and organizations from attack. To really ‘move the needle forward’, we need to change how we do security today.

Technical policy management – many challenges.

Security Policy Management is hard.

One of the key problems for enterprises (and governments) today is that it is difficult to figure out and manage security requirements. Once these so-called “enterprise security policies” are figured out, it is even harder to technically implement them so they actually protect today’s complex, interconnected IT landscapes. There is a large gap between how human security professionals think about security policies, and how technical systems implement them. This is especially true for access control policies, which lie at the heart of cybersecurity. When securing your organization, including both users and your interconnected IT systems, are you going to manually configure & maintain all security rules and configurations everywhere?

Who can write the matching technical policy rules?

In particular, it is hard to manage and implement access control that gives everyone (and every device) the access they need but no more, because this requires many complex, dynamic access rules. Historically, it has been terribly painful or just plain unmanageable. Where does the policy come from? Who can write the matching technical policy rules? Who can maintain them despite dynamic changes? Who can verify policy correctness and compliance? There are too many overlapping rules and configurations in too many places, and too many changes to do this manually.

Also, the security policies you actually want are too complex to maintain manually across many systems, and the individual systems often do not even support implementing the policy you wanted. For example, user identities, roles and privileges need to be configured and maintained with Identity & Access Management (IAM) systems. Additionally, firewall rulesets and other network equipment, operating system security, database security, application security, web security etc. all need to be configured and secured in their own right.

What’s needed: Policies for humans, and policy automation.

Humans intuitively “think policy” differently.

Access control needs to be human-manageable and adaptive, meaning decisions are based on dynamically changing context. Humans think of security policies in a few concepts that are non-technical, concise, general, and rich. Machines, on the other hand, are good at processing the opposite: many detailed, specific technical rules and configurations.

At the core of the problem is that humans intuitively “think policy” differently. When you abstract away the underlying technical complexities, the policy that you wanted usually isn’t all that complex or long if you author it in human-intuitive concepts and terms. Humans are usually better at expressing policies in intuitive, “undistorted”, non-technical concepts, in general concepts, and in rich concepts (rather than in detailed technical terms). Policies get much simpler for humans this way.

How humans do policies:

Non-technical, concise concepts
Few policy rules
Imprecise
General concepts
Rich concepts

How machines do policies:

Technical
Many rules in many places
Precise
Many details
Specific, often simple concepts

The need for security policy automation.

So what’s the solution? Wouldn’t it be logical to use an automated tool to bridge the gap between human-manageable, intuitive policies and the matching detailed technical rules and configurations? This would allow security administrators to author policies in very generic terms. The tool should then automatically fill in the technical details, and enforce the policy. For example, administrators should be able to author policies such as:

“only allow a selection of the detected information flows and block everything else”

“all analysts can access all data about any suspect they are tasked to investigate, and about all other suspects that are within 3 hops social proximity of that suspect”.

Such a “security policy automation” solution needs to automatically bridge the gap between such human-understandable, intuitive policies and the matching detailed technical rules and configurations. It should automatically generate enforceable technical rules and configurations (esp. for access control policies). It should also automatically test policies, produce documentation, and monitor security activity. How would such a tool achieve security policy automation? By importing existing information sources, and using them to fill in the technical details. For example, it could import information about users, roles, applications, systems, networks, network traffic, and much more.
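To make the idea concrete, here is a small illustration of the “3 hops social proximity” policy above being compiled into technical rules. It is an added example written for this article, not OpenPMF code: the data model (a table of analyst taskings and an undirected social graph between suspects) is assumed, and the sample data is constructed. The human-level rule is written once; the detailed allow-list is generated from the imported information, enforcement consults only the generated list with default deny, and a separate check verifies that the generated rules still match the policy (the “automatically test policies” step).

```python
"""Compile a human-level access policy into concrete technical rules from
imported system information. Constructed example for this article; not
OpenPMF code. Data model and sample data are assumed/constructed."""
from collections import deque

# Constructed "imported" data: which suspects each analyst is tasked with,
# and an undirected social graph between suspects (adjacency sets).
TASKINGS = {
    "alice": {"s1"},
    "bob": {"s7"},
}
SOCIAL_GRAPH = {
    "s1": {"s2"},
    "s2": {"s1", "s3"},
    "s3": {"s2", "s4"},
    "s4": {"s3", "s5"},
    "s5": {"s4"},          # s5 is 4 hops from s1: outside the policy radius
    "s7": set(),
    "s8": {"s9"},
    "s9": {"s8"},
}


def within_hops(graph, start, max_hops):
    """Breadth-first search: every node reachable in at most max_hops edges,
    including the start node itself (0 hops)."""
    distance = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if distance[node] == max_hops:
            continue  # do not expand beyond the policy radius
        for nxt in graph.get(node, ()):
            if nxt not in distance:
                distance[nxt] = distance[node] + 1
                queue.append(nxt)
    return set(distance)


def compile_policy(taskings, graph, max_hops=3):
    """The human-level rule, evaluated against imported data, becomes an
    explicit allow-list {analyst: {suspect, ...}}. Anything absent from the
    list is denied, so the generated rules are the whole technical policy."""
    rules = {}
    for analyst, tasked in taskings.items():
        allowed = set()
        for suspect in tasked:
            allowed |= within_hops(graph, suspect, max_hops)
        rules[analyst] = allowed
    return rules


def is_allowed(rules, analyst, suspect):
    """Enforcement point: consult only the generated rules; default deny."""
    return suspect in rules.get(analyst, set())


def verify_rules(rules, taskings, graph, max_hops=3):
    """Automated policy test: every tasked suspect must be allowed, and every
    allowed suspect must be justified by a tasked suspect within max_hops.
    Returns a list of violations (empty means the rules match the policy)."""
    violations = []
    for analyst, allowed in rules.items():
        tasked = taskings.get(analyst, set())
        for s in sorted(tasked):
            if s not in allowed:
                violations.append(f"{analyst} missing tasked suspect {s}")
        for s in sorted(allowed):
            if not any(s in within_hops(graph, t, max_hops) for t in tasked):
                violations.append(f"{analyst} over-permitted on {s}")
    return violations


if __name__ == "__main__":
    generated = compile_policy(TASKINGS, SOCIAL_GRAPH)
    for name, allowed in sorted(generated.items()):
        print(name, sorted(allowed))
    print("violations:", verify_rules(generated, TASKINGS, SOCIAL_GRAPH))
```

When the imported data changes (a new tasking, a new edge in the social graph), re-running compile_policy regenerates the rules without anyone touching the policy text, which is the adaptive behaviour the section asks for; verify_rules would also flag a hand-edited rule that grants access the policy does not justify.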

OpenPMF Security Policy Automation

ObjectSecurity OpenPMF security policy automation helps you achieve such powerful security policy implementation. OpenPMF is the “umbrella” for IT access control management. It allows organizations to implement powerful access policies with organization-wide consistency in a way that is easy to implement, manage, and audit. It reduces risk and costs, improves security, improves compliance, and enables smarter organizations.

OpenPMF automatically bridges the semantic gap between human-intuitive, generic security policies and their technical implementation. Author rich, generic, advanced policies; OpenPMF automatically calculates the matching technical rules & configurations.