Managing business compliance using model-driven security management

Chapter in: ISSE 2008 Securing Electronic Business Processes

Abstract

Compliance with regulatory and governance standards is rapidly becoming one of the hot topics of information security today. This is because, especially with regulatory compliance, both business and government have to expect large financial and reputational losses if compliance cannot be ensured and demonstrated. One major difficulty of implementing such regulations is caused by the fact that they are captured at a high level of abstraction that is business-centric rather than IT-centric. This means that the abstract intent needs to be translated in a trustworthy, traceable way into compliance and security policies that the IT security infrastructure can enforce. Carrying out this mapping process manually is time-consuming, maintenance-intensive, costly, and error-prone. Compliance monitoring is also critical in order to be able to demonstrate compliance at any given point in time. The problem is further complicated by the need for business-driven IT agility, where IT policies and enforcement can change frequently, e.g. in a Business Process Modelling (BPM) driven Service Oriented Architecture (SOA). Model Driven Security (MDS) is an innovative technology approach that can solve these problems as an extension of identity and access management (IAM) and authorization management (also called entitlement management). In this paper we illustrate the theory behind Model Driven Security for compliance, provide an improved and extended architecture, and present a case study in the healthcare industry using our OpenPMF 2.0 technology.



Editor information

Norbert Pohlmann Helmut Reimer Wolfgang Schneider

Copyright information

© 2009 Vieweg+Teubner | GWV Fachverlage GmbH, Wiesbaden

About this chapter

Cite this chapter

Lang, U., Schreiner, R. (2009). Managing business compliance using model-driven security management. In: Pohlmann, N., Reimer, H., Schneider, W. (eds) ISSE 2008 Securing Electronic Business Processes. Vieweg+Teubner. https://doi.org/10.1007/978-3-8348-9283-6_24

  • DOI: https://doi.org/10.1007/978-3-8348-9283-6_24

  • Publisher Name: Vieweg+Teubner

  • Print ISBN: 978-3-8348-0660-4

  • Online ISBN: 978-3-8348-9283-6

  • eBook Packages: Computer Science (R0)
