The Next Big Thing
Posts about next generation technologies and their effect on business.

Security Modeling for Managers

At its March meeting, the Object Management Group (OMG) issued a Request for Information (RFI) for Business Security and Authorization Policy Modeling. Security, and particularly authorization management, has become increasingly complex. With Service Oriented Architecture (SOA), the number of access points to applications is expanding, access to shared services crosses organizational boundaries, and the community of potential users is also expanding as companies work to optimize performance and control. In addition, government regulations are making managers personally responsible for accountability and control.

Current security mechanisms tend to be in the hands of security gurus. Policies, rules and authorizations are expressed in technical languages such as SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language). As a practical matter, it is nearly impossible for managers to specify these controls, let alone understand and validate them.

The goal of the RFI from OMG is to gather an industry perspective on the needs of users and the products or techniques that are currently available. These insights will potentially be used to develop an RFP (Request for Proposals) for development of standard modeling specifications. Standards will enable models to be specified independent of the multiplicity of security implementation products, and will enable models to be exchanged between modeling tools.

For example, Role Based Access Control (RBAC) has gained considerable attention. It allows the separation of resource access specifications from the identification of persons authorized for access. Managers of resources can specify the authorizations associated with roles. Managers of people can specify the people who perform in those roles. Current products implement such techniques, but the specifications require technical specialists. A modeling environment might express these specifications in a form more meaningful to managers, and it might provide analytical reports for review and to identify inconsistencies.
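As an added illustration (example code, not from the original post or from OMG): a minimal RBAC model in which resource managers and people managers each own one specification, together with the kind of consistency report the paragraph says a modeling tool could produce. The role, user and resource names are constructed for the example.

```python
# Added example (not part of the original post): a minimal RBAC model that
# keeps the two specifications the post describes separate, plus the kind
# of consistency report a modeling tool could produce. All names are constructed.

# Specification 1, owned by resource managers: what each role may do.
ROLE_PERMISSIONS = {
    "claims_clerk": {("claim", "read"), ("claim", "create")},
    "claims_adjuster": {("claim", "read"), ("claim", "approve")},
    "auditor": {("claim", "read"), ("audit_log", "read")},
    "legacy_role": set(),  # still defined, no longer assigned to anyone
}

# Specification 2, owned by people managers: who performs in which roles.
USER_ROLES = {
    "alice": {"claims_clerk"},
    "bob": {"claims_clerk", "claims_adjuster"},  # creates and approves claims
    "carol": {"auditor", "payments_manager"},    # references an undefined role
    "dave": set(),
}

# Separation-of-duty rule, stated at the role level rather than per person.
EXCLUSIVE_ROLES = [("claims_clerk", "claims_adjuster")]


def is_permitted(user, resource, action, role_permissions=ROLE_PERMISSIONS,
                 user_roles=USER_ROLES):
    """Access decision: granted if any role held by the user carries the action."""
    return any((resource, action) in role_permissions.get(role, set())
               for role in user_roles.get(user, set()))


def consistency_report(role_permissions, user_roles, exclusive_roles):
    """Review report for managers: inconsistencies between the two specifications."""
    assigned = {role for roles in user_roles.values() for role in roles}
    return {
        "undefined_roles": sorted(assigned - set(role_permissions)),
        "unused_roles": sorted(set(role_permissions) - assigned),
        "users_without_roles": sorted(u for u, rs in user_roles.items() if not rs),
        "separation_of_duty_violations": sorted(
            (u, a, b) for u, rs in user_roles.items()
            for a, b in exclusive_roles if a in rs and b in rs),
    }


if __name__ == "__main__":
    print(is_permitted("alice", "claim", "approve"))  # False: clerks cannot approve
    for finding, items in consistency_report(ROLE_PERMISSIONS, USER_ROLES,
                                             EXCLUSIVE_ROLES).items():
        print(f"{finding}: {items}")
```

Because the access decision reads only the role tables, a people manager can move a person between roles without touching any resource rule, and the report flags the cases (dangling, unused, conflicting roles) that the two independently maintained tables tend to drift into.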

The scope of the RFI is broader than RBAC in order to address other aspects of security that might be enhanced with modeling. Responses to the RFI are not restricted to OMG members.

About the Author(s)
  • Steve Simske is an HP Fellow and Director in the Printing and Content Delivery Lab in Hewlett-Packard Labs, and is the Director and Chief Technologist for the HP Labs Security Printing and Imaging program.