Thursday 6 September 2007

Gartner Hype Cycle for Information Security 2007

Gartner has just released their new Hype Cycle for Information Security 2007, and model driven security is on it. ObjectSecurity's OpenPMF 2.0 (www.openpmf.com) has been identified as aleading product in this emerging area.

This shows that Gartner believes that model driven security is a critical technology approach to simplify enterprise security.

We believe that model driven security plays an important role for securing middleware environments, especially where model driven engineering (or MDA) is used (see www.securemda.com).

This blog is a public forum and we are welcoming any views on this.

Friday 27 July 2007

Related blogs

There are some related blogs:

www.trustedsoa.org
www.modeldrivensecurity.org

ZDnet discussion

There is a related discussion about middleware security and central security management at:

http://talkback.zdnet.com/5208-12408-0.html?forumID=1&threadID=27594&messageID=674416&start=-9996

Middleware definition

For now, the term will be used for software that resides between an application and the inner workings of the system hosting the application, and that abstracts the complexities of the underlying technology from the application layer. In particular, middleware automatically handles all communications related to invocations between client and target applications, and supports application portability, mechanism flexibility, interoperability, and scalability.
(http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-564.pdf)

Middleware security - setting the scene

This blog is about the issues, benefits, opportunities etc. of middleware security. We assume for now that middleware is software such as Web services, CORBA/CCM, JavaEE, OSGi and others (please extend the scope of this blog as needed).

Security for middleware in largeer IT environments is often important because confidential information is sent around between users and applications. The main security issues are (in our opinion):

1. security mechanisms for message protection, client/target authentication, token transfer etc. (this is the easy bit, see CORBAsec as an example)

2. central security management

2.1. identity management: federated identity management has been proposed and is being used (this is the easier half of security management)
2.2. access management: solutions such as http://www.openpmf.com/ are available (please post other products in the comments and I will weave them in). Simplifying the management complexity is one of the main issues here.

2.3. central compliance monitoring

3. non-repudiation: this is a big questionmark I think

4. accreditation: how to accredit a middleware based system (e.g. common criteria) if you don't know the deployment scenario?

I'm sure there is more, please comment.

Thursday 26 July 2007

Secure middleware or SecureMiddleware

Hello!

Are you looking for SecureMiddleware, the secure CORBA Component Model implementation? If so, please visit:

www.securemiddleware.com

Otherwise, please stay tuned for the discussion. Postings by anyone are welcome, this is intended as an open forum.