Enterprise Architecture Practitioners Conference, The Open Group
  Rudolf Schreiner, CTO, ObjectSecurity Ltd., UK  


   
 

Presentation

Integration of Security into Enterprise Architecture Frameworks: Practical Experiences

Protecting security-sensitive, large-scale systems is difficult and error-prone. For example, as we have learned in previous projects, it is impossible to manually define correct fine-grained access control and information filtering rules in complex and agile systems. Human administrators are not able to fully understand all the business and infrastructure interactions in the system. Therefore, in most cases only very coarse-grained protection is applied, e.g. Virtual Private Networks and firewalls.

Using a System Wide Information Management (SWIM) prototype as a case study, we present our practical experiences in the seamless integration of security into Enterprise Architecture Frameworks (EAF) and Model Driven Engineering (MDE) tools and processes.
In our approach, called Model Driven Security, a high-level security policy is added as an additional view to the EA model. From this security view and the other standard views of the EA model, the fine-grained security configuration, e.g. a large number of access control rules and configurations for encryption and auditing, is automatically generated. This ensures that the security enforcement is always in line with both the high-level security policy and the functional behaviour of the system in a concrete deployment.

Our results showed that a seamless integration of security into EAF is most beneficial and greatly improves the development of secure distributed systems.
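The generation step described above can be sketched as follows. This is an added example, not ObjectSecurity's tooling or code from the presentation; the model format, the service and node names, and the three policy statements are assumptions constructed for illustration.

```python
from collections import namedtuple

# Constructed functional view: who calls which operation, and what data it carries.
Interaction = namedtuple("Interaction", "caller target operation data_class")
INTERACTIONS = [
    Interaction("FlightPlanner", "WeatherService", "getForecast", "public"),
    Interaction("FlightPlanner", "FlightDataService", "submitPlan", "restricted"),
    Interaction("TowerDisplay", "FlightDataService", "readPlan", "restricted"),
]
# Constructed security view: a few high-level statements (hypothetical format).
POLICY = {"default": "deny", "encrypt_between_nodes": {"restricted"},
          "audit": {"restricted"}}
# Two constructed deployment views of the same functional model.
DEPLOY_A = {"FlightPlanner": "node-a", "WeatherService": "node-b",
            "FlightDataService": "node-b", "TowerDisplay": "node-b"}
DEPLOY_B = dict(DEPLOY_A, TowerDisplay="node-c")

def generate_rules(interactions, deployment, policy):
    """Return {node: [rule, ...]}, enforced at the node hosting the target."""
    rules = {node: [] for node in deployment.values()}
    for i in interactions:
        src, dst = deployment[i.caller], deployment[i.target]
        rules[dst].append({
            "effect": "allow",
            "caller": i.caller, "caller_node": src,
            "target": i.target, "operation": i.operation,
            # Encryption depends on both the policy and the concrete deployment.
            "encrypt": src != dst and i.data_class in policy["encrypt_between_nodes"],
            "audit": i.data_class in policy["audit"],
        })
    for node_rules in rules.values():
        # Anything not present in the functional model falls to the default.
        node_rules.append({"effect": policy["default"], "caller": "*", "operation": "*"})
    return rules

def is_allowed(rules, node, caller, target, operation):
    """First matching rule wins; the catch-all default is always last."""
    for r in rules.get(node, []):
        if (r["caller"] in (caller, "*") and r["operation"] in (operation, "*")
                and r.get("target", target) == target):
            return r["effect"] == "allow"
    return False

def find_rule(rules, node, operation):
    return next(r for r in rules[node] if r["operation"] == operation)
```

Regenerating with `DEPLOY_B` instead of `DEPLOY_A` turns on encryption for `readPlan` without any change to the policy, because the caller now sits on a different node.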
