Enterprises must continually adapt to changes that occur due to business, political, or technological challenges. These on demand businesses require integration of people, information, and processes in order to conduct business in real time. Meeting the requirements of such a dynamic environment requires leveraging business-to-business (B2B) partnerships and outsourced services by enabling enhanced integration between business processes. For example, supply chain integration of manufacturers and distributors requires deeper examination of sales forecasts, production scheduling, product configuration, and inventory management.
Recently, government requirements for accountability of business practices and information management have transformed security concerns from an isolated piece of the information technology (IT) puzzle into an important and far-reaching business issue that must be addressed. It is no longer sufficient to delegate responsibility to the IT organization alone. Doing so may lead to fragmented business and IT plans along with misallocation and inefficient use of already scarce technology resources.
To satisfy the new demands of a changing marketplace, the industry must adopt a fundamental change in the way application and system integration is accomplished. This change requires an infrastructure that supports loose coupling of intra- and inter-enterprise information among widely disparate application designs, operating systems, databases, and application programming interfaces (APIs). In order to efficiently integrate the varied set of applications and platforms that make up the information technology (IT) infrastructure of these enterprises, the enterprises are beginning to realize the value of a service-oriented architecture (SOA) and to refactor their applications into loosely coupled services. For an enterprise to be a secure on demand business, the enterprise infrastructure must be flexible and customizable to reflect new requirements and regulations. To provide such flexibility, the enterprise should not hardwire (permanently fix) its policies into the infrastructure, but instead allow the security model of the enterprise to be implemented through a policy-driven infrastructure. This is no simple task.
A step-wise approach to model, design, implement, deploy, and manage secure applications by using policies to reflect the business goals and to abide by constraints imposed through regulations (industry, federal, etc.), corporate security policies, and business trust relationships allows organizations to unlock the true value of IT security. We outline the importance of using a business-driven development methodology. (1) This methodology takes advantage of a business-process-modeling and Model Driven Architecture (MDA) (2,3) approach to separate the platform-independent model of the application architecture from the underlying implementation technology and platform. The value proposition of MDA is about enabling "automation and abstraction using open standards." (4) Additionally, a policy-driven approach to MDA acts as a powerful mechanism for management of security policies throughout the application life cycle.
We propose an approach to efficiently model, build, and manage secure enterprise applications in a dynamic environment. The process starts with the modeling of businesses by collecting business drivers and business requirements. The business model helps build an understanding of the business implications of application design and deployment decisions. This process encourages business analysts as well as security architects to formally explore the security aspects throughout the application life cycle. Business process modeling may be used to capture the information flow and process elements required for new applications. The business process model helps build an understanding of any additional tooling and deployment support that may be required to handle application development and management. Each enterprise and each application requires different amounts of involvement by analysts pertaining to its line of business and by architects and developers with respect to where security requirements enter the application life cycle.
Managing a secure on demand business is an ongoing learning experience. We start with an assumption that incorporating security planning into a company's overall corporate strategy and business process not only helps mitigate risks but also helps position an organization for long-term growth. Using a business-driven security-policy-management framework that starts with core business objectives allows businesses to identify suitable security mechanisms.
We begin with an overall discussion of the application life-cycle phases and a set of business roles. Individuals performing these roles perform the tasks within the life-cycle phases in order to accomplish the business goals. Then, each of the phases in the application life cycle is discussed in detail. The details for each phase include the positioning of the phase in the overall life cycle, the kind of inputs and outputs that are relevant to a tooling application in a given phase, the tools and technologies that are required to accomplish the approach, and any standardization that is necessary in relevant technical approaches. We use an example throughout that illustrates how a higher level business policy is transformed, implemented, enforced, managed, and monitored in the process.
APPLICATION LIFE CYCLE AND ROLES
To enable a business so that its processes and applications are flexible, one must start by expecting changes--both to process and application logic and to the policies associated with them. The concept of change must be part of the conceptualization of the business idea. One may start by modeling the business, including business processes, organizations, system assets, and topology. A second pass should be made to identify areas in which growth or change is anticipated.
Software applications are designed and built in new ways to enable and automate business processes. As depicted in Figure 1, the life cycle of an application built around a business-driven development methodology includes the following phases:
* Model business--Modeling the business process independent of whether the activities of which it is comprised are based on software,
* Analyze and design--Application modeling in a platform-independent manner,
* Implement--Implementing and testing applications on a chosen platform,
* Deploy--Installing an application within an infrastructure and subscribing for usage by service consumers,
* Manage and monitor--Managing application configurations and monitoring application behavior.
[FIGURE 1 OMITTED]
Such an approach involves iterative development while focusing on consistent architecture. The need to continuously ensure quality of development software and the ability to manage changes and assets must be taken into account. Applications with these qualities help build business solutions consisting of new applications as well as existing application assets. When working with existing assets, which may be deployed on different platforms and environments, an SOA architectural pattern helps to bridge platform-specific nuances and abstract out service functionality. The modeling phase identifies services that are independent of the implementation phase. A service veneer may be developed to connect to an existing implementation, or an entirely new application may be developed. The primary benefit of this approach is the agility to respond to changing business requirements while the underlying technology infrastructure evolves at its own pace.
Understanding enterprise roles and responsibilities
Individuals acting in roles within an organization take on responsibilities within that organization. They make decisions to ensure that the technology and implementation meet the business requirements, and they increasingly use tools to efficiently execute the security plan. Thus, tool support is very important to help individuals acting in various roles to efficiently fulfill their assigned responsibilities. These roles also typically represent the organizational structure of the business. A sample list of these roles is depicted in Table 1.
If the life-cycle model is to be successful, it is important to understand the roles that individuals will perform during the application life cycle and the tasks they must perform. Depending on the responsibilities assigned to each role and which part of the business they represent, the associated tasks may vary. A set of roles is defined to manage security and business policies.
As shown in Figure 1, certain roles in an organization contribute toward creating, defining, refining, or managing security policies throughout the life cycle. They include the following:
* Corporate security officers and equivalent executives defining corporate security policies and outlining regulations with which the business must comply,
* Business analysts working with security policy officers, translating corporate policies in terms of a business vocabulary and a business process during the business-process-modeling phase and providing a set of choices to be customized,
* Application architects and security architects modeling the security and access policies in the model (based on the choices provided by a business analyst) during the application-modeling phase,
* Application developers factoring in these security policies by declaring these requirements for the infrastructure to enforce, or when infrastructure support is not sufficient, implementing them in their applications; or application deployers installing the applications and working with security administrators to configure these applications and the security policies as relevant to the deployed environment,
* IT and security administrators managing the security policies throughout a set of applications and an infrastructure to meet the requirements that may continue to change over time,
* Operators monitoring the system behavior and detecting situations that are potential security threats and feeding that back to administrators to make any changes necessary for the application infrastructure to adhere to the goals; similarly, a business analyst viewing business dashboards to observe the impact to the business due to certain system security events.
It is significant to observe that security policies are specified and refined throughout the life cycle, undergoing transformations from one phase to the next. In the current state of the art, it may be realistic to expect this to happen in a unidirectional manner--from modeling to monitoring and management. In order to accommodate bidirectional flow within the life cycle, traceability support and sophisticated transformation support between artifacts from one phase to the next phase are required. For example, for Web service development based on the Java platform, conversion from the Web Services Definition Language (WSDL) to Java as well as from Java to WSDL must be possible. As long as the transformations are symmetric and consistent, the potential exists for iteration in both directions; therefore, any possible iteration required from one phase to a previous phase (e.g., from implementation back to modeling) should be part of the evolution of tooling.
Authoring corporate security policies
As part of formulating a security strategy and authoring corporate security policies, the chief security officer is responsible for knowing the set of legal, business, and financial policies with which the organization must comply. It is part of the responsibility of the individual playing that role to articulate these requirements to the organization. Often this is done through the authoring of documents that contain some level of detail or directives about the requirements in natural language.
At this level, the business security policies are usually goals and guidelines and are often …