Model-driven security


Model-driven security means applying model-driven approaches to security.

Development of the concept

The general concept of model-driven security, in its earliest forms, has been around since the late 1990s and was first commercialized around 2002. There is also a body of later scientific research in this area, which continues to this day.
A more specific definition of model-driven security applies model-driven approaches to automatically generate technical security implementations from security requirements models. In particular, "Model driven security is the tool supported process of modelling security requirements at a high level of abstraction, and using other information sources available about the system. These inputs, which are expressed in Domain Specific Languages, are then transformed into enforceable security rules with as little human intervention as possible. MDS explicitly also includes the run-time security management, i.e. run-time enforcement of the policy on the protected IT systems, dynamic policy updates and the monitoring of policy violations."
Model-driven security is also well-suited for automated auditing, reporting, documenting, and analysis, because the relationships between models and technical security implementations are traceably defined through the model-transformations.
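The transformation and traceability described above can be illustrated with the following Python example, which is added here and is not taken from the article's sources or from any MDS product. The requirement ids, role and label names, service names and the dict-based policy notation are all constructed assumptions.

```python
# Added illustration: every name and sample model here is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    caller: str
    target: str
    operation: str
    source: str  # id of the high-level requirement this rule was generated from

# High-level security requirements model (toy DSL as data): access by attribute.
POLICY_MODEL = [
    {"id": "REQ-1", "caller_role": "clinician", "target_label": "patient-data", "ops": ["read", "write"]},
    {"id": "REQ-2", "caller_role": "billing", "target_label": "patient-data", "ops": ["read"]},
]

# "Other information source": a functional model of the deployed system.
SYSTEM_MODEL = {
    "callers": {"ward-app": "clinician", "invoice-svc": "billing"},
    "services": {"records-db": "patient-data", "lab-results": "patient-data", "cafeteria-menu": "public"},
}

def transform(policy, system):
    """Model transformation: expand each requirement into concrete per-service rules."""
    rules = set()
    for req in policy:
        for caller, role in system["callers"].items():
            if role != req["caller_role"]:
                continue
            for svc, label in system["services"].items():
                if label == req["target_label"]:
                    rules.update(Rule(caller, svc, op, req["id"]) for op in req["ops"])
    return rules

def enforce(rules, caller, target, operation):
    """Run-time decision, default deny. Returns (allowed, requirement id for the audit trail)."""
    for r in rules:
        if (r.caller, r.target, r.operation) == (caller, target, operation):
            return True, r.source
    return False, None

def regenerate_after_change():
    """Dynamic update: a new service appears in the system model and rules are regenerated."""
    system = {**SYSTEM_MODEL, "services": {**SYSTEM_MODEL["services"], "imaging": "patient-data"}}
    return transform(POLICY_MODEL, system)

if __name__ == "__main__":
    for r in sorted(transform(POLICY_MODEL, SYSTEM_MODEL), key=lambda r: (r.caller, r.target, r.operation)):
        print(r)
```

Each generated rule carries the id of the requirement it came from, so an allow decision can be reported against the model rather than against the low-level rule.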

Opinions of industry analysts

Several industry analyst sources state that MDS "will have a significant impact as information security infrastructure is required to become increasingly real-time, automated and adaptive to changes in the organisation and its environment". Many information technology architectures today are built to support adaptive changes, and information security infrastructure will need to support that adaptivity. Some analysts use the term DevOpsSec as equivalent to model-driven security.

Effects of MDS

Because MDS automates the generation and re-generation of technical security enforcement from generic models, it:
Apart from academic proof-of-concept developments, the only commercially available full implementations of model-driven security include ObjectSecurity OpenPMF, which earned a listing in Gartner's "Cool Vendor" report in 2008 and has been advocated by a number of organizations as a means to make authorization policy management easier and more automated.