Summary form only given. We present an approach to integrating security into the system design process. Namely, models are made of system designs along with their security requirements, and security architectures are automatically generated from the resulting security-design models. We call the resulting approach "model driven security" as it represents a specialization of model driven development to the domain of system security. To illustrate these ideas we present SecureUML, a modeling language based on UML for modeling system designs along with their security requirements. From SecureUML models, we automatically generate security architectures, built from declarative and procedural access control mechanisms, for distributed middleware-based applications. The process has been implemented in the ArcStyler tool, which generates security infrastructures based on Sun's Enterprise Java Bean standard. We report on case studies using this tool, which illustrate the flexibility and power of our approach.