Currently the Technical Competency Leader for Security in the IBM Federal Software Group, Chris Daly has over twenty-nine years of experience as an analyst, consultant, architect, manager, and business development executive. He is currently responsible for security strategies, secure software solutions, and vendor ecosystem development for the IBM federal sector.
Since joining IBM, Mr. Daly has served as technical representative to several government advisory panels and internal IBM strategy teams focused on new security technologies and emerging security issues, including:
- Integrity-based computing
- High Assurance Platforms
- SOA Security
- Security Policy and Digital Identity
- Multilevel security
- Homeland Security
- Security Management
- Common Criteria Product Evaluation strategy
- Linux security strategy
- Net-centric computing
- Software Protection Initiative and Anti-tamper program
Presentation
Some Thoughts Regarding Certification and Accreditation for Services-Oriented Environments and Digital Communities
Certification and accreditation of systems is a key concern of all enterprises. This concern has intensified for enterprises that are planning the migration of their missions and IT capabilities to a service-oriented environment due to increased complexities introduced by the loose coupling of services in a services-oriented environment. In the services environment, as well as in the social networking environment, interactions are no longer bounded by stovepiped systems and isolated networks. In the past, these boundaries provided a method to scope the risk environment for which certification and accreditation was performed. Since the boundaries were fairly static, the mission scope and supporting processes remained fairly constant, and certification and accreditation of a system remained valid as long as the threat profile didn't change appreciably.
In services-oriented and social networking environments, the boundaries of a "system" are also a variable, as loosely coupled services and roaming connections are composed at runtime or at provisioning time to provide an aggregated capability that is consumed by a "service consumer". Substitution or reflection of services can also occur at runtime, based on the functional, budget, and performance (QoS and QoP) needs of the consumer service, as well as the availability and fulfillment capabilities of the providing service(s).
The variability of a services-oriented environment introduces a dynamic complexity to certification and accreditation, a dynamic that is difficult to address in a comprehensive way with the static approaches currently employed. This paper attempts to highlight the issues related to reinitializing certification and accreditation methods for a services-oriented environment and for digital communities, and provides some suggestions for alternative and streamlined risk management approaches.
Audience:
security architects, system owners, security certifiers, IT architects
Key takeaways:
- Why a dynamic assurance case framework is needed for SOA
- What are the elements of a dynamic assurance case framework for C&A
- How a dynamic assurance case framework can streamline the C&A process