
Security Forum - joint meeting with Jericho Forum

Objective of Meeting

  • Security Strategy - development
  • Trust Models Guide - further development
  • Identity Management Forum:
    • Framework for identity management (joint with INCITS & SC27)
    • Architectures for identity management
    • IdM design patterns workshop
    • Identity management catalog
    • Common core identifiers (joint with NAC and DMTF)
    • IdM standards entry in Standards Information Base
    • Best Practice Guide for Directory in IdM
  • Security in Data
  • Joint meeting with the Jericho Forum:
    • Positioning the Security and Jericho Forums
    • Technology Directions
    • Future Collaboration

Summary

The Security Forum in Barcelona also held joint meetings with the Identity Management Forum and the Jericho Forum.

Introductions, Agenda, & Actions Review

After a round of introductions, the attendees reviewed and clarified the agenda of meeting sessions for the week, then conducted a review of actions from the previous meeting (Houston, October 17-21, 2005), to establish the current status on our project activities.

Work Program

The members reviewed the Security Forum members-only web page which summarizes the current projects, recently completed projects and deliverables, notable past projects and deliverables, and project proposals not yet started. This summary has been edited for public information and is available at www.opengroup.org/security/planning1.htm.

Presentations: OECD; CEN/ISSS Audit

Nick Mansfield, past-Vice-Chair of the Security Forum, accepted an invitation to give two presentations, one on information security aspects of the OECD Building Trust Online development work, and another on the Privacy & Data protection work ongoing in CEN/ISSS. Nick has been co-opted to be an expert consultant to the OECD work, and is Chair of the CEN/ISSS Workshop on Privacy & Data Protection.

The OECD groups the top 30 economic nations as members, sharing a commitment to democratic government and the market economy. With active relationships with some 70 other countries, non-Government organizations, and civil society, it has a global reach, and its guidelines represent significant drivers on the policies of these top 30 economic nations. Nick noted that his presentation expresses his own personal views and opinions and not those of the OECD nor its members.

The OECD Building Trust Online work addresses Information Security and Privacy Protection. It continues the OECD's work towards a Culture of Security; landmarks in this include the OECD Guidelines for Security of Information Systems, published in 1992, and the OECD Guidelines for Security of Information Systems and Networks: Towards a Culture of Security, published in 2002. The motivators for this work are that System and Network Security are generally afterthoughts, and the need to raise awareness, raise confidence in IT dealings, provide a general frame of reference, promote co-operation, and promote the development of standards. The security guidelines embrace nine principles: Awareness, Responsibility, Response, Ethics, Democracy, Risk Assessment, Security Design and Implementation, Security Management, and Reassessment. In 1997 they published Cryptography Guidelines listing the principles involved. They have addressed or are also addressing Authentication and eSignatures (including Declarations, Surveys, Inventories, and Identity Management). They are now addressing terrorism and cyberterrorism, cybercrime, growing economic dependence on critical information infrastructures, and roll-out of electronic government services. eGovernment services will create changes in the delivery of government services as profound and ubiquitous as the creation of the Internet itself, provided the risk aspects can be effectively managed.

Nick went on to discuss strategy and policy, risk assessment, protection of government information systems and the common information infrastructure (CII), incident and emergency/crisis management, and ways to strengthen the foundations of a culture of security in IT systems. He noted that in this field there are many more questions than answers but it is an absorbing area, and the OECD remains highly influential in driving the agenda of the top 30 world economic nations on future development in this field.

Nick followed this OECD presentation with another presentation on the CEN (European Committee for Standardization) which is one of three European standards organizations recognized by the European Commission. Its Information Society Standardization System (CEN/ISSS) aims to provide a comprehensive and integrated range of standards-oriented services and products that contribute to the positive development of the information society in Europe and extending worldwide. Their outputs are CEN Workshop Agreements (CWAs). The ISSS currently has eight technical committees, and Nick Chairs the DPP Committee. He discussed the case for DPP activity, and the input from the 2003 IPSE report recommendations: on management practices, on assessment and verification, on the impact of technology on privacy, and on consumer education. The CEN/ISSS response has been a series of Workshops delivering among other reports:

  • CWA 15292 - compliance with article 17 of the Data Protection Directive 95/46/EC
  • CWA 15262 - Inventory of Data Protection Auditing Practices
  • An upcoming CWA on Personal Data Protection Audit Framework

Nick went on to describe other related work. In his closing slide he recommended that reviewers visit the www.cenorm.be/isss web site, and in particular read the small print.

Trust Models

(See slides.) The Trust Models project has been underway for over 12 months, and is nearing completion as a first version, with further planned contributions being solicited from a number of expert sources. It addresses electronic trust, specifically PKI-based, filling a gap in the existing literature by answering the questions:

  • What resources are needed?
  • How do failures occur?
  • How is recovery done?
  • What are the liabilities?

in a consistent way that enables comparative assessments and therefore guidance towards a specific trust model that is fit for the intended purpose. Coverage in the final draft is planned to include:

  • Simple
    • Trust List
    • Hierarchical
    • Distributed Trust
      • Fully Connected Mesh
      • Partially Connected Mesh
        • Peer2Peer/Network/Web-of-Trust/User-Centric
        • Directed Graph
    • Hub and Spoke
  • Hybrid
    • Extended Trust List
    • Cross Certification
    • Bridge
    • Multi-Bridge
  • Microsoft Active Directory

Presentation: Secure Mobile Architecture - Implementation Update

Richard Paine (Boeing) gave a presentation via teleconference link from his Boeing base in Seattle, US. It is 12 months since he gave an update to our members on his implementation of the Secure Mobile Architecture (SMA) within Boeing. Since then their implementation has evolved significantly, and Richard explained how, covering the key issues that have emerged and what they have learned from their implementation experience, with a focus on issues with the architecture and the impact on the security of their implementation. He also outlined their plans going forward into the final year of this development project in Boeing, including taking material into the IETF as proposed bases for new standards in this mobile space.

Identity Management Forum

See separate meeting report.

Security in Data

Bob Blakley (Chief Scientist, Security and Privacy, IBM) proposed we take a fresh look at how we approach "security". He took the question: "How do you secure a box of money with a hole in it?" and provided the answers:

  • Start with the box empty
  • Count what you put into the box
  • Know how much should go in or out before you open the box
  • Record everything that goes in and everything that comes out each time you open the box
  • Continually update a total using the record of what went in and out
  • Count at the end
  • Check the end total against the end count

and then listed the security properties this involves:

  • Transactionality
  • Accountability
  • Reconciliation
  • Supervision
  • Visibility (operations performed in public)

and those which it does not involve:

  • Authentication - visibility, supervision used instead
  • Data integrity - transactionality used instead
  • Authorization - accountability used instead
  • Confidentiality - not required
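
The procedure and properties listed above can be sketched as a small ledger. This is an added example, not material from the presentation; the class, the operator names and the amounts are constructed for illustration.

```python
# Added illustration: the "box of money" procedure as an append-only ledger.
# No authentication, authorization or encryption is used; control comes from
# declaring, recording and reconciling. All names here are hypothetical.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Opening:
    operator: str   # who opened the box, noted in public (accountability)
    declared: int   # net amount that should go in (+) or out (-), stated first
    moved: int      # net amount actually recorded while the box was open


@dataclass
class BoxLedger:
    openings: list = field(default_factory=list)  # visible, append-only record
    total: int = 0                                # start with the box empty

    def open_box(self, operator, declared, items):
        """Record one opening; items are signed amounts put in or taken out."""
        moved = sum(items)                        # count what goes in and out
        self.openings.append(Opening(operator, declared, moved))
        self.total += moved                       # continually updated total
        return moved == declared                  # supervision at the box

    def mismatched_openings(self):
        """Openings whose recorded movement differs from the declared amount."""
        return [o for o in self.openings if o.moved != o.declared]

    def reconcile(self, counted):
        """Check the end total against the end count; return the shortfall."""
        return self.total - counted


def demo():
    box = BoxLedger()
    box.open_box("alice", declared=100, items=[60, 40])
    box.open_box("bob", declared=-30, items=[-30])
    # carol declares +20 but the record shows 5 also came out
    box.open_box("carol", declared=20, items=[20, -5])
    # The end count finds 75 in the box: 10 left without any record
    shortfall = box.reconcile(counted=75)
    flagged = [o.operator for o in box.mismatched_openings()]
    return box.total, flagged, shortfall


if __name__ == "__main__":
    print(demo())
```

The recorded mismatch is attributable to one opening, while the unrecorded loss only shows up at reconciliation, which is why the procedure needs both the per-opening record and the end count.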

Bob asked the question: "Why don’t we design secure information systems like this?" and further suggested possible answers: "Is it because we’re computer scientists and don’t like special-purpose systems? Or we like artifacts rather than processes? Or we love cryptography? Or we are unafraid of complexity? Or we’ve over-generalized the security problem? Or is there not enough at stake? Or are the problems we address not amenable to this approach?"

Bob asked: "Could our systems look more like this?", and answered: "Of course … in fact, our customers use the artifacts we produce to design systems which DO look like this, often working against the properties we’ve built into the artifacts".

Bob then proposed a set of five components which would represent the basic elements of a secure system, deliberately naming them without using existing security terminology so that no characteristics or functions would be inferred from common security terms. Using these, he demonstrated how they would provide the essential functionality of an accountable, reconcilable transaction. Throughout this presentation, members clarified their understandings of the definitions for each component, and the operations being effected in the example transaction. Bob emphasized that he did not feel the model he presented here is complete, and he added two further components to extend it.

Members took away an intent to work on this new approach to security between now and the next meeting (Washington DC, April 26-28), figuring out what the design rules are, how they relate to existing practices, what data format is required, and putting it together in a holistic topology that defines required security.

Joint Meeting with the Jericho Forum

The Security Forum held a joint meeting with members of the Jericho Forum on Thursday afternoon and Friday morning. In the round of introductions at the start of the meeting, attendees identified their affiliations as members of the Security Forum, Jericho Forum, or (for Forum Buy-Out members) both.

From 14.00-15.30 on Thursday, while Jericho Forum Board members met with The Open Group's Governing Board, the meeting received a presentation from Identum representatives Chris Weiss and Andy Dancer, on Email Privacy in the context of email in a de-perimeterized (boundaryless) environment. They first looked at the Jericho Forum challenge, the conflicting demands of privacy versus security, and the misplaced investment over three decades in technology developments and security measures that have not met the business needs of today. They asserted that email is not private, and that the only viable solution is to use an encryption system that is global. While modern techniques such as AES are still valid for encrypting data, the key-exchange problem remains. Public Key Cryptography took a major step forward in 1984 with a proposal for Identity-based Encryption, but this has proved to be badly named because the new development is based on email addresses (not identity) and it's not about encryption but about key exchange. In 2004 the maths to solve the problem was made public and patent-free, put into the public domain, enabling a solution that requires one piece of shared common information (your email address), a single global public key, and a private key for each person's email address. Discussion throughout the presentation clarified various issues, and provided feedback on usability issues, including how to cope with the inevitable problem when a user forgets their private key, the changing of keys on a 30-day cycle, and recovery of archived email using the correct keys.

In the 16.00-17.30 session, the objectives were to establish a general understanding among those present of the mission/vision, activities, and priorities of our respective Forums. This would give a basis for appreciating the positioning of each Forum, taking an informed view of our common areas of interest, and assessing the potential for collaborative work that would best leverage the strengths of each Forum. Representatives from the Security Forum went first, outlining the current and future plans for the work program of the Forum:

  • Security Strategy - White Paper
  • Trust Models - Technical Guide
  • Security in Data - Technical Guide
  • Identity Management (www.opengroup.org/projects/idm): Business Scenario published. White Paper published. Implementation Catalog, Guide to IdM Architectures, IdM Standards Framework, Common Core Identifiers (joint with NAC & DMTF), Design Patterns for IdM.
  • Manager's Guide to Identity & Authentication, split into three Manager's Guides: Manager's Guide to Identity Lifecycle Management, Manager's Guide to Identity Access Management, Manager's Guide to PKI-Based Identity Management

focusing on the objectives and outline proposal (including the web page at www.opengroup.org/projects/sec-strategy) of the Security Strategy project, and listing past projects and significant deliverables that are freely available as PDF downloads from The Open Group online bookstore (www.opengroup.org/bookstore/catalog/se.htm), including:

  • Distributed Security Framework (XDSF)
  • Baseline Security Standard (XBSS)
  • Distributed Audit Services (XDAS)
  • Architecture for PKI (APKI)
  • Security Design Patterns
  • Framework for Control of Electronic Chattel Paper

Jericho Forum members then followed with a presentation whose introductory slides described the formation in 2003 of a core group of Information Security Officers, who came together from several leading multinational IT-dependent corporations concerned over the lack of vendor focus on developing the IT security solutions they want to buy. Their IT environment had migrated over the last ten years into a de-perimeterized world where information is required to be exchanged securely but in an open, networked world over the Internet. In this new world, traditional corporate firewall-based boundaries/perimeters have so many channels punched through them that they are increasingly ineffective. Looking to the future, we need IT security solutions that provide effective security and are manageable in this de-perimeterized world, while also being cost-effective. More of the same increasingly complex solutions will not deliver what is required. De-perimeterization has already happened - it is inevitable - so we all need to plan for it, adopt a strategy and roadmap to address the new challenges it represents, and press vendors to develop the solutions we really want to invest in. The Jericho Forum is deliberately customer-driven, but is keen to engage with IT security vendors to explain how the security solutions they want to buy will contribute to our existing de-perimeterized environment, and challenge them to develop and market such solutions.

The Jericho Forum representatives continued with a further presentation on their recently-developed "Ten Commandments", briefly explaining the underlying principles and rationale behind each one. These "commandments" form the basis of a roadmap that Jericho Forum members are developing, to help clarify what security solutions and existing technologies are key enablers in terms of addressing de-perimeterization as opposed to being simply "good security practice", and to narrow these solutions down in terms of anticipated timescales - one year, three years, five years, and beyond.

In the general discussion which followed the presentations from each Forum, members clarified what they mean by "trust" (trust WHO to do WHAT), and who accepts liability at successive stages in the transaction if the transaction fails. They also agreed that the business requirements for IT security are decided for each type of transaction by business policy which balances risk acceptance and the value of the transaction. In turn, policy can usefully deploy classification schemes that are appropriate to the business involved. Further, solutions to "security" all must involve people, processes, and technology, so while we frequently address the technology side, acceptable solutions must include the other two components.

On Friday morning, the joint meeting revised its agenda:

  • To review the Jericho Forum's "White/Black" list of technology solution areas, as drafted in its Technology Directions working document
  • To review a presentation comparing the respective roles and positioning of the Security and Jericho Forums, and implying how they can best complement each other
  • To decide if and how to work together in future

In the Technology Directions document, the Jericho Forum agreed it will revise its terminology on White and Black lists, because "White" is intended to be up to 18 months ahead and "Black" to be 18 months and beyond - there is no intent to imply white=good and black=bad. Items discussed in this review were:

  • Wireless + public networks
  • Phoning home (remote user accessing the home organization)
  • Third-party connectivity, including remote support/control
  • XML
  • Identity and Access Management between organizations
  • Inter-domain open networks (IPsec is a contribution here)
  • Portability of identities and data
  • Automated policy management
  • Harmonized identities
  • Logging end-to-end (too many logs, size of logs, access to logs)
  • Compatibility/correlation
  • Real-time versus history
  • Rights management
  • Interoperable and application-level firewalls
  • Common data definition for firewalls
  • Interoperability across vendors

A presentation (edited from the original) compared the Security and Jericho Forums. Members present from both Forums agreed the key features it identified:

  • How the Jericho Forum focus is on the WHAT (needs, principles, strategy)
  • How both the Security and the Jericho Forums share a middle ground (white papers, patterns, use cases) where members of both Forums can usefully expect to work together
  • How the Security Forum focus is on the HOW (guides, standards, solutions)

In particular, the "lozenge" diagram neatly shows the main overlap area where both Forums play similar roles and should therefore seek to engage in joint working to integrate their activities. As an extension of this discussion, the members also endorsed a graph representing the traditionally accepted Risk Control Model, and closed agreement on a definition for the term "trust":

Trust - a definition related to information:

An adequate awareness of the level of confidence that can be placed in the relevant components or entities in an information risk chain required to willingly put at risk related information assets based on the potential impact - both positive and negative.

Verb: An informed (trust WHO to do WHAT) choice to accept putting an information asset at risk.

Noun: A degree of confidence in an entity or chain of entities, that enables risk acceptance.

The joint meeting closed on agreement to set up a Joint Steering Committee to coordinate joint work activities between the Jericho Forum and the Security Forum, with guidelines established by appropriate interpretation of the relative prime focus and positioning as represented in the lozenge diagram. We will aim to maintain good communication between respective Forums through teleconferences. A review of possible dates for a next joint meeting confirmed that The Open Group's April 2006 Conference in Washington DC clashes with the Jericho Forum's Annual Conference and Infosec Europe 2006 that same week - however, a teleconference link on the Friday may be possible. The Joint Steering Committee will propose best options.

Outputs

  • Agreement on a set of actions to progress the work discussed in this meeting.
  • In the meeting with the members of the Jericho Forum, agreement to set up a Joint Steering Committee comprising members of the Jericho Forum and Security Forum, to coordinate joint work activities between the two Forums.

Next Steps

Issue and progress completion of the agreed set of actions arising from the meeting.

Links

See above.


   