Security Forum & Identity Management Forum

Objective of Meeting

The main agenda highlights were as follows:

Tuesday January 29:

Wednesday January 30:

Thursday January 31/Friday February 1:

Summary

Security Track: Identity Management in a World Without Fences

Dave Edstrom, Technical Director, Chief Technologist Americas Software Practice, Sun Microsystems, gave a presentation on how identity management is changing and what it will look like in future. In the early 1980s, when John Gage of Sun Microsystems coined Sun's tag line "The Network Is The Computer", the Internet was clearly something that was outside the firewall.  Identities were held behind fences.  In 2008, businesses are taking down the Identity fences.  Dave posed the questions:

  • How do you manage and govern network identities in a world without fences? 
  • How will business take these fences down without sacrificing security?
  • Is identity the tail that wags the web services dog?

He offered his perceptions of the answers.

Security Track: Security Architectures for the Future

Adrian Seccombe, CISO & Senior Enterprise Architect, Eli Lilly (US), gave a presentation on "The Future of Information Asset Management". Adrian defined information asset management as the disciplines and capabilities encompassing Governance, Architecture, Compliance, Risk, Security, and Process; and the core foundations for enabling and protecting the value of information to customers and other key stakeholders. He identified the tensions with customers and enterprises, the increasing weight of regulations, the attack re-orientations from covert to overt and mass to targeted, and from extremists. He concluded that IT is an enabling force for good and evil, and external pressures, threats, and vulnerabilities are increasing and re-orienting.

So, are there any signposts that can help point the way – from history, nature, or other industries? From his assessment of these, he concluded that integration, transparency, education and awareness, and open standards and sound architectures can show us how to respond positively and effectively to these challenges. He called this response "collaboration-oriented architecture". He represented how The Open Group Jericho Forum and Security Forum can play pivotal roles in the necessary teamwork that is needed to deliver the required solutions, noting that the Jericho Forum is already doing its part through developing position papers on Collaboration Oriented Architecture and on "Inherently Secure Communications”. In closing, he challenged the audience – Information Asset Management is in our hands: the key components are Integration, Transparency, Education/Awareness, Standards, and Architecture, and most important of all – Teamwork!

Rich Mogull, Principal Analyst, Securosis, gave a presentation on "Security Architectures for the Future" – what are the disruptive and innovative influences which are putting the term "information" back into "information security"? He approached this topic from his history education, from which he gave examples of how innovation drives change, and disruptive innovation requires it. He illustrated these effects from the viewpoint of business disruptions, and threat disruptions. The security market has responded, as all markets do, to demand. He looked at how disruption has impacted architecture, and predicted that security architectures over the next ten years will focus on information, mobility, ubiquitousness, transparency, collaboration, and openness. Getting from here to there, the key considerations will be collapsing perimeters, advances in network security, anti-exploitation, and information-centric security. The key is to appreciate that we need "information security" rather than "data security" (information = meaningful; data= 1s and 0s). The clever bit will be when content checking and policy automatically require appropriate classification. Cross-domain checking and network intelligence are also future security mechanisms. Rich's conclusion was that secure communications, secure hosts, and self-defending data are the future of information security.

Security Track: SMA Security for SCADA and VoIP Applications

Richard Paine, Computing Technologies, Boeing, gave a presentation on Boeing's Enterprise Network Connectivity & Security for Production-critical Factory Devices, which provides a Secure Mobile Architecture (SMA) for SCADA and VoIP applications. Richard had led the project in The Open Group Mobile Management Forum back in 2003-4 to develop an SMA specification, and this was published by The Open Group in 2004 as the SMA Technical Study. Following extensive development and implementation experience, Richard now proposes that the Security Forum should develop this SMA Technical Study into a full Open Group SMA Technical Standard, and from this we can launch a certification program for interoperable compliant implementations.

Boeing has implemented and deployed SMA in a Boeing factory implementation called SCADAnet.  The deployment enables secure communications over the existing wired and wireless network infrastructure for controller to robot commands and VoIP.  Boeing and several other companies are in the negotiation stages of deploying large-scale implementations of SMA.

Subsequent review of interest took into account that SMA has potential for application in any manufacturing environment, and in SCADA environments. It offers a medium-assurance network for secure communications. In today's context, the word "mobile" in SMA is misleading, even unnecessary. Known concerns from 2004 were the use of HIP (IETF RFC) in the authentication process – we will check our archives on this. We will also need to add a Compliance Criteria section. Discussion in both the Security Forum and RT&ES Forum resulted in agreement to start a joint-Forums project to update the SMA Technical Study to a full Technical Standard. When this is achieved, we can consider the business case for creating an Open Group Certification program to prove whether implementations of it are interoperable.

Security Track: The Evolving Role of Firewalls

Brian Lazear, Director of Product Management, Juniper Networks, gave a presentation on the evolving role of firewalls in our increasingly boundaryless environment. Brian noted that his presentation takes into account some of the Jericho Forum's thinking regarding the need to respond to the challenges of the disappearing corporate perimeter. He described the role that firewalls will play as security moves closer towards the data itself. There is a common misperception that as the corporate perimeter becomes less and less definable as a functional boundary, we should remove network and other firewalls associated with the corporate perimeter, when in fact it may mean more firewalls, deployed in different ways so as to give effective protection to trust zones, and in particular deployed closer to data. Defense in depth remains an important strategy.

Security Forum and Identity Management Forum Members Meeting

After a round of introductions, the Forum Director presented the Security & IdM Agenda for the week of meeting sessions and asked members to approve it. A new item on Trust Models and Frameworks was inserted, and the proposed joint meeting on MILS & Security was cancelled in view of the lack of response from the RT&ES Forum. With these modifications the agenda was approved.

Introduction of New Members from the NAC

The Forum Director welcomed members from the Network Applications Consortium (NAC) who have transitioned into the Security Forum to date. The Security Forum public home page includes an announcement covering this event. It includes links to:

  • Joint Press Release, December 12 2007, from the Network Applications Consortium (NAC) and The Open Group
  • New NAC Resources web page where the publications, resources, and achievements agreed to be transferred from the NAC are available

Development Plan for Security & Identity Management Forums

Jim Hietala gave a presentation he had prepared for Press and Analysts on the Security Forum, as part of The Open Group's investment in marketing the Forum, based on our renewed direction as set out in our Information Security Strategy White Paper, published October 2007 (available here). This summarized past achievements, current projects, and future plans as currently envisaged.

The Forum Director followed up by showing the Security and Identity Management Forums' Roadmap as prepared according to the Members Councils template for Roadmaps across all Open Group Forums and Working Groups, and available to members here.

Looking at potential future projects, members reviewed a proposal for developing a set of collaborative RFPs. Members will review this proposal and vote on adopting it as a new work item following their review.

Members considered adopting a meeting format used in the NAC where they prepare pre-conference materials on a topic and relevant use-cases for it which bring out key issues and questions they want answered, then invite expert speakers to respond in a themed meeting session. We could adopt this approach to staging Security tracks in future meetings.

Update XDSA, and CEE as Competing Standard

The meeting welcomed Dr. Anton Chuvakin, Chief Logging Evangelist with LogLogic. Anton is an active contributor to Mitre's Common Event Expression (CEE) standard, which has overlap with the XDAS logging format, and it is a key objective of our XDAS update project that we avoid divergent industry standards on logging formats, otherwise our goal for a robust interoperable standard in this space will not be achieved. The Security Forum welcomed Anton as an expert on the as-yet unavailable draft CEE standard, with a view to understanding correctly the areas of conflict between CEE and XDAS, and looking for how these conflicts can be resolved. This session included participation by two members via teleconference.

Anton's presentation gave much valuable information which clarified many areas of concern, and proposed how known areas of conflict between XDAS and CEE might be resolved. It is clear that progress on XDAS will be constrained by the continued unavailability of the draft CEE specification, so we will press the CEE Project Manager in Mitre for early availability of their CEE specification.

Security Strategy White Paper and Enterprise Security Architecture Document

We have interest in aligning our Information Security Strategy White Paper with the NAC documents which address the same subject space. Examination of the NAC Enterprise Security Architecture document (available here) quickly concluded that it is a substantial work, on a very different scale and depth of coverage from the White Paper. Even so, there is a Governance area in ESA which we can look at with a view to harmonizing both documents. The ESA document includes material licensed from the British Standards Institute, for its replication of a substantial extract from BS17799 in its Governance chapter. This license requires quarterly submission of the number of downloads of the ESA document, and payment of a license fee to BSI for each download. One update might be to revise this section of ESA so as to remove the need for this licensed extract. This could be done as part of a revision to the latest standard (BS27002). ESA is a tutorial as well as a reference document, so we should review it as having two potential uses. Other update opportunities could be to separate out different parts (e.g., on policy, guidelines, procedures) for specific audiences.

Members agreed to undertake a reading assignment to assess how best to revise the ESA document, taking into consideration existing publications on this subject area from other major sources, including ISF (benchmarking), ITIL (management), NIST (800-14 and 800-53), CoBIT (audit), COSO, ISO (27002), and the Burton Group report (October 2007) on Enterprise Security & Risk Management: Framework for Assessing Control Standards. Key objectives include deciding who is the audience for which parts, how it should then be separated out, and who will use/benefit from each part. We will arrange a conference call on February 18 to review members' findings.

FAIR (Factor Analysis of Information Risk)

The meeting held two sessions on this topic. In the first session, members reviewed a presentation by Jack Jones (Risk Management Insight) on their FAIR taxonomy, and then reviewed the base draft specification for specifying the FAIR taxonomy. The resulting mark-up copy will be revised to a new draft, which is expected to be close to being acceptable as a final draft for formal review to become the Risk Taxonomy Technical Standard.

In the second session, members considered the next step in our FAIR project – to develop a Risk Assessment Methodology standard. Recognizing that there are many risk assessment methodologies available – all claiming to produce better results than the others – our goal is to be all-inclusive in characterizing the essential components in any credible risk assessment method, and to set these down as criteria, then demonstrate how the FAIR methodology satisfies these criteria. Clearly there is scope to then evaluate how other methodologies similarly satisfy these common criteria. A further next step is to map to the requirements of BS27002 and other standards.

As a valuable contribution to understanding other demonstrated success stories on risk assessment, members welcomed Michele Edson (Santa Fe Group) and Niall Brown (Director of Information Security, Yodlee), who gave a presentation on the "BITS approach to risk assessment and the business requirements for standardization". Members are recommended to browse the BITS web site to appreciate the "do it once" approach which delivers real value to their financial institution clients, and to review their freely available Agreed Upon Procedures (AUP) and Standardized Information Gathering (SIG) documents, which together form a very substantial, thorough, and industry-recognized information gathering scheme. Michele pointed out the recent launch of BITS-Lite – comprising 54 questions, compared to the 1000s of questions in the standard SIG. While it was designed for the financial institutions, much of it is sufficiently generic to be used in other vertical sectors, and there is a move to "go horizontal" – interest from Telcos is already emerging. Their Financial Institution Shared Assessments program is a new process for financial institutions to evaluate the security controls of their IT service providers.

Jack noted that he is very familiar with using BITS from his previous employments, and we should appreciate that it is a controls assessment approach rather than a risk management approach. We should make this clear in our inclusion of BITS in our Risk Assessment Methodology document. Members reviewed an outline draft Jack had prepared of the essential elements in any risk assessment methodology, and concluded that this draft was taking the right direction and should be developed to produce a new draft for review.

Identity Management

The Forum Director reported on his presentation to ISO SC27 WG5 in their meeting in October 2007, where under The Open Group's category C liaison status he represented the Identity Management Forum's successful delivery of documents which we wish to contribute to their development of two ISO standards: one on a Framework for Identity Management, and another on a Framework for Data Privacy. He is continuing to liaise with SC27 to follow up these contributions, including with ITU-T on submitting review comments on their FP reports.

Jericho Forum: Business Collaboration Architectures & Secure Communication

Members received two presentations from two Jericho Forum members – one describing the Jericho Forum's recently developed position paper on Collaboration Oriented Architecture, and the other describing its requirements for use of Inherently Secure Communications.

The presentation on COA began with a brief background on the origins and objectives of the Jericho Forum, noted the existence of the Jericho Forum "commandments", which are principles for evaluating whether a solution is fit-for-purpose in a de-perimeterized environment, then explained that the Jericho Forum members had seen the need to provide more details around the solution, so evolved the concept of architecture which enabled global business collaboration. The position paper – draft v0.9 of which has been made available to Security Forum members – describes the nature and key components of COA. The paper only sketches out the skeleton, and states that we need to refine and develop the standards, tools, and services underpinning it, in more detailed papers ... many of which can be taken up as work items by the Security Forum. For example, the need to develop an Inherently Secure Communications standard. 

The presentation on Inherently Secure Communications gave a brief review of inherently secure protocols, and the predicted future of access controls (network and application controls will reduce as data controls become dominant), then examined the reality of controls at today's perimeter firewalls, and how they are compromised by business demands for VPN tunnels, etc. He then described the characteristics of inherently secure communication: it is a property of a service; it is typically an application-level protocol; it provides confidentiality, integrity, and authentication; and it establishes a true end-to-end security association between the client and service. The Inherently Secure Communications position paper is available from the Jericho Forum publications page.

Trust Models & Frameworks

The members received a presentation on Trust Models, within the framework of the Jericho Forum's Collaboration Architecture (COA), with Information Asset Management as the context (see the Jericho Forum COA above). The presentation begins with a definition of "trust" which serves for use through the rest of the presentation. Can we develop a Trust/Information Risk Taxonomy? A suggested set of architectural components are:

  • Assessment – business impact levels
  • Classification – information sensitivity levels
  • Trust Stratification – trust levels
  • Trust Categorization – confidentiality, integrity, audit, plus identity
  • Bound by Architectural Segmentation

Each one of these components is evaluated at a sufficient level to appreciate its functional role in the model, and they are then brought together in a generic architecture segment model in which each level is functionally described. Finally, the G8 countries "Traffic Light Protocol" philosophy is used to map to business control segments, with business impact levels added.

As usual in the Security Forum, the word "trust" made many members wary, so we translated it to mean "confidence", which made most much happier. After significant discussion, members agreed that this approach has value in explaining architectures for "confidence levels" so it was agreed we will start a new project to develop a "Confidence Model", which will comprise a set of terms and definitions along the lines described in the presentation, and use the "Traffic Light Protocol" concept.

SOA and Security

The Security Forum was joined by members from the SOA Working Group. Members received a presentation giving the current status of this project. It was noted that since the previous meeting, IBM has published an updated Redbook on "Understanding SOA Security Design and Implementation" (November 2007), which is available as a free download. A brief review of this document indicated that it has much of directly relevant value to offer to members of the SOA-Security project, though it was also appreciated that we need to separate the IBM business scenarios from the security content. Since our avowed intention in The Open Group is to avoid duplicating existing work, three members took an action to review this IBM Redbook, with the specific aim to compare the coverage of the IBM Redbook and our Guide to SOA Security. Additionally, actions were agreed to complete integrating of contributions to the "Characteristics" White Paper; to follow-up delivery of our intended "SOA Security Services" White Paper; and to coordinate with our Guide editor to update the Guide with existing material not yet added.

Outputs

As summarized above.

Next Steps

Actions arising will be coordinated by the Security Forum director.

Links

See above.
