Security Track: Identity Management in a
World Without Fences
Dave Edstrom, Technical Director, Chief Technologist Americas Software
Practice, Sun Microsystems, gave a presentation
on how identity management is changing and what it will look like in
future. In the early 1980s, when John Gage of Sun Microsystems
coined Sun's tag line "The Network Is The Computer", the
Internet was clearly something that was outside the firewall.
Identities were held behind fences. In 2008, businesses
are taking down the Identity fences. Dave posed the questions:
- How do you manage and govern network identities in a world
without fences?
- How will business take these fences down without sacrificing
security?
- Is identity the tail that wags the web services dog?
He offered his perceptions of the answers.
Security Track: Security Architectures for the Future
Adrian Seccombe, CISO & Senior Enterprise Architect, Eli Lilly
(US),
gave a presentation on "The
Future of Information Asset Management". Adrian defined
information asset management as the disciplines and capabilities
encompassing Governance, Architecture, Compliance, Risk, Security, and
Process; and the core foundations for enabling and protecting the value of
information to customers and other key stakeholders. He identified the tensions with customers and enterprises, the increasing weight of regulations, the attack re-orientations from covert to overt and mass to
targeted, and from extremists. He concluded that IT is an enabling force for good and evil, and external pressures, threats, and vulnerabilities are increasing and re-orienting.
So, are there any signposts that can help point the way – from history, nature, or other industries?
From his assessment of these, he concluded that integration, transparency, education
and awareness, and open standards and sound
architectures can show us how to respond positively and effectively to these challenges. He called this response "collaboration-oriented architecture". He represented how The Open
Group Jericho Forum and Security Forum can play pivotal roles in the necessary teamwork that is needed to deliver the required solutions, noting that the Jericho Forum is already doing its part through developing position papers on Collaboration Oriented Architecture and on "Inherently Secure Communications”. In closing, he challenged the
audience – Information Asset Management is in our hands: the key components are Integration, Transparency, Education/Awareness, Standards, and Architecture, and most important of all – Teamwork!
Rich Mogull, Principal Analyst, Securosis, gave a presentation
on "Security Architectures for the Future" – what are the disruptive
and innovative influences which are putting the term "information"
back into "information security"? He approached this topic
from his history education, from which he gave examples of how innovation
drives change, and disruptive innovation requires it. He illustrated
these effects from the viewpoint of business disruptions, and threat disruptions. The security market
has responded, as all markets do, to demand. He looked at how
disruption has impacted architecture, and predicted that security architectures over the
next ten years will focus on information, mobility, ubiquitousness, transparency,
collaboration, and openness. Getting from here to there, the key
considerations will be collapsing perimeters, advances in network
security, anti-exploitation, and information-centric security. The
key is to appreciate that we need "information security"
rather than "data security" (information = meaningful;
data= 1s and 0s). The clever bit will be when content checking and
policy automatically require appropriate classification.
Cross-domain checking and network intelligence are also future
security mechanisms. Rich's conclusion was that secure communications, secure
hosts, and self-defending data are the future of information security.
Security Track: SMA Security for SCADA and
VoIP Applications
Richard Paine, Computing Technologies, Boeing, gave a presentation
on Boeing's Enterprise Network Connectivity & Security for Production-critical Factory Devices,
which provides a Secure Mobile Architecture (SMA) for SCADA and VoIP
applications. Richard had led the project in The Open Group Mobile
Management Forum back in 2003-4 to develop an SMA specification, and
this was published by The Open Group in 2004 as the SMA Technical
Study. Following extensive development and implementation
experience, Richard now proposes that the Security Forum should
develop this SMA Technical Study into a full Open Group SMA
Technical Standard, and from this we can launch a certification
program for interoperable compliant implementations.
Boeing has implemented and deployed SMA in a Boeing factory
implementation called SCADAnet. The deployment enables secure
communications over the existing wired and wireless network
infrastructure for controller to robot commands and VoIP. Boeing
and several other companies are in the negotiation stages of
deploying large-scale implementations of SMA.
Subsequent review of interest took into account that SMA has
potential for application in any manufacturing environment, and in
SCADA environments. It offers a medium-assurance network for secure
communications. In today's context, the word "mobile" in
SMA is misleading, even unnecessary. Known concerns from 2004 were the
use of HIP (IETF RFC) in the authentication process – we will check
our archives on this. We will also need to add a Compliance Criteria
section. Discussion in both the Security Forum and RT&ES Forum
resulted in agreement to start a joint-Forums project to update the
SMA Technical Study to a full Technical Standard. When this is
achieved, we can consider the business case for creating an Open
Group Certification program to prove whether implementations of it
are interoperable.
Security Track: The Evolving Role of Firewalls
Brian Lazear, Director of Product Management, Juniper Networks,
gave a presentation on the evolving role of firewalls
in our increasingly
boundaryless environment. Brian noted that his presentation
takes into account some of the Jericho Forum's thinking regarding
the need to respond to the challenges of the disappearing corporate
perimeter. He described the role that firewalls will play as
security moves closer towards the data itself. There is a common
misperception that as the corporate perimeter becomes less and less
definable as a functional boundary, we should remove network and
other firewalls associated with the corporate perimeter, when in
fact it may mean more firewalls, deployed in different ways so as to
give effective protection to trust zones, and in particular deployed
closer to data. Defense in depth remains an important strategy.
Security Forum and Identity Management Forum Members Meeting
After a round of introductions, the Forum Director presented the Security
& IdM Agenda for the week of meeting sessions and asked
members to approve it. A new item on Trust Models and Frameworks was
inserted, and the proposed joint meeting on MILS & Security was
cancelled in view of the lack of response from the RT&/ES Forum.
With these modifications the agenda was approved.
Introduction of New Members from the NAC
The Forum Director welcomed members from the Network Applications
Consortium (NAC) who have
transitioned into the Security Forum to date. The Security Forum
public home page includes an announcement covering this event. It includes
links to:
- Joint Press Release, December 12 2007, from the Network
Applications Consortium (NAC) and The Open Group
- New NAC Resources
web page where the
publications, resources, and achievements agreed to be
transferred from the NAC are available
Development Plan for Security & Identity Management Forums
Jim Hietala gave a presentation
he had prepared for Press and Analysts on the Security Forum, as
part of The Open Group's investment in marketing the Forum, based on
our renewed direction as set out in our Information Security
Strategy White Paper, published October 2007 (available here).
This summarized past achievements, current projects, and future
plans as currently envisaged.
The Forum Director followed up by showing the Security and
Identity Management Forums' Roadmap as prepared according to the
Members Councils template for Roadmaps across all Open Group Forums
and Working Groups, and available to members here.
Looking at potential future projects, members reviewed a proposal
for developing a set of collaborative RFPs. Members will review
this proposal and vote on adopting it as a new work item following
their review.
Members considered adopting a meeting format used in the NAC
where they prepare pre-conference materials on a topic and relevant
use-cases for it which bring out key issues and questions they want answered, then
invite expert speakers to respond in a themed
meeting session. We could adopt this approach to staging Security
tracks in future meetings.
Update XDSA, and CEE as Competing Standard
The meeting welcomed Dr. Anton Chuvakin, Chief Logging Evangelist with
LogLogic. Anton is an active contributor to Mitre's Common Event
Expression (CEE) standard, which has overlap with the XDAS logging
format, and it is a key objective of our XDAS update project that we
avoid divergent industry standards on logging formats, otherwise our
goal for a robust interoperable standard in this space will not be
achieved. The Security Forum welcomed Anton as an expert on the
as-yet unavailable draft CEE standard, with a view to understanding
correctly the areas of conflict between CEE and XDAS, and looking
for how these conflicts can be resolved. This session included
participation by two members via teleconference.
Anton's presentation gave much
valuable information which clarified many areas of concern, and
proposed how known areas of conflict between XDAS and CEE might be
resolved. It is clear that progress on XDAS will be constrained by
the continued unavailability of the draft CEE specification, so we
will press the CEE Project Manager in Mitre for early availability
of their CEE specification.
Security Strategy White Paper and Enterprise Security Architecture
Document
We have interest in aligning our Information Security Strategy
White Paper with the NAC documents which address the same subject
space. Examination of the NAC Enterprise Security Architecture
document (available here)
quickly concluded that it is a substantial work, on a very different
scale and depth of coverage than the White Paper. Even so, there is a
Governance area in ESA which we can look at with a view to
harmonizing both documents. The ESA document includes material
licensed from the British Standards Institute, for its replication
of a substantial extract from BS17799 in its Governance chapter.
This license requires quarterly submission of number of downloads of
the ESA document, and payment of a license fee to BSI for each
download. One update might be to revise this section of ESA so as
to remove the need for this licensed extract. This could be done as
part of a revision to the latest standard (BS27002). ESA is a
tutorial as well as a reference document, so we should review it as
having two potential uses. Other update opportunities could be to
separate out different parts (e.g., on policy, guidelines,
procedures) for specific audiences.
Members agreed to undertake a reading assignment to assess how
best to revise the ESA document, taking into consideration existing
publications on this subject area from other major sources, including ISF (benchmarking), ITIL )management), NIST (800-14 and
800-53), CoBIT (Audit), COSO, ISO (27002), and the Burton Group
report (October 2007) on Enterprise Security & Risk Management: Framework for Assessing Control Standards. Key objectives include
deciding who is the audience for which parts, how then should it be
separated out, and who will use/benefit from each part. We will
arrange a conference call on February 18 to review members' findings.
FAIR (Factor Analysis of Information Risk)
The meeting held two sessions on this topic. In the first session,
members reviewed a presentation by Jack Jones (Risk
Management
Insight) on their FAIR taxonomy, and then reviewed the base draft
specification for specifying the FAIR taxonomy. The resulting
mark-up copy will be revised to a new draft, which is expected to be
close to being acceptable as a final draft for formal review to
become the Risk Taxonomy Technical Standard.
In the second session, members considered the next step in our
FAIR project – to develop a Risk Assessment Methodology standard.
Recognizing that there are many risk assessment methodologies
available – all claiming to produce better results than the others –
our goal is to be all-inclusive in characterizing the essential
components in any credible risk assessment method, and to set these
down as criteria, then demonstrate how the FAIR methodology
satisfies these criteria. Clearly there is scope to then evaluate
how other methodologies similarly satisfy these common criteria. A
further next step is to map to the requirements of BS27002 and other
standards.
As a valuable contribution to understanding other demonstrated
success stories on risk assessment, members welcomed Michele Edson (Santa Fe Group)
and Niall Brown (Director of Information Security, Yodlee), who gave
a presentation on the "BITS approach to risk assessment and the business requirements for
standardization". Members are recommended to browse the BITS
web site to appreciate the "do it once" approach which delivers
real value to their financial institution clients, and to review
their freely available Agreed Upon Procedures (AUP) and Standardized
Information Gathering (SIG) documents, which is a very substantial
and industry-recognized thorough information gathering scheme.
Michele pointed out the recent launch of BITS-Lite – comprising 54
questions, compared to the 1000s of questions in the standard SIG.
While it was designed for the financial institutions, much of it is
sufficiently generic to be used in other vertical sectors, and there
is a move to "go horizontal" – interest from Telcos is
already emerging. Their Financial Institution Shared Assessments program is a new process for financial institutions to evaluate the security controls of their IT service providers.
Jack noted that he is very familiar with using BITS from his
previous employments, and we should appreciate it is a controls
assessment approach rather than a risk management approach. We
should make this clear in our inclusion of BITs in our Risk
Assessment Methodology document. Members reviewed an outline draft
Jack had prepared for the essential elements in any risk assessment
methodology, which concluded that this draft was taking the right
direction and should be developed to produce a new draft for review.
The Forum Director reported on his presentation
to ISO SC27 WG5 in their meeting in October 2007, where under The Open
Group's category C liaison status he represented the Identity Management
Forum's successful delivery of documents which we wish to contribute to
their development of two ISO standards: one on a Framework for Identity
Management, and another on a Framework for Data Privacy. He is
continuing to liaise with SC27 to follow up these contributions,
including with ITU-T on submitting review comments on their FP reports.
Jericho Forum: Business Collaboration
Architectures & Secure
Communication
Members received two presentations from two Jericho Forum members – one
describing the Jericho Forum's recently developed position paper on
Collaboration Oriented Architecture, and the other describing its
requirements for use of Inherently Secure Communications.
The presentation on COA began
with a brief background on the origins and objectives of the Jericho
Forum, noted the existence of the Jericho Forum
"commandments", which are principles for evaluating
whether a solution is fit-for-purpose in a de-perimeterized
environment, then explained that the Jericho Forum members had seen
the need to provide more details around the solution, so evolved the
concept of architecture which enabled global business collaboration.
The position paper – draft v0.9 of which has been made available to
Security Forum members – describes the nature and key components of
COA. The paper only sketches out the skeleton, and states that we need to refine
and develop the standards, tools, and services underpinning it, in more detailed papers
... many of which can be taken up as work items by the Security Forum.
For example, the need to develop an Inherently Secure Communications
standard.
The presentation on Inherently
Secure Communications gave a brief review of inherently secure
protocols, and the predicted future of access controls (network and
application controls will reduce as data controls become dominant),
then examined the reality of controls at today's perimeter
firewalls, and how they are compromised by business demands
for VPN tunnels, etc. He then described the characteristics of
inherently secure communication: it is a property of a service; it
is typically an application-level protocol; it provides confidentiality, integrity,
and authentication; and it establishes a true end-to-end security association between
the client and service. The Inherently Secure Communications
position paper is available from the Jericho Forum publications page.
Trust Models & Frameworks
The members received a presentation
on Trust Models, within the framework of the Jericho Forum's
Collaboration Architecture (COA), with Information Asset Management
as the context (see the Jericho Forum COA above). The presentation begins with a definition of "trust"
which serves for use through the rest of the presentation. Can we develop a Trust/Information Risk Taxonomy? A suggested set of
architectural components are:
- Assessment – business impact levels
- Classification – information sensitivity levels
- Trust Stratification – trust levels
- Trust Categorization – confidentiality, integrity, audit, plus identity
- Bound by Architectural Segmentation
Each one of these components is evaluated at a sufficient level to
appreciate its functional role in the model, and they are then
brought together in a generic architecture segment model in which
each level is functionally described. Finally, the G8 countries
"Traffic Light Protocol" philosophy is used to map to
business control segments, with business impact levels added.
As usual in the Security Forum, the word "trust" made
many members wary, so we translated it to mean
"confidence", which made most much happier. After
significant discussion, members agreed that this approach has value
in explaining architectures for "confidence levels" so it
was agreed we will start a new project to develop a "Confidence
Model", which will comprise a set of terms and definitions
along the lines described in the presentation, and use the
"Traffic Light Protocol" concept.
SOA and Security
The Security Forum was joined by members from the SOA Working
Group. Members
received a presentation giving the
current status of this project. It was noted that since the previous
meeting, IBM has published an updated Redbook on "Understanding
SOA Security Design and Implementation" (November 2007), which is
available as a free download. A brief review of this document indicated that it has much of
directly relevant value to offer to members of the SOA-Security
project, though it was also appreciated that we need to separate the
IBM business scenarios from the security content. Since our avowed
intention in The Open Group is to avoid duplicating existing work,
three members took an action to review this IBM Redbook, with the specific
aim to compare the coverage of the IBM Redbook and our Guide to SOA
Security. Additionally, actions were agreed to complete integrating
of contributions to the "Characteristics" White Paper; to
follow-up delivery of our intended "SOA Security Services"
White Paper; and to coordinate with our Guide editor to update the
Guide with existing material not yet added.
