Security Practitioners Conference
Day 1 began with a keynote presentation on the Jericho Forum's new direction:
"Securing Enterprise Collaboration in the Cloud". This was followed by presentations from experienced security practitioners on securing services and storage in the
Cloud, and business inhibitors to adoption of Cloud Computing. The "focus session" which followed addressed how major
Cloud services suppliers provide secure services today, and how their security measures are continuing to evolve to meet the high expectations of their rapidly increasing numbers of customers. This focus session concluded with a panel session in which the
Cloud services suppliers answered challenging questions and comments from the audience, in a refreshingly welcome open spirit.
Day 2 provided presentations on hot topics in the information security world, including identity management, risk management, secure coding, securing Web 2.0 for the enterprise, audit & logging, compliance and how it can be automated, and securing
SOA. All of these topics have associated activities underway in our Open Group Security Program.
The presentations and panel sessions were delivered by security professional practitioners from both vendor and customer organizations, and provided experience-based insights into the approaches and methods that are currently in use and under development in the information security industry.
All the SPC presentations are freely available to members of The Open Group and conference attendees, and can be accessed from the links
in the separate SPC report.
The SPC was preceded by a one-day special conference on "Enterprise Cloud Computing", which provided a good introduction to the Wednesday SPC on securing services in the cloud.
The next Security Practitioners Conference will be held in London,
Monday April 27 2009, when the theme will be "Identity in the
Cloud".
Security Forum Members Meeting
Security in TOGAF (joint session with the Architecture Forum)
The Security Forum accepted an invitation from the Architecture Forum
to present the Security Forum's view on the future development of
security in architectures. The Security Forum presented their views in a
short slide presentation:
- Appreciate TOGAF 9 includes coverage of security, including Chapter
21 ...
- But coverage of security is still less than is needed.
- This is the right time – now that TOGAF 9 has just been launched – for
the Security Forum to engage with the next phase of TOGAF
development, with a view to contributing to the plans for what that
development aims to deliver, including more integrated security.
The Security Forum is keen to contribute to this, including making
security a more integrated aspect of the training courses for TOGAF
9.
- The Security program has a Collaboration Oriented Architectures
(COA) Framework for architecting security – can we form a joint
Working Group
to develop a reference security architecture within TOGAF? The
Security Forum is willing to provide the necessary security
resources for this.
- The Jericho Forum published in 2006 its "commandments"
(design principles) for evaluating whether a security architecture meets
its criteria for secure operations in de-perimeterized
(boundaryless) globally networked environments. Does TOGAF have
similar criteria for evaluating the effectiveness of architectures
developed using its ADM? If not, can we also collaborate to develop
TOGAF commandments as a significant value-add to the overall TOGAF
deliverable?
- The Security Forum would like to complement our present tactical
thinking on architecture frameworks with more strategic thinking on
the consequences of our current development direction, including
consideration of social cost of architectures, foreseeable
unanticipated consequences, post-functional requirements, and the
role of the architect.
Discussion concluded on agreement that TOGAF 9 training will indeed
include an integrated rather than "bolt-on" approach to
architecting security within the ADM. Also the Security Forum will
liaise with three volunteer representatives from the Architecture Forum who
are supportive of the Security Forum's proposals (above) in principle,
to evaluate how best to develop better integration of security in TOGAF.
Automated Compliance Expert (ACE)
The ACE Working Group project leader (Shawn Mullen, IBM) gave an update on the
progress and future direction for developing the deliverables from this
project. The current focus is on developing the ACE Markup Language (ACEML) descriptions for the PCI DSS compliance standard. Work is
progressing well in two-weekly conference calls. Feedback from a Novell
member representative is that their Sentinel product has direct
implementation relevance to the proposed ACE standard, so we will follow
up to assess the extent of this relevance. Discussion around this
also provided better understanding on how the ACE deliverables will
require supporting infrastructure in order to make it an effective
product implementation; we need to add explanation of this
infrastructure to our ACE Charter, so members can understand the context
and use-case issues.
Risk Assessment Methodology & Cookbook
We have delivered the Risk Taxonomy standard and the Risk Assessment
Methodologies technical guide. The third deliverable in our initial list
is a Cookbook – to demonstrate how FAIR (Factor Analysis of
Information Risk) complements other, less rigorous enterprise risk
assessment methodologies – with the aim of producing more valuable
results. Project leader Alex Hutton (Risk Management Insight) gave an
update on the progress with developing this first cookbook, which addresses
ISO 27005 (June 2008). Further cookbooks he proposes will
address OCTAVE (from CERT) and NIST SP 800-53. Each cookbook will:
- Reconcile definitions
- Describe The Open Group risk model in 27005 “terms”
- Develop “step by step” for performing risk estimation in The
Open Group risk model manner using 27005 terms
- Develop documentation for public consumption
The high-level structure and approach has been mapped out, and they
have found new resources in a graduate student who will enable them to
deliver a near-final draft of this first cookbook by June 2009. Once
this first cookbook is completed, the pattern to repeat the exercise for
OCTAVE and NIST 800-53 will take much less time. We will add these
deliverables to our Security Forum roadmap. In discussion,
Alex explained the current challenges that he is leading work to
address.
Ecosystem for Security (New Working Group)
We refer to the security ecosystem as the general state of the
security of IT systems and their constituent components. In a review of
this general state - see summary slides - the Security Forum members concluded that our
defenses are becoming increasingly fragmented, while attackers are
rampant. We can expect that if we succeed in establishing an industry
standard for securing our IT ecosystem, we will enable all users of IT
systems, from small and medium businesses (SMBs) to large corporations,
to significantly improve their information security. We especially
acknowledge that small and medium IT-dependent businesses cannot afford
to employ major information security resources, and also recognize that
these businesses represent a major economic force in the developed
world, so a standard to help SMBs raise their security level in
cost-effective ways will represent especially high value.
Accordingly, it was agreed we will set up a new working group whose
initial remit is to outline a project to show how our security ecosystem
can be significantly improved through a coordinated development program,
whose primary approaches involve:
- Better awareness and education (of people)
- Best practices (process)
- More effective deployment of technology
We agreed to set up an email list and web site to facilitate
interested members working on this new Working Group.
SMA (Secure Mobile Architecture)
On the Monday of the San Diego conference, members who were available
met with Richard Paine, who was the leader of the project which
published the SMA Technical Study (catalog number E041) in February 2004.
Since then, Richard has gained significant implementation experience
with SMA, and he presented this to the Security Forum members in January
2008. Richard retired from Boeing in March 2008, but has now written a
book on SMA (Beyond HIP: The End to Hacking as We Know It) which
supports his contention that SMA should be published as a standard. The
object of the meeting was to clarify those parts of the SMA
infrastructure which are candidates for standardization. Following
the discussion on Monday, Richard continued discussions with the current
SMA project leader, who later reported their progress to the Security
Forum. The outcome is that they have identified a framework for SMA
which they propose will resolve how to structure a successful SMA
standard:
- Identity/Authentication
- Mobility/Rendezvous
- Distributed Directory
- Encryption/Privacy/Integrity
- Authorization/Policy
- Digital Rights Management
We will evaluate this proposal, along with a SCADAnet use-case which
Richard will write, in the hope of finding an acceptable solution to the
problem we have not yet solved – how to structure and define a standard
for SMA. We recognize interest in this project from members of the Real
Time & Embedded Systems Forum.
Common Event Reporting & Logging (XDAS)
[Not covered in the meeting – see Outputs] Our XDAS
draft now covers the essentials of an event and logging
standard, excluding the API which was in the published 2004 standard. It
now covers:
- An event record format (logline, JSON, and XML)
- An event taxonomy (for the event type as well as outcome)
- Event filtering (which probably needs to be reworked as well)
- Audit service requirements (some overlap with CEE here)
We also recently issued two new introductory chapters that explain the
scope and purpose, and the data model, for this standard.
We will continue to coordinate project activities with The Open Group XDAS project and members of the MITRE-led Common Event
Expression (CEE) Group, plus the Burton Group and other interested parties, to reconcile areas of known difference which
are material to assuring interoperability between XDAS and CEE.
Confidence Model: Trust Management/Classification
[Not covered in the meeting – see Outputs] Following up from our Chicago (July 2008) meeting, our
Trust Management & Classification (tmc) web page provides members with access to all the Trust
Management/Classification project materials assembled to
date. A presentation
reflecting review feedback from the discussion in the July 2008 meeting
validated the concepts and definitions as a
necessary basis for creating a trust taxonomy upon which we can build a
trust/confidence management model. Ongoing actions include the need to write a formal Charter to
define the deliverables and timeline for this project, which has been
introduced into the Security Forum from the Jericho Forum.
COA Framework
[Not covered in the meeting – see Outputs] The Jericho Forum has developed a
Collaboration Oriented Architectures (COA) security framework for establishing secure
collaborative B2B operations between enterprises over an insecure
network (e.g., the Internet). It is now publicly available at www.jerichoforum.org/publications.htm.
Members in
both the Jericho Forum and the Security Forum have agreed to bring this COA
Framework into the Security Forum to develop it as a new standard. As in
the case of the Trust Management/Classification project, we need to write a formal
Charter to define the deliverables and timeline for this COA Framework
project. The real task in developing this COA Framework standard will
be to:
- Validate the COA Framework, using appropriate analysis methods
- Review its existing requirements-style materials and convert these
into adequate specifications for each component in the framework
- Integrate these components into a coherent framework such that it
is implementable
Enterprise Security Architecture (ESA)
[Not covered in the meeting – see Outputs] From the July 2008 meeting, we established
interest in updating the NAC Enterprise Security Architecture document,
with a lead editor who was closely involved writing the original ESA
document, with support from a team of member contributors. The ESA document is a
substantial work. It includes coverage on Governance which reproduces
material licensed from the British Standards Institute's BS17799; this
license requires quarterly submission of the number of downloads of the ESA
document, and payment of a license fee to BSI for each download. A
set of proposed revisions has been submitted, but work has been delayed by
the project leader's limited availability. We anticipate work will commence in
December 2008.