Please note that slide presentations are only available to members and San Diego conference attendees.
ISM3 – Development of Maturity Model
The Information Security Management Maturity Model (ISM3) standard was approved for publication during this San Diego meeting. On this basis, the ISM3 project leader Vicente Aceituno (ISM3 Consortium) introduced the proposed next phase for ISM3 development – guidance on how to build a Maturity Model for any enterprise business using the ISM3 Processes defined in the ISM3 standard. Vicente gave a slide presentation in which he first summarized the key concepts in ISM3 which underlie building an ISM3 maturity model.
Automated Compliance Expert (ACEML) – Next Steps
The ACEML standard was approved for publication during this San Diego meeting. On this basis, the ACEML project leader Shawn Mullen (IBM) proposed the next phase for ACEML development. Shawn will draft this using our new Project Proposal form, for review by the Security Forum steering committee and follow-up submission to the Security Forum members.
Shawn Mullen (IBM) outlined a proposal for a new project for mapping admin commands in different UNIX® implementations to a common admin command. He will draft this using our new Project Proposal form, for review by the Security Forum steering committee and follow-up submission to the Security Forum members.
Trusted Technology Forum (OTTF)
Security Forum members clearly have interest whenever the term “trust” arises in an Open Group forum, so were encouraged to attend the Tuesday Open Session introduction to this new Forum, which was presented by OTTF chair, Andras Szakal (IBM).
Security Forum members also attended the following Wednesday planning session in which the Forum members established three committees for managing the objectives of the OTTF:
- Steering Committee
- Global Outreach Committee
- Marketing Committee
To find out more about the OTTF Forum, visit www.opengroup.org/ottf.
Review of Security Forum Projects
Forum Director Ian Dobson (The Open Group) led a review of the current Security Forum list of projects, and their alignment with Security Forum strategy. The list of projects is publicly available from the Security Forum web site home page (www.opengroup.org/security).
Cloud Computing – Security Track
We enjoyed two presentations in this track on Wednesday afternoon.
Paul Simmonds (Jericho Forum) gave a presentation on Identity & Access Management for De-perimeterized Working. Identity & Access Management (IAM) is one of the Jericho Forum’s core projects targeted at enabling enterprises to collaborate securely in de-parameterized/boundaryless environments over open networks, including using Cloud Computing. He explained the Jericho Forum’s approach:
- To risk management in Cloud Computing, using the Jericho Forum’s Cloud Cube Model to explain the risks in different parts of the cube.
- To why the Cloud will not take off fully without appropriate Identity Management and Access Management (The Cloud Identity Crisis). While Private Clouds will be able to take advantage of the well established old perimeterized Identity & Entitlement & Access Management models, business collaboration clouds will need a significant shift from enterprise-centric security to user-centric security. In addition, Clouds also will benefit greatly from the shift from access by lists (Role-Based Access Control) to access by assertions (Claims – Rules-based Access Control)
- To risk-based access – Current access methods do not support business needs/granularity. While basic trust models for devices & users do exist, how do you verify environments you do not own? And how do you verify that environments you do not own are cleaned up after use?
Andres Kohn (Proofpoint) then gave a presentation providing his answers to the question: “Can data be more secure in the Cloud?” Andres asserted that the security approach and role depends on your delivery model, and introduced an S-P-I model where:
He illustrated this approach with several use-case examples, concluding that data in the Cloud should be not only more secure but also more reliable, and that organizations like his (Proofpoint) are well-positioned to provide this as a service through their expertise and experience on operational expertise, controlled environment, data encryption architecture, and redundant infrastructure, to deliver this. Cloud users should approach this through:
- Identifying Cloud opportunities to reduce cost and add functionality
- Reviewing use of Cloud Services across your organization
- Being cynical – asking the tough questions
- Requesting details on security practices and operational controls
- Setting a higher but also realistic bar on the security they expect from their Cloud provider
Identity & Access Management
Paul Simmonds (Jericho Forum) explained that the Jericho Forum members are currently developing Jericho commandments for Identity – i.e., the principles that underlie “identity”. These will enable any Identity Management solution to be evaluated for its completeness and adequacy for deployment in de-parimeterized environments, including Cloud Computing. Paul noted that federation of identities does not scale so is not suited to the solutions we need. He asked: “Do we want Government controlling our root identity?” – the answer was a resounding “No”. There are a number of current contenders offering Identity Management solutions – Verizon, Facebook, OpenId2, Google, to name a few. Governments want to be able to positively identify its citizens, and uses a variety of solutions for this – passport, social security number, health service number, driving licence number, biometric (fingerprint, iris-scan – all this proves is that the eyeball is positively identified, not the body it belonged to). The Jericho Forum wants to first get the identity principles correct – where a root identity (unique identity) is owned by a person and allows that person to create any number of “personas” as a set of digital identities which match selected roles in that person’s life. In doing this we should aim to mirror how human behavior works, not how technology solutions want to operate. In identity there are six primary objects requiring identity: data, code, machines/devices, organizations, biological entities, autonomous agents.
Steve Whitlock took a view on identity authentication and authorization based on the ISO 10181-2/3 standard. He considered the standard’s terminology and definitions, noting these were critical to understanding Identity & Access Management, and then went on to highlight key considerations on identifier rules, human versus computer concept of a principal, and a number of related issues that affect “identity”. He then considered administration controls for IAM, and how these impact authentication and associated rules leading to claims of entitlements implying authorization to access resources. This led to authorization rules and design rules for building authorization systems. In turn, this led to considering how data protection has evolved to give mechanisms today which enable data to carry with it its own protection to allow only access it authorizes.
All these IAM considerations are currently being developed by the Jericho Forum membership.
This meeting session was a joint workshop between the Cloud Computing Security Work Group and the Security Forum. It addressed recent progress with developing the CC-Security Work Group's project deliverables (Stuart Boardman, Getronics and Omkhar Asaratnam, IBM) – specifically their Security Principles.
Omkhar set the context for this session by explaining that these security principles will enable us to all share the same understandings on a comprehensive set of security threats and vulnerabilities that we need to address in Cloud Computing and SOA environments. The CC-Security/SOA Work Group will produce a White Paper that will be integrated into a Cloud Computing White Paper approved by all the Cloud Computing Work Group members. Omkhar noted that security does not have a static model, and it needs an architecture for handling threats, risk assessments, and integrity controls. The Cloud Security Alliance (CSA) guidelines are prescriptive; in contrast, our CC-Security Work Group approach is about method. We plan to complete our draft Security Use-Cases paper in time for the 2Q11 (London) conference, and our Cloud Security Reference Architecture in 3Q11 (Austin). As part of the reference architecture work we plan to run an “Architecture Decisions” rodeo.
Stuart then steered the meeting through the current draft of these security principles, which are available to members on the Cloud/SOA Security web site. In an interactive discussion, attendees agreed updates which were captured by Stuart and Omkhar for them to take to the active Work Group members and apply in creating a new draft.
It was noted that these security principles mix principle with rationale and use-cases and impact. It would be helpful to separate these components so as to:
- Give a plain-language statement of the principle – independent of technology or anything else
- Give background rationale, use-cases, and context, and tests for how to measure/evaluate it
- Provide assessment on impact/implications, including on other principles, perhaps by grouping them into logical sets
This was accepted as a further action for the active Work Group members in creating the next draft.
Secure Mobile Architecture (SMA)
This was a joint Real-Time & Embedded Systems (RT&ES) Forum and Security Forum development workshop.
Richard Paine gave a brief overview of the updates to the previous SMA draft, which addressed what would make SMA interoperable, including work on the HIP protocol in IETF; additions to the sections on Overlay Planes; updates on how the example Boeing implementation works; updates to the Operational Issues sections; and updates to the Policy definitions.
Project leader Steve Venema (Boeing) noted that if SMA is going to include a reference implementation this will be Section 6 of the current SMA draft. The reference implementation needs a component from the Trusted Computing Group which is not planned for completion until the end of 2011. This would delay our target completion date, so should we plan this reference implementation as a separate publication from the existing SMA draft? There are also other related dependencies, including IETF work on RFC 802bg and 802.3 (relies on Ethernet protocol) so the impact of these also needs to be assessed. The decision at this time is to take no decision now but retain this option for when a decision is necessary. In the meantime, Ian Dobson will check the current acceptability of The Open Group “Snapshot” publication category, in case we decide to publish SMA as a guide - without the reference implementation (which would make it a publishable as standard).
To draw out the essential components in an SMA implementation, Richard had created with help from others an example SMA Medical Implementation (see presentation). In discussion, specific points arising included:
- Which identities are essential in each transaction in this use-case? How do we communicate these securely? Who (identity) is using the device? Who (identity) is the target patient? How should we make these association bindings? How do we authenticate the endpoint(s) of the mobile association(s)?
- There are specific requirements that need different security levels.
- This SMA draft is addressing around 70% commonality across a wide range of use-cases, so we need to explain this adequately to position SMA correctly.
New Risk Management Project:
Managing Risk in Complex Interdependent Systems
In the context of managing risk, Ian Dobson noted the Security Forum’s Risk Management publications, including its Risk Taxonomy standard, and also its proposed Trust Management guide (derived from Jericho Forum work) which is now with Security Forum members for initial review and proposed development.
Jeremy Hilton and Pete Burnap (Intradependency/Cardiff University) gave a presentation on the problem space this project is addressing.
- What do we need to know about dependencies on third parties?
- Need to negotiate what requirements are necessary – brings in Service Level Agreements, and trust levels
- In geographically distributed systems, what events could impact our risk assessment/management? – e.g., Buncefield explosion in the UK (referenced in slide presentation)
- So what information do you need from collaborating organizations that you depend on in order to assess what is critical to your organization, and what tolerance you can accept?
Questions included the willingness of any organization to share risk information with third parties, and what incentive they will have for doing so. This project is for high-trust collaborations where there is mutual imperative to ensure that shared information and transactions are secure and handled with the expected agreed levels of trust. Each collaborating organization would place itself at the center of their own risk map, and so by agreement would be willing to expose their risk controls information to their partner collaborators. This is not like an ISO 27001 certification or a once per year assessment – it needs to be as close to real-time as is realistically achievable to reflect the current trust profile of an organization. It was noted that BITs has done much work in the finance sector on standards information gathering (SIG) for establishing security posture – it was originally called a Standard Assessment Program and did produce a standard set of questions, so we will look into this. The term “black swan event” was also mentioned – where an event happens that is outside your field of understanding – the context being “how do you know what things you don’t already know about are material?” – e.g., the Buncefield incident; you need to know what matters in order to draw out inter-dependencies. A further comment was that the Common Assurance Maturity Model (CAMM) has some relevance here.
Audit & Logging – Event Reporting Standard (XDAS v2)
Project leader David Corlette (Novell) presented a review on the current status of this development and the related coordination work we’re doing with DMTF (on Common Information Model [CIM] objects) and also with Mitre (on their Common Event Expression [CEE] standard). The problem we are addressing is how to consume events from many diverse sources such that the consumer can make sense of them. This Audit and Logging community wants only one industry standard to follow here. In this regard, DASv2 is intended to ensure compatibility with the output from CEE.
Our need is for a consistent high-level event model to which we can map event information. David described the DSA v2 domain model that achieves this – Initiator, Target, Observer, in which the Observer could also be the Initiator and/or the Target. We now need an object model that will describe the resources in this domain model. The solution we believe will meet our needs here is to adopt the DMTF’s CIM objects – DMTF has already done a lot of work to describe all “manageable” resources in IT, including inheritance, classes, and references; however, the CIM model is large and contains much data that is irrelevant to our (DAS) needs so we need to scope it down to what we need for DAS. As an alliance partner with the DMTF, we are now well advanced on forming a CloudAudit Work Group in the DMTF. David went on to address questions on “What event am I?, “What things am I related to?”, and Where am I?”, before listing the work now to be done to complete this DAS v2 standard.
We will follow up a query on how DASv2 might relate to the Automated Compliance Expert (ACEML) standard in respect of raising con-compliance alerts as events.