Jericho Forum Annual Conference 2005 Report
The Jericho Forum Annual conference 2005 took place on April 26th in
London. The meeting reviewed a selection of slides
presented in that event, and discussed its relevance and directions in
the context of the interests and goals of the Security Forum members. It
was agreed that when the Jericho Forum produces its technical roadmap we
should seek a joint meeting with them to share mutual interests and seek
ways to work together on mutually beneficial security solutions.
NIST-PKI Conference Report
A PKI-issues conference was hosted by NIST in the week April 17th in
Washington DC, US. Several presentations were highlighted as of
significance to Security Forum members who work with PKI. The NIST web
site provides access to all the presentations given in that conference.
ACCU Conference Report
The ACCU
conference held in England in the week commencing April 17th
included a session on security
patterns. This presentation was disappointing in that it did not
bring out why security design patterns are special, and also the work it
referred to is unfinished so there were many unanswered questions. Of
particular interest is a book on Security Patterns that is being
authored by Yoder and Fernandez - two significant people in the design
patterns community. Early views indicate that their book contains lots
of expertise on design patterns but less coverage of security patterns
than that published by the Security Forum in April 2004. We will
continue to maintain contact with this community to promote our security
design patterns work.
Integrating Security into TOGAF
This work was initiated in the previous meeting (San Francisco,
January 2005), when David Jackson led a workshop, and from that formed a
working group which has held three meetings and three teleconferences up
to this Dublin meeting. As part of the Architecture Practitioners'
Conference, David presented the results to date in the Architectonic
Security stream on Wednesday morning. Refer to David's presentation Integrating
Security into TOGAF to see what he reported.
Arising from that presentation, some concerns were raised by Security
Forum members over the approach to architecting security that seemed to
be imposed by TOGAF and which some experienced security experts
felt missed key starting points that are crucial to taking the right
approach. Accordingly, an additional meeting was held to address
these concerns so that all involved reached agreement on the right
direction and how to move this work forward.
The area of most concern affected TOGAF ADM phases A-D, and
particularly A & B. The thought process that experienced
security-architects/subject-experts take involves a specific disciplined
approach that starts from formulating a set of "big rules"
according to the nature of the business area (e.g., banking &
military would require different big rules), which are then used at key
"way points" in the architecture development process, and
after that we start on creating policy. The key point is that for good
security architecture, "business operations" is the driver,
and control of the business so that it operates securely is the required
goal. This was illustrated in a single diagram named Enterprise
Security Simple Model. With due acknowledgement to the IEEE
1471-2000 Architecture Description standard, the experienced security
architect will place accountability, auditability, and business control
at the top of the list of objectives, and an approach which does not
recognize this is effectively putting "architecture" above the
business view of reality.
It was agreed that the concerns here are more about how to describe
security architecture in the context of TOGAF than the objectives that
TOGAF aims to achieve in these early phases. A four-point next-steps
action plan was agreed to move this work forward in an agreed direction,
with the first three points targeted to be delivered by the next meeting
(July 2005 in New York).
Identity Management
Chris Harding, Director of the Directory Interoperability Forum, led
the Identity Management items on the agenda.
There were four meeting sessions devoted to the joint-Forums program
on Identity Management:
- Guide to IdM Architectures
- Common Core Identifiers
- Design Patterns for Identity Management
- Identity Management Framework standard
All these IdM meeting sessions are covered in a separate meeting
report.
Control of Electronic Chattel Paper
This joint work with the American Bar Association's Cyberlaw
Committee was initiated in Q4/04 and through a successful joint meeting
during the San Francisco conference, it has led to a joint working group
holding a series of teleconferences between January 2005 and this Dublin
conference. These have yielded good progress with linking the legal
understanding of the requirements for the US Uniform Commercial Code
UCC9-105 on control of electronic chattel paper with what the technical
requirements are for what "control" really means and how it
can be demonstrated as effective to lawyers and judges in a court of
law.
Members reviewed the presentation
delivered to the ABA Cyberlaw Committee on the technical control
requirements to demonstrate how technology exerts "control".
This was acknowledged as perhaps well-known and basic command and
control knowledge to technical members, but it has proved revelatory to
the lawyers in the ABA Cyberlaw Committee. They have expressed great
gratitude for the new insights this has given them in their quest. They
are now revising their list of evidential questions that will advance
their ability to demonstrate the necessary control over ECP in a court
of law. They will be requesting Security Forum members to review their
revised questions from the technical viewpoint, to continue this work to
its successful conclusion.
Trust Models
Work on developing this technical guide has suffered some delays due
to slow delivery of key contributions to the lead author. However, there
has been a recent small upsurge which has enabled preparation of a
revised draft. Members reviewed the existing draft and contributed
further answers to queries, which resulted in a new draft version 8.
This will be uploaded to the Security
Guides web page.
Certain members undertook to submit further contributions to the lead
author, who will integrate them into the existing draft version 8. An
additional source for collaboration on this work was also recommended
and will be followed up. We will then assess the remaining gaps and how
to fill them to complete this deliverable. One suggestion was to include
a new section on how to select a trust model for your business need.
Security in Data
This work item was proposed some 18 months ago but resources to take
it up have been too limited this far. Bob Blakley gave a presentation
that is relevant to this at The Open Group conference in New Orleans.
A further relevant presentation was given in this Dublin conference,
by Mark O'Neil, Vordel, in the Web Services stream of the Architecture
Practitioners' Conference. This presentation described characteristics
similar to those relevant to "security in data" as regards
store and forward configurations, provision of services, and following a
message throughout the enterprise. We anticipate possible new
developments between now and the next conference (July 2005 in New York)
which will add significant new material to this work item and may enable
us to launch it as a new Security Forum working group.
Digital Rights Management
The DRM technical guide has been held from completion for several
months as a result of a concern over the relationship of DRM with
Mandatory Access Control (MAC), and unavailability of time for the
required experts to work together to resolve it. Discussion in this
Dublin meeting helped considerably to clarify the problem space and the
issues that need to be resolved. As a result, the lead author expects to
complete a final draft for sanity check by the Security Forum members by
mid-May.
Security Forum Roadmap
The existing list of Security Forum work groups and projects was
reviewed and updates were agreed. The resulting revised list will be
uploaded to the Security Forum web
site.
