The Security Forum meeting in Washington DC ran from Wednesday through Friday, April
26-28. The first day was a joint meeting with the Identity Management Forum, in
which we covered our shared program of activities. Thursday and Friday carried
a full agenda of Security Forum activities. The activities covered included:
Security Strategy White Paper
Trust Models Guide
Identity Management (joint with the Identity Management Forum):
Framework for Identity Management (joint with INCITS & ISO JTC1 SC27)
Architectures for Identity Management
IdM Design Patterns Workshop
Identity Management Catalog
Common Core Identifiers (joint with NAC and DMTF)
Best Practice Guide for Directory in IdM
IdM Standards for TOG Standards Information Base
Security in Data
Collaboration with the Jericho Forum:
Security Strategy White Paper and Jericho Forum Roadmap
Collaboration with the American Bar Association Cyberspace Law Section:
Security Strategy White Paper
Summary
The Security Forum agenda and activities status was presented in a set of summary
slides which are available here.
Liaisons & Industry Update
A regular part of Security Forum meetings, and one that members place high value on,
is hearing reports from other members on significant IT security events, activities, and
new developments and directions they have encountered since the previous meeting. This meeting
was no exception, with reports and ensuing lively discussions on Homeland Security,
changes in the ISO JTC1 SC27 IT security standards working groups, the NIST April 2006 workshop on
PKI, developments in the Jericho Forum, the Network Centric Operations Industry
Consortium (NCOIC), and several other newsworthy items. These exchanges of news and
opinion are available only to members.
Security Strategy White Paper
Prior to their Friday joint meeting with members of the ABA Cyberspace Law group, Security
Forum members reviewed comments on the latest draft outline and synopsis for this
White Paper. This review and discussion resulted in agreed updates to clarify and expand the
proposal, and improve understanding of our future direction for this work. Specific
decisions include to bring out as a major theme the notion of "control" as
fundamental to security, and to add a legal/regulatory view into the enterprise
architecture. See the follow-on discussion reported below under Collaboration
with the American Bar Association Cyberspace Law Section.
Trust Models Guide
This project has suffered from scarce resources over the past six months, due to higher work
priorities elsewhere. The intended use for it remains valid, though less urgent than was
believed at the start, and its content remains relevant and useful. It is unique in that
it evaluates failure modes: what happens, and what the business consequences are, when a
given trust model fails in any one of several different ways. Members agreed that we will
make an effort between now and the next meeting (Miami, July 17-21) to gather the missing
contributions needed to complete this document, and will also share it with the Jericho
Forum members who are working on their Trust & Transitivity positioning paper.
Identity Management (joint meeting with the IdM Forum)
Framework for Identity Management: This is a joint
project with the international standards bodies INCITS CS1 and ISO JTC1 SC27. We
are awaiting formal notification that we have been granted Category C liaison status with
ISO JTC1 SC27, which will entitle us to submit review comments directly on their
draft ISO Standard on this topic. SC27 is currently reorganizing into five working
groups. This restructuring is delaying their progress on project work, including on this
framework Standard. The ISO JTC1 SC27 Working Groups are meeting in
Madrid, Spain, May 8-12. We may expect a pre-Madrid meeting draft next week, and may
submit comments on it before their May 8-12 meeting if we so wish. We look forward to
progress from their Madrid meeting, although we understand they have allocated only
one hour to developing this IdM Standards framework document.
Architectures for Identity Management:
Due to other work priorities, little progress has been made on this document since the
previous meeting in Barcelona. The situation remains that the co-editors have yet to
decide whether to develop new material to fit into the revised structure so it presents a
balanced view, or to revise the structure (yet again) to fit the material that they
currently have. They are looking for additional resources to complete this project.
Noting that there is significant value in the existing draft, we will make the latest
draft available to all members on our IdM web page and invite renewed review to establish
exactly what additional contributions are needed, and establish a realistic plan for
completing it.
IdM Design Patterns: The revisions to our 3rd Party Identification and 2nd Party Identification design
patterns are captured in notes from the design patterns workshop session held in
Barcelona, but have not yet been written up as revised pattern definitions. Work will continue to
complete this activity, which is expected to result in near-final patterns. We are also
interested in developing an authenticator design pattern, and hope to have a
draft for review at the next conference (Miami, July 17-21). Members also noted
that several new books on security design patterns have been published recently. Members
agreed to take our design patterns work forward by reviewing our current work in the light
of these new publications, and by shifting our focus between now and the next meeting to
applying existing design patterns to specific security problems, such as those
being proposed in the Jericho Forum's de-perimeterization space, to demonstrate the value
of a design patterns approach to solving today's IT security problems.
Identity Management Catalog:
We have now resolved the final issues on updating our questions in the IdM Catalog
template, so will update the template as soon as possible, and then invite those
with existing entries in the Catalog to revisit their responses in the light of the
clarifications the revised questions provided. Work is progressing well on development of
an advanced web page display system for our Identity Management Catalog, and
we will drive this through to completion as rapidly as time permits. It was agreed that we
will aim for launch of our IdM catalog at the July Conference in Miami - this will require
a deadline of June 30 for close of entries by vendors, allowing time for approval by our
Editorial Advisory Board, and preparation of a press release involving the vendors who
have provided entries.
Common Core Identifiers (joint with NAC and DMTF):
The Company Review of the CCI Business Scenario and the CCI Framework (comprising the
framework document and the framework matrix spreadsheet) closed on April 11, and the
ballot on change requests closed on the day of this meeting (April 26). Members of the
IdM Forum were the prime review and balloting constituency in The Open Group. The NAC are
running their review of this document concurrently, and we are coordinating their feedback
so as to close on mutually agreeable solutions. The DMTF has not participated in the CCI
work in recent months and has indicated that they have copyright problems with joint
publication, so publication of the approved document may not include them. There is also
liaison activity underway with W3C to explain why their URN does not serve the requirement
for a CCI (the reason given is that URN is tied to a protocol), and with OASIS to follow up
on evolving their XRI standard so that it meets the requirements identified for
CCI. The resulting published CCI documents are expected to provide high value to those
engaged in sharing identifiers across organizational boundaries. This is a very
difficult area because of the problems of migrating from the many legacy systems that currently
exist, business reluctance to invest in moving away from solutions that are
adequate for today (though probably not for tomorrow), and the purist problem of
agreeing what is a "final" solution for an enduring (permanent) universal unique
identifier scheme in an industry that is characterized by adaptability and change.
Best Practice Guide for IdM:
Members received a presentation proposing this new project - to develop a best practices
guide for Identity and Access Management Framework (IAMF), covering what IT needs from the
infrastructure and why. The presenter declared willingness to lead this project. The
outline structure proposed addressed this under several key headings: high availability,
serviceability, leveraging mature & established industry standards, performance,
security, compliance with legislation & regulations, hardware, and case studies.
All members were invited to review this proposal, provide their feedback, and indicate
their interest in being an active contributor/participant.
IdM Standards Entry in Standards Information Base:
Members reviewed the final draft preparatory to submitting it for Company Review, made
further additions to include standards called out in the CCI matrix, and deleted some that
were viewed as peripheral or not current. The resulting draft will be submitted for
Company Review directly following this meeting.
Security in Data
Members received a refresher of the presentation given at the previous meeting (Barcelona, January
2006), in which the presenter proposed a set of five precisely defined security components that would
represent the basic elements of a secure system. In that presentation, these components
were deliberately given names that avoid existing security terminology, to ensure they carried
no characteristics or functions inferred from common security terms. The
components were used to demonstrate how they would provide the
essential functionality of an accountable, reconcilable transaction. Also in the Barcelona
presentation, recognizing that this new view requires extensions to cater for secure operation
in more complex transactions, two further components were added to make seven in all, with
an understanding that more may be needed as we acquire experience of applying them.
Members took away from Barcelona an appreciation of, and an intent to work on, this new approach
to security: to figure out what the design rules are, how they relate to existing
practices, what data format is required, and how to put it all together in a holistic topology.
In this Washington DC meeting, members recalled their earlier discussion on Identity
Management design patterns, in which they agreed to review the de-perimeterization work
underway in the Jericho Forum and look for a Jericho Forum problem that they would like to
address using security design patterns, to demonstrate the effectiveness of applying
design patterns to analyzing and solving real IT security problems. They also decided that
a good way to test this "security in data" approach would be to apply the
seven components defined so far to the same Jericho Forum problem and see what outcomes this
approach produces. This represents a second substantive outcome arising from the intent,
agreed in our joint meeting with Jericho Forum members in Barcelona (January 2006), to
collaborate on areas of common interest in IT security.
Collaboration with the Jericho Forum
Arising from the intent agreed in our joint meeting with Jericho Forum members in
Barcelona (January 2006) to collaborate on areas of common interest in IT security, the
outcomes from the members' discussions on "design patterns" and on "security
in data" have produced two substantive areas in which the IdM and Security Forum
members aim to collaborate with the Jericho Forum on specific de-perimeterization
problems. A third area is taking the Jericho Forum commandments into the Security
Strategy project. A fourth area is evaluating the Jericho Forum Positioning Papers; the
first four were published electronically on April 25 and announced during the Jericho
Forum's Annual Conference that day. It was noted that a conclusion of the Voice over IP
paper is that standards groups need to work together on providing an open standard in this
area; this is a specific challenge within that fourth area which the Security Forum will evaluate. A
fifth collaboration is sharing the Security Forum's Trust Models draft document with the Jericho
Forum members who are developing their Trust & Transitivity positioning paper.
Collaboration with the American Bar Association Cyberspace Law Section
On Friday April 28 the Security Forum held a joint meeting with the American Bar
Association Cyberspace Law Section's group that is addressing
Connectivity, Storage, and Computing Infrastructure, at the World Bank HQ in
downtown Washington DC. This was at the invitation of the ABA member who leads this
group. They are keen to build on the past successful collaboration with the Security
Forum on the Framework for Electronic Chattel Paper by working with us on developing our
Security Strategy White Paper, which they see as a significant contribution to
their group's goals. After initial introductions and positioning statements,
attendees reviewed the Jericho Commandments and the impact of de-perimeterization on
secure IT operations, both as a vital contribution to the White Paper and as a valuable
level-setting discussion to steer the rest of the meeting. The discussion then moved on to
a detailed review of the Security Strategy synopsis and structure for the
White Paper.
Valuable new contributions were captured from this wide-ranging discussion, and these will
be consolidated into a revised document that will form the basis for further development
between now and the next meeting.
Outputs
Agreement on a set of actions to progress the work discussed in this
meeting.
Next Steps
Issue and progress completion of the agreed set of actions arising from the meeting.