Introductions & Agenda Review
Ian Dobson (The Open Group staff Director of the Security Forum) welcomed
attendees to the meeting, and after a round of introductions he
presented the proposed agenda, which was
approved.
He then gave a brief overview of the past and present activities of
the Security Forum by reviewing the Security Forum web site - aided by the only
attendee in our Paris meeting who had managed to capture an IP address. In the process he
noted a few updates to the web page which he will apply.
Several members had picked up from the Security Program table in the
exhibitors area the leaflets describing the four areas of activity on
information security which fall under the direction of Ian Dobson:
- Security Forum
- Identity Management Forum
- Jericho Forum
- Critical Infrastructure Enterprise Architectures Work Group
These leaflets are available from The Open Group Online Bookstore at www.opengroup.org/bookstore/catalog/t_is.htm.
Arising from this, Ian and other members explained to the
new attendees the charters and developing interworking relationships
between these areas of "security". Particular points arising
in the ensuing discussion were:
- How particular industries like oil and gas have 24-hour instant
response teams at strategic command centers, who already have the
necessary standard wireless communications links with other first-responder
services, so the objectives set out in the CI-EA leaflet merit further
thought and revision. Ian will respond to this useful feedback.
- The natural synergy between the Security Forum and the Jericho Forum,
in that the Security Forum's emerging strategy was towards boundaryless
(de-perimeterized) information security; and whereas the Jericho Forum
is primarily a requirements-setting forum, the Security Forum is both a
requirements and a standards/guides group. One member described how a
Microsoft presenter recently represented the Microsoft view of the
future for information security - which is exactly the Jericho and Security Forums'
approach:
- Protection of the network reducing
- Protection of the applications increasing
- Protection of the data (information) increasing the most
Ian also presented his "2007 key objectives" for his
Security Program. Discussion brought out clearly that members are
against introducing the word "architecture" into the
Security Forum's title, though of course the members are keen to develop
security architectures.
Additionally these "key objectives" mentioned that due to
dwindling support from the previously active members of the Messaging
Forum, during Q107 its activity has ceased, its work - including its web
site - has been archived, and it is now closed as an available Forum of The Open
Group. It left a "message
retention" project that was started but not completed. In this Paris meeting,
one Security Forum member expressed interest in this work, so Ian will
extract the progress on this project from the Messaging Forum archive
and present it for evaluation and expressions of interest from all
Security Forum members.
Identity Management
This was a joint meeting of the Identity Management Forum and the
Security Forum. See the separate meeting report.
Security Strategy White Paper
The Security Forum chairman - Mike Jerbic - joined the meeting by
teleconference for the first 30 minutes of this item. The latest draft
is available to members only at www.opengroup.org/projects/security/protected/.
Initial discussion
clarified that this White Paper is aimed at two main audiences: the
Security Forum members, and the public. The intent is to provide both of
these audiences with a clear declaration of the Security Forum's future
direction and goals, the context being that the Security
Forum members' aims are to clearly differentiate our objectives from
other security standards groups, and to explain how our Security Forum's
activities are focused on making a real difference in our contribution towards delivering effective
information security.
We have been waiting for the ABA Cyberlaw group to provide their
feedback on this White Paper, ever since they discussed it and declared
they would contribute a few items of feedback following their in-depth
review of it in their Winter Meeting in the 3rd week of January 2007.
Regrettably their designated contact has been unable to find the time to
do so over the past three months, and neither is he able to give us an
expected date when we might receive it. Therefore, we have agreed that
since their feedback would not include any major normative material, we
will proceed to publication now, and update it as a living document as
the need arises.
Part of this update will be in using it as our overall vision of what
we do, to include commentaries on our activities as we do them, and
thereby to show how they fit into our strategy. The FAIR project will
likely be the first addition in this category - addressing the key
elements of risk and showing how to quantify risk based on these
elements - for example, if legal compliance requires a risk management-based solution, then a risk management framework is needed to demonstrate
this, and FAIR will provide one.
Further discussion brought out a few issues which Ian will add to our
usual sanity-check activity - through The Open Group's editorial checks
- to improve quality prior to publication. One significant addition will
be an Executive Summary.
Privacy through Domains of Identity
In our previous meeting (San Diego, January 2007) we had a
well-supported discussion on this topic - see the San Diego Security
Forum meeting report available at www.opengroup.org/public/member/proceedings/q107/30IM.htm for a summary of the issues and discussion. This
item was included in our Paris meeting agenda as a placeholder to
facilitate members continuing the discussion, and
perhaps exploring opportunities for developing a project based on it. In
the event, the member who proposed and presented this topic in San Diego
was unable to join the Security Forum meeting. Accordingly, Ian will follow up
to establish interest from the original proposing member in playing a
lead role in any new project based on this topic, and then invite
declarations of support for contributing to it from the members of the
Identity Management Forum and Security Forum.
FAIR (Factor Analysis for Information Risk)
Members first reviewed the actions taken away from the previous meeting
in San Diego (January 2007) - see www.opengroup.org/public/member/proceedings/q107/30SF.htm -
to assess progress and modify our next steps
accordingly. It was established that the key actions have been taken or
are underway, including taking the "risk management" message
to members of the Jericho Forum to invite their support for this
project.
One significant question which we must answer - and which is
not covered in the FAIR White Paper - is the business value
that FAIR contributes. It does provide a taxonomy for analyzing risk, and a
mechanism for applying that taxonomy to specific threats and
vulnerabilities in an organization. Assuming it achieves these
objectives successfully, the next step in the business context is to
have some process to use the results of the FAIR analysis to manage the risk
that FAIR has revealed, to lower the exposure
of the business to that risk. The value of using FAIR - or any other risk management
assessment process - needs to be demonstrable as a business
cost/benefit. The result(s) that FAIR produces to measure the risk(s) must
therefore be usable in some effective management process that translates
into measurable business value return, to show how it contributes to reducing the
business' threat profile or vulnerabilities or exposure
to loss. We will investigate this key business requirement as a
high priority, using our well-proven approach:
- What problem are we trying to solve?
- Why should my business care; what are the likely consequences of
not caring?
- What are our recommendations? Impact on people, process, and
technology.
- What added value and business benefits will be achieved by following these
recommendations?
- How will we demonstrate that these recommendations will
deliver an acceptable solution?
The draft White Paper - available from Risk Management Insight (RMI
at www.riskmanagementinsight.com)
and also available on our web site (see www.opengroup.org/projects/security/)
- explains the
taxonomy of the FAIR approach to analyzing risk, and the method used in
measuring risk. It does not include any part of the computational engine,
or the simulation model, and neither does it include any software/tools
to support implementing the methodology. Additionally, the RMI principals provide
training courses as part of their revenue stream. The proposal from RMI
is to offer their taxonomy and framework for adoption as the basis for a
standard on FAIR, to promote its adoption as a global standard for
measurement of risk.
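The two points above - that FAIR quantifies risk from the elements of its taxonomy, and that the result must be usable as a business cost/benefit - as an added worked example. This is not code from the meeting report, the FAIR White Paper or RMI's computational engine; it assumes the standard FAIR factor structure (loss event frequency = threat event frequency x vulnerability; annualized loss exposure = loss event frequency x loss magnitude), estimates each factor as a (minimum, most likely, maximum) range, and runs a small Monte Carlo simulation to turn those ranges into a loss distribution. The phishing scenario numbers and the control cost are constructed for illustration, and estimating vulnerability directly is a simplification of FAIR, which derives it from threat capability against control strength.

```python
"""FAIR-style risk quantification with a control cost/benefit check.

Added example, not from the report or RMI. Assumed factor structure (standard
FAIR, not given on the page):
    LEF (loss events / year) = TEF (threat events / year) x Vuln (0..1)
    ALE (annualized loss exposure) = LEF x LM (loss per loss event)
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated (min, most likely, max) range for one FAIR factor."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        # Mean of a triangular distribution over the range.
        return (self.low + self.likely + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate   # threat events per year
    vuln: Estimate  # probability a threat event becomes a loss event
    lm: Estimate    # loss per loss event, in currency units


def point_estimate(s: Scenario) -> float:
    """Expected ALE: the product of factor means (factors assumed independent)."""
    return s.tef.mean() * s.vuln.mean() * s.lm.mean()


def simulate(s: Scenario, trials: int = 20000, seed: int = 1) -> dict:
    """Monte Carlo ALE distribution: mean plus 50th and 90th percentiles,
    so the result carries the spread of the estimates, not just a point."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = s.tef.sample(rng) * s.vuln.sample(rng)
        losses.append(lef * s.lm.sample(rng))
    losses.sort()
    return {"mean": sum(losses) / trials,
            "p50": losses[trials // 2],
            "p90": losses[int(trials * 0.9)]}


def control_benefit(before: Scenario, after: Scenario,
                    annual_control_cost: float) -> dict:
    """Business case for a control: risk reduction in currency against what
    the control costs per year."""
    reduction = point_estimate(before) - point_estimate(after)
    return {"risk_reduction": reduction,
            "net_benefit": reduction - annual_control_cost,
            "worthwhile": reduction > annual_control_cost}


# Constructed scenario (illustrative numbers only): credential phishing
# before and after deploying phishing-resistant MFA, which lowers the
# vulnerability factor but leaves threat frequency and loss magnitude alone.
PHISHING_BEFORE = Scenario(
    "credential phishing, current controls",
    tef=Estimate(20, 50, 100),
    vuln=Estimate(0.10, 0.20, 0.40),
    lm=Estimate(5_000, 20_000, 80_000))
PHISHING_AFTER = Scenario(
    "credential phishing, with phishing-resistant MFA",
    tef=Estimate(20, 50, 100),
    vuln=Estimate(0.01, 0.02, 0.05),
    lm=Estimate(5_000, 20_000, 80_000))
MFA_ANNUAL_COST = 150_000  # constructed

if __name__ == "__main__":
    for s in (PHISHING_BEFORE, PHISHING_AFTER):
        print(s.name, round(point_estimate(s)), simulate(s))
    print(control_benefit(PHISHING_BEFORE, PHISHING_AFTER, MFA_ANNUAL_COST))
```

The percentile output is what makes the result usable in a management process: a p90 well above the mean tells a decision maker how much of the exposure sits in the tail, and the net-benefit figure is the cost/benefit statement the discussion asked for.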
In this meeting, members worked through the RMI White Paper, with the
help of a set of summary working slides to facilitate maintaining
members' awareness of the context of the detail in their review, but
without the benefit of the RMI sponsors to resolve questions which
inevitably arose. The objectives of this first detailed review
were to assess acceptability of the FAIR taxonomy as a basis for
analyzing risk, and of the framework it uses to evaluate risk. Good
progress was made, resulting in a number of queries which Ian will take
up with the RMI principals. The responses from RMI will be shared with
the members, and we expect to follow up in subsequent teleconferences
between now and the next meeting (Austin, TX, July 23-27), so we can
review a mature draft of the taxonomy as part of assessing the overall
plan for this FAIR project.
A further consideration proposed by the Security Forum's Chair is
to invite the RMI principals to run a one-day tutorial on FAIR as part of
our meeting in Austin, to enable members to become sufficiently informed
on what FAIR provides and how effective they believe it is, sufficient
to make informed contributions and judgments on its development towards
becoming acceptable as an Open Group standard. All
present in the Paris meeting supported this proposal, and during the
meeting the RMI principals emailed their agreement in principle. The
Tuesday of the Austin meeting was preferred by the members present. Ian
will work out a mutually agreeable day.
SOA-Security (Joint Project with SOA WG)
Interested members of the Service Oriented Architectures Working Group
joined the Security Forum members in a
review of the current direction and progress of this project. The
Security Forum's objectives are to raise awareness of the information
security issues that arise in distributed networked systems where
applications call on services from systems which they have no control
over and which therefore have to perform some kind of federated trust
and share delegated assertions on authentication and access control.
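The federated-trust problem stated above - a service honouring an assertion about a user that was issued by a system it does not control, and a delegate calling a further service on that user's behalf - as an added example of the checks the consuming service has to make. This is not code from the SOA-Security project; it uses a constructed, minimal token format (HMAC-signed JSON) in place of any real SAML or WS-Security profile, and the issuer names, service names and keys are all hypothetical.

```python
"""Verifying a delegated assertion across a service chain (added example).

Constructed token format: base64url(JSON claims) "." base64url(HMAC-SHA256).
Federation is modelled as a map of trusted issuers to their verification keys.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional


class RejectedAssertion(ValueError):
    """Raised when a consuming service must refuse an assertion."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(issuer: str, key: bytes, subject: str, audience: str, scopes,
          ttl: int, now: int, parent: Optional[str] = None) -> str:
    """Sign claims as `issuer`; `parent` carries the upstream assertion when a
    service calls a further service on the subject's behalf."""
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "scopes": sorted(scopes), "exp": now + ttl}
    if parent is not None:
        claims["parent"] = parent
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify(token: str, trusted_keys: dict, audience: str, now: int,
           max_depth: int = 3) -> dict:
    """Checks before honouring an assertion: trusted issuer, valid signature,
    intended audience, not expired; for a delegated assertion, a bounded chain
    whose upstream link was issued to the delegating service for the same
    subject and grants at least these scopes (a delegate may narrow rights,
    never widen them)."""
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
        sig_bytes = _unb64(sig)
    except ValueError as exc:
        raise RejectedAssertion("malformed assertion") from exc
    key = trusted_keys.get(claims.get("iss"))
    if key is None:
        raise RejectedAssertion("untrusted issuer")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig_bytes, expected):
        raise RejectedAssertion("bad signature")
    if claims.get("aud") != audience:
        raise RejectedAssertion("wrong audience")
    if now >= claims.get("exp", 0):
        raise RejectedAssertion("expired")
    if "parent" in claims:
        if max_depth <= 1:
            raise RejectedAssertion("delegation chain too long")
        # The upstream assertion must have been addressed to the service
        # that is now delegating, so the chain is checked link by link.
        parent = verify(claims["parent"], trusted_keys, audience=claims["iss"],
                        now=now, max_depth=max_depth - 1)
        if parent["sub"] != claims["sub"]:
            raise RejectedAssertion("subject changed along the chain")
        if not set(claims["scopes"]) <= set(parent["scopes"]):
            raise RejectedAssertion("scope escalation by delegate")
    return claims


def rejection_reason(token: str, trusted_keys: dict, audience: str, now: int):
    """None if the assertion is acceptable, otherwise why it was refused."""
    try:
        verify(token, trusted_keys, audience, now)
    except RejectedAssertion as exc:
        return str(exc)
    return None


# Constructed scenario: an identity provider vouches for alice to service-a;
# service-a then calls service-b on alice's behalf with a narrowed scope set.
NOW = 1_700_000_000
TRUSTED_KEYS = {"idp": b"constructed-idp-key",
                "service-a": b"constructed-service-a-key"}
USER_ASSERTION = issue("idp", TRUSTED_KEYS["idp"], "alice", "service-a",
                       {"read", "write"}, ttl=600, now=NOW)
DELEGATED = issue("service-a", TRUSTED_KEYS["service-a"], "alice", "service-b",
                  {"read"}, ttl=300, now=NOW, parent=USER_ASSERTION)
ESCALATED = issue("service-a", TRUSTED_KEYS["service-a"], "alice", "service-b",
                  {"read", "admin"}, ttl=300, now=NOW, parent=USER_ASSERTION)

if __name__ == "__main__":
    print(verify(DELEGATED, TRUSTED_KEYS, "service-b", NOW))
    print(rejection_reason(ESCALATED, TRUSTED_KEYS, "service-b", NOW))
```

The audience check is what stops an assertion meant for one service being replayed at another, and the subset check on scopes is what keeps delegation from becoming a path to wider access than the user was granted at the start of the chain.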
With none of the current members of this joint project present in the
Paris meeting, this meeting session provided an opportunity for
non-members of the joint project to offer their
assessments.
The attendees in Paris first reviewed a few progress-to-date
slides summarizing the
outcomes of the three teleconferences held since formation of the SOA-Security project in
our January 2007 meeting, which included a list of the initial set of project objectives
and deliverables. A key part of these deliverables is the need for an
infrastructure and business scenarios on which we can map the problem
issues that project members are raising, so we can be clear on what
issues are of highest priority and concern, and what gaps we must cover
to ensure we create a complete model that will respond to the essential
requirements in SOA enterprise architectures.
Two members from the SOA WG provided valuable contributions to
understanding the SOA environments that we need to ensure are enabled to
operate
securely.
One of these contributions presented a slide showing an example of an
SOA reference
model, in which four "safe SOA
categories of issue" were identified. The presenter challenged the security members to agree if
these would be the actionable attributes for security in SOA. As
co-director of the joint SOA-Security project, Ian will liaise with his
counterpart from the SOA WG (Chris Harding) to bring this question into
the joint SOA-Security project team for evaluation. Comments from the Security
members were that the infrastructure as presented was complex and
appeared at first sight to include some implementation-specifics rather
than technology-neutral components which would need further
understanding, and also that we should not forget that a similar
challenge should be raised on what are the actionable attributes for manageability
of the SOA environment.
The other contribution was the IBM Red Book on SOA
Architecture. This book is generally recognized as having significant
authority, providing much accumulated expert guidance in some 428 pages.
It includes three - possibly four - significant scenarios which are likely to be of value
to the SOA-Security joint project members, and is a free download. (See
www.redbooks.ibm.com/abstracts/sg247310.html?Open.)
A further source for relevant scenarios is the slides
first presented by a member of the Security Forum in our January 2007
joint meeting, showing two access scenarios
A and B, each presenting basic issues on access control requirements for
achieving secure access to the service they control.
The discussion on these items was so vigorous that it overflowed the normal
90-minute session by a further 27 minutes before the chair for the
meeting brought it to an arbitrary halt - to be continued by those who
wished to do so outside the formal meeting. It actually did continue through
the following meeting break time.
Ian will co-ordinate actions to bring these three resources
into the joint project team.
Jericho Forum Requirements
An action from the previous meeting (San Diego, January 2007) was
taken by five members, each extracting from two Jericho Forum position papers the real security requirements
those papers contain. These papers are
available from the Jericho Forum's public web site at www.opengroup.org/jericho/publications.htm.
The Security Forum members used a common template for this review, the objective being to
provide a consistent presentation of results. To date we have the
results for eight of these ten Jericho Forum position papers, and await the
results for the remaining two papers.
Preliminary results on six of these papers were presented to the
Jericho Forum in their members' meeting on March 16th. We aim to present the final
results on all ten papers in their next Jericho Forum members' meeting on May 25th. Ian will
co-ordinate pulling together this presentation, and report back to the
Security Forum members.
Future Plans
Members of The Open Group staff conference team joined the Security
Forum meeting for this item.
The next meeting is scheduled for July 23-27, co-located with The
Open Group conference that same week, where the Monday plenary theme is
"Architecting your Service Oriented Enterprise". Security
Forum members are requested to recommend one or two plenary speakers
with relevant experience to contribute a presentation on the security
considerations that IT architects need to include in their work.
The following Q407 conference is in Budapest, Hungary, on October
22-26, 2007, where the plenary theme is "Secure Architectures".
Security Forum members are requested to contribute to the planning of
this plenary (6 to 8 speakers, including a keynote) on the Monday, plus
two Architecture Practitioners Conference tracks (up to 8 speakers in each
track) on the Tuesday and Wednesday. Ian had drafted a proposed
publicity flyer for this conference, which was reviewed by the members.
It will be used to provide the content on the Budapest Conference home
page. Discussion focused initially on gathering a list of potential
speakers who we would like to invite to give presentations in the Monday
plenary. For the APC tracks we should aim to keep as many of our Monday
plenary speakers as possible as contributors to our Tuesday APC track,
as well as encourage members to give presentations. An action plan was
agreed to follow up on the suggested list of speakers gathered in this
discussion.