Jim Hietala has been appointed as VP, Security Programs in The Open
Group. In this role, Jim will lead development of the Security side of
The Open Group's membership and related business activities, aimed at
making The Open Group a force in both Enterprise Architecture and
Information Security. Over the past few years, the focus of information
security has changed significantly, moving from infrastructure involving
the UNIX vendors, towards applications and now data. There are more and
more organizations ready to invest in standards-based security
solutions, and to be successful in serving the ambitions of these
organizations we need to identify with their needs, and offer a Security
Forum whose programs of activities respond to delivering what they need.
In this new organization the role of the Forum Director will of course
continue, with the VP role developing the programs so as to bring in
greater involvement from existing members and attract new members.
Jim gave a presentation summarizing past achievements,
current projects, and future plans as currently envisaged. New areas for
potential development as work items include Enterprise Rights
Management, Secure Web 2.0, Virtualization Security, Platform/MILS
(existing work in the Real-Time Forum), Privacy, and Public Policy
influence. He proposes to conduct a survey of members, perhaps one for
Customer Members and another for Supplier Members, to solicit their
major work area interests and priorities. We also plan to develop
Security Practitioners Conferences starting in 2009, to run alongside The
Open Group Architecture Practitioners Conferences.
Representatives from The Open Group IT Specialist Certification (ITSC)
program, led by James de Raeve (VP Certification, The Open Group)
requested Security Forum members' feedback on their outline proposal for
a new stream – Security Specialists – to be added to the ITSC program. A
useful, wide-ranging review of the considerations followed, concluding
with agreement that the discussion had raised significant issues which
merit further thought. We will work together on these with a view to
scheduling a further, more in-depth review at our next meeting (Chicago,
July 21-25).
In our January 2008 meeting (San Francisco) we reviewed the NAC
Enterprise Security Architecture document (available at www.opengroup.org/bookstore/catalog/h071.htm)
and concluded that it is a substantial work, on a very different scale
and depth of coverage from our Information-Centric Security Strategy
White Paper, and we agreed to undertake a reading assignment to assess
how best to revise the ESA document, taking into consideration existing
publications on this subject area from other major sources, including
ISF (benchmarking), ITIL (management), NIST (800-14 and 800-53), CoBIT
(Audit), COSO, ISO (27002), and the Burton Group report (October 2007) on
Enterprise Security & Risk Management: Framework for Assessing
Control Standards. Key objectives in making this assessment include
deciding who is the audience for which parts, how then should it be
separated out, and who will use/benefit from each part. We will
coordinate progress on this through conference call and email discussion
to gather members' findings and bring clear proposals and drafts to our
next meeting (Chicago, July 21-25).
Audit & Logging Project:
Update XDAS (Distributed Audit Services)
Since our previous meeting in January 2008, and with the help of Dr.
Anton Chuvakin (Chief Logging Evangelist with LogLogic, and an active
contributor to Mitre's Common Event Expression (CEE) standard), there has
been significant email discussion between the participants in XDAS and
CEE. This has clarified a number of issues, but has some way to go to
resolve the CEE objectives and then reconcile them with the existing
XDAS standard. Our objective is to arrive at a single audit and logging
standard which the industry can adopt, and specifically to avoid having
competing standards in this important space. We now have strong support
from The Burton Group to hold an Audit & Logging SIG at their next
Catalyst Conference in San Diego (w/c June 23). The SIG is on the
afternoon of June 24, and we are inviting interested parties from The
Open Group XDAS, Mitre CEE, and also Trusted Network Connect (TNC), along with key security information management vendors. The
three groups and the attendees of the SIG will share information on
existing common event standards efforts, and discuss ways to converge efforts and
ensure a single standard.
Risk Management Project: FAIR (Factor Analysis of Information Risk)
Since the previous meeting (San Francisco, January 2008), we have
progressed via significant email discussion through two more members'
reviews of successive drafts of our FAIR Risk Taxonomy, to the point where we now need to verify with all
our members whether they consider it ready for submission into our
Company Review process, leading to recommending it for publication as an
Open Group Technical Standard. Actions were agreed in this Glasgow
meeting to establish this course of action.
We have also received an outline draft for the next phase of our Risk
Management project – to develop a Risk Assessment Methodology (RAM)
standard. Recognizing that there are many risk assessment methodologies
available – all claiming to produce better results than the others – our
goal is to be all-inclusive in characterizing the essential components
in any credible risk assessment method, and to set these down as
criteria. A follow-on third phase can then be to demonstrate how the FAIR
methodology satisfies these criteria, and perhaps to map other risk
assessment methodologies to this RAM standard. We agreed actions to
flesh out the RAM draft outline, with the aim of delivering a reasonably
complete draft by mid-June 2008, for member review leading to a significant discussion and perhaps approval in
our next meeting (Chicago, July 21-25) to move that to Company Review.
This session was a joint meeting between the Security Forum and the SOA
Working Group to review progress in the SOA-Security Working Group on securing SOA
environments. This Working Group has held regular (every two weeks) conference calls over
the past nine months, and in line with its Charter it has now produced
a significant volume of content for its SOA-Security Guide. Recent
discussion in the Working Group raised the question of who is our intended
audience. Feedback in this Glasgow meeting was that our intended
audience is enterprise architects, security architects, application architects, service modelers, and
designers, and that everyone associated with the security continuum
should be aware of these guidelines.
Review of the current draft of the Guide produced the following
comments, which were marked up in the draft and will be provided to the
Working Group for consideration in the next SOA-Security conference call:
- The Guide should have an opening section on General Guidelines for security, covering security aspects of Consumer and Service Provider (principals in ISO 10181-3), to set the context for the following structure of the Guide. In this regard, the Guide should refer to and recommend existing sources of relevant information, not repeat what is already published.
- The Scope should include dynamic (run-time composition) content assembly of applications. It should also cover propagating identity such that inappropriate activity can be detected: associate identity with role and with action, and correlate.
- The Threats section needs to include an analysis of solutions against threats, and of the capabilities of solutions (transactional integrity, authentication). Threats are listed in this section, but no solutions; there is no differentiation of infrastructures (WS/ESB/etc.); and some areas are not covered, e.g., dynamic discovery.
- Also in the Threats section, consider the additional threats arising from mash-ups, where the payload might not be poisoned but contaminated/altered, so that the information does not damage anything but leads to incorrect conclusions.
- Additionally, the Threats section should also capture information on responses: attacks and countermeasures.
- The inclusion of Patterns is good, but this needs expanding to include the strengths and limitations of technologies and patterns.
- Integrity in SOA is complex, so the Guide should explore the transactional aspects and capabilities of integrity, and how it needs to work to be effective.
- The structure of the Guide would benefit from improvement. We will propose a revised structure to the Working Group.
Following up the presentation in our previous conference on SMA
- Security for SCADA and VoIP Applications, we have received a revised
draft of the Secure Mobile Architectures Technical Study as a base
document for developing SMA as an Open Group SMA Technical Standard.
This new draft is based on the SMA Technical Guide (E041), which was published
by The Open Group Mobile Management Forum in February 2004. The discussion
focused on clarifying understanding of what problems SMA is
addressing, what aspects of SMA need to be made into a generic standard
to deliver interoperability, and in which application areas SMA is useful
and why. Extended discussion concluded that to make this work accessible
and understandable to the security constituencies who should be involved
in developing and adopting an SMA standard, we will take action to
develop a paper (2-10 pages) sufficient to describe:
- What is the problem being addressed
- What is the technical architecture that will solve it (include
diagrams as appropriate to enable reviewers to understand their view
of where their enterprise is positioned within this architecture)
- What in this architecture is common and therefore needs to be
standardized to make it interoperable in a generic environment. Also,
what are the underlying assumptions
- Present at least one use-case to illustrate the potential value
The Forum Director reported on his liaison with ISO SC27 WG5, which
continues under The Open Group's category C liaison status, on a Framework for
Identity Management, and on a Framework for Data Privacy.
Jericho Forum Liaison (Business Collaboration Architectures, Enterprise Rights Management)
The Forum Director reported on the success of the Jericho Forum
conferences at RSA & Infosec. Summary reports and the presentation
slides are available from the Jericho Forum web site, linked from the
Forum Notices box on their home page at www.jerichoforum.org.
A particular focus in these conferences is their Architectures for Secure Business Collaboration
(COA) position paper. A new work item which emerged from development of
this COA is our Trust Management & Classification project. A new web
page for this project is almost ready for use by the project members and
will be announced by mid-May. A further new work item we are interested
in taking up is Enterprise Rights Management, arising from the Jericho
Forum's Enterprise Information Protection & Control position paper.
All Jericho Forum position papers are freely available from links on
their web home page.