The 2nd Security Practitioners Conference (SPC) is summarized in a separate
report, which includes links to the presentations.
All current Security Forum projects were reviewed and progressed, as
summarized below.
SOA and Security Guide
Two members of the SOA and Security Working Group have developed an "SOA and
Security" chapter that they propose should be added to the SOA
Working Group's
"SOA Source" book, which was published earlier in 2009. One of
the authors of this SOA and Security chapter joined the Security Forum
to present and explain specific features in the content of this new
security chapter. It was agreed that we should compare the coverage in
this new chapter with the draft SOA & Security Guide that has been
developed by the joint SOA Working Group/Security Forum group, to verify
that all valid
content has been included, prior to this new chapter proceeding to
formal review leading to publication. In undertaking this action,
members appreciated the desire to promote good progress towards
achieving successful completion of the new Source Book chapter review
process before the next conference in July 2009.
Risk Management (FAIR) Cookbook Standards
Refer to the Risk Management
web page for this project. The two project leaders are
continuing their work on developing a Cookbook to demonstrate how to
apply our published Risk Taxonomy standard to the ISO 27005 standard –
to show how our Risk Taxonomy enhances the accuracy and consistency of
the risk assessment results. Delivery of the first draft of this Cookbook
is planned for end-June 2009, and is expected to be available to members
for review and development in our next meeting (Toronto, July 2009).
Enterprise Security Architecture (update to NAC ESA) Guide
Refer to the Risk Management
web page for this project. The charter for this Working Group is
awaiting approval by the Working Group members, at which point the Working
Group will commence
revising the ESA Guide as agreed in the charter.
Automated Compliance Expert (ACE) Standard
Refer to the Risk Management
web page for this project. The objective of ACE is to
automate the modeling, reporting, and execution of applicable compliance
requirements across a complex system environment, alerting to any
component falling out of compliance. The project leaders (from IBM) are
in discussion with NIST over the issue of alignment with the
requirements of NIST's SCAP (System Management Compliance
Implementation) and XCCDF; the SCAP requirements are a US Government
requirement, and they are proving to be difficult to implement in IBM's
pilot. IBM presented their fact sheet on their pilot implementation,
which comprises three main components: policy; target compliance
requirements; and conflict resolution. We will request the project leaders
to share the non-proprietary parts of this fact sheet with our ACE Working
Group
members, to provide description of the necessary components in any
implementation that conforms to the target ACE standard. We will also
maintain progress in further ACE conference calls leading up to our next
meeting (Toronto, July 2009).
Events and Logging (XDAS/CEE) Standard
Refer to the Risk Management
web page for this project. Slow progress is being made,
primarily due to our desire to maintain good understandings with the
Mitre CEE (Common Event Expression) project members on aligning our
proposed updated XDAS standard with their proposals for what CEE will
look like. We have now shared with the CEE steering group members the
first four chapters of our updated XDAS standard and asked for their review
and feedback as to whether it provides an acceptable alignment with
their intended direction for CEE. We will persevere with seeking
alignment with the Mitre CEE members, to ensure we and they end up
delivering a single standard for event recording, reporting, and logging.
Collaboration-Oriented Architectures (COA) Framework Standard
The COA Framework is currently published on the Jericho Forum web
site as a set of 23 position papers, one of which describes the COA
concepts, another describes the framework components, and the rest
describe each component in more detail sufficient to understand the
requirements for that component. This presentation is not easy to
consume and is time-consuming to download. While it addresses a
framework for secure architectures in de-perimeterized environments and
these include de-perimeterized Cloud Computing environments, the COA
framework does not mention Cloud Computing. We agreed we should create a
single COA Framework standard with a structure which
- Introduces the business case for de-perimeterization
- Includes the commandments as our measure for effective security in
de-perimeterized environments
- Presents the COA concepts and the COA Framework components
- Includes the COA component support papers as include files in the
build of the single document, in a format which results in a
consistent presentation
Secure Mobile Architecture Standard
Refer to the SMA
web page for this project. The SMA project leader has
proposed that we evaluate the latest proposed content for the SMA
standard for mapping onto the Jericho Forum's COA Framework, and
possibly use TOGAF to validate it. The active SMA Working Group members are
evaluating this proposal.
Eco-System for Security Standard
Refer to the Eco-System
for Security web page for this project. The charter for this Working
Group is
agreed, and the Working Group leader will initiate the development work following
this London meeting.
Security Forum Strategy Paper (Update to include COA)
The Security Strategy paper published in 2007 merits an update to
include the COA Framework as a direction for architecting secure systems
for de-perimeterized/boundaryless environments. We should also consider
including reference to the Enterprise Security Architecture publication
and the associated ESA update project.
Trust Management Standard
Refer to the Trust
Management web page for this project. The objective of this standard
is to define the three primary trust taxonomy components:
- Impact of failure
- Classification of data
- Level of trust (impact sensitivity)
which enable derivation of a control stratification scheme – i.e., the
controls that are appropriate to achieve the desired outcome – for
management of trust. The Jericho Forum has published a set of trust
management papers as part of its COA Framework (papers available at www.opengroup.org/jericho/publications.htm)
and an associated slide presentation summary of what was agreed in the Q308
Security Forum meeting. We will use these source materials, plus refer
to an existing NIST standard on this topic, to draft a Trust Management
standard for members to review and develop.
Enterprise Web 2.0 Security
Refer to the Enterprise
Web 2.0 web page for this project. The Web 2.0 Security Threats
draft document is awaiting two further contributions before being made
available to the project Working Group members for review and development. The Case
Studies document is available on the web site (members-only) for review
and development. The other two deliverables will be initiated when these
first two items are nearing completion. The project leaders will run
conference calls to progress review and development of these first two deliverables.
Members' Review & Feedback from RSA (San Francisco) and Infosecurity (London)
The Jericho Forum conference on Wednesday April 22 was
attended by about 40 delegates. Speakers were excellent, and attendees
offered complimentary feedback. The blogger speakers were appreciative
that the Jericho Forum was keen to invite them to give their
constructive criticism. A learning point from the post-event review between
Bateman and the Jericho Forum was that we would have much
greater impact if we located our event inside the RSA event rather than
offsite in The Open Group office; we knew this from the previous year,
but the cost of an RSA theatre is higher than we are comfortable to fund.
The Externalization Panel in Infosecurity's Keynote theatre (Thursday
April 30) was also attended by some 40 people, and again
feedback from attendees seemed good. The relatively low attendance could
be due to lack of recognition of the "Externalization" title,
and may also not be helped by being on the last afternoon of the event.
Cloud Security Alliance – Collaboration Proposals
Discussion included review of the discussions held so far between The
Open Group representing the Jericho and Security Forum interests, and
the leaders of the CSA. These discussions started prior to the RSA event
and have been ongoing during RSA, in a CSA Introduction in the SPC
Plenary on Monday April 27, in a CSA-UK reception on Wednesday
April 29, and in the Friday May 1 joint meeting. The discussion
confirmed the desire on both sides to set up a mutually beneficial
collaboration agreement with the CSA. Earlier discussion in the Security
Forum had compared where overlaps exist to varying extents between the
Jericho Forum's COA Framework papers and the CSA's 83-page Guide (see
slides), and this is seen as one useful area for collaboration – to
add value by sharing understandings at the Jericho Forum position
papers/CSA domains level. Another level up from this is the
infrastructure, where the Jericho Forum's COA Framework provides a
security component structure and now a Cloud Cube business model which,
as noted in discussion at our RSA event, compares well with the
CSA Guide's infrastructure approach. A further level is evident in that
the Jericho Forum is primarily a thought-leadership group focused on
future needs, whereas the CSA has its focus on more immediate
pain-points which need addressing, and the Security Forum has a role to
play somewhere in between. It was agreed that we should formalize the
basis of setting up a collaboration agreement in a Memorandum of
Understanding (MoU), so follow-up actions were agreed aimed at drafting
collaboration agreements between the CSA & Jericho Forum, and CSA
& Security Forum. A further aim will be to harmonize the resulting
CSA collaboration objectives on The Open Group side.
Cloud Cube Model – Feedback; Use-Cases Review
The agenda intended to include new risks to and from the Cloud, as
well as a focus on use-cases review for each sub-cube area in our Cloud
Cube model, but shortage of time prevented addressing this new risks
issue in this meeting. After a review on the dimension definitions in
our Cloud Cube model, in which discussion focused on the real meaning
of Perimeterized & De-perimeterized, the attendees focused on
identifying existing substantive examples of use-cases in each of the
eight sub-cube areas. These were captured in the meeting and will be
circulated to the membership for review.
Reference Architecture for COA, Mapped to the TOGAF 9 ADM
Refer to the COA
Reference Architecture web page for this project. The Charter defining the
objectives and deliverables for this project is available on the web
page. Significant discussion took place on clarifying what the reference
architecture would deliver in terms of value to whom, and on how much
the project members needed to understand about the TOGAF ADM. It was agreed
that we will organize at least one conference call where the
Architecture Forum representatives in this project will explain the
minimum TOGAF ADM understanding that all project members will need to
have in order to proceed with developing a COA reference architecture.
We expect that the understanding we gain on the TOGAF ADM will provide
acceptable answers on the value and nature of the deliverable reference
architecture, and equip the project members to proceed with developing
it.
Self-Assessment Guide – Progress
We will plan one further conference call on the Jericho Forum
commandments Self-Assessment Guide, which we hope will enable us to
complete the first draft of this Guide by end-May, for review by the
membership during June.
Security Incident Database – New Project Proposal
This proposal arose from a Webex in February 2009 on the Security Forum's
Risk Taxonomy which was published in January 2009. Discussion concluded that
this is not an activity that interests members of the Jericho Forum, and
that collecting valid data on security incidents is error-prone and
requires resources we do not readily have available. The Security Forum
members remain interested, so we will create a draft charter defining the objectives, value, and plan
for this proposal, for evaluation and expressions of interest from
Security Forum members.
Involvement in Relevant Conferences
The Jericho Forum often receives invitations to provide speakers at conferences world-wide. Two of specific interest are the SC World
Congress in October 2009, and RSA-Europe. It will be useful to compile a list
of these conferences and events so as to consider submitting proposals
for Jericho Forum panel sessions, where we can draw the actual panelists
from whoever is available at the time of each event.