The Open Group Conference, London
2nd Security Practitioners Conference

Highlights of the Plenary, Day 1
(Monday April 27)

The Open Group’s 2nd Security Practitioners Conference (SPC) kicked off on Monday April 27 in London at the Central Hall Westminster. As in San Diego, the SPC was a co-located meeting to the 22nd Enterprise Architecture Practitioners Conference. The full-day event gathered security subject matter experts to discuss a range of security issues primarily focused around the future of identity management and security.

The event began with a welcome from Allen Brown, President & CEO, The Open Group, who reinforced that security spending remains a top priority amongst CIOs and other decision-makers. He then turned over the microphone to Jim Hietala, VP Security, The Open Group, who also welcomed guests and served as moderator of the event.

The first presentation of the morning, The Future of Identity in the Clouds – A Pro-Sumer's Perspective, was given by Adrian Seccombe, CISO and Senior Enterprise Information Architect, Eli Lilly. Adrian shared Eli Lilly’s plan for using the cloud to achieve collaboration with professionals. He used a graph to demonstrate where organizations currently are with the cloud: at the point in which current technologies’ returns are diminishing, so they are jumping to the new technology (the cloud) and are in a period of turmoil as they try to use it effectively. Ultimately, however, they will see benefits. He went on to define a term from the presentation’s title – the "pro-sumer" – as a professional consumer who will be the first breed of individuals to benefit from the cloud. This term is important in the realm of what he called "the cloud sweet spot", the goal of which should be to connect enterprises and their customers. The "sweet spot" is the middle point between how companies have articulated the benefits of being able to connect with other organizations via the cloud, and how the consumer is interacting with the cloud (e.g., Google, Hotmail) and forming various identities. The problem is setting up the right services that can connect these two groups together. Eli Lilly’s biggest shift is thinking in terms of providing to their customers, and Adrian encouraged attendees to think similarly in terms of customer needs and ensuring trust between all parties.

Next Steve Whitlock, Chief Security Architect for The Boeing Company, gave a quick presentation on The Open Group Security Forum’s current activities. The Toronto Security Practitioners Conference, being held July 22-23, will focus on evolving security architectures and trends in managing risk and compliance.

Following the break, Jeffrey M. Bradshaw, Senior Research Scientist at the Florida Institute for Human and Machine Cognition (IHMC), gave his presentation Order through KAoS: New Trends in Policy-Based Privilege and Responsibility Management. Within privilege and responsibility management (the management of permissions and obligations), it is important to break down stove pipes and move from a "need to know" to "responsibility to share" basis. Jeffrey detailed the IHMC’s framework for policy and domain services – KAoS – which uses the OWL web ontology language to represent policy, application components, and the real world. He spoke about the advantages of moving from policy representation in standard XML to OWL because of new trends that require richer policy semantics that go beyond traditional XML-based approaches. He also gave examples of advanced Department of Defense and advanced space applications that the IHMC is working with. OWL, he said, provides a mature standards-based migration pathway for the future, and he encouraged attendees to think about its use.

Heather Kreger, Lead Architect for Web Services and Management in the emerging technologies area at IBM, then delivered A Spotlight on the SOA Work Group, covering current and completed projects such as the SOA Source Book, which will be launched on Wednesday.

The Case Study: Information Security Management System and ISO 27001 Certification was presented by Neil Hare-Brown, CEO of QCC Information Security Ltd. He gave a history of ISO 27001, the information security management system (ISMS) standard, and reviewed its strategic benefits, such as generally improved effectiveness of IT security, better senior management buy-in, improved corporate governance and compliance, increased risk awareness, and global acceptance of the standard. The standard’s business benefits include being able to manage risk down and having better root cause analysis of incidents and events to improve controls. Neil then reviewed a case study of a leading UK law firm that wanted to become ISO 27001 certified so that it could more easily respond to client questionnaires on information security and distinguish itself from the competition. Some of the law firm’s challenges included a missing information security officer, a lack of documented security-related IT processes, and only very basic policies in place. The law firm, a QCC client, was ultimately able to use a virtual information security officer from QCC as well as establish security policies and document them effectively.

Joe Bergmann, Director of the Real-Time & Embedded Systems Forum, then delivered the Forum spotlight, explaining the RTES vision, mission, and scope of work.

After lunch Mark O’Neill, CTO of Vordel, presented on Security for Web 2.0. His presentation covered a definition of Web 2.0, how to apply security to Web 2.0, and how XML security is relevant for Web 2.0. Mash-ups, in particular, pose many security vulnerabilities, including spying vulnerabilities in which one Web 2.0 application "spies" on another. Mark recommended that, if using dashboard-style mash-ups, practitioners ensure that users can only choose trusted widgets to add to their dashboards. In his presentation he also discussed how to prevent data harvesting, which is important because Web 2.0 makes use of the web services on the server side to send data asynchronously to the client. He recommended implementing policies that ensure that only authenticated users can access the back-end web services. Overall, Web 2.0 applications need to have both secure code and secure data. He recommended validating XML data sent between the client and the server, particularly if the data is very important to the organization.
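The two server-side recommendations above, that only authenticated users may reach the back-end web services and that XML exchanged with the client is validated, can be shown in a small request gate. The following is an added illustration, not code from Mark O’Neill’s talk or from Vordel; the bearer-token store, the element allowlist for an `<order>` document, and the size and value limits are all constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample credential store: bearer token -> user name.
# Hypothetical; a real service would consult its session store or identity provider.
VALID_TOKENS = {"tok-alice-123": "alice"}

# Allowlist of the only element names the back-end service expects (assumed schema).
ALLOWED_TAGS = {"order", "item", "name", "quantity"}
MAX_BODY_BYTES = 4096


class RequestRejected(Exception):
    """Raised when a request fails authentication or input validation."""


def authenticate(headers: dict) -> str:
    """Return the user behind a Bearer token, or reject the request."""
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    user = VALID_TOKENS.get(token) if scheme == "Bearer" else None
    if user is None:
        raise RequestRejected("unauthenticated")
    return user


def validate_order_xml(body: bytes) -> dict:
    """Parse client XML defensively and return only the fields the service needs."""
    if len(body) > MAX_BODY_BYTES:
        raise RequestRejected("body too large")
    # Refuse any document type declaration: entity expansion and external
    # entity references both require one. (defusedxml enforces this more robustly.)
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise RequestRejected("DTD/entity declarations not allowed")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise RequestRejected(f"malformed XML: {exc}") from None
    if root.tag != "order":
        raise RequestRejected("root element must be <order>")
    for el in root.iter():
        if el.tag not in ALLOWED_TAGS:  # namespaced tags ({ns}x) fail this check too
            raise RequestRejected(f"unexpected element {el.tag!r}")
        if el.attrib:
            raise RequestRejected("attributes are not permitted")
    name = root.findtext("item/name", default="").strip()
    qty = root.findtext("item/quantity", default="").strip()
    if not (1 <= len(name) <= 64) or not name.isalnum():
        raise RequestRejected("invalid item name")
    if not qty.isdigit() or not (1 <= int(qty) <= 100):
        raise RequestRejected("quantity must be an integer from 1 to 100")
    return {"item": name, "quantity": int(qty)}


def handle_request(headers: dict, body: bytes) -> dict:
    """Gate the back-end web service: authenticate first, then validate the XML."""
    try:
        user = authenticate(headers)  # reject before touching the payload at all
        order = validate_order_xml(body)
    except RequestRejected as exc:
        return {"status": "rejected", "reason": str(exc)}
    return {"status": "ok", "user": user, **order}


if __name__ == "__main__":
    good = b"<order><item><name>widget42</name><quantity>3</quantity></item></order>"
    print(handle_request({"Authorization": "Bearer tok-alice-123"}, good))
    print(handle_request({}, good))
    laughs = b'<!DOCTYPE x [<!ENTITY a "aaaa">]><order>&a;</order>'
    print(handle_request({"Authorization": "Bearer tok-alice-123"}, laughs))
```

The order of the two checks matters: an unauthenticated caller never gets to exercise the XML parser, so parser-level problems cannot be reached anonymously, and the validation step returns only the fields the service actually uses rather than passing the raw document on to the back end.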

Andrew Yeomans, member of the Jericho Forum Board of Managers, gave his presentation Clouds Forecast – Doing Business beyond the Perimeter. He began by giving some cost comparisons that demonstrated that clouds can indeed be cost-saving. They might very well also be faster and greener than current technology. Clouds can also function as risk mitigation by serving as off-site backup. However, currently missing from cloud security are: an open format for data protection, key management standards, open authentication, and data zones. Andrew then explained the Jericho Forum’s cloud cube model, a basis for questions to consider in order to ensure secure, interoperable cloud computing services. He concluded by saying that the Jericho Forum sees big potential benefits for moving into the cloud, but he and Jericho caution users not to jump into the cloud before understanding the risks, security issues, interoperability issues, and business rationales.

The next presentation was given by Jim Reavis and Nils Puhlmann, who presented on Cloud Security Alliance (CSA): Security Guidance for Critical Areas of Focus in Cloud Computing. Jim told the audience that he believes cloud computing is real, not just a fad, and is reminiscent of the beginning of the Internet. He gave an overview of the CSA, a not-for-profit organization whose goal is to be the voice of cloud security practitioners. The CSA is looking at what cloud computing brings to different domains that security practitioners need to be involved in, such as governance, risk management, legal, audit, application security, and identity management. He also went over the 83-page guidance book that the CSA recently produced, which is divided into "governing in the cloud" and "operating in the cloud". Going forward, the CSA would like to harmonize its efforts with those of the Jericho Forum.

Stuart Boardman, Director of Consulting, CGI, then gave his presentation Identity in the Fog, in which he first spoke of how CGI sees the cloud, which is as an extended enterprise. Identity, he said, is a fundamental enabler of the cloud but also a potential threat. It’s important to get identity in the cloud right not only for security and privacy reasons, but for usability and agility reasons too. The effect of the extended enterprise on identity and access management is, primarily, the need for federation. Stuart advocated standards supporting dynamic trust relationships and a network of recognized, trusted providers of identities. The cloud is forcing more and more organizations to view how they use identity and ensure privacy and regulatory compliance as business issues rather than strictly "security" concerns in a non-functional, infrastructure domain.

Wrapping up the day was Marco Casassa Mont, Senior Researcher at Hewlett-Packard Labs, UK, who presented on User Requirements: The Future of Identity in the Cloud – Requirements, Risks, and Opportunities. Organizations, he said, are moving from a model of enterprise identity and access management (IAM) to IAM being a part of a larger IT security strategy. In addition, IAM capabilities and services can now be outsourced to the cloud. This of course carries risks, such as the potential proliferation of identities and credentials required to access services, the complexity of correctly enabling information flows across boundaries, and the propagation of identity information across multiple clouds. There are also trust issues; that is, why should organizations trust cloud providers with private information? The requirements that emerge from all of these issues are:

  • Simplified management of identities and credentials
  • Need for assurance and transparency
  • Compliance to regulation, policies, and best practices
  • Accountability
  • Privacy and reputation management

The following business and technology drivers will help move identity in the cloud forward by creating new needs and opportunities:

  • The need for effective compliance
  • More assurance for all parties involved: enterprises, service providers, and end-users
  • More transparency about IAM processes and data management in the clouds
  • Privacy management

Marco concluded with an overview of some HP Labs research areas, including trusted infrastructure and cloud computing, identity assurance, and identity analytics to provide strategic decision support.
