Integrating Security into TOGAF: TOGAF & SABSA Integration
Project Proposal
(Joint with Architecture Forum)
This meeting was a joint ad hoc working group session addressing alignment of The Open Group Architecture Framework (TOGAF) with the Sherwood Applied Business Security Architecture (SABSA) framework. It was attended by interested members from The Open Group Architecture Forum and Security Forum, and by representatives of the SABSA framework, including the originator of SABSA, John Sherwood.
The session was led by members from the Architecture Forum who are keen to promote this alignment opportunity, with the support of John Sherwood. Following a presentation by lead proposer Pascal de Koning (Getronics), the discussion resulted in a single slide, available to members only here. This slide captured the core proposal for a project Charter, outlining the goals and objectives, scope, key deliverables, critical success factors, and dependencies.
Later in the meeting, the Architecture Forum approved proceeding with this project, and agreed to plan running a two-day members' tutorial session on the Saturday and Sunday (July 17-18) preceding the Boston conference: one day for SABSA people to learn the essentials about TOGAF, and the other day for TOGAF people to learn the essentials about SABSA, so that those members interested in working on this TOGAF-SABSA Integration Project can begin the work appropriately informed.
The Security Forum Director (Ian Dobson) will check on Security Forum member approval to participate in this project as the approach we should adopt to ensure our goals for integrating security into TOGAF are achieved.
Security Forum Director, Ian Dobson (i.dobson@opengroup.org), presented a summary review of the current projects that are underway in the Security Forum.
Forum Conduct Procedure (from Member Councils)
A message from the Members Councils to all Open Group Forums and Working Groups was delivered to the Security Forum in their Rome meeting. This message was a reminder that participation in The Open Group has always been governed by standard procedures, now known as "The Open Group Standards Process". However, to date there has been no "Code of Conduct" defining acceptable member behavior in meetings, and defining a process of sanctions against any member who demonstrates unacceptable behavior. A recent incident (not in the Security Forum) has highlighted the need to put in place a formal procedure for this. Accordingly, one is now established. It is available here. It is largely common sense, the focus being that all members should demonstrate respect (i.e., avoid being hostile or insulting, or using offensive language, etc.), but it also defines a process involving specific sanctions against any member who offends.
The web page for this project is here. The overall goal is to explain the basic information security measures by which users of IT systems in Small, Medium, & Government Businesses (SMGBs) with no in-house professionally trained security specialists can cost-effectively set up their IT systems so that they are acceptably secure for business collaborations with larger enterprises, and so make these businesses more acceptable as business partners.
A base draft document has been generated. Members reviewed it, and their feedback will be incorporated in the next draft, which will then be shared with the wider Security Forum membership.
Significant feedback items included:
- Would outsourcing, rather than trying to "do security" in-house using non-security professionals, be more cost-effective? How are costs and benefits best evaluated?
- Risk assessment of an IT system is a fundamental necessity to identify a business's exposure to risk of loss, regardless of the size of the business. Assessing risk is a skill that not many non-security professionals have.
- After the initial basic essential security measures have been applied, the priorities for further security measures can differ from business to business.
- In addition to the list of intended readers for this Guide, it can be useful as a checklist for the SMGB business manager to use when assessing contractor bids for outsourcing their security.
- Types of security measures are currently classified as People, Process, and Technology; a further important type should be Information (e.g., for log/audit, for protection against data piracy, etc.).
- The Appendix list of further security measures should include Business Continuity and Disaster Recovery processes.
- Promoting this SMGB guide in a market with many guides already published in this space will require not only clear differentiation to bring out the added value, but also demonstrating a synergistic link with existing recognized standards in this space; e.g., ISO 27002 controls.
Enterprise Security Architecture (ESA) Guide, Version 2
The web page for this project, including the project Charter specifying background information, objectives and deliverables, and the latest ESA draft 1.0 update, is available from the project web site. Our consultant editor Gunnar Peterson joined this meeting session via conference call to guide the meeting through his proposed updates and gather members' feedback on them, as well as on areas where further updating is desirable. Significant feedback included:
- In Event Management, mention ITIL and check that this section aligns with it.
- Data Leakage should be added.
- Virtualization Security should be added.
- Examples bring documents like this to life, so where the opportunity arises to insert examples without too much effort, do so. Gunnar fully agreed, saying "for example" are his two favorite words in documents of this nature, so he will try to ensure he includes examples in key areas.
- In the Testing section it will be helpful to add references to open source test facilities, and also to add references to security application testing; e.g., OWASP Top 10, PCI vulnerability testing, Nessus, Metasploit.
Secure Mobile Architecture (SMA) Standard
(Joint with RT&ES Forum)
This was a joint meeting with the Real Time & Embedded Systems (RT&ES) Forum, whose members share a joint interest in developing a Secure Mobile Architecture (SMA) standard, building on the SMA Technical Study which was published in February 2004. In a joint RT&ES-Security Forums meeting on November 16-18 2009, members of these two Forums began joint work on a project aimed at analyzing the real requirements and audience(s) for an SMA standard, with Steve Venema (Boeing) as the project leader. The draft Charter, along with key descriptive presentations outlining the project objectives, is available to members on the SMA project web page.
Actions from the previous meeting at The Open Group conference in Seattle, February 2010, were for nine members to complete a Use-Case template (available from the web page) for their own real-life mobile application areas. From these we aim to gather a set of common use requirements across all these mobile application areas, and then expect to derive a set of common requirements that an SMA standard has to meet. Steve provided the template, and added a completed example one week before this meeting in Rome so that others could appreciate the expected nature and depth of the desired content.
Steve joined the Rome meeting via a conference link, using a Webinar to show slides and an audio link via a laptop. We confirmed updates to the project Charter, which the Security Forum Director (Ian Dobson, i.dobson@opengroup.org) will upload to the project web page. We also reviewed a proposed outline structure for the SMA standard:
- Executive Summary
- Motivation & Goals
- Use-Cases:
  - Mobile Communications
  - Embedded Systems
  - Mobile Applications
- Common Requirements
- Reference Architecture
- Reference Implementation:
  - Related External Standards (e.g., IETF)
  - Interfaces & Protocols
  - Interoperability Considerations
- Operational Considerations:
  - Deployment, PKI Management, etc.
Follow-up actions are for the Forum Directors to encourage return of completed use-cases, so members can review and derive common requirements across these use-cases and from that work out how to organize our architectural objectives. We will also check on options to add further relevant use-cases to this study. We will plan to run a project conference call every two weeks (Steve will advise the best day/time for these calls) to progress return and review of use-cases and assure shared understanding on deriving common requirements. We will also plan to run a half-day SMA project workshop in our next conference (in Boston).
Challenges to Entering Cloud – Guide to Risks
Steve Whitlock (Boeing) gave a presentation highlighting the major risk areas in Cloud Computing. Steve's slides are available to members only here.
He categorized the risk areas as Information Security Services, Service Availability, and Service Interoperability. He also mentioned Regulatory Compliance (especially on location of data in the Cloud) as a significant concern, but did not include this in his presentation.
Steve identified a six-layer taxonomy model for Cloud Services:
- Hosting
- Storage and Computing, marketed as Infrastructure as a Service
(IaaS)
- Development, marketed as Platform as a Service (PaaS)
- Application, marketed as Software as a Service (SaaS)
- Services
He evaluated their characteristics in terms of how mature or otherwise they are. He then reviewed each of the risk areas identified at the start of the presentation (Information Security Services, Service Availability, and Service Interoperability) and illustrated these in the context of the Jericho Forum Cloud Cube business usage model. Steve closed by highlighting some recent examples of serious Cloud Service failures in these three risk areas.
Notably, Steve did not include Identity Management and Access Control Management in his view of the major risk areas in the Cloud; he considered that these areas already have workable solutions for the enterprise.
Security Forum Director Ian Dobson presented a review of the current progress in the Jericho Forum and elsewhere on addressing requirements for future business/enterprise-level Identity Management and Access Control Management in the Cloud and other de-perimeterized environments. His presentation slides are available to members only here.
The following presentations, also all available to Security Forum members here, given by Jericho Forum members in recent conferences and meetings, were also shown to explain the Jericho Forum's current direction:
- Manager’s Guide to Identity & Access Control
- Granular Access Control
- The Future of Identity & Access Management
- Future Direction for IAM
Also, we are taking an interest in a new Technical Committee in OASIS addressing "Identity in the Cloud", and we contributed to the Cloud Security Alliance (CSA) in their development of the December 2009 CSA Guidelines v2.1, domain 13: Identity & Access Management.
The current proposal for progressing this work is to:
- Resolve the contentious issues in these presentations, and validate them with members
- Proceed with publishing position papers capturing the high-level concepts and proposed direction for defining the requirements
- From that, identify the functional components required
- Map these to existing standards which provide the required functionality, and identify where gaps exist which are suited to developing open standards
SOA & Security: Security Services for SOA and Cloud
(Joint with SOA-WG and CC-SWG)
This meeting session was a joint workshop involving members of the SOA & Security Work Group, the Cloud Computing Security Work Group, and the Security Forum. Ian Dobson (Security Forum Director, i.dobson@opengroup.org) presented a summary set of slides (available to members only here).
Bearing in mind that this project has been inactive for several months pending development work in the SOA Work Group and the Cloud Computing Security Work Group, Ian presented the goals for this session as:
- To establish common understanding on shared objectives for this project
- To re-validate the added-value the proposed deliverable(s) will represent
- To establish how to collaborate to achieve best results
He then listed the currently relevant resource materials that are available for taking this project forward:
- Presentation in the Seattle meeting, from Tony Carrato (IBM)
- Draft Security Chapter intended as an addition (Chapter 10) to the SOA Source Book published in Q2 2009, and review comments on that draft from an informal review in July 2009
- Draft SOA Security Guide:
  - Charter agreed in September 2007
  - Rough draft exists from July 2009
- CC Security Work Group materials gathering SOA-security information, including building blocks, using base contributions from IBM
- Cloud-SOA Security Reference Architecture
- Security Principles: generic plus Cloud/SOA-specific
One of the two authors of the "Chapter 10" item (Stuart Boardman, CGI) and others led a discussion through this Chapter 10 draft, to illustrate the considerations and approaches that have been adopted in the past. Comments included that identity is a missing item throughout, and the terminology used is not consistent with either the rest of the SOA Source Book or the relevant ISO Standard (10181-3); in addition, the importance of context, governance, and provisioning needs to be added. Overall, Stuart's recommendation is that the good material in this Chapter 10 draft is best pulled into the more balanced and better-structured work that is currently underway in the Cloud Computing Security Working Group (CC-SWG).
CC-SWG co-chair Omkhar Arasaratnam also summarized the progress in the CC-SWG, including a brief review of the Security Principles. A comment arising from the ensuing discussion is that a security principle now added to the Enterprise Security Architecture project draft is one addressing "design for malice". Ian will share this with Omkhar and the lead author of the Cloud/SOA security principles.
Follow-up discussion on the new work that is underway and making good progress in the CC-SWG, and on how the SOA WG and CC-SWG members have agreed that the security issues and requirements for solutions for SOA and Cloud are closely aligned, led to members present in the meeting agreeing that the best way forward is to merge our SOA-Security project group objectives into those of the CC-SWG.
Accordingly, Ian Dobson will verify Security Forum member approval to switch their SOA & Security effort into supporting the development work in the CC-SWG, and if so approved will submit a request to the CC-WG Steering Committee to update their Charter to formally do so, noting that any member in good standing is eligible to participate in any CC-WG sub-group, including the CC-SWG.