Security Track (Monday)
(See also the Plenary report.)
The Fundamental Failures of End-point Security
Stefan Frei, Research Analyst Director, Secunia, Denmark
Tools developed by experts are migrating to less skilled attackers. Attackers are creating undetectable variations, QA'd against popular A/V agents. Significant percentages of malware are undetectable by popular A/V products. Vulnerability exposure increased 3.25x over three years, to over 700 per typical system. Third-party programs are the source of most of the increase. Third-party programs are much more likely to have gaps/exposure in the field; i.e., unpatched vulnerabilities on systems.
Patching at the end of the day is more important to overall security posture than A/V signature updates.
The Open Group Trusted Technology Forum – Best Practices and Accreditation for a Secure Global Supply Chain
Andras Szakal, CSSLP, IBM DE, Vice President, Chief Technology Officer, IBM US Federal IMT
Andras provided an overview of the evolution of the OTTF, vision and mission, membership, organization, and a view of the first deliverables from the group.
Architecture Enforcement: The Mils™ Framework
Rance DeLong, Staff Scientist, LynuxWorks
Rance introduced common concepts for enforcement of a MILS architecture, including design principles, examples, and architectural & design risks. He overviewed the Mils framework components, and some common Mils planes (configuration, monitoring, operational, and foundational).
Jericho Forum Conference (Tuesday)
(See also the Plenary report.)
Why the Need for an Effective Digital Ecosystem for Cyberspace/Cloud/Critical Infrastructures – Why should we care?
James Whyte, Head of IT Service Delivery, UK Foreign & Commonwealth Office
James discussed the challenges of managing IT security in the financial sector. His presentation raised issues around how ready businesses are with respect to integrating consumer IT devices into enterprises. His presentation placed identity ("who") as a core issue to be addressed.
Jim Hietala, The Open Group, and Shawn Mullen, IBM, provided a spotlight on the Security Forum, Jericho Forum, and specifics on ACEML.
How is the Jericho Forum Addressing them? (Identity Commandments, Identity Management, Entitlement Management, Access Management, and what to expect from the rest of the conference)
Paul Simmonds, Jericho Forum
Paul described the evolution of connectivity and de-perimeterization, and the impacts upon IT. He addressed the question of why the Jericho Forum focuses on identity. Identity issues include: passwords are broken, federation has scale issues, trust outside of your locus of control, spam issues, replication of IDs/passwords across many sites, and consumers not being able to be security experts.
Andras Szakal, IBM, gave a spotlight presentation on the Trusted Technology Forum.
The UK Government's Aspirations for Managing Identity
The Earl of Erroll
Lord Erroll provided a presentation outlining identity issues and his views on the role of governments with respect to identity. He talked about the balance needed between citizens' rights to privacy, and government interests in identity, and the dynamic tension that exists around privacy. He described the need to separate identifiers from attributes.
The Consumerization Industry View from Paypal
Andrew Nash, Senior Director of Identity Services, PayPal
Andrew's presentation described identity assurance levels and identity trust. He described a need for risk-based evaluation of claims and identity. OIX frameworks are useful.
The Jericho Forum’s Identity Commandments – a Deeper Dive into how they Advance the Identity Ecosystem Debate
Jericho Forum speakers: Adrian Seccombe, John Arnold, Andrew Yeomans, Steve Whitlock
Adrian Seccombe, Surrey University, and Steve Whitlock, Boeing, provided a deep dive into the following identity topics: provisioning and entitlement management. To manage entitlements, resource owners must define entitlement/access rules for resources. Access decisions must be relevant, valid, and bi-directional. Access decisions themselves were also discussed.
Andrew Yeomans, John Arnold, and Adrian Seccombe continued the deep dive on the Identity Commandments. Andrew's discussion described the taxonomy of terms associated with the Identity Commandments, including defining personas, delegation, and trust issues. John Arnold's presentation looked at identity issues and challenges in government. John measured the older UK Government ID Cards Scheme and the new Identity Assurance Framework against the Jericho Identity Commandments, and found that the ID Cards Scheme was lacking, while the Identity Assurance Framework lined up well with, and was much closer to, the Commandments.
Independent External Assessment
Robin Wilton, Identity Management Expert
Robin Wilton, Gartner Research, provided an analyst view on the Identity Commandments. Robin was generally very complimentary towards the identity commandments. Roger Clarke's (Australia) identity definitions are worth looking at. Areas where the commandments need to be sharpened include identity ownership (data rights might be a better way to describe identity data relationships), and privacy and control (rights-based may be useful here as well).
Moderated by Stuart Okin, CEO, Comsec Consulting
The day concluded with a hybrid panel/round table session, moderated by Stuart Okin. Many issues and challenges with respect to identity were raised, and good suggestions for adoption were brought forward.
Security Forum Meeting (Wednesday)
The first session of the day was a joint meeting with the OTTF. The Outreach committee presented their current plans and activities. Global outreach is targeted at major countries, and will require a lead vendor from the OTTF vendor members to drive contacts and outreach.
At 11:00 Wednesday, the Security Forum meeting began (Steve Whitlock, Dennis Taylor, Vicente Aceituno, Jim Hietala in attendance). We spent the first hour reviewing outcomes from the Jericho conference (Tuesday) and collecting feedback on the Identity Commandments. Specific concerns (primarily from Steve) around the 1.0 Identity Commandments document include:
- Dynamic versus static access control information; the document needs to accommodate both.
- Mixed/inconsistent use of identity and persona terms – they are used interchangeably, and cited inconsistently in the document.
- Core identifiers are an issue.
- Usage of the term "entitlement" is confusing/conflicts with common definitions.
At 13:30, the Security Forum joined the TOGAF/SABSA project to discuss the relationship of O-ISM3 to the project. Vicente and Francois led the discussion, and they see a path to relate strategic processes to SABSA outputs, or, for practitioners of SABSA, to use SABSA artifacts in lieu of O-ISM3 strategic processes.
For the afternoon, we were joined by Pete Burknap and Martin Smith, Reply, Ltd.
At 14:00, we discussed O-ISM3 maturity levels and certification for O-ISM3 as next steps in the project.
At 15:00, the group moved the discussion to the Interdependency/risk measurement project. Commonalities were seen between O-ISM3, risk from cloud computing, and an opportunity to focus the Interdependency project on measuring cloud service provider risk inheritance using the O-ISM3 metrics approach. The Interdependency project is considering focusing their work in this area, adding value to O-ISM3, and providing a cloud trust/risk management approach.