- A significant number of the members who do come to meetings say that their motivation
for doing so stems from personal enjoyment of what they get out of our meetings.
- Regular meeting attendees say that if the Security Forum did not exist they would seek
to meet in some other way, to continue to receive the same networking benefits.
- There is no other consortium where they can meet to get the same benefits.
- All want to attract more members and have them attend our meetings.
- Many members recognize that this means all of us, members as well as Open Group staff,
should actively support initiatives to recruit more members. We can assist each
other in this by empowering members to invite their personal contacts in non-member
organizations to come to a meeting and sample the benefits of membership for themselves. We
should also encourage outreach to other consortia and interest groups, to share
complementary strengths and avoid duplication of effort. Increased visibility is important,
and we should use speaking opportunities to raise it.
- Benefits of membership lie not only in producing useful document deliverables, but also
in networking and sharing knowledge and experience, and engaging in vigorous debate to
bring out the key issues in a "safe" non-disclosure environment.
- Members need to be able to show to their management tangible evidence of the value they
get from membership. We should work out how to do this effectively.
- Our main strength is members' competence in information security technologies and
understanding of the underlying business drivers, together with the opportunity for
Security Forum members to hear them debate these issues in their company.
- Our main problem is selling this as high value to prospective members' management.
- Work areas scoring highly across the surveyed members include Risk Management, Identity
Management, quantifying the effectiveness and return on investment of security solutions,
cost management of security, and "trust" - perhaps the most problematic issue in
security.
Strategy Review
Mike Jerbic presented a set of slides summarizing his assessment of the Strategic Positioning of the Security Forum and invited
feedback to develop and establish awareness and visibility of our strategy. He asked
reviewers to consider the questions who, why, and what they think the Security Forum is
now and should aim to become in the future.
Mike first described where he sees us and our security interests in the "Security
Space" compared with other major security consortia - suggesting we are in the
prevention category rather than the detection or correction areas. This immediately
stimulated debate on its value and what it really represents. It was noted that the
physical side of security is not within our usual scope. Eliot felt that this
representation is very difficult for business to relate to, and does not show how we
address the broad view of what information security is and what appropriate responses are
in the context of business policies. Timescales also do not feature in this
representation. Mike suggested business relates to the administration and logical views.
Bob mentioned we should include the Open Security Exchange. Craig said we should add the
Open Mobile Alliance. Steve Whitlock suggested the ISF should be moved down. The OMG
should also be added.
Mike went on to show how he sees the Security Forum's competitive positioning against
other security consortia, in terms of the lifecycle of security solutions (starting from
concept and progressing through requirements, high-level design, low-level design,
implementation, test/certification and integration, operation and maintenance, and
obsolescence) and what we and competing security consortia are now doing. Again this
stimulated some strong comments. Mike countered that it is important to recognize the
concept that we compete for members' time - if there are more compelling reasons for
members to go elsewhere then we should understand why and focus on the right challenges
that will persuade them that their time is best spent in our Security Forum. Mike
persevered with a slide which maps our recent deliverables and current projects onto the
IS lifecycle he had presented in prior slides, illustrating that we fit into the logical
level, and asking "Is this the space we want to occupy?", "Are we
satisfied with this positioning and contribution to the industry?", and "How do
we differentiate ourselves to show we make a unique contribution?"
Mike proposed that to manage the group effectively we need to:
- Position ourselves more clearly (by doing some appropriate degree of market research and
competitive analysis)
- Define new projects that are so crucial to the information security space that they
compel members to attend and contribute and attract new customer members who want our
solutions - vendors will inevitably follow and also become members
- Target member recruitment and growth in specific industry sectors, in individual
companies, in customers and vendors we feel we will benefit from engaging with, and with
individuals known for their expertise and interest in information security
In further discussion, Bob suggested we need to add something in this representation
that shows how we analyze and evaluate requirements to establish their likely value to the
industry. Eliot added that a lot of what we do addresses integration and education, is
informative, and is not limited by any vertical portfolio of offerings and deliverables.
He contended that this is our right positioning.
Mike emphasized that we - the members - decide our direction and we should make
considered decisions which we then follow. He proposed we adopt some strategic goals: to
expand the industries represented in our Security Forum; to define clear areas of interest
with respect to "competitive" consortia and non-profit organizations; to
stay/become relevant so we become recognized as world-class thought leaders in our area of
interest; and to develop a project portfolio clearly focused on our market segment, that
is, contributive, diverse, useful, and visible/attractive.
The conclusion was that this review has been useful in raising appropriate awareness of
our need to evaluate, appreciate, and establish our individual member satisfaction with
our relative competitive and differentiating positioning compared with other Security
Consortia. If our members are broadly content then we can conclude we are doing things
right. We then need to communicate this effectively in our public presentation material
(Web, brochure, presentations, etc.). Mike will continue working with Ian to develop this
value proposition into effective marketing communications.
New Project Proposals
ALPINE
Ian gave a summary of his ALPINE Workshop presentation
delivered on 25 June. The ALPINE (Active Loss Prevention for ICT eNabled Enterprise)
project receives financial support from the European Commission. ALPINE project partners
are The Open Group, ETIS (Electronic and Telecommunications Information Services), and ESI
(European Software Institute). The partners are completing a Market Study, and have
defined and drafted three of five project deliverables:
- ESI - Security Policy Management for Small & Medium Enterprises SIG
- ETIS - Liability in Mobile Transactions SIG
- The Open Group - Trust Services Mapping SIG
ESI and The Open Group have identified the remaining two project deliverables:
- ESI will lead a SIG on "Trustmarks".
- The Open Group will lead a SIG on "Dependable Embedded Systems"; Dave
Lounsbury and the RT&ES Forum will produce this deliverable.
A full report on the second ALPINE Workshop held in Brussels on 25 June 2003 is
available from the ALPINE Web page at www.opengroup.org/alpine/.
The Business Goal for ALPINE is to promote the growth of e-Commerce by establishing
business and public confidence in conducting transactions electronically. The critical
factors holding back growth are seen as management of risk, and trust and public confidence.
The approach to addressing these inhibitors is a business-oriented approach to understand
risks and integrate into overall risk management, combined with technically-oriented
activities to provide necessary levels of trust.
Digital Rights Management
Craig Heath said he is interested in leading work on DRM to produce a Guide that
updates his paper published in October 2002, to bring out the major business issues and
technical challenges in this rapidly growing area of interest that affects electronic
publishing. He will take this project up after the technical issues he is currently
working on with Bob Blakley to complete the Security Design Patterns Guide, Version 1 are
resolved. All present supported working on this project.
Identity Theft
Bob Blakley has submitted a project proposal - http://www.opengroup.org/mem_only/councils/ogsecurity/plans.htm
- which was reviewed in this meeting. He proposes writing a "Manager's Guide to
Identity Theft and Identity Assumption", this being a hot topic at the present time.
His proposal splits this topic into obtaining identity information on other persons, and
using that information to assume someone else's identity to commit fraud. All except one
person supported working on this project. Bob will take this project up after the
technical issues he is currently working through on the Security Design Patterns Guide,
Version 1 are resolved.
Security in Data
Bob Blakley has submitted a project proposal - http://www.opengroup.org/mem_only/councils/ogsecurity/plans.htm -
which was reviewed in this meeting. He proposes writing a Guide on protecting data, in the
context that information (data) is being moved around networks and between information
systems in rapidly increasing volumes and rates, and with the advent of Web Services and
Grid computing technologies, this data movement will become even greater. The intent of
this Guide will be to bring out the risks to the integrity of such data movement and how these
risks can be mitigated and managed by deployment of sound, cost-effective security
measures. Bob sees this as a relatively specific, architecturally-oriented project that
has high relevance to IT business management and decision-making. All supported working on
this project. Bob will take this project up after the technical issues he is currently
working through on the Security Design Patterns Guide, Version 1 are resolved.
PKI Trust Models
Earlier in the Boston meeting (on Tuesday afternoon) Steve Whitlock had presented a
template for capturing the characteristics of different trust models, and this was
reviewed and developed. A separate meeting report for the Tuesday meeting covers the
discussion, decisions, and links to related documents. Accordingly, in this review of new
projects, the PKI Trust Models project was formally adopted as a current project.
Regulator's Guide to Information Security
After discussion, this project proposal - http://www.opengroup.org/mem_only/councils/ogsecurity/plans.htm
- was agreed to be retained on record but not taken up at the present time.
PAM
A Pluggable Authentication Module is seen by The Open Group's Program Manager for UNIX
certification as a potential value-add for a new UNIX profile, since he has noticed that
this is increasingly appearing in vendor implementations. Investigation with the Linux
community and the Open Source community indicates that there is some divergence in PAM
implementations, and Gary Winiger has done a preliminary review of the technical work that
would be required to update the existing PAM API definition that is contained in the
published 1999 XSSO Preliminary Specification. This includes the business proposition for
existing vendors who have certified products that include a PAM implementation and the
potential for rework that is likely if PAM becomes a recognized standard included in a
UNIX profile. It also requires consideration of IPR issues regarding copyrighted or
unlicensed PAM code that appears in existing implementations - CDE included PAM so we are
aware that this aspect also needs to be checked. Ian has put together a draft project
proposal summarizing the exploratory discussion to date - http://www.opengroup.org/mem_only/councils/ogsecurity/plans.htm
- and he will investigate these issues further and report back to Gary, Bob, and other
interested members.
Enterprise Vulnerability Management
During the Thursday afternoon meeting, Mike Jerbic and Steve Whitlock participated in a
by-invitation-only parallel meeting on EVM (for preliminary information, see http://www.opengroup.org/mem_only/councils/ogsecurity/plans.htm).
This was an exploratory meeting, to determine whether there is enough interest among those
who may be involved in moving forward, to provide a level set on the initiative,
and to gather the names of those who may be interested in helping to set up a broader session at
the next Open Group meeting in Washington, DC (October 2003). Those involved in these
exploratory discussions include DISA, NIST, STDC, DHS, FAA, NCSC, NSA, and OMB. The EVM
initiative has much synergy with the Security Forum's interest in doing risk management
projects that involve dependability and safety as well as security - to share best
practices with the intent of improving the management of vulnerability in the context of
critical IT infrastructures. NIST has done significant work to explore the issues
involved, so they are offering their work for review and feedback of comments from other
expert groups interested in EVM. There is potential for the Security Forum to lead an EVM
open forum to work on developing the existing NIST recommendations from a security point
of view, and to evaluate opportunities to create certification programs for people,
processes, and/or technology in accordance with the recommendations. Mike reported that
there is good potential to have a half-day meeting in Washington to move EVM forward. He
and Ian will work with others involved to take this forward, and will report back to the
Security Forum on progress.