This report covers the Security Forum and Jericho Forum members'
meeting sessions which took place on Monday and Tuesday, July 20-21.
The SPC (July 22-23) is covered in a separate
conference report.
Security Forum Members' Meeting
Welcome, Introductions, & Agenda
Members introduced themselves as they arrived during the Monday and
Tuesday of the members' meeting. The agenda for the members' meeting and
the SPC was then reviewed and approved.
Industry News Updates
- Electric Power Smart Grid: management initiatives to conserve energy
appear to be poorly informed about the security issues involved.
Examples include intelligent meter charging at peak times, using
existing power distribution resources more efficiently, and intelligent
use of appliances at off-peak times. There is a clear need to secure
this part of the national critical infrastructure.
- Can we do anything effective to help combat Distributed Denial of
Service (DDoS) attacks, such as the recent incident which took down the
targeted sites, and the GhostNet intrusions against the Dalai Lama's
offices and the embassies of India, Germany, and others? There are
well-known steps that reduce the chance of a DDoS attack succeeding.
Perhaps we should include this issue in our Ecosystem for Security
project.
- Healthcare is a hot topic where effective security needs to improve,
at both the local doctor-practitioner level and in hospitals. HIPAA
requirements apply, yet the real needs of patients, doctors, healthcare
administrators, and medical insurers continue not to be met. Many
doctor-practitioner businesses and other small businesses need basic
guidance on how to make their IT systems secure. We will evaluate this
opportunity, with a view to including it in our Ecosystem for Security
project.
Security Program Strategy: Preliminary Survey Results
The preliminary results offer interesting perspectives and some
innovative ideas on how we should formulate our Security Program
Strategy going forward. An additional consideration is the Architecture
Forum's experience with a similar survey: significantly greater value
was derived from taking longer to gather feedback from both members and
Open Group observers, giving a more balanced assessment and more
valuable conclusions. Taking this longer view:
- Attendees at this Security Forum meeting reviewed each of the 10
questions in the survey and contributed further feedback.
- We will set up a Security Strategy Plato web page to make the
security survey and associated documents readily available, and
encourage further review and comments, and additional new feedback,
via email exchanges.
Security Forum Projects Review
The complete set of currently active Security Forum projects/working
groups was briefly reviewed and checked to confirm that each
project/working group has its own web site linked to the Security
Projects web area.
- SOA and Security Guide
- Enterprise Web 2.0 Security Guides
- Risk Management (FAIR) Cookbook Standards
- Enterprise Security Architecture Guide (update to NAC ESA Guide)
- Automated Compliance Expert (ACE) Standard
- Event Record Format (XDAS) Standard
- Trust Management & Classification Standard
- Collaboration Oriented Architectures (COA) Framework Standard
- Secure Mobile Architecture (SMA) Standard
- Security Reference Architecture, based on COA using TOGAF
- Securing the Ecosystem Standard
The Risk Management, SMA, and Trust Management standards were not
addressed during this meeting.
Secure Web 2.0
The latest draft of the first Web 2.0 deliverable – a
catalog of security threats and vulnerabilities that use as attack
vectors what are commonly described as Web 2.0 technologies and services
– needs to be uploaded to the Secure Web 2.0
web page.
Also, the working group membership resources need to be reviewed to
establish support for completing this first deliverable and also for
developing the draft use-cases for the second deliverable.
Security Forum & SOA Work Group Joint Members' Meeting – SOA &
Security Guide
The outcomes from the informal review held between June 19 and July 10
were gathered into a summary report and reviewed in a conference call on
July 14. The report on the outcomes of that call is available here. These
outputs were the starting point for discussion in this Toronto joint
meeting between the SOA Work Group and Security Forum members. A
prerequisite to evaluating the July 14 outcomes report was identified
almost immediately: "In the light of the feedback received during the
informal review, what is the most effective way to use it in our future
deliverables?" Without an answer to this, it was impossible to decide
the scale of the responses required to the review feedback. The
conclusion was that:
- The original proposal to publish the 13-page SOA-Security document
as an additional chapter of the existing SOA Source Book is no longer
an acceptable goal.
- The SOA Work Group intends to expand the existing SOA Source Book
and deliver a more comprehensive version by April 2009, and the
13-page SOA-Security chapter should be expanded as part of this
exercise into a chapter of at most 50 pages in SOA Source Book,
Version 2.
- The separate SOA-Security Guide probably remains viable as more
comprehensive coverage of the material that will form the Version 2
SOA-Security chapter. Whether it is a sufficiently value-adding work
item has yet to be validated, and can only be decided once the coverage
of the Version 2 chapter is known. Meanwhile we should encourage all
members interested in SOA-Security to contribute to the Version 2
Source Book.
Attention then turned to the review feedback report from the July 14
conference call, which is available to members only here. Detailed
discussion arrived at agreed actions, which will be available to members
on the same web site by July 31 2009. The authors undertook to address
these actions both in the proposed security chapter of at most 50 pages
for the second edition of the SOA Source Book and in the more substantial
existing draft of the SOA-Security Guide.
Automated Compliance Expert (ACE)
The project leader has written a white paper explaining the goals of
this standard: to enable products to be developed which can apply a
security configuration policy to a broad range of IT systems (from
general-purpose computers to routers and firewalls), and provide
continual monitoring to raise an alert if any component or device in the
system falls out of the prescribed compliant state. The paper also
describes how to use the ACE template and naming scheme, and the
extensibility built into the standard. The ACE XML Markup Language
(ACEML) template is now complete and the Naming Scheme will follow in a
few weeks. We will make the completed ACEML template and white paper
available for members to review as soon as they are ready, so that
members can perform a preliminary review with an understanding of the
role and use of the associated Naming Scheme. When the Naming Scheme is
ready, we will submit the ACE specification to Company Review as an Open
Group Technical Standard.
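The mechanism described above (prescribe a configuration policy, evaluate each component against it, alert when a component falls out of the compliant state) is illustrated by the following added example. It is not code from the ACE project: the policy format, operator names and device states are a hypothetical simplification made up for this illustration, not the ACEML template or the ACE Naming Scheme. Two points a monitoring implementation has to get right are shown: a setting that cannot be read is reported as "unknown" rather than silently passed, and alerts are raised on the transition out of compliance, so long-standing exceptions stay in the full report without re-alerting every cycle.

```python
"""Configuration compliance check with drift alerting.

Added example illustrating the mechanism the ACE work describes: prescribe
a configuration policy, evaluate each component against it, and alert when
a component falls out of the compliant state.  The policy format, device
states and operator names below are a hypothetical simplification made up
for this example; they are not the ACEML template or the ACE Naming Scheme.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Hypothetical policy: device class -> setting -> (operator, required value).
# Operators: eq (must equal), neq (must differ), min (observed >= required),
# max (observed <= required).
POLICY: Dict[str, Dict[str, Tuple[str, Any]]] = {
    "server": {
        "ssh.password_auth": ("eq", False),
        "password.min_len": ("min", 12),
        "password.max_age_days": ("max", 90),
    },
    "router": {
        "telnet.enabled": ("eq", False),
        "snmp.community": ("neq", "public"),
        "ntp.authenticate": ("eq", True),
    },
}

# Constructed device states at two collection times.  Between T0 and T1,
# web01 re-enables password authentication and edge-rtr stops reporting
# its SNMP community string.  edge-rtr's NTP setting is wrong at both times.
Snapshot = Dict[str, Tuple[str, Dict[str, Any]]]   # device -> (class, observed)
SNAPSHOT_T0: Snapshot = {
    "web01": ("server", {"ssh.password_auth": False, "password.min_len": 14,
                         "password.max_age_days": 60}),
    "edge-rtr": ("router", {"telnet.enabled": False, "snmp.community": "r0-s3cr3t",
                            "ntp.authenticate": False}),
}
SNAPSHOT_T1: Snapshot = {
    "web01": ("server", {"ssh.password_auth": True, "password.min_len": 14,
                         "password.max_age_days": 60}),
    "edge-rtr": ("router", {"telnet.enabled": False, "ntp.authenticate": False}),
}


@dataclass(frozen=True)
class Finding:
    device: str
    setting: str
    expected: str
    observed: Any
    status: str   # "compliant" | "noncompliant" | "unknown"


def _satisfies(op: str, required: Any, observed: Any) -> bool:
    if op == "eq":
        return observed == required
    if op == "neq":
        return observed != required
    if op == "min":
        return observed >= required
    if op == "max":
        return observed <= required
    raise ValueError(f"unknown operator {op!r}")


def evaluate(snapshot: Snapshot) -> List[Finding]:
    """Check every device in the snapshot against the policy for its class."""
    findings: List[Finding] = []
    for device, (device_class, observed) in snapshot.items():
        for setting, (op, required) in POLICY[device_class].items():
            expected = f"{op} {required!r}"
            if setting not in observed:
                # Fail closed: a setting we could not read is not evidence of
                # compliance, so it is reported rather than skipped.
                findings.append(Finding(device, setting, expected, None, "unknown"))
                continue
            ok = _satisfies(op, required, observed[setting])
            findings.append(Finding(device, setting, expected, observed[setting],
                                    "compliant" if ok else "noncompliant"))
    return findings


def drift_alerts(previous: List[Finding], current: List[Finding]) -> List[Finding]:
    """Findings that were compliant last time and are not compliant now.

    Alerting on the transition keeps the alert stream to new events;
    long-standing exceptions remain visible in the full evaluate() report.
    """
    was_ok = {(f.device, f.setting) for f in previous if f.status == "compliant"}
    return [f for f in current
            if f.status != "compliant" and (f.device, f.setting) in was_ok]


if __name__ == "__main__":
    before, after = evaluate(SNAPSHOT_T0), evaluate(SNAPSHOT_T1)
    for alert in drift_alerts(before, after):
        print(f"ALERT {alert.device} {alert.setting}: expected {alert.expected}, "
              f"observed {alert.observed!r} ({alert.status})")
```

Run between the two constructed snapshots, this alerts on web01's re-enabled password authentication and on edge-rtr's now-unreadable SNMP community string, but not on edge-rtr's NTP setting, which was already non-compliant at T0 and therefore appears only in the full report.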
We noted that the next NIST Security Automation Conference is on September
23-24, with the associated Workshop on September 25-26, in Gaithersburg,
Maryland, US. This is too soon to launch the ACE standard, but it is an
important pre-launch opportunity to announce its features and forthcoming
publication.
Securing the Ecosystem
The project leader and others joined the meeting by conference call.
Members reviewed the Charter (available here) for this project, whose
general objective is to provide guidance on how to set up and configure
IT system components so as to enable their security features in ways
that significantly improve operational security. While this goal applies
to all IT systems, the need for this deliverable is especially acute in
Small and Medium Businesses (SMBs), which have no qualified professional
IT expertise on how to secure their systems. Among the issues discussed
was that, looked at from a societal/community perspective, many SMBs are
unaware of cyber attacks yet are frequently and unwittingly used by
attackers to spread spam, viruses, etc., and so contribute to
cyber-societal breakdown. Even publishing only a top-10 list of things to
do to secure your computer and network connection would significantly
raise the security bar and stop a large number of attacks from
succeeding. Members accepted actions to recommend updates to the Charter
to make it more robust and definitive. The project leader and supporting
members will open the development activity by identifying a top-10 list
of set-up/configuration issues for a networked small office 3-terminal
system, and drafting content for these top-10 issues as opening
proposals. We will use conference calls to review the proposals, and
expect to develop the understanding and complexity as we progress to
larger systems and more complex business use-cases and operations. We
will also contact the National Cyber Security Alliance to explore how we
may leverage mutual value from our Securing the Ecosystem project.
Enterprise Security Architecture (ESA) Update
The project leader reviewed the original objectives of the NAC in
producing the ESA Guide, and confirmed that no similar efforts have been
published since ESA was published in 2004. Update sections already
identified are:
- Opening section: compare the opening approach with that used in
the TOGAF documentation, with a view to leveraging/aligning with
TOGAF's Enterprise Architecture style. Request our Architecture
Forum liaison contacts to help on this.
- Consider mention of John Alexander's design patterns approach.
- Consider including the implications of two or more enterprises
working together.
- Governance: Principles: (perhaps include the Jericho Forum's
commandments in this section), Policies and Standards, Guidelines
and Procedures, Regulation & Compliance (GRC), and Enforcement.
- Identify security technologies.
- Review additional sections to determine additional updates.
- Normalize Glossary of Terms.
- Check opportunities for developing an associated ESA certification
scheme.
- Include relevant contributions from the COA framework.
- Market demand for certification: check with available
sources.
It was agreed that we will use a draft ESA Review spreadsheet (available
to members only under Design Documents here)
to structure our review of the existing ESA 2004 Guide, and submit our
estimates on what needs updating, and what priorities, knowledge skills,
and effort/time each update item will require, so we can establish and
confirm a roadmap for completing this project. As a rough
estimate, we hope to target completion by end of Q1/2010. To
achieve this we estimate project members should hold bi-weekly 1-hour
conference calls to review successive drafts of new/revised material. We
also should expect to call on appropriately expert members to prepare
draft updates where necessary. It is likely we should plan to have
a face-to-face meeting around January 2010 to validate achievements to
date, and confirm future direction leading to completion.
XDAS Update Review, and xdasj4 Demonstration
Joël Winteregg (NetGuardians) reviewed the problem that the update to
XDAS is addressing, explaining why a standard format for expressing an
Event Report is essential if consumers of event reports are to parse
event information from multiple sources efficiently. He also showed how
the XDAS standard fits into the MITRE Common Event Expression (CEE)
standards work, noting that he and other active XDAS project
participants are also closely involved in the CEE work.
Additionally, he and Ian Dobson did a podcast which Dana Gardner will
broadcast in the near future. We hope this will stimulate new interest
in contributing to writing and reviewing the detailed specification, and
promoting its acceptance as part of the CEE standard.
Joël included a demonstration of how his open source Java
implementation of an Event Report achieves the intended objective.
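The following added example illustrates the point Joël made about consumers of event reports: once producers with unrelated log syntaxes are mapped onto one record shape, a cross-source query becomes a few lines. It is not code from the XDAS project or from the xdasj4 demonstration. The Event fields are a hypothetical, simplified common schema chosen for this illustration, not the XDAS or CEE field definitions, and the log lines are constructed rather than captured.

```python
"""Normalising event reports from different producers into one record shape.

Added example, not code from the XDAS project or from the xdasj4 demo.  The
Event fields below are a hypothetical, simplified common schema chosen for
illustration; they are not the XDAS or CEE field definitions.  The log
lines are constructed, not captured from real systems.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Constructed input: two producers report the same kind of event (an
# authentication attempt) in two unrelated syntaxes.
SSHD_LINES = [
    "Jul 20 09:14:02 host1 sshd[4121]: Failed password for invalid user admin "
    "from 203.0.113.7 port 51022 ssh2",
    "Jul 20 09:14:09 host1 sshd[4121]: Accepted publickey for alice "
    "from 198.51.100.4 port 50112 ssh2",
]
APP_LINES = [
    '2009-07-20T09:15:30Z level=WARN app=portal event=login outcome=FAILURE '
    'user="admin" src=203.0.113.7',
    '2009-07-20T09:15:41Z level=INFO app=portal event=login outcome=SUCCESS '
    'user="bob" src=198.51.100.9',
    '2009-07-20T09:15:50Z level=INFO app=portal event=pageview user="bob" path=/home',
]


@dataclass(frozen=True)
class Event:
    """Hypothetical common record (an assumption of this example only)."""
    time: datetime          # always timezone-aware UTC
    observer: str           # component that produced the report
    action: str             # normalised action name, e.g. "authenticate"
    outcome: str            # "success" or "failure"
    initiator: str          # principal attempting the action
    source_ip: Optional[str]


_SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<verdict>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_sshd(line: str, year: int = 2009) -> Optional[Event]:
    """OpenSSH-style syslog line -> Event.  Syslog omits the year, so it is supplied."""
    m = _SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(
        time=ts.replace(tzinfo=timezone.utc),
        observer=m["host"],
        action="authenticate",
        outcome="success" if m["verdict"] == "Accepted" else "failure",
        initiator=m["user"],
        source_ip=m["ip"],
    )


def parse_kv(line: str) -> Optional[Event]:
    """ISO-timestamped key=value line -> Event; non-login events are dropped."""
    ts_str, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(rest)}
    if fields.get("event") != "login":
        return None
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return Event(
        time=ts.replace(tzinfo=timezone.utc),
        observer=fields.get("app", "unknown"),
        action="authenticate",
        outcome="success" if fields.get("outcome") == "SUCCESS" else "failure",
        initiator=fields.get("user", "unknown"),
        source_ip=fields.get("src"),
    )


Batch = Tuple[Callable[[str], Optional[Event]], List[str]]
DEFAULT_BATCHES: List[Batch] = [(parse_sshd, SSHD_LINES), (parse_kv, APP_LINES)]


def normalise(batches: List[Batch]) -> List[Event]:
    """Run each producer's parser over its lines; return one time-ordered stream."""
    events = [e for parser, lines in batches for e in map(parser, lines) if e]
    return sorted(events, key=lambda e: e.time)


def failed_logins_by_ip(events: List[Event]) -> Dict[str, int]:
    """A consumer query that is trivial once producers share one record shape."""
    counts: Dict[str, int] = {}
    for e in events:
        if e.action == "authenticate" and e.outcome == "failure" and e.source_ip:
            counts[e.source_ip] = counts.get(e.source_ip, 0) + 1
    return counts


if __name__ == "__main__":
    stream = normalise(DEFAULT_BATCHES)
    for ev in stream:
        print(ev)
    print(failed_logins_by_ip(stream))
```

The per-producer parsers carry all the format-specific knowledge; the consumer sees only Event records, so the same failed-login count works across sshd and the application log, and a new producer requires a new parser but no change to the query.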
Ecosystem for Software Assurance, with RTES Forum
The following presentations were given:
- AFRL Work on the Software Assurance Ecosystem (Djenana Campara, CEO,
KDM Analytics)
- The OMG SwA MetaModel and Claims Argument (Nick Mansourov, CTO,
KDM Analytics)
The message of these presentations was that Software Assurance (SwA) is
hampered by the lack of common definitions of weaknesses and
vulnerabilities, of objective, technically efficient methods for linking
weaknesses to vulnerabilities, and of unified processes for identifying
and measuring vulnerabilities across defense components and commercial
industry. Although much work has been done by multiple groups, these
efforts have not been integrated, and divergent frameworks impede
effective vulnerability identification and mitigation. The study
presented uses a SwA Ecosystem to unify the diverse frameworks and
establish a traceable, automated vulnerability identification and
mitigation process, leading to assurance results that are comprehensive,
objective, and generated with a high degree of automation. This approach
could significantly reduce the cost of achieving certification at high
assurance levels.
Security & Jericho Forum Members' Meeting
Partnership with Cloud Security Alliance
The Memorandum of Understanding (MoU) between the CSA and Jericho
Forum is now in place and Jericho Forum members have been alerted to the
opportunity for them to register to join CSA development Working Groups.
The list of CSA Working Groups and joining information is available on
the CSA web site. Any member wishing to contribute to a Cloud Security
Alliance Working Group should visit the web site and contact Ian Dobson
to ensure they are connected and enabled to do so.
COA Framework Standard
Ian Dobson is leading this project. He presented the Working Group
Charter; the web site for this project is here.
The structure for the COA Framework standard is:
- Introduce the business case for why a COA-style security architecture
is needed
- Explain the commandments as measures of effective security in open
systems
- Present the COA concepts, and the COA Framework components
- Add descriptions for each COA component, from existing Jericho Forum
publications
Ian will complete the draft COA Framework standard and make it available
for review by Security Forum and Jericho Forum members.
Security Reference Architecture using TOGAF
Following on from the outcomes of the previous meeting (London, April
2009), project members should by now have completed the TOGAF online
tutorial kindly made available by the Armstrong Process Group, which
enables Working Group members to appreciate how to use TOGAF to develop
this COA Reference Architecture. The COA Security Reference Architecture
using TOGAF 9 project uses COA as its base input and the TOGAF ADM to
develop the reference architecture. The next step is to encourage members
to identify their relevant areas of COA security expertise and commence
populating the existing TOGAF wireframe template provided by project
leader John Arnold (available on the Working Group web page, accessible
here) with the requisite security reference architecture contributions.
Members received a presentation on SABSA (Sherwood Applied Business
Security Architecture) by Bob Weisman, which generated significant
interest, sufficient to warrant following up with SABSA leader David
Lynas and the next SABSA conference (COSAC, September 20-24). The
presentation was given as background to appreciating how the SABSA model
sits alongside TOGAF. David Lynas has agreed to the circulation of a
White Paper on SABSA to members of the Security Forum, to add to
understanding of what SABSA has to offer. This White Paper is available
to Security Forum members here.
Bob also alerted members to the 16th International Computer Security
Symposium (COSAC), featuring the 1st SABSA World Congress, on September
20-24 at Killashee House Hotel in Naas, Republic of Ireland; see details
including agenda and speakers here. Ian Dobson will contact the COSAC
2009 and SABSA World Congress chairman, David Lynas, to establish
appropriate links.
Security Design Principles – Self-Assessment Scheme
The Jericho Forum has now completed an initial draft of a
self-assessment scheme for all 11 Jericho Forum Commandments. These are
characterized as those “nasty questions that bring out the true
effectiveness of security products and solutions”; in this context,
“nasty” means difficult, searching, awkward, and flaw-exposing. The
scheme is now being prepared as a draft suitable for review by members,
after which it will be submitted to formal Company Review, leading to
publication. One comment was that vendors of products which would not
score well are very unlikely to participate in the scheme; the answer is
that they will stand out by not doing so when a customer asks for their
scorecard, and in any case the nasty/hard/revealing questions in the
scheme are just as easily put to the vendor by the customer when
evaluating what to buy, so the scheme still has substantial value. A
significant improvement point is to allow an "n/a" answer against
questions which do not apply to a product, in which case the scoring
mechanism needs to accommodate "n/a" responses. Ian Dobson will arrange
preparation of the self-assessment scheme draft document for member
review, inviting comments to improve the definitions of the criteria for
self-assessing the degree of compliance with the requirements of each
Jericho Forum Commandment (see the Jericho Forum Commandments paper,
freely downloadable from the Jericho Forum publications page).
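What "accommodating n/a" means for a scorecard is shown in the following added example, which is not part of the Jericho Forum scheme: the questions, weights and answers are constructed for illustration. It contrasts the naive rule (divide by all questions, so every "n/a" silently counts as "no") with scoring over the applicable questions only, and handles the two edge cases a customer would care about: a scorecard where nothing applies, which must not be reported as 0% or 100%, and the count of excluded questions, which is reported alongside the score so a vendor cannot improve its result simply by marking hard questions "n/a".

```python
"""Scoring a self-assessment when some questions are answered "n/a".

Added example, not part of the Jericho Forum self-assessment scheme.  The
answer vocabulary, questions and answers are constructed for illustration;
the point is the scoring rule.
"""
from typing import Any, Dict

# Assumed answer vocabulary for this example.
CREDIT = {"yes": 1.0, "partial": 0.5, "no": 0.0}
NOT_APPLICABLE = "n/a"

# Constructed answers: one vendor's scorecard for a five-question
# commandment, two of whose questions do not apply to its product.
ANSWERS = {
    "q1": "yes",
    "q2": "yes",
    "q3": "partial",
    "q4": NOT_APPLICABLE,
    "q5": NOT_APPLICABLE,
}


def naive_score(answers: Dict[str, str]) -> float:
    """Divides by every question, so an "n/a" silently counts as "no"."""
    return 100.0 * sum(CREDIT.get(a, 0.0) for a in answers.values()) / len(answers)


def score(answers: Dict[str, str]) -> Dict[str, Any]:
    """Score over applicable questions only, and report how many were excluded.

    Reporting the excluded count matters: a vendor that marks every hard
    question "n/a" would otherwise look perfect.
    """
    applicable = {q: a for q, a in answers.items() if a != NOT_APPLICABLE}
    unknown = sorted(set(applicable.values()) - set(CREDIT))
    if unknown:
        raise ValueError(f"unrecognised answers: {unknown}")
    result: Dict[str, Any] = {
        "applicable": len(applicable),
        "not_applicable": len(answers) - len(applicable),
    }
    if not applicable:
        result["percent"] = None   # nothing to score; do not report 0 or 100
        return result
    earned = sum(CREDIT[a] for a in applicable.values())
    result["percent"] = round(100.0 * earned / len(applicable), 1)
    return result


if __name__ == "__main__":
    print("naive:", naive_score(ANSWERS))
    print("n/a-aware:", score(ANSWERS))
```

On the constructed scorecard the naive rule reports 50%, while scoring over the three applicable questions reports 83.3% with two questions shown as excluded.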
Cloud Cube Model – Use-Cases Review/Feedback
Ian Dobson presented on Cloud Cube Use-Cases, which captures outcomes
from the discussion in the joint Security-Jericho Forum workshop at the
previous meeting (May 1, London, UK), plus further review comments.
Further comments from the Jericho Forum's July 10 members' meeting
provided feedback which will be used to update our Cloud Cube Use-Case
review comments:
- VMware is not really part of Cloud, so it should not be used as an
example of cloud use.
- In use-case Internal/Open/Perimeterized, a good example is an
external WIKI.
- In use-case Internal/Proprietary/De-perimeterized, you can control
the access to your data.
- In use-case External/Proprietary/De-perimeterized, this is where
vendors would like to take you because it represents vendor lock-in.