The Open Group Conference, Toronto
3rd Security Practitioners Conference
Highlights of the Plenary, Day 1 (Wednesday July 22)
The Open Group’s 3rd Security Practitioners Conference kicked off on Wednesday, July 22 in Toronto at the Eaton Center Marriott. Nearly 100 Chief Security Officers, Security Architects, and other industry leaders from around the world met to explore issues related to Security Architectures, Virtualization and Cloud Computing, and trends in Governance, Risk, & Compliance.
Murray Rosenthal, Senior Policy Analyst, City of Toronto, kicked off the “Architecting Information Security” plenary session with his keynote address: “The Disciplines of Information Security and Security Architecture: Two Complementary Ambits”. Murray noted that information security and security architecture are usually treated as synonymous and interchangeable when either discipline is described. He argued, however, that the two terms describe different, albeit complementary, areas of focus. His presentation framed the distinct disciplines of information security and security architecture, and highlighted their complementary natures.
Following the keynote, Manu Namboodiri, Vice President of Marketing at BitArmor, debunked what he dubbed a doomed approach to Virtualization Security. According to Manu, virtualization security solutions today primarily focus on protecting the virtual OS, virtual networks, or the hypervisor software itself. However, he argued that protecting the data is by far the single most important aspect of virtualization security. As a result, he explained that virtualization security needs to be rethought. His proposed solution is an “information-centric” approach to persistently protecting the data itself, which he believes is the only way to really benefit from virtualization and keep the data truly secure at the same time.
After the coffee break, Alex Woda, Practice Director, Security & Risk Management for Avient Solutions Group, delivered a presentation on how to develop and sustain an enterprise security architecture. Alex covered a range of topics, including the integration of security models in enterprise architecture, how popular architecture frameworks like TOGAF™ and Zachman are addressing security, and available tools for analyzing risk in systems under development. He also emphasized the importance of “security building blocks” such as policy, standards, and security processes.
Following Alex’s presentation, Steve Whitlock, Chief Information Security Architect at Boeing, shared his vision for “A New Approach to Architecting Security”. Steve started off his presentation with an overview of the changing landscape of IT security challenges at Boeing as the company sells more and more services over the web. He argued that security architects need to focus on shrinking the size of the attack surface, which he believes might be achievable via virtual machines. He also advocated the standardization of information access protection in order to enable secure collaboration. Steve concluded with a quick refresher of the Jericho Forum 11 Commandments, which can be found here.
Before the lunch break, Bob Steadman, Senior Director, IT Security, Privacy, & Compliance for Loblaw Companies Limited, and Predrag Zivic, Senior Risk Architect for Loblaw, shared their experience of building a security reference architecture at Canada’s leading national grocery retailer. The presentation specifically looked at how to connect information security, guiding principles for privacy and compliance, and a security framework – all with IT. The presentation also showed how the company leveraged the security and privacy architecture guidelines from TOGAF to standardize all future implementations of security within any project in the enterprise.
After lunch, Tim Brown, Vice President & Chief Architect, Security Management at CA, presented on “Cloud Computing Privacy and Security Issues”. While the business drivers for cloud computing are compelling (e.g., efficiency and cost reduction, improved customer service, etc.), the increased reliance on outsourced services available in the cloud brings a growing obligation to adequately assess new business interdependency and trust-related risks. In this new trust environment, according to Tim, confidentiality, data integrity, and availability must be managed with great care by multiple organizations, even as the company whose services are outsourced still bears primary visibility and responsibility for ensuring the privacy and security of sensitive information.
Following Tim’s presentation, Chris Hoff, Cloud Security Alliance, and Director of Cloud & Virtualization Solutions, Data Center Solutions Group at Cisco, shared the Cloud Security Alliance view of cloud architectures and security. Chris noted that a lot of the industry confusion surrounding the cloud right now stems from the conflicting lexicon and the fact that there are many different nuanced definitions depending on the audience. Chris and other members of the Cloud Computing Alliance are currently collaborating on the development of best practices for providing security assurance within cloud computing, and on educating the industry on the uses of cloud computing to help secure all other forms of computing.
To close out day one of the SPC, Dana Gardner, Principal Analyst at Interarbor Solutions and ZDNet Blogger, moderated a lively panel discussion on the security implications of enterprise cloud computing. Panelists included Glenn Brunette, Distinguished Engineer & Chief Security Architect at Sun Microsystems; Doug Howard, Chief Strategy Officer, Perimeter eSecurity & President, USA.NET; Chris Hoff, Director of Cloud & Virtualization Solutions, Cisco; Dr. Richard Reiner, CEO, Enomaly; and Tim Grant of NIST. Much of the discussion focused on what should and shouldn’t be deployed to the cloud. Panelists also tackled several other topics, most notably the need for standards and best practices for interoperability, integration, portability, and audit practices.