Automated Compliance Expert (ACE)
The project leader gave a detailed run-through on the latest draft of the proposed ACE Technical Standard, and a number of queries were resolved which enabled members to approve preparation of the draft for company review.
Assuming that the company review will result in approval to publish the ACE standard, members then considered preparations for launching this ACE standard so as to promote its visibility and high value to our primary target user community. A number of target user groups were identified. We will review and refine these in engaging support from The Open Group marketing department, in parallel with the company review.
Identity and Access Management (IAM)
We reviewed the requirements that recently evolved in the Jericho Forum and are being developed by interested IAM members in the Security Forum. Two key presentations were given:
These were used to exemplify the core issues being developed, which include extending the ISO model to represent finer-grained controls as "entitlement", and introducing access controls attached to the "resource" (target) in the form of "resource labels" and "access rules".
We are also taking an interest in a new Technical Committee in OASIS addressing "Identity in the Cloud", and we are connected into the Cloud Security Alliance (CSA) in their development of the December 2009 CSA Guidelines v2.1, Domain 13: Identity & Access Management.
Further, members noted the recent release of the US National Strategy for Trusted Identities in Cyberspace (NSTIC) document, issued under Howard Schmidt, which we recognize as a landmark paper on "identity".
Our core IAM developer members are continuing to refine their concepts in order to resolve the contentious issues raised in these presentations, and will validate them with members as the work progresses. The goal is a White Paper that captures these concepts using defined terminology consistently, and so sets a standard for defining effective IAM requirements for the Cloud and for open-network (de-perimeterized) environments. We aim for the resulting White Paper to be a stable platform from which effective Identity Management and Access Management solutions can be developed, to call for adoption of applicable existing standards, and to identify gaps in the coverage by standards of common components of the solution space.
ISM3 Technical Standard
The ISM3 draft standard is now available for company review. The review period starts on July 26 and closes on August 22. Members reviewed the recent changes (those made over the past two months) to the document, in particular the addition of the Implementing ISM3 chapter and the commentary Appendix on how ISM3 and ISO 27000 coexist.
Thoughts on promoting ISM3 when we launch it as our ISM3 standard (assuming it successfully completes company review) include involving Open Group marketing, securing the IPR from the ISM3 Consortium, and running a program of Webcasts offering ISM3 tutorials and related user-experience broadcasts. An action was accepted to draw up a marketing strawman for review and development in preparation for the launch of ISM3.
In parallel with the company review, we will also consider best-value follow-up project development work to support adoption and growth of ISM3 in the marketplace.
Architecting for Uncertainty
Following up a request for a workshop with the RT&ES Forum to explore in detail the underlying concepts of a proposal aired by a member of the Security Forum for a new direction termed "Architecting for Uncertainty and Variance", that member led a joint workshop with the RT&ES Forum in which he presented the concepts, which were aired and debated. Members left the workshop with a better understanding of the concepts and a willingness to evaluate the proposals, with a view to reaching a conclusion on whether this is a valid approach for architecting security. That conclusion will determine how we take the concept forward.
Cloud/SOA Security
In a joint meeting session with the Cloud Computing "Cloud/SOA Security" Work Group, two members of that Work Group reviewed a presentation summarizing its goals, planned deliverables, and progress to date. The session raised members' awareness of progress in this joint project and increased interest in participating.
Enterprise Security Architecture (ESA) Guide
The web page for this project, including the project Charter (which specifies background information, objectives, and deliverables) and the latest ESA draft document, is available from the project web site. Our consultant editor Gunnar Peterson and our Open Group member project manager joined this meeting session via conference call. They walked members through all the updated areas of the base document, noting areas for further change and update that will result in an ESA Update draft acceptable for submission to formal review, leading to approval for publication as a Technical Guide. The target for completing this updated ESA Guide is to finalize the draft within two weeks, perform the formal review over the required three-week period, and so be in a position to request approval to publish by mid-September 2010.
Secure Mobile Architecture
This was a joint meeting with the RT&ES Forum, whose members share our interest in developing a Secure Mobile Architecture standard, building on the SMA Technical Study published in February 2004. In a joint RT&ES-Security Forum meeting on November 16-18, 2009, members of the two forums began joint work on a project aimed at analyzing the real requirements and audience(s) for an SMA standard. The draft Charter, key descriptive presentations outlining the project objectives, and the latest draft standard are all available to members from the SMA project web page.
Members reviewed the latest SMA v0.6 draft standard (available to members from our project web site), and feedback was noted for updating it.
A number of members then volunteered to contribute further work and write-ups for incorporation into the SMA draft. The project leader and the Open Group Security Forum director will coordinate these actions, with the aim of compiling an SMA draft standard that is 90% populated by the start of the next Open Group conference in Amsterdam (October 18-22, 2010).