The Open Group Conference Boston 2010 began Monday, July 19 in Boston at the Hyatt Harborside Hotel.
The conference gathered to discuss three key themes along three primary
tracks:
- Security Architecture – The Intentional Enterprise in an
Uncertain World
- Enterprise Architecture – Evolving EA from IT to the Business
- Cloud Computing – The Business Impact of Cloud Computing
Allen Brown, President & CEO of The Open Group, welcomed over 340 members from 20 countries
to the Boston conference. He provided a brief overview of The
Open Group and its vision of Boundaryless Information Flow™. He
introduced the day’s Secure Architecture track by underscoring the
importance of creating secure architectures and products that not only
break down silos, but that also have secure, permeable boundaries that
meet that vision.
The morning plenary session kicked off with a keynote presentation
by Lt. General Harry Raduege, Jr. (USAF, Ret.), Chairman, Deloitte
Center for Cyber Innovation, speaking on the topic Succeeding in a
Cyber World. He began by addressing just how much the
word "cyber" has changed our world over the past few years and how it’s
bringing the international community together in positive ways, but also
in terms of cyber threats. Because cyber threats are borderless, they
require a continued and focused effort both by governments and business.
According to Lt. Gen. Raduege, the cyber threats facing the nation are
numerous, encapsulating everything from identity and information theft
to crime, espionage, and terrorism targeted at governments, industry, and
individuals. In fact, the average cost to clean up a virus attack is
$6.3 million and the estimated threat just to industry was $1 trillion
in 2009.
Lt. Gen. Raduege also discussed the proliferation of new types of
vulnerabilities that enterprise architects will need to address moving
forward, including those posed by mobile devices, cloud computing, social
networking, payment cards, spam, phishing, peripheral devices (including
printers and security cameras), new operating systems, and “fake”
antivirus products and scareware.
As co-chair of the Center for Strategic and International Study’s
(CSIS’s) Commission on Cybersecurity for the 44th Presidency, Lt. Gen.
Raduege finished by discussing some of the findings of the Commission’s
first report, released in December 2008, which included three primary
findings and 25 recommendations for President Obama to consider,
including a national strategy for securing cyberspace. The Commission’s
findings included the conclusion that cybersecurity is a major national
security problem for the US, that any decisions or actions taken must
respect privacy and civil liberties, and that only a comprehensive
national security strategy that is both domestic and international will
make us more secure. He also stressed that the President is making
cybersecurity a national priority that reaches across federal agencies,
encompassing economic and defense issues. He concluded by stressing
that the Commission has made recommendations for initiatives that
address authentication issues, dynamic defense, international
engagement, privacy and civil liberties, and workforce policies.
Following the keynote address, Larry Clinton, President, Internet
Security Alliance (ISA), presented on the Financial Management of
Cyber Risk: An Implementation Framework for CFOs. He began
his presentation with a brief video that addressed the issue of cyber
loss and the financial threat it poses to both governments and private
business. After the video introduction, Larry started by taking a
step back to remind everyone that the Internet has changed everything
and how the notions of privacy and self, national defense, and economics
are all undergoing a process of radical transformation. Because of
these changes we need to be aware of just how much cybersecurity is an
economic and strategic issue for governments and businesses, not just an
operational and technical issue. Therefore, the economics of
cybersecurity must be focused on the question of “why” attacks are
occurring, not just “how”, because today enterprises are not properly
structured to analyze cyber risk.
Unfortunately, the current economics of
attacks favor attackers much more than those they are attacking. Many
organizations are not as aware of how much loss they are incurring
annually as they should be and are not investing enough in planning or
implementing security initiatives. Larry says that security
problems must be attacked at the economic level and brought to the
attention of CFOs to help bring economic incentives into cybersecurity
initiatives. CFOs must be part of a cross-organizational effort to
develop risk management plans for the entire organization. ISA
recommends that industry create a new cybersecurity social contract in
which government and industry work together to address the problems that
cybersecurity poses and properly implement initiatives. Finally, he reminded attendees that addressing cybersecurity issues will
require a lot of creative thinking, much of which will come from the
private sector.
After a brief morning coffee break, representatives from the Defense
Research and Engineering department posed the important question: How
do we build with integrity and buy with confidence? The speakers,
both of whom spoke on behalf of the Department of Defense, were Kristen
Baldwin, Director, Systems Analysis; Systems Engineering Directorate
with Office of the Director, Defense Research and Engineering, who gave
the primary address, and E. Kenneth Hong Fong, Sr. Systems Engineering
Analyst, with Office of the Director, Defense Research and Engineering, who
joined Kristen for the Q&A session.
Kristen began by discussing the complex and uncertain environment
that currently faces both the Department of Defense (DoD) and the nation
in terms of security threats throughout the world. Key issues include
reforming the Department to better support needs of the warfighters,
ensuring weapons work as intended and that taxpayer dollars are spent
wisely, and maintaining disciplined systems engineering approaches to
address and handle vulnerabilities as needed. The DoD Systems
Engineering group helps by exploring innovative, responsive solutions to
the new problems the DoD is facing, which includes working with vendors
to identify the current best practices and processes that contribute to
the secure and trusted development, manufacture, delivery, and ongoing
operation of commercial products.
To address these issues, the DoD turned to The Open Group to put
together a working group that could work with DoD partners to discuss
security concerns and create standards for secure commercial
products. Challenged by the fact that market drivers often far outweigh
security issues that are DoD driven, The Open Group's Acquisition
Cybersecurity (ACS) Initiative is working with industry on standardization efforts
for procurement regulation and commercial products that mitigate supply
chain risks. In addition, they have set up a criticality
analysis group, systems security research roadmap, and assurance
guidebook that will be adopted by the NATO Standardization
Agency. Together these initiatives are geared toward allowing the DoD
to build systems that meet their standards for integrity while also
providing confidence that vendor products won’t compromise or cause
significant degradation of systems.
In the afternoon, attendees had three separate conference tracks to
choose from – a continuation of the morning’s Security track and two
separate tutorial tracks focused on SOA and TOGAF™.
In the first Security track session of the afternoon, Peter Coldicott,
Distinguished Engineer, Leading the Advanced Technology Team,
IBM, addressed the problems that occur when Security for the Physical
World Meets the Digital World. What does it mean when the physical
world meets the digital world? In IT and security, it means that
architects must consider physical components (computers and networks)
and also all the interconnected digital layers that now extend those
networks. Security threats are now prominent in endpoint systems, and
are often much more severe than many traditional IT/security problems, a
problem that dramatically changes the landscape of what needs to be
secured. To underscore the importance of the kind of systems that
provide critical points where digital meets the physical, Peter
discussed examples of controlling sewage systems and manholes, the
ability to track equipment in hospitals to make sure assets are used
properly, and the need to monitor the electrical grid.
Peter then turned the podium over to Tony Carrato, Executive IT
Architect, Advanced Technology Team, IBM, to continue the
discussion. Tony stressed that security needs and capabilities
are different at every level of manufacturing processes and that
potential problems must be considered at every level to keep machines,
such as automobiles, both secure and safe. One problem that architects
face is that there are currently many different types of standards that
regulate manufacturing across multiple different industries, but there
is little commonality or convergence among these at this time. To make
any deployment secure, security must be considered from the outset and
it must also be implemented correctly. Standards should also be
considered and developed by organizations such as The Open Group and the
Jericho Forum to lead the way in bringing security issues into the
design of physical systems.
Next up on the agenda was Forrester Research analyst Usman Sindhu speaking on Security in the Smart Critical Infrastructure Ecosystem. According to Usman, smart cities and smart grid
infrastructures are increasingly impacting people, processes, and
technology. Currently, inefficiencies in infrastructure systems cause
$15 trillion in losses per year. If these inefficiencies were addressed
properly, the savings would be $4 trillion/year. To address these
problems, the concept of the “smart city” infrastructure is emerging with “smart computing” at its core. But because connected systems breed
more risks, secure architectures are needed since attacks are becoming
more prevalent and diverse. According to Usman, smart
infrastructures and grids must consist of a public/private partnership
to secure those infrastructures in the long term. Combining approaches
from the public and private sectors, across industries, will result in
creating an IT risk baseline, or risk profile, that can be the basis of
best practices and comprehensive policies and strategies. Enterprise
architects will be critical for the planning and implementation phases
and can help train, educate, and promote collaboration among their peers
to solve the issues of smart infrastructures.
Following a short afternoon coffee break, the final individual security
panelist of the day was MITRE’s Harriet Goldman speaking on the topic
of Mission Assurance and the Art of Cyber Defense. Harriet, who is
Director of Cyber Mission Assurance, talked about the need to design
security systems with the assumption that you can’t keep attackers
out; rather, you can plan for attacks and make their job more difficult
by creating systems that are dynamic, diverse, and resilient
rather than static. Deploying pervasive defenses, such as building OS
agnostic systems, returning to thin clients, employing randomness, and
creating specific processes and methodologies by doing threat
analysis, will help architects understand the inter-dependencies that are
critical for keeping systems secure. Companies should also work to
ensure continuity of critical operations if systems come under
attack. Lastly, Harriet suggested that solving the problem will not
be a solo effort, but that companies, vendors, governments, and end users
will need to work together to address threats.
In the last tracked session of the day, panelists who had spoken in the
Security track earlier in the day gathered together to sum up the day’s
sessions by tackling the question: Cybersecurity and CyberRisk: OK, Now
what do we do about it? Panelists included Larry Clinton, Harriet Goldman,
Tony Carrato, and Usman Sindhu, who moderated the panel. Also joining
them for the panel was Steve Whitlock, Chief Security Architect for
Boeing. Usman Sindhu began by posing the question: How is cyber
security different from regular IT security, and what do enterprise
architects need to know to address it? Tony Carrato defined “cyber”
security systems as those that sit beyond the traditional data
center. The panel also discussed the need to have both architectures
and tools available to address security problems. Harriet Goldman
emphasized the need for interoperability and working together across
companies and across borders to share more information. Agreeing, Larry Clinton added that there needs to be much more work done in partnership
between the public and private sectors and that the private sector must
take more initiative to demonstrate leadership and prove its successes
to the government. The topic of legislation was also addressed with Harriet
Goldman suggesting that legislation may be necessary on international
levels, and Larry Clinton countering that the public sector will not be
able to address attacks on their own and that excessive legislation
isn’t necessary. The role of standards was also discussed with the panel
weighing in on the side of continued standards development and
compliance to help provide best practices for industry
guidance. Finally, Larry Clinton reminded the panel that there will
always be trade-offs between users that want utility and the need for
security. To combat that, security architects will need to think
differently and address the economic impact of the issue in order to really
move the needle.
The day concluded with the first ever TOGAF™ Camp hosted by Scott
Mattoon, Architect, Oracle, Jason Uppal, Chief Architect, QRS, and
Steve Nunn, COO, The Open Group. After a short introduction and
explanation of the format, the “unconference” got underway with
attendees choosing to address a number of issues regarding the practical
use of TOGAF™ in six breakout sessions, including:
- EA/TOGAF as a transformation framework: how to go from
EA as a stovepipe to architecture in transformation projects
- What are the quick wins by doing EA (how can EA become a norm in
an enterprise?)
- For business process modeling, are there any common approaches
to provide process diagrams at different levels (i.e., a level for CXO, a
level for directors, etc.)?
- How to introduce EA with an enterprise
- How to adopt the TOGAF ADM to develop solution architecture
- How to attract business analyst communities
Don’t forget to join The Open Group’s social media network and get the inside scoop on Open Group milestones
related to various standards and certification initiatives, thought
leadership webinars, conferences, and regional networking events.