The agenda for this meeting was arranged to meet the needs of new
representatives (from member organizations) who were registered to
attend the Security Forum meeting for the first time, the intention
being to provide sufficient introductory and background information to
enable them to participate in the main agenda discussion topics.
In the event, few of the registered new representatives attended the meeting. Accordingly
those present revised the agenda to address the direct interests of the members attending the meeting.
Industry News Update
Attendees shared news on a selection of conferences and meetings they
had participated in, and items of mutual interest from the previous
three-month period leading up to this meeting.
Planning the Security Open Meeting, January 2007
Plans are underway to run a one-day Security "Chain of
Compliance" open meeting in San Diego. Current plans for this open
meeting are well advanced regarding speakers. The coverage aims to
include:
- Pro-active Compliance Strategy
- Data-Centric Security
- Common Criteria Version 3 issues
- Framework for Analyzing Information Risk (FAIR)
- Security Strategy White Paper
- IdM Framework Standard development work with INCITS & ISO JTC1 SC27
Security Strategy White Paper
Attendees reviewed the latest draft 2 white paper. Later discussion
on this topic included an additional participant by teleconference link. The
feeling of the attendees was that, while they could see that the direction of
this draft document might be interesting to non-IT-security people, it
certainly holds little interest for the IT security professionals
attending this meeting. Their view was that while it may well attract
the interest of lawyers, regulators, and auditors, it is very unlikely
to add value or benefit to existing IT security technologist members
because it is difficult to relate it to a real enterprise, or even to
understand its target audience. It was appreciated that the approach
this paper takes is not the traditional
Confidentiality/Integrity/Availability one. Rather it starts with a
high-level view on data protection and aims to relate the concepts
involved to a social structure where, instead of the
- people - process (governance) - technology
approach, we have a
- government - enterprise - citizen
approach, which treats these as three different types of consumer (end user)
and makes them the focus, rather than each being an integrated part of the
"people" and (in part) the "process" of the more
common approach. While risk management is a common thread central to both
approaches, the focus for most security professionals is on the
enterprise, with government considered as another
"enterprise" and the citizen viewed, in both cases, as part of the
end-user community. A particular feature of the draft paper is the
emphasis on advocating the Security Architect as a central figure whose
role is to mediate between what government regulators say that
enterprise business must do and what is the right thing to do to protect
the consumer. In fact, the legal/regulatory side of most
enterprises is often handled quite separately from the IT security
strategy side, so security technologists are rarely involved in
legal/regulatory issues. We should ask the Architecture Forum for their
view on this.
Looking at another aspect of the paper, there are clearly issues
relating to control of information that are very relevant to information
security, especially those externality aspects relating to exercising
ownership, and exerting controlling influence/power on information once
it leaves your domain; Digital Rights Management schemes can be used for
commercial advantage - both in good (justifiable) and bad (not easily
justifiable) ways - and these "value chain" aspects are of
considerable developing interest.
Attendees in the Lisbon meeting then took time to review the current
state of the more traditional information security strategy approach. In
doing so they noted:
- ISO 17799, which gives a commonly accepted security strategy. It
stops at the point where you have to find the appropriate technology
to implement each strategic element.
- Ross Anderson's book titled "Security
Engineering". This book is published by Wiley, but is
freely available from Ross Anderson's website. It is a widely
recognized authoritative source of information on security
technologies that helps anyone developing a security strategy.
Other well-known sources of information on this subject include Bruce
Schneier's "Secrets and Lies" (discussing risk and threat
analysis), and "Beyond Fear" (a more discursive book on the
effectiveness of security measures).
Identity Management
- Guide to IdM Architectures
Members reviewed the latest feedback on this document, and arrived at a
final draft which they approved as satisfactory for formal review by
all Forum members, with a view to recommending its publication.
- Common Core Identifiers
This project is a partnership activity between the Network
Applications Consortium (NAC), the Distributed Management Task Force
(DMTF), and The Open Group Identity Management Forum (IMF). The
CCI Task Group has approved the CCI Business Scenario for
publication, and is finalizing a Press Release for its launch. The Framework document is also completed, as is
the Matrix which presents the list of candidate identifiers, the
comparative evaluation of them, and the analysis and conclusions
that resulted. These will be published soon, at which time the CCI
project will close, having completed its objectives and decided not
to continue with follow-on work. Instead we aim to pass the
deliverables to ISO JTC1 SC27, with whom we have Category C Liaison
status, for them to exploit in their standards work on Identifiers.
- IdM Design Patterns
The planned final review of updated definitions for our 2nd &
3rd party identity patterns was deferred due to unavailability of
the updates for these definitions, which had proved to involve
greater complexity and impact on other material in the definitions
than had hitherto been realized.
Likewise, progress has been delayed on developing a draft definition
for an authenticator pattern, so this was also deferred. Those
interested in an authenticator design pattern may like to review the
definition for an authenticator pattern contributed by Ed Fernandez
which is published in Markus Schumacher's compendium of design
patterns. While this definition is not incorrect, it does not in the
view of the Security Forum's experts explain adequately the key
security features which we would consider essential
to highlight in our definition.
- IdM Standards Framework (joint with INCITS & ISO JTC1 SC27)
Due to a communications problem with our
expert contributor in the USA, we were unable to proceed with the
detailed review of the latest draft of this document. We will
progress this in the weeks following this meeting.
- Best Practice Guide for Identity & Access Management
Due to a communications problem with our
expert contributor in the USA, we were unable to proceed with the
detailed review of the latest draft of this document. We
will progress this in the weeks following this meeting.
Collaboration with Jericho Forum
In place of the more specific review of the three project areas where the
Security Forum intends to collaborate with the Jericho Forum:
- Security Strategy White Paper & Jericho Forum Commandments
- Anti-establishment security design patterns for de-perimeterized environments
- "Security in Data" components to the Jericho Forum security problem
we discussed the concern that currently there exists a significant gap
between the publication of the Jericho Forum's high-level position paper
"requirements" on the one hand, and proper understanding of
those requirements by solutions technologists. Much is assumed, and it
is vital to push these requirements towards the vendor community in ways
which are more readily understandable and "do-able". This is a
role where the Security Forum with its more technological base of
members can take the lead. We will review this proposed approach and
decide how to move forward.
Joint Security Forum & SOA Working Group Review (Led by the Security Forum)
The Security Forum met with the Service Oriented Architecture (SOA)
Working Group to explore their interest in participating in a joint SOA-security task
group. Two particular areas were presented by
the Security Forum for the SOA Working Group's consideration:
- Inherently Secure Protocols
- Architectures for de-perimeterization
In discussion, it was agreed that we will follow up
further to verify the value-add we may expect from collaborating here.