Many members attended the Secure Architectures plenary on Monday, and
the security-related APC tracks on Tuesday and Wednesday of the
conference. The members' meeting for the Security Forum was held from
Thursday through to Friday noon.
Review of Secure Architectures Plenary and Security-Related APC Tracks
Members first did a round of introductions, then reviewed the meeting
agenda to verify that we had included all items of importance to members
present.
We then reviewed the Monday plenary presentations and
Tuesday-Wednesday security-related APC tracks and presentations to
identify issues, lessons learned, matters arising, proposed new work
items which may have emerged, and any other outcomes members had
detected.
The plenary IPv6 presentation (Merike Kaeo) was very useful, and linked
well with Tony Hain's presentation on this same topic two years ago in
New Orleans. The plenary presentations were felt to be a mixture of
security topics lacking a common security thread - which was what was
planned, but which perhaps in hindsight could have been better arranged
into a more coherent thread.
The security-related APC tracks on
Tuesday and Wednesday were similarly varied in their content.
One gap suggested in our coverage was a lack of understanding of the
assurance of security properties; verification of security properties
could be done using emerging software property verification techniques,
so this is an area worth exploring.
The Trust APC track attracted special mention as a
highlight of the APC for security-oriented attendees - the possibility
of developing an interoperable standard for common levels of sensitivity
and classification of data, and building responsive protection
mechanisms for this, is a high-value vision. There is potential for a Common
Language paper here.
The proceedings of the Plenary and APC Tracks are available in the
Plenary report.
Identity Management Forum
Ian reminded members about our Category C Liaison
status with ISO JTC1 SC27, and reported back about his attendance at the
SC27 WG5 workshop in Lucerne on September 30, where he gave a presentation
on the Identity Management Forum's work and deliverables on this area,
including:
and repeated The Open Group's hopes that the SC27 WG5
members will accept these Open Group publications as significant
contributions towards the content for their related standards
development work on Framework for Identity Management, and a
Privacy Framework, plus any standards work in SC27 on Identifiers.
Ian also noted that the ITU-T Focus Group on Identity Management (FG
IdM) is a major contributor to the SC27 WG5 work. They attended the
influential Internet Identity Workshop meeting in May, where they made
some interesting headway. The ITU-T has now sent the Identity Management
Forum a liaison statement (dated October 19 2007) requesting that we
review their technical output - six papers, five of which are complete.
Ian will organize our review - they requested our response by December 9.
Discussion brought out that effective liaison with
SC27 WG5 necessitates attending their meetings to push our contributions
and engage with the lead editors of their standards to promote our
contributions and ensure they are correctly represented and included in
the resulting ISO standards. Unfortunately, the financial costs to do
this are significant so we have to make careful judgments on when and how
to do it.
SOA-Security Task Group
Rakesh Dhamala (IBM India), Dennis Attinger (Philips), and Stuart
Boardman (CGI) joined the Security Forum members for this session. The
joint project between the Security Forum and the SOA Working Group is aimed at
addressing best practices on how to secure SOA environments. Taking into
account the attendees in this session, we checked the web site
for the target deliverables
in this project as listed in the Charter for the project: a guide for
enterprise architects on how to address security in Service-Oriented
Architectures (lead editor: Anil Rode), including material from three
White Papers:
- A white paper that describes the characteristics which define SOA
security services, and identifies and elaborates the core Security
and Information Assurance services required to deliver a
non-industry-specific Service Oriented Architecture (lead editor:
Fred Etemadieh)
- A white paper that makes recommendations for the definition of new
service types (where none exist), identifies gaps in the existing
standards needed to support security for SOA, proposes extensions to
those services which may be required to deliver appropriate levels
of assurance, considers the technologies which may exist to deliver
these services, and from this identifies the extent to which a
service may currently be realized conceptually, logically, or
physically (lead editor: Owen Sayers)
- A white paper that gives a set of use-case descriptions and an SOA
threat profile that is based on them (lead editor: Shawn Smolsky)
We have a skeleton draft from Anil for the Guide, and a draft of the
use-case descriptions and the SOA threat profile based on them. We await
initial drafts for the other two white papers. In the meeting we reviewed
the Guide, and recommended that our definition of SOA be included up
front, to ensure a clear understanding on this (bearing in mind the
variety and scope of definitions for SOA that exist in our industry).
Ian gathered a few more comments and will feed these back to the project
list. Stuart volunteered to provide a use-case for the Guide (Section
1.1.1.5) which explains that there is more to authentication than SSL.
Members agreed we should propose our next developers conference call
for this SOA-Security project on November 7.
Development of the Security Forum
The publication of our White Paper entitled "Information Security
Strategy" has stimulated new thinking on new directions for the
Security Forum, and we have The Open Group management's backing to work
out how best to develop this new direction in ways that will attract
existing and new members to participate in developing the strategies in
the White Paper. Marketing consultant Jim Hietala has been invited to
help us put together an effective set of messages and action plan to
launch our future direction.
To set expectations for this session, members in Budapest held a
working lunch on Monday, where Jim presented a short introduction to
the task, invited members to think about this topic as preparation for
the Thursday meeting session, and welcomed suggestions that members may
like to offer right away. The lunch session attracted 15 attendees, and
produced a variety of suggestions, which Jim and Ian pulled together in
a presentation in the Thursday meeting session.
Mike Jerbic (Chair of the Security Forum) joined the Thursday meeting
session by conference phone. Jim conducted the session (see presentation),
noting that we don't expect to achieve all of our objectives in the 90
minutes available, but the key components we need to consider and
follow-up include:
- Define a new value proposition for the Security Forum
- Evaluate a new security architecture standards focus
- Brainstorm key messages for the Security Forum
- Develop compelling business drivers for Customer members and Vendor members
- Develop key messages for outreach, including for Journalists and for Analysts
Jim and Ian collected members' feedback, and Jim will
use it to prepare a report giving his recommendations on how to market
the Security Forum in the context of the newly published White Paper.
Risk Analysis (FAIR) Standard
Alex Hutton (Information Risk Insight) joined the meeting by conference
phone to present an update report on progress with our FAIR (Factor
Analysis of Information Risk) project. This report included his response
to the key action arising from our previous focus meeting on FAIR: to
define where and how standardizing FAIR will add value, and who our
target audience is. Members are recommended to read the presentation for
details.
During the review, a new viewpoint was raised that
risk is usually only taken if there is an upside benefit with a downside
possibility, so how does FAIR address this benefit side? Discussion on this
clarified that this is a business decision, not a risk evaluation of an
IT system.
Jericho Forum Liaison Update
Ian reported back on the feedback on the Security Forum's evaluation
of published position papers:
- Trust: Mike Jerbic had not only completed the review template but
also added his own discussion paper pointing out concerns which he
considered needed to be included in the Trust paper. The Jericho Forum
agreed that they will revise the Trust paper to include three major
issues - detection, retribution, and consequences - and accommodate
other good feedback in Mike's comments.
- Wireless: While Fred Etemadieh had done an
excellent survey of wireless standards which are relevant to
wireless operation in a perimeterized environment, the Jericho Forum
focus is to position wireless issues for operation in a de-perimeterized environment, so no update to the Wireless paper is
required.
- VoIP: Fred's comments are good and should be added
to other conclusions on VoIP as presented in our September 11 2007 New
York Conference, as contributions towards revising the Wireless
position paper.
Ian and other members who are also members of the Jericho Forum advised
that the Jericho Forum is working on two important new position papers:
- Collaborative Oriented Architecture (a name not yet agreed as
final) - a paper defining the basic components for the Jericho Forum's
vision of its collaborative business framework, describing how the key
components of the solution space should work together - to provide a
reference for checking the completeness of proposed architectures.
- Secure Communications Position Paper, which merges our existing
Inherently Secure Protocols and Encryption & Encapsulation papers into a
single coherent explanation of what we mean by the need for secure
protocols.
The Jericho Forum is also interested in updating its paper on Trust,
based on the stimulating presentations in our Architecting Trust track
in the Budapest APC.
Update-XDAS Project
In the absence of any members who are active in the Update-XDAS project,
Ian presented a summary of progress to date, pointing out:
- The project web site
- The apparently overlapping new standard (Common Event Expression, CEE)
being developed under the management of MITRE
- The extent of, and detailed proposals for, the planned updates to
XDAS, which include updates to the record format and to the taxonomy,
plus a number of additional detailed enhancements
A new draft incorporating the current list of updates is being prepared
now, and we anticipate having this new draft by the end of November, for
review by the project group and all members of the Security Forum.