Allen Brown, President & CEO, The Open Group, gave opening
remarks – touching on The Open Group’s history with security dating
back to the 1980s. In particular, Allen highlighted the work of The Open
Group Security Forum, which has been focusing on industry security
concerns for a number of years, supporting The Open Group’s vision of
Boundaryless Information Flow™.
Delivering the keynote was Stephen T. Whitlock, Chief Security
Architect, Information Security, The Boeing Company. Stephen has
also been a leader within the Security Forum since its inception in the
mid-1990s. His presentation, "Striking at the Root", covered
new approaches to infrastructure for secure computing. Specifically, he
identified several key issues within today's enterprise – namely,
shifts in value, employee and non-employee populations who are granted
access to an organization's systems, the definition of principles, a
proliferation of global regulations, and technology gaps, among others. He
then presented a snapshot of where The Boeing Company is going when it
comes to security – pointing out future infrastructure security
services and the information-centric future of access control. He also
shared an industry security technology scorecard, broken down by
information protection services, privilege management infrastructure,
and infrastructure protection services. He also shared "Whitlock's
Laws for Access", namely, access laws that are policy-driven,
automated, disintermediated, standardized, and integrated.
Andras Szakal, Distinguished Engineer, Software Group at IBM,
then spoke about the need for developing architectural capabilities to
design secure systems in a rapidly changing world. Highlights included
IT challenges and market drivers, global security challenges, and
awareness and operational security challenges, among others. He also
spoke about the fact that IT product assurance is directly linked to
supplier assurance – and that, without a secure supply chain, an
organization's reputation is quickly put at risk. Supply chain
security challenges can also escalate customer safety concerns and the
potential for revenue loss; Andras illustrated this position with
recent examples: Mattel's toy recall, the misperception
that Lenovo provided less secure products than its predecessor, and
Starbucks' focus on guarding its supply chain from narcotics trafficking. He
also asserted that the hacking community has "grown up",
evolving to target individuals and governments alike, and discussed the
growing security community, the security lexicon, and a variety of
attack vectors.
The Open Group then took the opportunity to announce
the formation of a new franchise in France to be spearheaded by Eric
Boulay, Président Directeur Général, Arismore.
Allen Brown introduced Eric, who then discussed the opportunities to
share The Open Group’s vision of Boundaryless Information Flow™ with
the French community. For more information on this new franchise, please
visit The Open Group website.
Later in the afternoon, The Open Group also formally welcomed and
introduced Chris Woods of HSBC, the third-largest bank in the
world, and announced HSBC's new platinum membership status within The
Open Group.
Following this, Stephen Farrell, Research Fellow & Lecturer at
Trinity College Dublin, Ireland, educated the audience on
security boundaries and surfaces. Specifically, he spoke on side
channels, virtualization, and host security – including the once
common assumption that, when attempting to secure a network, the end
systems were "secure" – and on software updates, or what is actually
(supposed to be) running on a particular box. Stephen commented that,
even with excellent, controlled software updates, there are still
potential side-effects, and he used a Skype incident as an example. He
also discussed the security boundary when dealing with "middleboxes,"
and protocol oddities including UDP-Lite and delay- and
disruption-tolerant networking (DTN), which aims to ensure that data
flows even if there is never any end-to-end connection. Stephen also
reminded the audience that DTN works when the Transmission Control
Protocol (TCP) breaks. He also touched on how security boundaries become
much more broadly used in a Web 2.0 environment or organization, and
discussed a number of specific Web 2.0 security issues including malware
distribution via server compromise, JavaScript vulnerabilities, and the
security of "mashups".
Allen Brown and Phil Stauskas, Distinguished Engineer &
Worldwide IT Specialist Profession Executive at IBM, provided the
audience with an overview of the recently announced IT Specialist
Certification (ITSC) program. Phil also discussed the importance of
consistency within the IT Specialist profession – especially when it
comes to IT implementations – and how this certification program will
ensure that those certified can not only write code, but also
possess appropriate professional skills, such as communication.
Kicking off the afternoon’s plenary was Merike Kaeo, Consultant,
Double Shot Security and IPv6 Forum Fellow. Merike spoke in detail
about new networking paradigms for Internet Protocol version 6 (IPv6)
architectures. She highlighted fundamental issues including
understanding the term "securing the network"; designing
security into IPv6 networks that do not blindly mimic the current IPv4
(the current system of distributing IP addresses) architectures; putting
thought into security policies; and understanding that security policies
will dictate which security measures to implement. She also discussed a
sample IPv6 architecture, as well as architecture considerations
including addressing/naming, native routing versus tunnels,
management, and security. Merike also delved into SeND (Secure Neighbor
Discovery) and how it protects against spoofed messages, neighbor
unreachability detection failure, duplicate address detection attacks, as
well as DoS, router solicitation and advertisement, replay, and
neighbor discovery DoS attacks.
Adrian Seccombe, CISO & Senior Enterprise Architect at Eli Lilly,
then discussed the evolution from reactive information security to
integrated information security. Homing in on three key questions,
Adrian addressed what is driving the change of traditional information
security towards more integrated information quality management systems;
if there are any signposts that can help point the way from history,
nature, or other industries; and given these pointers, how people should
respond to this changing environment. He also identified a series of
change drivers such as radicalizations and changing tensions. Adrian
also highlighted some pointers, using historical examples such as the
Great Wall of China, and also examples of leading indicators found in
the banking, pharmaceutical, and petroleum industries. Responses to
those questions included a discussion of standards and architecture,
teamwork, and a desired future information quality state.
Guy Bunker, Chief Scientist at Symantec, discussed the
ever-evolving role of the Security Architect – but, first, he
highlighted the evolution of security by illustrating the proliferation
of systems and their associated risks, such as fax machines, copiers,
and discarded CPUs. Also discussing the risks associated with data,
especially as it is now decentralized, unstructured, and essentially
everywhere, Guy went on to provide statistics associated with at-risk
data. For example, around six million laptops per year are lost, and
mobile devices are 22 times more likely to be lost. He also emphasized
that information is the business and that it is essential to protect
this information. He summed up the presentation by outlining new
required skills for security architects, including understanding the
business, business functions, legal aspects, financial aspects,
implications of decisions, consequences of no decision, and the impact
of new technology. Contrary to popular belief, "Ignorance is
Not Bliss" in the world of security.
Carl Ellison, Architect for Microsoft Windows, presented on
ceremony flaws in otherwise secure protocols: "Ceremony Design and
Analysis". The term "ceremony" was defined and
broken down, along with several examples, illustrated with a sample
ceremony diagram, of how root keys are able to infiltrate. He also
deconstructed common email messages – and showed how easy it is for an
attacker to send emails impersonating another person. He also discussed
how to create a secure UI design and, illustrating the typical UI design
process, reminded the audience that typical UI designers tend to
concentrate on beauty and special effects, and that protocol designers,
system programmers, and, especially, cryptographers tend to be very poor
UI designers. For ceremonies, however, UI must be part of the design and
analysis. As a result, an interdisciplinary team for UI is a
requirement. He also delved into the characteristics of ceremonies, the
need for meaningful IDs, and recommendations for better ceremony
designs.
Chris Forde, VP Technology Integrator at American Express & Chair
of The Open Group Architecture Forum, then discussed the latest
Architecture Forum work. Chris also gave an example of the benefits of
membership and involvement in this forum; in particular with American
Express’ identification of best practices that were used by other Open
Group member companies, and the value this provided his organization. He
also gave conference attendees a glimpse into the Architecture Forum’s
work on updating the current architecture framework specification and a
snapshot of their focus in 2008. He also called for white papers from
The Open Group members on the best way to implement a secure
architecture. His comments also reiterated the important point that
security is an integral part of the architecture process – and should
not be treated as an afterthought, but be made a priority.
Day 1 of The Open Group Architecture Practitioners Conference wrapped
up with closing remarks from Lauren States, Vice President, Client
Value Initiative at IBM, who discussed how many companies are
focused on meeting business growth needs, and how certification
is a critical component of the further development of multi-disciplinary
individuals as well as an inherent component of meeting an
organization's growth goals. People are part of the value proposition
in transforming the business – regardless of what the business is –
and secure architectures must be driven by the business needs.