The Open Group Conference, Munich
20th Enterprise Architecture Practitioners Conference
Highlights of the Plenary, Day 1 (Monday October 20)
The Open Group’s 20th Enterprise Architecture Practitioners
Conference began Monday, October 20 in Munich, Germany at the
ArabellaSheraton Grand Hotel München. The conference convened bright and
early in the hotel ballroom with a few hundred members gathered to discuss
the conference theme, "Secure Architectures". Tracks at the
conference this week were focused on delivering safe and secure enterprise
architectures and effective information security infrastructures that
match the increasing business demand for secure IT operations in an open,
globally networked world.
An Enterprise Architecture Survey was conducted by The Open Group
following each session. The results are available here.
Allen Brown, President & CEO, The Open Group, offered a hearty
welcome spoken in German to the members to start off the day’s sessions
on Secure Architecture. In his opening remarks, Allen conducted a brief
survey that revealed the majority of attendees for this week’s
conference had traveled from throughout Europe and the UK to attend. In
addition, approximately 77% of attendees came from Open Group member
organizations.
Following Allen’s opening remarks, the morning plenary sessions began
with a presentation by Gartner Research Director Carsten Casper
entitled "The Emergence of an Adaptive Security Infrastructure in a
Web 2.0 World". According to Carsten, information security has
traditionally been too reactive in nature. Today, security measures must
not only be proactive, but also adaptive in order to accommodate the
changing threats and needs that businesses are facing. Both vendors and
users can be blamed for the problem because both are trapped in antiquated
ways of approaching security. Today, IT infrastructures have too many
components that are becoming increasingly siloed within organizations and
are therefore difficult to control. Rather than focusing on an
"us" versus "them" mentality that attempts to
control "threats" from the outside, organizations should focus
on adapting their security infrastructure to include a layered, adaptive
approach. The ideal approach is one in which the security levels are
"learned", combining both new approaches, such as using
contextual behaviors, with legacy systems that learn to work together
(much like the human immune system) to fight off threats. Recommendations
for improved security include: looking forward to tomorrow’s threats
rather than focusing on yesterday’s; being more aggressive with vendors
to demand better solutions and products; and changing how risk is dealt
with by learning to manage it rather than unrealistically believing that
it is possible to completely eliminate risk.
In the next session, Aaldert Hofman, Security Architect at Capgemini,
presented on the topic of "Building the Trust Framework with
Multi-Level Trust Models". Aaldert defined trust as the result of a
decision to put at risk a specific asset (i.e., information) with a
specific principal, based on specific attributes. Given that trust will
always change over time, secure trust levels must be established initially
and adapted over time based on behavior. So, how does trust become
established in the first place? Building identity trust can be based on
specific credentials, the type of relationship between the parties
involved, the trustworthiness of the identity store, and, finally,
specific registration mechanisms and processes. Although defining trust
levels tends to be fairly easy, putting trust levels into practice is a
complex issue that requires business knowledge and input in order to
decide whether an entity is trusted to perform a specific action.
Multi-level trust models are recommended for managing trust levels, as
well as only allowing entities to perform actions if a trust level has
been established. In order to regulate trust, Aaldert recommended using
Trust Domains that contain common trust policies that are defined and
enforced by specific trust authorities.
The final morning session was presented by Steve Whitlock, Chief
Information Security Architect for Boeing. Creatively entitled
"Gemini Dream: Can the Twins Save Our Data?", Whitlock addressed
the issue of information risk. As defined by Steve, the "twin"
information issues are digital rights management and meta information
management. Providing a brief historical perspective on data protection
from hieroglyphs through the introduction of print to encryption and
computer automation, he asserted that information is now
becoming more valuable than physical objects, which in turn lays
information open to increased theft and also makes threats and breaches
difficult to detect. Because data is most at risk when it changes from
being at-rest to in-motion, the perimeters surrounding the information are
increasingly vulnerable. In order to address these vulnerabilities,
standards for both digital rights management and meta information should
be established. Recommendations included: beginning rights management with
protected private keys; creating rights management standards; and creating
meta-information models that support collaboration and that are stable,
scalable, and follow the workflow life cycle.
Afternoon sessions were divided into three separate tracks: Academia
& EA, EA Life Cycle, and Security.
In the EA Life Cycle track, Jason Uppal, Chief Architect, QRS,
hosted discussions and presentations centering on two major themes: (1)
how to create enterprise architecture that can be implemented; and (2) how
to engage other disciplines such as Portfolio Management, Project
Management, ITSM and Organization Effectiveness, and Change Management.
Jason Uppal spoke on how TOGAF creates a common vocabulary for all
disciplines to work together. He also addressed how to leverage deep
competencies within disciplines, such as Project Management driven by PMI
and Prince 2, ITSM with ITIL, and others.
Alex Schoijett from Rogers Communications shared his experience
on how Rogers defined enterprise architecture as part of business
transformation.
Kell G e Kvist from DONG Energy discussed his organization’s
experience in creating an enterprise architecture practice and how they
handled organization change management aspects as they worked to mature
their enterprise architecture practice.
Klaus Niemann from act! Consulting shared his experience on
building an enterprise architecture practice and how to leverage
enterprise architecture meta-data to create architectural views to
communicate architectural artifacts.
The session closed with a discussion about how important it
is for enterprise architecture practitioners to continue to discuss and
share what they learn among other disciplines. It was agreed that without
engaging other disciplines, enterprise architecture in practice will not
be a sustainable activity.
As part of the Academia & EA track, Eric Boulay, President
Directeur General & CEO of Arismore, moderated two panels that
addressed how universities and industry can work together to promote
enterprise architecture as a discipline. The discussion centered on
questions such as: Is EA a science, a way of doing business, or a
discipline? The group also discussed whether there is as much motivation
for sharing information and intellectual property within academia as there
is within corporations. In the second stream of this track entitled
"Round Table on Academic Organizations & The Open Group", Len
Fehskens, VP & Global Profession Lead, The Open Group, joined Eric
Boulay to further discuss how to foster enterprise architecture education
and training within university settings. According to Len, there is more
need for architects with business skills in the enterprise architecture
community than for architects who only have computing skills. A number of
questions were posed to the group regarding whether enterprise
architecture is something that can be taught in university settings.
Although universities may be able to provide education and theoretical
knowledge, there was consensus that in order to really become an
Enterprise Architect, candidates need both practical knowledge gained in
real-world professional situations and an innate proclivity for the
profession. Like medicine, training can be provided in university
settings, but the path to enterprise architecture takes years of
experience, desire, hard work, and an aptitude for the profession.
In the Security track, Sabine Buckl and Christian Schweda, both of
the Technische Universität München, Institut für Informatik,
addressed the issue of how well risk management is understood within
different contexts. Their presentation, entitled "Modeling and
Visualizing Enterprise-Wide Operational Risks", asked how enterprises
can manage regulation from both within and outside the enterprise while
still considering business continuity. Today risk management is often
isolated within silos in organizations, but what is needed is a more
iterative and holistic approach to risk management that includes four
steps: plan, do, check, act. One approach to better documentation and
communication within enterprises is to use software maps that visualize
both current and future landscapes to help in planning for risk management
processes. Metrics should also be used to help provide additional decision
support for managing application landscapes. Using the example of a case
study performed on an IT system at a Swiss Bank, Buckl and Schweda
determined that by combining metrics with visual definitions of both the
business process and business application levels, simulations can also be
used to provide better decision support for better risk management.