Welcome
The Open Group meeting hosts welcomed attendees to this Security Forum meeting in Hong Kong:
- Jim Hietala, VP Security
- Ian Dobson, Director, Security and Jericho Forums
- Joe Bergmann, Director, Real-Time & Embedded Systems Forum
Review of Malware Industry & Threat Landscape in China
In a follow-up to his presentation in the Security Track of the Plenary,
guest speaker Wei Zhao (CTO, Known Security) gave attendees an online
guided tour of the main malware web sites currently operating in China,
demonstrating how they operate and how Known Security detects and raises
alerts on the threats that these sites and their operators pose to the
rapidly growing number of Internet users in China. Much of the guided
tour involved visits to his company's privileged-access web sites.
Ian Dobson gave a presentation
explaining the origins, achievements, current activities, and future
plans of members of the Jericho Forum.
Jim Hietala then gave a presentation
on the Security Forum, covering similar ground.
Joe Bergmann then followed with an in-depth presentation
on the current focus of development work in High Assurance and Multiple
Independent Levels of Security (MILS) that is underway in the Real-Time
and Embedded Systems Forum.
Digital Access Management (DAM)
Security Forum Vice-Chair Stephen Whitlock (Boeing) gave a presentation
on the value of information, how it can be stolen with relative ease
unless it is properly protected, what protection methods exist, why
rights management is the direction he believes we need to follow, and
how this can be achieved through developing a rights management standard
along with a standard defining meta-information for access control and
information descriptors. His conclusions are that we need to:
- Develop DAM standards that include an Information Container, Programming
Interfaces, and Rights Management Protocols
- Create an enterprise-to-enterprise information meta-model that is
usable and scalable, supports business collaboration, and follows a
complete information workflow lifecycle
Secure Cloud Computing
Ian Dobson gave a presentation on the Jericho Forum's approach to
securing Cloud Computing, including why its members consider this a
high-value area to make secure for business collaborations, and
describing the Cloud Cube Model, which explains the different security
considerations that apply to different types of Cloud Computing. Jericho
Forum members have contributed to the Cloud Security Alliance's working
groups, which are developing a CSA Guide Version 2 due to be published
before the end of 2009.
Jim Hietala then gave a presentation explaining The Open Group members'
interest in Cloud Computing, the coverage of this topic in our
Conferences in April and July 2009, The Open Group Board's Cloud Strategy
paper, and the formation in July 2009 of The Open Group Cloud Computing
Working Group (CCWG), which is now being consolidated into a focused
program of work. Members of the CCWG have also made informal
contributions to the Cloud Security Alliance's working groups.
Ian Dobson gave a presentation describing the objectives of a Security
Forum project that aims to explain the basic information security measures
that users of IT systems with no professionally trained security
specialists – particularly small and medium business enterprises – can
apply to set up their IT systems in ways that make them acceptably secure
for business collaborations with larger enterprises, and so make them more
acceptable as business partners.
Governance, Risk, Compliance, and Audit (GRCA)
Jim Hietala gave a presentation reviewing current Security Forum work
activities in these areas. He listed the main challenges in each area,
then explained our projects addressing:
- Risk Management – publication of our Risk Taxonomy standard and our
Risk Assessment Methodologies Guide, and our forthcoming Risk Assessment
Cookbook covering all methodologies
- Compliance – our Automated Compliance Expert standard, which uses an
XML-based mark-up language (ACEML) to express compliance requirements
for systems and then monitors each system, raising an alert for any item
that drifts outside the required compliance
- Audit – our update to our earlier Open Group Audit & Logging (XDAS)
publication; this update will provide a standard event format and make
audit records more descriptive and easier to consume; we are also working
with MITRE on the development of their Common Event Expression (CEE)
project, our aim being to align XDAS with, and complement, CEE