Member Newsletter

November/December 2004

Welcome to a new edition of The Open Group Member Newsletter! We hope it will be a valuable resource for our members, and a tool as useful as The Open Group website.

Please let us know if there is anything you would like to see in this newsletter, or on our website, by e-mailing us. We look forward to hearing your feedback.

In This Issue:
  • FEATURES
  • NEWS
  • CONFERENCES
  • EVENTS
  • THE WEB
  • OTHER
FEATURES

Bob Blakley, Chief Scientist, IBM Software Group, talks to The Open Group

Bob addresses current and future security concerns in information exchange, speaks about possible solutions, discusses the possibility of extending the use of security design patterns from technology into business, and shares his plans for his involvement in the Security Forum.

Q: From a practical point of view, and with the exception of viruses, what are the top security issues that electronic information exchange brings?

A: Viruses, of course, would be the number one concern. Number two would be confidentiality and privacy. If you are exchanging information that has any business sensitivity or privacy sensitivity, you have to consider that the communication can be intercepted on the wire, and also that the information might be stored at many different places along the way. For example, if you are sending an email, the message is stored at the various intermediate mail transfer agent servers. You either have to do something for protection or you have to understand what policies and protections the intermediate servers have in place.

The other problem that you might have to worry about if you are exchanging business information is the issue of timeliness. If you have anything that is time-critical, for example, a contract with a fixed deadline, you have to be careful about timely delivery of the information. In the e-mail context, you don’t exactly know how long the delivery of information will take: it depends on how much traffic there is, how the servers are feeling, and on the connectivity path. For session-oriented communications, when you are doing direct transfers, ftp, relay chat or something like that, you don’t have to worry so much about unpredictable latency, but you do have to worry about the machines themselves not being available. So, if you are getting ready to have some critical communication, you need to make sure that your infrastructure is capable of supporting availability, and that the services are online.

Q: How do you see this changing in the future?

A: In the near future, the most important change in person-to-person communication will be that more and more is going to be carried over IP networks: think voice over IP, streaming video for video conferencing, and other similar technologies. Moving all of those on an IP-based infrastructure aggregates risk. Today, risk to the IP routing backbone, for example, could disrupt email, web access and a number of other protocols. But it normally doesn’t cause a lot of disruption in television reception, in telecommunications over telephone, or in wireless communications to your handheld devices. If we move more and more of these services for even a part of their travel onto the IP backbone network, then suddenly any major outage in the IP network will create significantly more disruption than it does now. So we ought to think about either having parallel backbones for those services or building enough redundancy into the system to give us confidence that we are not going to get very wide-spread outages.

Q: So you don’t foresee any big problems with wireless …

A: We already have big problems with wireless! Wireless number spoofing already happens - it’s more difficult now than it used to be because the GSM standards are more difficult to hack than the old analog phones used to be, but you can still do that. It’s easier to do if you can get your hands on somebody’s chip, the SIM. But really the more serious concerns in the wireless environment right now are related to the security of the communication itself; being able to listen in on communications, for example. This is a particular problem for the 802.1X family of protocols. It is logistically difficult to intercept a targeted voice communication from a cell phone because you have to be close enough to the person with a handset, to be within transmission range of that handset. People are relatively mobile, they tend to move around. So listening in on a business executive’s cell phone conversations might require you to follow him with an antenna, which is hard. On the other hand, it is not difficult to listen around office buildings, they tend to stay in one place - so in the short term, the wireless technology is a much more serious concern than cell phone handset security. But that equation will change as more and more functions get aggregated on to the handset, and as more of the computing and text and data communications move from desktops to wireless handsets.

Q: We spoke about challenges to communications at present and in the future; what do you see as the biggest security challenge to The Open Group’s concept of Boundaryless Information Flow™?

A: The concept of Boundaryless Information Flow™ is itself the biggest security challenge. The reason the boundaries were there in the first place is to preserve organizational integrity and to make sure that information doesn’t get to people or organizations that are not supposed to have it. So the boundaries are fences, and the fences are designed to protect what is inside. Moving information freely across boundaries means that we are subjecting the information to types of risk that it has not been subjected to in the past. The reason that we didn’t subject it to those risks was largely that we didn’t know how to protect it against those risks. So, in order to achieve the goal of moving information around more freely, we are going to have to be more creative in developing appropriate security mechanisms to make that happen.

Q: How should we go about it? What would be your suggestion?

A: There are basically two approaches that hold out some promise. One of them is the approach that Phil Venables, CTO for Goldman Sachs, talks about under the title of ‘emptying security architecture’. Essentially, his argument is that security is going to become something like an emergent property of networks. So, when you put the components of networks together, the pool of the network and the characteristics of the information artifacts, which travel over the network, will be designed in such a way that either people will have incentives not to cheat or damage information, or it will essentially be impossible, or very, very difficult, to cheat in any way. That’s a plausible argument. We know about ways to design networks of autonomous entities with rules designed to make sure that people respect them - for economic reasons or other kinds of reasons. So that’s one possibility.

Possibility number two is that we’ll end up designing networks differently than we do today. Today networks consist mostly of a) networking hardware itself, which is typically what you think of as routers that are responsible almost exclusively for moving traffic; and b) very high function end points, which do processing and presentation and interact with units and all that sort of stuff. I think that networks will consist of three kinds of components instead of only two kinds. There will be a) the network infrastructure components, which are responsible for moving the traffic around; b) the high function end points for the clients and servers; and c) a set of dedicated special purpose security devices, which sit around the network, and without which the network itself would be unimaginable. Every time you design a network there would be a population of these things living in it and they would be doing security things.

Q: You co-authored a book on security design patterns that was recently published. Understanding your expertise in technology and security, do you think the security design patterns approach could be broadened from technology into business?

A: Yes, and we are already doing that at IBM. IBM has a set of business security patterns that were developed based on interviews of more than thirty of our largest enterprise customers. We examined what these customers were doing both functionally and in respect to protecting information, and we boiled it down to five business security patterns. That was an analytical exercise; we were essentially doing data mining on the customer set. We have subsequently used the business security patterns in a couple of customer occasions through IBM Global Services. I’ve been involved in some of those engagements and I’ve continued refining the business security patterns. So in the future I believe that we will publish them in some form; a more polished form than what exists today. I think that what we as an industry will naturally end up with is a set of business patterns and a set of architectural patterns at high level that refine them, which is more or less what we’ve been working on in The Open Group. Then we’ll also develop more detailed implementation patterns that will show people how to transform the architectural elements that they’ve selected into individual devices or product choices or code that they generate.

Q: You are an active member of The Open Group’s Security Forum. What are your future plans, on what do you want to focus your work within the Forum?

A: We want to continue to work on the security design patterns. The Open Group has recently published the first edition of the Security Design Patterns guide, and the book explicitly says that we anticipate that additional work will take place and revisions will be made in the light of experience. We have gone to the Design Patterns community and reviewed with them one set of our patterns - we learned a lot. We expect to revise not only the pattern that we reviewed but also some of the other ones based on that feedback. We plan to go to other pattern community conferences to review the other patterns. We are also aware that there are functional security areas that are not covered by the existing patterns catalog, and so we’ve got some more work to do there in terms of adding elements to the toolkit. So, Security Patterns is activity number one.

Activity number two that I am hoping to work on is along the lines of your earlier question: I would like to involve the Security Forum in working on architectures based on these special purpose security devices that we talked about earlier. We’ll have the first session on that topic and we will discuss with the membership if that is a project that they wish to take on.

Thank you very much.
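One way to make the intermediate-server point from the interview concrete, as an added example that is not part of the interview or of any Open Group publication: every mail transfer agent that accepts a message prepends its own Received: header, so walking those headers lists the servers that stored the message on the way and whether each hop claimed a TLS-protected connection. The sample message, hostnames and addresses below are constructed for the example; the TLS keywords are the "with" protocol names registered in RFC 3848 and RFC 6531.

```python
"""Walk the Received: trace headers of an e-mail to list the MTAs that
stored the message in transit and which hops claimed TLS.

Added example; the message below is constructed for illustration and the
hostnames/addresses are documentation values, not real servers.
"""
import email
import re

# Constructed sample: three hops, oldest at the bottom (each receiving MTA
# prepends its own Received: line, so the newest hop is listed first).
SAMPLE_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby mail.example.org with ESMTPS id abc123
\tfor <bob@example.org>; Mon, 15 Nov 2004 10:03:12 +0000
Received: from relay.example.com (relay.example.com [198.51.100.5])
\tby mx2.example.net with ESMTP id def456;
\tMon, 15 Nov 2004 10:02:58 +0000
Received: from alice-pc.example.com (alice-pc.example.com [203.0.113.7])
\tby relay.example.com with ESMTPSA id ghi789;
\tMon, 15 Nov 2004 10:02:40 +0000
From: alice@example.com
To: bob@example.org
Subject: Contract draft
Message-ID: <1@example.com>

Attached is the draft.
"""

# "with" protocol keywords that denote a TLS-protected hop (RFC 3848, RFC 6531).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

_FROM = re.compile(r"\bfrom\s+(\S+)")
_BY = re.compile(r"\bby\s+(\S+)")
_WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)")


def parse_received_chain(raw_message: str) -> list[dict]:
    """Return the hops oldest-first. Each hop records the sending host
    ("from"), the receiving MTA that stored the message ("by"), the
    protocol keyword and whether that keyword indicates TLS."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Reverse so the list reads in the order the message actually travelled.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold the header onto one line
        frm = _FROM.search(flat)
        by = _BY.search(flat)
        with_kw = _WITH.search(flat)
        keyword = with_kw.group(1).upper() if with_kw else None
        hops.append({
            "from": frm.group(1) if frm else None,
            "by": by.group(1) if by else None,
            "with": keyword,
            "tls": keyword in TLS_KEYWORDS,
            "date": flat.rsplit(";", 1)[-1].strip() if ";" in flat else None,
        })
    return hops


def unprotected_hops(hops: list[dict]) -> list[str]:
    """Receiving MTAs that accepted the message without a TLS keyword,
    i.e. where the preceding network leg was (per the header) cleartext."""
    return [h["by"] for h in hops if not h["tls"] and h["by"]]


if __name__ == "__main__":
    chain = parse_received_chain(SAMPLE_MESSAGE)
    for hop in chain:
        print(f'{hop["from"]} -> {hop["by"]} via {hop["with"]} '
              f'(TLS: {hop["tls"]}) at {hop["date"]}')
    # Caveat: each Received: line is written by the receiving server, so any
    # hop earlier than the servers you control could have been forged by an
    # upstream MTA; treat those entries as claims, not evidence.
    print("Cleartext legs into:", unprotected_hops(chain))
```

Two caveats a practitioner should keep in mind. First, a Received: line is written by the server that accepted the message, so only the lines added by servers you operate or trust are reliable; anything earlier can be forged by an upstream MTA. Second, a TLS keyword only covers the wire between two hops; it says nothing about how long each "by" server kept the message on disk or who could read it there, which is exactly why end-to-end protection of the content is the alternative to auditing every intermediate server's policy.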



The Forgotten IPR?

By Steve Nunn, The Open Group’s COO and Legal Counsel


Over the last year or so, one of the key talking points in the world of consortia and standards has been the relationship between standards and intellectual property rights (IPR). There have been Congressional Hearings, Department of Justice / Federal Trade Commission enquiries, widespread press coverage, and even litigation. Much of this has centered on patents; specifically, the appropriateness or otherwise of consortia IPR policies allowing a patent owner to retain licensing rights to those patents where those patents are relevant to a standard/specification. That issue has proven to be highly controversial, with points of view and perspectives often being quite polarized. However, you’ll hopefully be pleased to hear that patents and their role in standards is not the principal subject of this piece – although if you would like a follow-up article on that subject, let me know and I will happily oblige!

This contribution is about a different intellectual property right. One that I, personally, feel has been somewhat overlooked in the furor about patents. One that is, and has always been, fundamental to the successful adoption of open standards. I am referring to copyright.

First, a very short introduction to copyright – with apologies to those of you who are already experts. Copyright is the legal right obtained by the creator of a “work” – typically, in our context, a written report, training materials, a line of software code, operator manuals or other documentation and, of course, specifications/standards. The creator of this “work” will be the legal owner, although this right can be assigned (transferred) to another party – often the creator’s employing organization.

Copyright provides the owner of the copyright work with the exclusive right to (among other things) publish, reproduce and distribute that work. This explains its importance to consortia and standards bodies, which will obviously need to have appropriate rights in the output of their organizations – i.e. their specifications and/or standards. This is why, for example, in all specifications published by The Open Group, it is The Open Group which owns the copyright. Owning the copyright provides the consortium with the right to not just permit, but to encourage the widespread take-up of our specifications. We publish our specifications and guides on our website, and anyone is free to download them and use them – without the need to seek permission from all the different member organizations who had contributed to the specifications and guides.

Copyright ownership in our specifications also enables us to control the reproduction of all or part of our specifications, so as to ensure that there is no confusion as to what the genuine, consensus-based specification really is. This does not mean that we constrain unduly the reproduction of parts of our specifications; it just means that we can ensure that this is done in a way that will not mislead would-be implementers of the specs. In fact, we are often asked for permission to reproduce parts of our specifications in, for example, books and training materials, or to reference a whole specification in a standard being adopted by another consortium. Our approach to this is always to grant permission, provided that the requested use is not detrimental to the specification in question, and provided that The Open Group is acknowledged as the original source of the genuine specification or guide. This is standard practice in the standards world, and allows us to achieve the double purpose of encouraging the adoption of the work that our members produce – thus helping us towards achieving our vision of Boundaryless Information Flow™ - whilst, at the same time, protecting the integrity of that work, and ensuring that appropriate acknowledgement of the source material is given.

Another highly topical area in which copyright has, over the last few years, gone largely unnoticed is in the Open Source arena. It is a fairly widespread misconception that there are no controls imposed over the use of Open Source software. As members of The Open Group I am sure that most of you will already know that that is simply not the case. However, had you realized that at the very foundation of Open Source licensing is copyright? It is not surprising that all of the approved Open Source licenses include the grant of a copyright license – not to do so would be fundamentally incompatible with the whole concept of Open Source. Less obvious, perhaps, is the fact that even the most basic and least restrictive of approved Open Source licenses contain a requirement to preserve and reproduce a copyright statement. As with standards and specifications, this is the Open Source developer’s vehicle for protecting the integrity of his or her code, and ensuring that this code is used in accordance with Open Source principles.

So, although the next time that you read about IPR in standards it is likely to be about the merits or evils of patents (depending on which side of the fence you sit), please spare a thought for the unsung hero of intellectual property rights – copyright.

For more information, please contact Steve Nunn at: s.nunn@opengroup.org



NEWS



Certification News

TOGAF Certification News

We are very pleased to announce three new TOGAF 8 certifications. The following individuals have been registered under the TOGAF 8 Certified Product Standard, bringing the number of TOGAF 8 certified individuals to 166:
  • Krish Ayyar (Maples ESM Technologies (Aust) P/L)
  • Vish Viswanathan (CCANDC Solutions Pty Ltd)
  • Vladimir Zawalinski (IT Infrastructure Services Pty Ltd)

The full register is online at: http://www.opengroup.org/togaf/cert/register.html

LSB Certification News

We are pleased to announce that:
  • SUSE LINUX AG has registered SUSE LINUX 9.2 as conforming to the LSB Runtime Environment for IA32 version 2.0 product standard.
  • National University of Defense Technology (NUDT) has registered kylin 1.0 as conforming to the LSB Runtime Environment for IA32 version 1.3 product standard.
To see the Conformance Statements, please refer to the latest official list of LSB registered products at: http://www.opengroup.org/lsb/cert/register.html

For more information on the Free Standards Group Certification program, please refer to http://www.freestandards.org/certification/

SIF Certification News

We are pleased to announce that the following products have been registered:
  • Notification Technologies, Inc. - Connect-ED™ 1.0 with NTISIF 1.0 as conforming to the SIF-enabled Application Product Standard 1.0
  • SunGard Pentamation - PLUS Series 5.x with SunGard Pentamation SIF Agent 1.5 as conforming to the SIF-enabled Application Product Standard 1.5
To view all current SIF certifications and Conformance Statements, please see the SIF Certification Register at http://www.opengroup.org/sif/cert/register.html

For more information on the SIF certification, please refer to: http://www.opengroup.org/sif/cert

UNIX Certification News
  • We are very pleased to announce that IBM has registered the following as conforming to the UNIX 95 Product Standard: z/OS V1R2 or later with Security Server and z/OS V1R2 or later C/C++ Compiler, on IBM zSeries processors that support z/OS Version 1 Release 2 or later.

To read the Conformance Statements and the latest official list of registered products, please refer to: http://www.opengroup.org/csq/



A new certification level added to LDAP Certified program

The Open Group's Directory Interoperability Forum announced the addition of a new STANDARD level to the LDAP Certified program, a certification program for servers of the Lightweight Directory Access Protocol. The new STANDARD level expands the existing BASE level and adds additional features that are widely supported by LDAP servers.

Read more: http://www.opengroup.org/directory/



Update to TETware now available

We're pleased to announce the availability of Patch A to TETware 3.7, the supported version of the Test Environment Toolkit, and a new release of the Open Source version, TET3.6b-lite. This latest update includes a number of minor bugfixes, and the addition of platform support for Mac OS X.

The Open Source version is available at http://tetworks.opengroup.org/tet/

Support subscribers can download the software from the Support Login pages at the same site.



OpenPegasus 2.4 version released

The OpenPegasus project is pleased to announce the availability of Release 2.4 of its open source implementation of the DMTF CIM/WBEM standards. For the first time both source and binary RPMs are available for selected Linux distributions, and can be downloaded at: http://www.openpegasus.org/pr

Snapshots of the source can be downloaded at: http://www.openpegasus.org/page.tpl?ggid=392



Spotlight on Recent Publications - Manager’s Guide: Introduction to Security Design Patterns

The Open Group's Manager’s Guide: Introduction to Security Design Patterns is now available from the on-line bookstore. The document introduces the pattern-based security design methodology and its approach to software architecture, explains how patterns are created and documented and how to use them to design security into a system, and describes The Open Group’s system of security design patterns.

Download the document: http://www.opengroup.org/bookstore/catalog/g044.htm



CONFERENCES

Upcoming Conference - Boundaryless Information Flow™: Architecting Identity Management

The January 24-28, 2005 conference will take place at the Hyatt at Fisherman’s Wharf in San Francisco, CA, USA.

The event will spotlight the progress made on enabling interoperable identity management solutions, and introduce key concepts of architecting identity management including trust, identity management and authentication; provisioning; permissions management and authorization; and directories and their roles. It will discuss the business value of identity management, the most effective measures for cost/benefit assessment, limiting legal liability, and how to make informed decisions.

  • Keynote Address: Jamie Lewis, CEO & Research Chair, Burton Group
Confirmed speakers include:
  • Dr. Gene Schultz, Principal Engineer, Lawrence Berkeley National Laboratory
  • Justin Taylor, Chief Strategist, Digital Identity, Office of the CTO, Novell Inc.
  • Steve Neville, Senior Manager, Identity Management, Entrust
Read more: http://www.opengroup.org/san-francisco2005/



Look ahead to Dublin in April 2005: Enterprise ArchITecture Europe 2005

The Dublin conference will address some of the hottest topics in enterprise architecture - both from strategic and implementation points of view, suitable for both corporate strategists and architecture practitioners.

What you will experience:
  • Presentations on the practice and profession of enterprise architecture
  • Highly practical workshops on the relationships of enterprise architecture to technology, to business transformation, and to ROI
  • Study of enterprise architecture development, its integration and necessary infrastructure support
  • Hands-on workshop on how to set up and run an Enterprise Architecture practice
  • Review of in-depth case studies



EVENTS

Industry Events Calendar

Events of The Open Group

Boundaryless Information Flow™: Architecting Identity Management
January 24-28, 2005
San Francisco, USA
http://www.opengroup.org/events/q105/

Enterprise ArchITecture Europe 2005
April 25-29, 2005
Dublin, Ireland
http://www.opengroup.org/events

Enterprise ArchITecture 2005
July 18-22, 2005
New York, USA
http://www.opengroup.org/events

Open Source and Standards Summit
October 17-21, 2005
Brussels, Belgium
http://www.opengroup.org/events

Other Industry Events

InfoSec World™ 2005
April 4-6, 2005
Coronado Springs Resort
Orlando, FL
http://www.misti.com/VirtProgISW/program.asp

Digital ID World Conference 2005
May 10-13, 2005
Hyatt Regency Embarcadero
San Francisco, CA
http://conference.digitalidworld.com/2005/index.php

TeleManagement World
May 16-19, 2005
Acropolis Convention Center
Nice, France
http://www.tmforum.org/browse.asp?catID=2194

Catalyst Conference North America 2005
July 13-15, 2005
Manchester Grand Hyatt
San Diego, CA
https://www.burtongroup.com/catalyst/



THE WEB

Top Downloads from the Web

Top 10 publications downloads in October 2004

  • The Single UNIX Specification, Version 3
  • TOGAF, Version 8 'Enterprise Edition'
  • Security Design Patterns
  • X/Open Single Sign-On Service (XSSO) - Pluggable Authentication
  • Distributed TP: The XA Specification
  • DCE 1.1: Remote Procedure Call
  • Single UNIX Specification, Version 2 - 6 Vol. Set for UNIX 98 Hardcopy
  • Identity Management
  • UNIX 03
  • Common Security: CDSA and CSSM, Version 2 (with corrigenda)

Top 10 page views in October 2004

  • The Open Group home
  • The Open Brand – Register of Certified Products: IBM Corporation - UNIX
  • The Base Specifications, Issue 6
  • Open Motif home
  • The Single UNIX® Specification, Version 2: Keyword search page
  • A-Z Index
  • CDE home
  • Contacts
  • TOGAF 8 welcome page
  • Open Motif Downloads


OTHER

Final Thoughts...

Please let us know if there are other subjects you would like to see covered in this newsletter, if you have any comments on any story or article in the newsletter, or to send letters to the editor for possible publication in the future.

You can contact us at memnews-feedback@opengroup.org . We look forward to hearing from you, and will see you next month.
