Jericho Forum
Members Meeting

May 23rd, 2008
hosted by HSBC, Canary Wharf, London, UK

Report for Public review

Actions Summary

Action 0805-6: Ian to invite ALL Members to review the outcomes from the May 23rd meeting on 
- Mapping position papers to COA structure, noting gaps
- COA Process - People Lifecycle Management
- COA Service - Identity Management & Federation
- COA Technology - Endpoint Security
- COA Process - Device Lifecycle Management
and invite members feedback and offers to contribute to writing missing position papers and expand descriptions in all these areas

Discussion

Mapping Position Papers to COA Structure

This discussion structured our existing position papers to reflect their contributions to COA, and added titles we need to develop new papers (in red) for gaps in our coverage of requirements and definitions:

• Principles
  • Commandments v 1.2 (Design Principles, measures for Jericho Forum blueprint)
  • Collaboration Oriented Architectures
  • Business Case for De-perimeterisation
  • Architectures for de-perimeterisation
• Technologies
  • Endpoint Security
  • Secure Communication
    • Secure Protocols
      • Wireless
      • Voice over IP
      • Internet Filtering and Reporting
    • Mobile Management
  • Secure Data
    • Enterprise Information Control and Protection (DRM)
• Processes
  • People Lifecycle Management
  • Risk Management
  • Information Lifecycle Management - Data/Information Management
  • Device Lifecycle Management
  • Enterprise Lifecycle Management
• Services
  • Identity Management and Federation - Federated Identity
  • Policy Management
    • Privacy
  • Information Classification
  • Information Asset Management
  • IT Audit
  • Trust & Co-operation (not in list in COA paper?)

COA Process - People Lifecycle Management

• Process – People Lifecycle Management
  • Primary source reference – proposed as ITIL ISO 2/002 (Section 8?)
  • Key issues for COA
    • Choice – federate or manage direct
    • Data master? (within the organisation)
    • Integrate with national identity scheme
    • Need to manage post employment (e.g. pensions, share schemes)
    • Vetting
    • Unused IDs – re-use
    • Lockout … re-authorisation

COA Service - Identity Management & Federation

• Services  – IdM and Federation
  • Access management – physical & logical)
  • Roles + facets + persona
  • Person in “one place” – employee vs. customer vs. segregation of duties (multiple roles)
  • Person working in multiple roles: 
    • is this just federation?
    • How do you detect duplicates? (same person in multiple roles)
  • Trust vs. contract vs. federated identity
  • Ability to register with a common ID (Open ID)
  • Ability to match and register IDs

COA Technology - Endpoint Security

• Endpoint Security – validation issues
  • What triggers checking?
    • Able to connect?
    • Fit to connect?
  • Engineer it out
  • Need to be risk-based
    • Fit to gain access
    • Fit to gain different levels of access
    • Location
    • Patch status
    • Operating system status
    • Safe to hold data
    • Safe to communicate
  • Ability to communicate status (including risk profile)

COA Process - Device Lifecycle Management

• Device Lifecycle Management
  • Need for consistent intranet/extranet/Internet
  • Provision: fixes, suitable software, patches
  • On-boarding – registration
  • Off-boarding
  • Recovery of data, & key repudiation
  • Need to federate devices, & applications/services
  • Endpoint Security configuration management
    • Out of patch --> change personal firewall (lockout)

Priorities for Future Development

Process Lifecycle Management issues are identified above

Identity Management & Federation issues covered above

Endpoint Security issues are addressed above

Device Lifecycle Management issues are identified above

Information Management is a huge topic, involving consideration of many issues including 

• secure DRM
• Information Lifecycle Management
• Information Classification
• Information Asset Management 

so we agreed to dedicate a whole day workshop to it. 

We will address: 

• Enterprise Lifecycle Management
• Policy management
• Trust Architecture

in our Members Meeting on July 11th.

Summary

The key intended outcomes of the meeting were achieved. Members present:

• shaped all our existing position papers and concepts into the top-level structure described in our Collaborative Oriented Architecture (COA)
• identified key characteristics for each of COA's main components, and a plan for delivering these
• set the core agenda for our next members meeting (July 11th) - Enterprise Lifecycle Management, Policy management, Trust Architecture
• agreed a further 1-day members workshop in September to address the complex issues involved in Information Management.