The Open Group Conference San Diego 2011 began on Monday, February 7 at the Marriott San Diego Mission Valley. The conference gathered to discuss themes along three primary tracks:
- Architecting cybersecurity
- Enterprise architecture and business transformation
- The business and financial impact of Cloud Computing
The theme for Day One was cybersecurity — a theme that created a huge amount of debate and discussion. Plenary session presentations in the morning brought together some of the thought leaders in Cybersecurity to broadly explore trust, frameworks, and their impact upon the security of critical infrastructure systems.
DHS Cyber Security Standards
Bruce W. McConnell, Cybersecurity Counselor, National Protection and Programs Directorate (NPPD), US Department of Homeland Security
Following a brief introduction from Allen Brown, President and CEO, The Open Group, Bruce addressed the conference.
The Department of Homeland Security (DHS) protects the federal executive branch, and works with critical infrastructure to help them better protect themselves (gas, oil, electricity, telecom, etc.). DHS is currently working on a cybersecurity awareness campaign. Last year, DHS launched the “Stop, Think, Connect” campaign, which is directed at teens, young adults, and parents of teens. With increased awareness, DHS believes that the threat of cybersecurity attacks will be lessened.
Bruce mentioned that President Obama spoke on the importance of private sector innovation this morning. He also stated that cyberspace is a new domain that is vital to our way of life; therefore, it needs to be made more secure. Of course government must play an important role in this process, but since cybersecurity is a civilian space, no one actor can secure it alone. Given the global market of cyberspace, Bruce argued that the US should continue to lead the security effort working together with consumers to achieve security. He then went on to suggest that an open broad interoperability regime online would be able to validate attributes for online systems, but also emphasized that anonymity must be preserved.
He concluded his keynote by speaking about a future White Paper on the health of the cyber ecosystem, which will be based on the premise of a more secure cyberspace where participants can work together in real time to work against attacks. This cyber ecosystem would require automation, authentication, and interoperability, enabling participating devices at any edge of a network to communicate with each other by policy established by the system owner. The ultimate purpose of the White Paper is to encourage discussion and participation in an ecosystem that is more secure.
Holes in the Whole: Crafting Security for the Pervasive Web
James A. Stikeleather, Chief Innovation Officer, Dell
James, Chief Innovation Officer at Dell Services, gave an engrossing talk on the future of security. The consequences of the web’s evolution are actually a co-evolution, he said, wherein people are becoming more co-dependent on technology and we are restructuring how we see data (augmented reality), while technology is becoming contextual, dependent on who is making the request, how and when they are making it, and what their intentions are in making it.
In such a fluid environment trust is essential, but can there realistically be trust? We have created an untrustworthy environment, he said, and the tipping point will be smart phones in the enterprise. This technology in particular is creating greater cracks in a complex environment that exhibits a model that is destined to ultimately fail. Additionally, government and enterprise can’t agree on what the world should look like from a security perspective due to differing cultural concepts in cyberspace. What’s needed is a “Law of the Commons”: We’ve created rules for shared international usage of the world’s oceans and for outer space, and cyberspace should be no different.
At the end of the day, everything is an economic survival issue, James said. The real value of the web has been network effects. If we were to lose trust in privacy and security, we would lose the currency of that global network exchange and the associated economic model, which in turn could actually mean the collapse of the global economy, he said. And a catastrophic event is likely to happen, he predicted. What will the world without trust look like? A Feudal Cyber World: white lists, locked clients, fixed communication routes, locked and bound desktops, limited transactions, pre-established trading partners, information hoarders, towers of Babel.
We have a unique opportunity with Cloud to get it right early and put thought into what the underlying structure of Cloud needs to look like, and how to conduct the contextual nature of evolving technology. Meantime, people should own the right to their own identity and control their information; and we need to secure data by protecting it within content.
An Introduction to Trusted Software Development
Dr. Ben Calloni, Lockheed Martin Fellow, Software Security, Lockheed Martin Corporation
Ben began the plenary discussing the importance of security. He stated that given human nature’s tendency to use technology to engineer ways to make our life easier, better, more functional, etc., we increase the risk by increasing exposure. Drawing a comparison to a Ford Pinto, he stated that if organizations can purely focus on security, their probability of success would increase exponentially. However, when we add functionalities where focus will be more distributed, security will decrease as the attack surface increases.
He outlined key questions that each organization should ask when determining security:
- Who has access?
- What are the criteria for gaining access/clearance?
- Who has controls?
- What function is most important? Is being balanced key?
- What type of security do you need?
Security is expensive, so the need to reduce an organization’s attack surface is critical when establishing a security policy. In order to build a security policy that will protect your organization, he argued that you must be able to look at what areas or parts of your system/network are available for an assailant to compromise. Five key areas that must be looked at include:
- Vulnerability – a weakness only counts if an attacker is able to access it.
- Threats – any potential hazard of harm to the data, systems, or environment by leveraging a vulnerability; an individual taking advantage of a vulnerability.
- Risk – the probability of the threats using the vulnerabilities; higher risks come with more vulnerabilities and increased threats.
- Exposure – the damage done through a threat taking advantage of a vulnerability.
- Countermeasures – processes and standards that are used to combat and mitigate the risks.
Ben concluded by stating that organizations need to look at the broader cycle of how a threat agent can give rise to a threat, urging organizations to properly build in security, instead of relying on “bolt-ons”.
Following the plenary sessions, attendees had the opportunity to attend track sessions. Tracks focused on:
- EA in Practice
- EA as a Business Discipline
- Business Architecture
- Complex Cloud Environments
- Service-Oriented Architecture
Infosys 2010 Annual EA Survey Findings and Comparisons
Nicholas Hill, Principal Enterprise Architect, Infosys Technologies, US
Nicholas began the session by reviewing the findings from the Fifth Annual Infosys Technologies Enterprise Architecture Survey. The final survey will be published on March 1, 2011 via the Infosys website. Survey responses came from organizations of all sizes, with a majority of the responses coming from North America. This year, the survey also included a “hot topics” section, one of which was Cloud Computing.
Key survey questions included:
- What is the background of the enterprise architecture team in your organization?
- Who does enterprise architecture report to?
- What does the business side think of that relationship?
- What has been the impact of the economic pressures over the previous two years on the enterprise architecture-linked initiatives in your organizations?
- How is the enterprise architecture group involved in strategic business planning?
- What role does your enterprise architecture team play in large strategic change initiatives?
After he presented the findings of the survey, questions as well as discussions included frequent enterprise architecture topics such as how involved enterprise architecture should be in business, defining enterprise architecture versus business architecture, and how other parts of the organization are being brought under the enterprise architecture umbrella.
Applying Capability-Based Business Architecture to Build "EA in a Box"
Aleks Buterman, Principal, SenseAgility Group, US
Aleks started off the session by postulating one of the most commonly asked questions in IT: How much do you spend on technology? He went on to discuss how the correct question that should be asked is: How much should you spend on technology?
Architects have been burdened with the stigma of failing to deliver on their intended purpose/promise. In a study presented by Aleks, it was revealed that 68% of all initiatives and 89% of major technology initiatives failed to deliver on their promises. One of the main causes of this failure was that 84% of companies either do not perform business cases for IT projects or perform only analysis of a select few key projects.
Organizations have long had trouble managing dependencies at higher levels of scale due to complexity. Aleks went on to describe complexity as a natural result of group interactions, but pointed out that in order to address complexity, you must first define directness.
He urged attendees to avoid paralysis by analysis and described four external viewpoints that should be applied when assessing your organization – capability maps, communications presentations, education and training, and metrics platform selection. He also laid out five critical viewpoints that should also be taken into account, which included capability-based business architecture, architecture blueprint method, architecture governance method, risk management assessment method, and total cost of ownership management.
Using TOGAF® 9 Capability-Based Planning to Deliver Tangible Business Value from your EA Discipline
Jason Uppal, QRS, Canada
Jason dedicated his session to reviewing principles of capability-based planning (CBP), defining capabilities from an enterprise architect’s point of view, and discussing the explicit link between capabilities and architecture requirements.
He argued the value of CBP by stressing the need to change architecture focus from replacing a system to delivering a capability. This can be accomplished by defining capabilities and obstacles that are inhibiting the desired capability. “Not everything has to be new in order to architect,” he stated.
To conclude the session, emphasis was placed on translating intent into capabilities. Jason discussed how anyone could develop a capabilities map, which essentially analyzes your current budget and figures out what capabilities it supports. Capability studies provide architects with a solid foundation of where you are now, and where you want to go.
Business Architecture Trends and Methods
Andrew Guitarte, AVP/Business Architect of Internet Services, Wells Fargo Bank
Andrew can be quoted saying: “Melding business and technology does a lot for your sanity.” He is a true mix of IT and business, boasting a solid IT background which is currently being supplemented by his studies to obtain an MBA.
Andrew began his session by touching on the trends in business architecture. He confessed that the definition and value proposition of business architecture are still in a state of flux, and because of this, it’s hard to develop the discipline. However, he stated that the Business Architecture Guild is currently working on a handbook that should be completed in the next 12 months. He did share his view that business architecture creates a blueprint of the enterprise, and that it should serve as a business foundation of the enterprise to enhance accountability and improve decision-making. He concluded the session by lauding Jeff Scott of Forrester for his “revolutionary” thinking as one of the leaders in this space, and encouraging an active discussion of business architecture and its definitions during and after the conference.
Demystifying Business Architecture and its Place within the TOGAF® ADM
Proteus Duxbury, PA Consulting, US
Proteus began with the quintessential business architecture question – what is business architecture and why do I need to do this?
He then went on to discuss why so many programs are failing to deliver. At the core of this pain point is the need for people to know business architecture’s expected value. He stated that business architecture is the hardest domain to model, so it’s hard to project the outcome of the project. He also pointed out that enterprise architecture teams have been known to struggle when implementing business architecture.
In order to address the question “How do I get business architecture right?” Proteus stated that organizations need to:
- Understand your maturity and not overreach
- Learn from the mistakes of previous failures in business architecture
- Try not to centralize business architecture activity
- Get support from management, at least the support of the CIO
- Design effective governance for your program
- Communicate well
He concluded by saying that business architecture only makes sense when there is a compelling and real reason for change. He stressed the need for clear communication with management because “you only get one chance”, and also encouraged communication among the business architecture team by defining clear roles within the team.