You are here: The Open Group > The Open Group Conference, Cannes 2012 > Proceedings

Security Forum

Objective of Meeting

The objectives were to achieve expected progress and outcomes on the following agenda items:


  • Trusted Technology Track
  • Learning Lab


  • Security Track: Cybersecurity
    • Advance Virtual Open Systems (AVOS)
    • Role of Enterprise Architecture in Information Security
  • Security Track: Cloud Security
    • Where We’re At in the Hype Curve
    • The Open Group Driving Cloud Computing Security


  • Security Management – ISM3
  • Identity Management – IdEA
  • Event Management – DASv2
  • Advance Virtual Open Systems (AVOS)
  • Cloud Computing Security
  • TOGAF-Next Security – Development Workshop


  • Dependency Modeling Standard
  • Current Projects & Future Plans Review
  • Secure Mobile Architecture (SMA)
  • TOGAF-Next Security – Review with Architecture Forum


Trusted Technology Track

Andras Szakal (CTO, IBM US Federal IMT) gave a presentation on the Global Supply Chain and The Open Group Trusted Technology Forum Challenges on Protecting Products Against Counterfeit and Tampering.

Sally Long (Open Group Director for the O-TTF) then gave a presentation on the conformance criteria that technology providers and their component suppliers need to meet in order to be considered as Trusted Technology Providers.

Learning Lab

On the Monday evening, Jim Hietala (Open Group VP Security) and Ian Dobson (Open Group Director, Security and Jericho Forums) were available for informal discussions with interested attendees to this Cannes conference.

Security Track: Cybersecurity

Shawn Mullen (Software Security Architect, Power Systems, IBM) gave a presentation titled Advance Virtual Open Systems (AVOS), describing their approach to specifying a mechanism for enabling a virtualized platform to communicate efficiently with a virtualization layer to provision and configure the resources required.

Eric Cohen (Systems Architect, Thales) gave a presentation titled Role of Enterprise Architecture in Information Security, in which he considered the distribution of activities between Enterprise Architects and Security Specialists, and assessed the adjustments that are needed to address security specificities and the mutual benefits that Enterprise Architecture brings to information security specialists. Attendees noted that the new TOGAF-Next joint Open Group Architecture-Security Forums project is addressing this space so this is the place to participate in to address these specificities and integrate the specialist skills of security architects into Enterprise Architecture.

Security Track: Cloud Security

In his two-part presentation on Cloud Security – Where We're At in the Hype Curve, Jim Hietala (Open Group VP Security) first explored lessons learned from the evolution of the security industry and, by looking at cloud security through the lens of what's best for cloud customers, suggested how we might make some sense of how cloud security technologies will or should evolve over time. He then went on to discuss current cloud security standards initiatives, and opportunities for future standards work.

Shawn Mullen (Software Security Architect, Power Systems, IBM) gave a presentation titled The Open Group Driving Cloud Computing Security, giving his perspective on how The Open Group building a reference architecture for Cloud Security is driving industry to deliver the technology solutions that are needed, particularly in administration for networks, storage, operating systems, and in virtualization. Comments from attendees included that there is an audit gap for Authentication & Authorization, and also for provisioning and de-provisioning as a batch process to enable corporates to more easily move between cloud providers. Also, the USA Federal Risk & Authorization Program (FedRAMP) allows for security providers to pre-certify use of approved cloud providers.

Security Management – ISM3

See status report.

The Optimizing ISO 27001 using O-ISM3 Guide is expected to complete its Company Review by May 4, for approval to publish by mid-May.

A draft White Paper on Use of O-ISM3 with SABSA is being drafted and is expected to be available for members to review by the end of May.

Regarding promotion of adoption of the O-ISM3 standard, we have a feature article due for publication in ISSA magazine in June 2012, and we plan to publish an O-ISM3 Use-Case paper by end June 2012.

We have outlined three Maturity Levels for implementation of the O-ISM3 standard – Basic, Advanced (best RoI), and Full (e.g., for Defense users) – and will test these with existing users and also with potential new users, including through our liaison with BITS and with PCI DSS, to assess the market for developing an ISM3 Maturity Certification program.

We are also assessing the market for an ISM3 Professional Certification program for ISM3 practitioners.

Identity Management – IdEA

When the Jericho Forum published and launched its Identity Commandments in May 2011, they already recognized that they needed to explain the underlying concepts on which these Identity Commandments are based, to make them more accessible as critical requirements that Identity & Access Management (IAM) solutions must satisfy. So they began developing an “Identity Training Pack”, which has now evolved into:

  • A set of five short (3-4 minute) animated cartoon-style videos
  • A more comprehensive IAM Guide

These five IAM Concept videos will be made freely viewable on The Open Group web site and on YouTube, to convey the IAM key concepts in the easiest and quickest way. The accompanying Guide will expand on these key IAM requirements for effective global trusted identities in open systems – i.e., in Cyberspace.

The Jericho Forum is engaged with the US Govt N-STIC (National Strategies for Trusted Identities in Cyberspace) initiative, which is a two-year US Government funded program, announced in February 2012 with approximately $14M. A major part of this funding is assigned to financing up to 12 N-STIC Pilot projects that will be selected for their potential to demonstrate proof-of-concept for interoperable, trusted identity schemes. The NSTIC Guiding Principles for these pilot projects are that identity solutions proposed for these pilots must be:

  • Privacy-enhancing and voluntary
  • Secure and resilient
  • Gobally interoperable
  • Cost-effective and easy-to-use

Under these guiding principles, NIST will fund pilot projects that are intended to test or demonstrate new solutions, models, or frameworks that do not exist in the marketplace today. See here for more details.

Under this NSTIC Pilot program, the NSTIC leaders received 186 initial four-page summary proposals by their March 7 deadline.  The Jericho Forum partnered with MIT Media Labs on a Core Identity and Persona Open Architecture Pilot proposal, based on the Jericho Forum's Identity Commandments. These 186 proposals have been “down-selected” to 27 finalists – our proposal was not selected – and detailed proposals from these 27 finalists are due by May 10, following which the NSTIC leaders aim in August to announce funded awards for five to eight Pilot Projects. Although our proposal was not selected, we are continuing our engagement with MIT Media Labs to explore how best to pursue our joint proposal anyway.

Event Management – DASv2

The work in the DMTF Cloud Audit Data Federation Working Group is continuing steady progress, and we aim to use their CIM (Common Information Model) objects as the basis for our event reporting scheme in our Distributed Audit Services (DAS) Version 2 standard.

Advance Virtual Open Systems (AVOS)

From the follow-up discussion on the Cybersecurity Track presentation on AVOS (see above), there is interest in taking up a new project to specify mechanisms for enabling a virtualized platform to communicate efficiently with a virtualization layer to provision and configure system services and resources. To take this interest further, we will produce a use-case explaining the problem space, the approach we propose for solving it, and the benefits it will provide to Cloud providers, Cloud users, regulatory activities, and others, in managing usage of Cloud – in particular for configuration, identity and service provisioning and de-provisioning, and auditing.  It was agreed that we should take this proposal to the Open Virtualization Format (OVF) community to invite their interest and support.

Cloud Computing Security

The Cloud Computing Work Group has a Security sub-group which has published two White Papers – both freely downloadable from The Open Group bookstore:

and is in process of developing a third White Paper, on Data Protection. This group is checking on member interest and opportunities for future value-add work on Cloud security, as a joint activity with the Security Forum. 

Suggested topics include “Hardening the Cloud”, and “Architectural Views for Cloud” to address security issues in establishing that in the virtual world, your Cloud provider assures the same minimum specified security levels for your operations, wherever they are being processed. During this discussion, members reviewed a presentation titled Security Scenarios for Cloud Computing which clarified the approach used when developing the security architecture building blocks used in the first White Paper. Outcomes from this review included that there is synergy with the Architectural Views for Cloud and our TOGAF-Next-Security (TNS) project, and with realization of these views in our proposed AVOS project. These potential opportunities will be reviewed by our members to inform further discussion on defining future collaborative Cloud Security activities.

TOGAF-Next Security – Development Workshop

The public web site for this project, including the project Charter, is here. The objective of the project is to integrate security into TOGAF-Next. 

In this Workshop we:

  • Raised greater awareness of the Security Forum activities that support TOGAF-Next
  • Validated understanding of the scope, depth, and schedule with key stakeholders from the Architecture Forum’s TOGAF-Next project
  • Started reviewing the Security Content we propose for integration into TOGAF-Next Part 1: ADM and fundamentals
  • Validated our understandings on the organization and depth of content required for TOGAF-Next Part 2 Security content: Security Domain Guidance, and for TOGAF-next Part 3 Security content: Security Tools & Techniques
  • Outlined our action plan to involve TNS project members on developing the required content for Part 1, and by implication also for Parts 2 and 3

We also proposed a collaboration plan for our TNS to work closely with the Architecture Forum’s TOGAF-Next team on reviewing and integrating at acceptable levels our Security Architecture content for Parts 1, 2, and 3. The initial focus should be on Parts 1 and 2. This collaboration will involve regular conference calls over the next three months leading to our next meeting (Washington DC, July 16-19) to establish integration of information security into TOGAF-Next Part 1.

In the Joint Review meeting with the Architecture Forum, all these items were summarized in a presentation, clarified in discussion on specific issues, and agreed. Actions were assigned to ensure that timely progress will be achieved in accordance with the stated objectives.

Dependency Modeling Standard

Members reviewed the draft standard that started its four-week Company Review on April 19 and closes on May 16. This standard creates a data model for organizational inter-dependencies between external enterprises (and also inter-departmental within an enterprise), to enable quantitative assessment of exposure to risk from dependencies you do not control. It enables you to assign quantitative risk sensitivities for each dependency component in the data model, to identify where greatest exposure to external risk exists and how it will impact other organizational components in the enterprise, so informing business decision-makers where greatest return on investment in security mitigation will be achieved. This standard represents a significant addition to our Open Group Risk Management standards, aligned with our strategy on Security Management.

Feedback in the meeting suggested that the business case presented in the opening chapter of this standard could benefit from including business use-cases demonstrating inter-dependencies between enterprises. Also, the process to create the required organizational data model could benefit from guidance on using a structured methodology. This feedback will be fed into appropriate Company Review change requests.

Current Projects & Future Plans Review

Members reviewed proposals for topics, presentations and panels, and candidate speakers to invite to our next conference – Washington DC, July 16-20, 2012 – and agreed actions to issue announcements inviting presentation proposals for two Cybersecurity keynote plenary speakers, a Cybersecurity track, an Identity Management track, and a Security Architecture track.

Members have several Company Reviews to process over the period May-August 2012:

    • Dependency Modeling standard – April 19-May 16
    • Trust Management Guide – May 28-June 11
    • Guide to Identity Management – June 12-25
    • Secure Collaboration-Oriented Architectures Guide – June 25–July 09
    • Secure Mobile Architectures Snapshot – August

We also have a major commitment to develop information security content for integration into TOGAF-Next, as well as on continuation of ISM3, on Event Management (DASv2), and on Secure Mobile Architecture (SMA).

In addition, we are considering several new project proposals:

  • Advanced Virtual Open Systems – see Cybersecurity Track above
  • Authorization Framework, including part of the AVOS proposal and also development on Cloud Security building blocks
  • Common Criteria Protection Profile for Java 2 Enterprise Edition
  • Professional Certification program for Risk Analysts, based on The Open Group Risk Taxonomy standard
  • Automation Framework for all aspects of information security
  • Cloud Security: “Hardening the Cloud”
  • Cloud Security: “Architectural Views for Cloud”.

Secure Mobile Architecture (SMA)

Members reviewed the newly re-structured draft SMA specification, including checking the status of two external dependencies that are necessary to enable full interoperable implementation of the architecture. These dependencies are on standards work specifying key components in the secure mobile architecture – this work being underway in the Trusted Computing Group (TCG), and in the International Society of Automation (ISA). Current estimates are that these dependencies will both be published as industry standards by Q3 2012. We therefore plan to put our SMA specification forward for publication in August, as an Open Group Snapshot, to give industry visibility to our unique approach on how to secure the mobile environment in a wide range of application areas as described in the use-cases section of our SMA draft specification. We will then follow up within six months with a fully implementable SMA standard.


All the agenda items were addressed and actions agreed to progress the Security and Jericho Forum projects, and progress plans for the next Open Group conference in Washington DC, July 16-20, 2012.

Next Steps

Progress all actions agreed in this Cannes conference/members meeting sessions, and prepare for the next conference and members meeting in Washington DC, July 16-20, 2012.


See above.

   |   Legal Notices & Terms of Use   |   Privacy Statement   |   Top of Page   Return to Top of Page