Trusted Technology Track
Andras Szakal (CTO, IBM US Federal IMT) gave a presentation on the Global Supply Chain and The Open Group Trusted Technology Forum Challenges on Protecting Products Against Counterfeit and Tampering.
Sally Long (Open Group Director for the O-TTF) then gave a presentation on the conformance criteria that technology providers and their component suppliers need to meet in order to be considered as Trusted Technology Providers.
On the Monday evening, Jim Hietala (Open Group VP Security) and Ian Dobson (Open Group Director, Security and Jericho Forums) were available for informal discussions with interested attendees to this Cannes conference.
Security Track: Cybersecurity
Shawn Mullen (Software Security Architect, Power Systems, IBM) gave a presentation titled Advance Virtual Open Systems (AVOS), describing their approach to specifying a mechanism for enabling a virtualized platform to communicate efficiently with a virtualization layer to provision and configure the resources required.
Eric Cohen (Systems Architect, Thales) gave a presentation titled Role of Enterprise Architecture in Information Security, in which he considered the distribution of activities between Enterprise Architects and Security Specialists, and assessed the adjustments that are needed to address security specificities and the mutual benefits that Enterprise Architecture brings to information security specialists. Attendees noted that the new TOGAF-Next joint Open Group Architecture-Security Forums project is addressing this space so this is the place to participate in to address these specificities and integrate the specialist skills of security architects into Enterprise Architecture.
Security Track: Cloud Security
In his two-part presentation on Cloud Security – Where We're At in the Hype Curve, Jim Hietala (Open Group VP Security) first explored lessons learned from the evolution of the security industry and, by looking at cloud security through the lens of what's best for cloud customers, suggested how we might make some sense of how cloud security technologies will or should evolve over time. He then went on to discuss current cloud security standards initiatives, and opportunities for future standards work.
Shawn Mullen (Software Security Architect, Power Systems, IBM) gave a presentation titled The Open Group Driving Cloud Computing Security, giving his perspective on how The Open Group building a reference architecture for Cloud Security is driving industry to deliver the technology solutions that are needed, particularly in administration for networks, storage, operating systems, and in virtualization. Comments from attendees included that there is an audit gap for Authentication & Authorization, and also for provisioning and de-provisioning as a batch process to enable corporates to more easily move between cloud providers. Also, the USA Federal Risk & Authorization Program (FedRAMP) allows for security providers to pre-certify use of approved cloud providers.
Security Management – ISM3
See status report.
The Optimizing ISO 27001 using O-ISM3 Guide is expected to complete its Company Review by May 4, for approval to publish by mid-May.
A draft White Paper on Use of O-ISM3 with SABSA is being drafted and is expected to be available for members to review by the end of May.
Regarding promotion of adoption of the O-ISM3 standard, we have a feature article due for publication in ISSA magazine in June 2012, and we plan to publish an O-ISM3 Use-Case paper by end June 2012.
We have outlined three Maturity Levels for implementation of the O-ISM3 standard – Basic, Advanced (best RoI), and Full (e.g., for Defense users) – and will test these with existing users and also with potential new users, including through our liaison with BITS and with PCI DSS, to assess the market for developing an ISM3 Maturity Certification program.
We are also assessing the market for an ISM3 Professional Certification program for ISM3 practitioners.
Identity Management – IdEA
When the Jericho Forum published and launched its Identity Commandments in May 2011, they already recognized that they needed to explain the underlying concepts on which these Identity Commandments are based, to make them more accessible as critical requirements that Identity & Access Management (IAM) solutions must satisfy. So they began developing an “Identity Training Pack”, which has now evolved into:
- A set of five short (3-4 minute) animated cartoon-style videos
- A more comprehensive IAM Guide
These five IAM Concept videos will be made freely viewable on The Open Group web site and on YouTube, to convey the IAM key concepts in the easiest and quickest way. The accompanying Guide will expand on these key IAM requirements for effective global trusted identities in open systems – i.e., in Cyberspace.
The Jericho Forum is engaged with the US Govt N-STIC (National Strategies for Trusted Identities in Cyberspace) initiative, which is a two-year US Government funded program, announced in February 2012 with approximately $14M. A major part of this funding is assigned to financing up to 12 N-STIC Pilot projects that will be selected for their potential to demonstrate proof-of-concept for interoperable, trusted identity schemes. The NSTIC Guiding Principles for these pilot projects are that identity solutions proposed for these pilots must be:
- Privacy-enhancing and voluntary
- Secure and resilient
- Gobally interoperable
- Cost-effective and easy-to-use
Under these guiding principles, NIST will fund pilot projects that are intended to test or demonstrate new solutions, models, or frameworks that do not exist in the marketplace today. See here for more details.
Under this NSTIC Pilot program, the NSTIC leaders received 186 initial four-page summary proposals by their March 7 deadline. The Jericho Forum partnered with MIT Media Labs on a Core Identity and Persona Open Architecture Pilot proposal, based on the Jericho Forum's Identity Commandments. These 186 proposals have been “down-selected” to 27 finalists – our proposal was not selected – and detailed proposals from these 27 finalists are due by May 10, following which the NSTIC leaders aim in August to announce funded awards for five to eight Pilot Projects. Although our proposal was not selected, we are continuing our engagement with MIT Media Labs to explore how best to pursue our joint proposal anyway.
Event Management – DASv2
The work in the DMTF Cloud Audit Data Federation Working Group is continuing steady progress, and we aim to use their CIM (Common Information Model) objects as the basis for our event reporting scheme in our Distributed Audit Services (DAS) Version 2 standard.
Advance Virtual Open Systems (AVOS)
From the follow-up discussion on the Cybersecurity Track presentation on AVOS (see above), there is interest in taking up a new project to specify mechanisms for enabling a virtualized platform to communicate efficiently with a virtualization layer to provision and configure system services and resources. To take this interest further, we will produce a use-case explaining the problem space, the approach we propose for solving it, and the benefits it will provide to Cloud providers, Cloud users, regulatory activities, and others, in managing usage of Cloud – in particular for configuration, identity and service provisioning and de-provisioning, and auditing. It was agreed that we should take this proposal to the Open Virtualization Format (OVF) community to invite their interest and support.
Cloud Computing Security
The Cloud Computing Work Group has a Security sub-group which has published two White Papers – both freely downloadable from The Open Group bookstore:
and is in process of developing a third White Paper, on Data Protection. This group is checking on member interest and opportunities for future value-add work on Cloud security, as a joint activity with the Security Forum.
Suggested topics include “Hardening the Cloud”, and “Architectural Views for Cloud” to address security issues in establishing that in the virtual world, your Cloud provider assures the same minimum specified security levels for your operations, wherever they are being processed. During this discussion, members reviewed a presentation titled Security Scenarios for Cloud Computing which clarified the approach used when developing the security architecture building blocks used in the first White Paper. Outcomes from this review included that there is synergy with the Architectural Views for Cloud and our TOGAF-Next-Security (TNS) project, and with realization of these views in our proposed AVOS project. These potential opportunities will be reviewed by our members to inform further discussion on defining future collaborative Cloud Security activities.
TOGAF-Next Security – Development Workshop
The public web site for this project, including the project Charter, is here.
The objective of the project is to integrate security into TOGAF-Next.
In this Workshop we:
- Raised greater awareness of the Security Forum activities that support TOGAF-Next
- Validated understanding of the scope, depth, and schedule with key stakeholders from the Architecture Forum’s TOGAF-Next project
- Started reviewing the Security Content we propose for integration into TOGAF-Next Part 1: ADM and fundamentals
- Validated our understandings on the organization and depth of content required for TOGAF-Next Part 2 Security content: Security Domain Guidance, and for TOGAF-next Part 3 Security content: Security Tools & Techniques
- Outlined our action plan to involve TNS project members on developing the required content for Part 1, and by implication also for Parts 2 and 3
We also proposed a collaboration plan for our TNS to work closely with the Architecture Forum’s TOGAF-Next team on reviewing and integrating at acceptable levels our Security Architecture content for Parts 1, 2, and 3. The initial focus should be on Parts 1 and 2. This collaboration will involve regular conference calls over the next three months leading to our next meeting (Washington DC, July 16-19) to establish integration of information security into TOGAF-Next Part 1.
In the Joint Review meeting with the Architecture Forum, all these items were summarized in a presentation, clarified in discussion on specific issues, and agreed. Actions were assigned to ensure that timely progress will be achieved in accordance with the stated objectives.