
Security Forum


Strategy & Roadmap

2002-2003 Deliverables At-a-Glance

  • Technical Guide to Security Design Patterns - May 2003.
  • Managers Guide to Data Privacy - May 2003.
  • Managers Guide to Identity/Authentication (what PKI & Other Technologies do) - May 2003
  • Access Control white paper - draft by April 2003
  • Managers Guide on Secure Email, based on Secure Messaging Challenge - draft by April 2003
  • Extended Identity Management business scenario - April 2003
  • Intrusion Attack & Response "Saving Private Data" Workshop Scenario: white paper & CD-ROM package - May 2003.

Approach to Future Work Planning

The Security Forum seeks to maintain a rolling 12-month view ahead for its work activities, by continually reviewing current requirements, trends, new developments and emerging technologies. We hold a formal review every quarter to confirm our activities and balance our priorities against available resources. We update this plan following each formal review.

Our Strategy

Our strategy is in line with the Vision of The Open Group: Boundaryless Information Flow, achieved through global interoperability in a secure, reliable and timely manner.

To achieve effective boundaryless information flow it is essential that we maintain the security and confidentiality of information. Before distributed networked computing systems became the norm, information security used to be simply described as the 3 A’s – Authentication, Authorization, and Accounting - applied to a bounded (enclosed) system. However, as it evolved into a networked system within a corporate boundary (intranet), and from there to global networking over the Internet as well as other private networks, the requirements have broadened significantly, and now are commonly characterized as embracing Confidentiality, Integrity, Availability, & Audit.

Today's requirement is to make information and applications secure in a Web Services environment. This gives rise to a much more complex set of business requirements in which the business user has to decide what levels of security are optimum for specific areas in their overall business operations.

  • Business today is led by managers who more often than not are trained in business management, not in IT. These managers have to understand enough about IT to decide which computing technologies to buy and what those technologies do (and do not) buy for their business.

    The aim of our non-technical business guides is to introduce the key concepts and questions a business manager can ask to cut through the technical jargon and understand what to look for and what to expect when they buy.

    We maintain that proper understanding of IT security issues for information flow across networks and domains is crucial to creating widest business support for boundaryless information flow.

  • Software architects and designers need to be enabled to design their own information security architectures. As the proverb says: 'It's better to teach a man how to fish than to give him fish'.

    In this context it is better to explain to security software architects and designers how to use a proven methodology - design patterns - to design sound security architectures suited to their own businesses than to publish a selection of security architectures that they then have to adapt to fit their needs.

    Again, a sound security architecture is vital in a boundaryless information flow environment. See also the new "Security Architectures" project, below.

An increasing share of our resources is now expended on:

  • analyzing and understanding the complex information security requirements
  • seeking to match requirements to solutions that are available in the marketplace
  • promoting use of new and emerging technologies that offer open systems security solutions, and facilitate integrating them so they interoperate
  • seeking to promote use of solutions based on Standards because these will always ease interoperability and integration problems.

2002-2003 Deliverables

  • Managers Guides to add to the Managers Guide to Information Security, to form a series of guides for non-technical business managers that present information security topics in a common informal, informative, narrative style. See www.opengroup.org/projects/sec-guides/
    • The next guide will address Data Privacy.
    • The following guide is on Identity/Authentication (what PKI & other technologies do). This guide will also support our Identity Management project. See also www.opengroup.org/projects/pki-gm
    • A Guide to Implementing Secure Email, based on the outputs from the Messaging Forum's Secure Messaging Challenge Toolkit.
    • A Guide on how to do Security Basics for non-IT professionals in vertical market sectors (biotech, law, etc). This Guide would bridge the understanding gap between MGIS and the next level, addressing basic IT security business needs.
  • A Technical Guide to Security Design Patterns.
    An initial review draft was delivered in April 2002 for restricted public review, and peer review feedback from that exercise will be incorporated into the document - see www.opengroup.org/projects/sec-des-pat/
    Arrangements are now in place to complete this document.
  • Digital Rights Management white paper.
    Delivered Oct 2002 - see www.opengroup.org/projects/sec-guides/
    Immediate ongoing work in this area is likely to focus on a Digital Copyright requirements approach, and work in the OMA consortium.
  • Identity Management project - the Security Forum is an active contributor, together with the DIF, MMF and Messaging Forum. Our extensions to the published Identity Management business scenario will be a significant contribution to moving this project forward.
  • Access Control business scenario. This work is complementary to the Identity Management joint project. www.opengroup.org/projects/access/
  • Intrusion Attack & Response Workshop, joint with the Active Loss Prevention Initiative. In the San Francisco plenary meeting (Feb 2003) we presented a workshop that demonstrated the significance of an intrusion attack on a corporate business. A white paper and DVD recording of the plenary event in San Francisco will deliver the immediate outcomes, by end Feb 2003. See the Web page at www.opengroup.org/projects/intack/

New Work Items - 2003 & Beyond

  • Potential new Business Guides:
    • A Guide to Perimeter Security - VPNs and Firewalls has been proposed. Security Countermeasures is an alternative title. Two expert authors have been proposed and will be approached to see if they will write a draft.
    • A Guide to Authorization has been proposed. A basis for this could be the joint Microsoft/IBM collaboration on Web Services, and in particular WS-Authorization.
    • A Guide to Access Control has been proposed. This could arise from the Access Control white paper that is under development. See www.opengroup.org/projects/access/
    • A Guide to Security Policy in Principle & Practice has been proposed. A paper is being prepared to assess the scope and coverage that a suitable guide would provide.
    • A Guide to Digital Rights Management & Electronic Copyright could arise from the DRM White Paper - see www.opengroup.org/projects/sec-guides/
    • A Guide to Incident Response could be derived from the report that will come out of a joint project with the Active Loss Prevention Initiative on an Intrusion Attack Workshop for delivery at the Q103 meeting plenary. The report would not appear until mid-2003.
  • Security Architectures for Boundaryless Information Flow: This project is the Security Forum's response to The Open Group's CIO initiative presented to the San Francisco plenary (Feb 2003) to encourage an architected approach by all Forums towards contributing solutions for Boundaryless Information Flow.
  • Identity Management: Develop requirements and understanding of the issues surrounding Identity Management, building on the published business scenario. For further information, see www.opengroup.org/projects/idm/
  • Real Time Security: protection profiles - joint interest with the Real Time & Embedded Systems (RTES) program group.
  • Secure Mobile Architecture (SMA) - joint interest with the Mobile Management Forum (MMF) in solutions for secure mobile computing.
  • Federation Credentials: Investigate opportunities to exploit "federation credentials" - the intermediate space between authentication and authorization, where loose coupling enables introduction of additional attributes that are useful for security purposes.
  • Security Standards: seek opportunities to develop new security standards where gaps exist and to encourage adoption by including open source implementation code.
  • Open Source & Integration: Support work on integrating solutions to practical security problems experienced by customers, particularly through promoting availability of open source.
  • Consultancy: Provide security expertise to other Forums, Programs and Projects within The Open Group, to support their work on including acceptable levels of information security in their deliverables. To date, this resource has been provided to:
    • the Real-Time Group, for developing protection profiles that meet the US Common Criteria requirements;
    • the Messaging Forum, in their Secure Messaging Challenge;
    • the joint Forums work on Identity Management and on Access Control.
  • Expert Briefings: Widen the area of interest in the Security Forum by including varied Security Briefing sessions in which invited experts from selected vertical market sectors give presentations, as part of an outreach effort to grow our membership. This includes providing tutorials explaining security issues from both technology and business perspectives, particularly for legal/regulatory issues, vertical industry sectors, certification schemes, AES, PKI, Real Time operating systems, intrusion detection, evidence collecting (forensics), Privacy, Public Infrastructure (converting Intranets to Internet), and Security Economics (risk versus cost).

Liaisons

The Security Forum has liaisons with other consortia who are active in information security.

It also maintains close working with other Open Group Forums to ensure cross-discipline issues are properly addressed.

See the Liaisons link for more information about these liaisons.

© The Open Group 1995-2012. Updated on Tuesday, 22 April 2003