Strategy & Roadmap
2002-2003 Deliverables At-a-Glance
- Technical Guide to Security Design Patterns - May 2003.
- Managers Guide to Data Privacy - May 2003.
- Managers Guide to Identity/Authentication (what PKI & Other Technologies do) - May
- Access Control white paper - draft by April 2003
- Managers Guide on Secure Email, based on Secure Messaging Challenge - draft by April
- Extended Identity Management business scenario - April 2003
- Intrusion Attack & Response "Saving Private Data" Workshop Scenario: white paper & CD-ROM package - May 2003.
Approach to Future Work Planning
The Security Forum seeks to maintain a rolling 12-month view ahead for its work
activities, by continually reviewing current requirements, trends, new developments and
emerging technologies. We hold a formal review every quarter to confirm our activities and
balance our priorities and available resources. We update this plan following each formal
In line with the Vision of The Open Group - Boundaryless Information Flow, achieved
through global interoperability in a secure, reliable and timely manner.
To achieve effective boundaryless information flow it is essential that we maintain the
security and confidentiality of information. Before distributed networked computing
systems became the norm, information security used to be described simply as the 3
As (Authentication, Authorization, and Accounting), applied to a bounded
(enclosed) system. However, as computing evolved into networked systems within a corporate
boundary (intranet), and from there to global networking over the Internet as well as
other private networks, the requirements broadened significantly, and are now
commonly characterized as embracing Confidentiality, Integrity, Availability, & Audit.
Today's requirement is to make information and applications secure in a Web Services
environment. This gives rise to a much more complex set of business requirements in which
the business user has to decide what levels of security are optimum for specific areas in
their overall business operations.
- Business today is led by managers who, more often than not, are trained in business
management, not in IT. These managers have to understand enough about IT to make
decisions on what computing technologies to buy and what it does (and does not) buy for
The aim of our non-technical business guides is to introduce the key concepts and
questions a business manager can ask to cut through the technical jargon and understand
what to look for and what to expect when they buy.
We maintain that proper understanding of IT security issues for information flow across
networks and domains is crucial to creating widest business support for boundaryless
- Software architects and designers need to be equipped to design their own information
security architectures. As the proverb says: "It is better to teach a man how to fish than
to give him a fish."
In this context it is better to explain to security software architects and designers how to
use a proven methodology (design patterns) to design sound security architectures suited
to their own businesses than to publish a selection of security architectures that they
then have to adapt to fit their needs.
Again, a sound security architecture is vital in a boundaryless information flow
environment. See also the new "Security Architectures" project,
An increasing share of our resources is now spent on:
- analyzing and understanding the complex information security requirements
- seeking to match requirements to solutions that are available in the marketplace
- promoting use of new and emerging technologies that offer open systems security
solutions, and facilitate integrating them so they interoperate
- seeking to promote use of solutions based on Standards because these will always ease
interoperability and integration problems.
- Managers Guides to add to the Managers Guide to
Information Security, to form a series of guides for non-technical business managers
that present information security topics in a common informal, informative, narrative
style. See www.opengroup.org/projects/sec-guides/
- The next guide will address Data Privacy.
- The following guide is on Identity/Authentication (what PKI & other
technologies do). This guide will also support our Identity Management project. See also www.opengroup.org/projects/pki-gm
- A Guide to Implementing Secure Email, based on the outputs from the
Messaging Forum's Secure Messaging Challenge Toolkit.
- A Guide on how to do Security Basics for non-IT professionals in
vertical market sectors (biotech, law, etc.). This Guide would bridge the understanding gap
between MGIS (the Managers Guide to Information Security) and the next level, addressing basic IT security business needs.
- A Technical Guide to Security Design Patterns.
An initial review draft was delivered in April 2002 for restricted public review, and
peer review feedback from that exercise will be incorporated into the document - see www.opengroup.org/projects/sec-des-pat/
Arrangements are now in place to complete this document.
- Digital Rights Management white paper.
Delivered Oct 2002 - see www.opengroup.org/projects/sec-guides/
Immediate ongoing work in this area is likely to focus on a Digital Copyright
requirements approach, and work in the OMA consortium.
- Identity Management project - the Security Forum is an active
contributor, together with the DIF, MMF and Messaging Forum. Our extensions to the
published Identity Management business scenario will be a significant contribution to
moving this project forward.
- Access Control business scenario. This work is complementary to the
Identity Management joint project. www.opengroup.org/projects/access/
- Intrusion Attack & Response Workshop, joint with the Active Loss
Prevention Initiative. In the San Francisco plenary meeting (Feb 2003) we presented a
workshop that demonstrated the significance of an intrusion attack on a corporate
business. A white paper and DVD recording of the plenary event in San Francisco will
deliver the immediate outcomes, by end Feb 2003. See the Web page at www.opengroup.org/projects/intack/
New Work Items - 2003 & Beyond
- Potential new Business Guides:
- A Guide to Perimeter Security - VPNs and Firewalls has been proposed.
Security Countermeasures is an alternative title. Two expert authors have been proposed
and will be approached to see if they will write a draft.
- A Guide to Authorization has been proposed. A basis for this could be
the joint Microsoft/IBM collaboration on Web Services, and in particular WS-Authorization.
- A Guide to Access Control has been proposed. This could arise from the
Access Control white paper that is under development. See
- A Guide to Security Policy in Principle & Practice has been
proposed. A paper is being prepared to assess the scope and coverage that a suitable guide
- A Guide to Digital Rights Management & Electronic Copyright could
arise from the DRM White Paper - see www.opengroup.org/projects/sec-guides/
- A Guide to Incident Response could be derived from the report that
will come out of a joint project with the Active Loss Prevention Initiative on an
Intrusion Attack Workshop, for delivery at the Q1 2003 plenary meeting. The report would not
appear until mid-2003.
- Security Architectures for Boundaryless Information Flow: This project
is the Security Forum's response to The Open Group's CIO initiative presented to the San
Francisco plenary (Feb 2003) to encourage an architected approach by all Forums towards
contributing solutions for Boundaryless Information Flow.
- Identity Management: Develop requirements and understanding of the
issues surrounding Identity Management, building on the published business scenario. For
further information, see www.opengroup.org/projects/idm/
- Real Time Security: protection profiles - joint interest with the Real
Time & Embedded Systems (RTES) program group.
- Secure Mobile Architecture (SMA): joint interest with the Mobile
Management Forum (MMF) in solutions for secure mobile computing.
- Federation Credentials: Investigate opportunities to exploit
"federation credentials" - the intermediate space between authentication and
authorization, where loose coupling enables introduction of additional attributes that are
useful for security purposes.
- Security Standards: seek opportunities to develop new security
standards where gaps exist and to encourage adoption by including open source
- Open Source & Integration: Support work on integrating solutions to
practical security problems experienced by customers, particularly through promoting
availability of open source.
- Consultancy: Provide security expertise to other Forums, Programs and
Projects within The Open Group, to support their work on including acceptable levels of
information security in their deliverables. To date, this resource has been provided to:
- the Real-Time Group for developing protection profiles that meet the US Common Criteria
- the Messaging Forum, in their Secure Messaging Challenge
- the joint Forums work on Identity Management and on Access Control
- Expert Briefings: Widen the area of interest in the Security Forum by
including varied Security Briefing sessions in which invited experts from selected
vertical market sectors give presentations, as part of an outreach effort to grow our
membership. This includes providing tutorials explaining security issues from both
technology and business perspectives, particularly for legal/regulatory issues, vertical
industry sectors, certification schemes, AES, PKI, Real Time operating systems, intrusion
detection, evidence collecting (forensics), Privacy, Public Infrastructure (converting
Intranets to Internet), and Security Economics (risk versus cost).
The Security Forum has liaisons with other consortia who are active in information
It also maintains close working relationships with other Open Group Forums to ensure that cross-discipline
issues are properly addressed.
See the Liaisons link for more information about these