Security Track: Secure Architecture
Refer to the main Plenary report for speakers and links to the presentations.
Cloud Security Track: Cybersecurity
Refer to the main Plenary report for speakers and links to the presentations.
Security Automation Workshop
Ian Dobson introduced this workshop. Automating security in large, heterogeneous environments is an essential step forward to managing consistent configuration of information systems. It is key to maintaining compliance to security policy, assuring regulatory/standards compliance, and assuring system health. Cloud computing and virtualization heighten the importance of making security automation a reality. Work is currently underway on protocols and approaches to enable automation of IT security functions. This workshop aimed to assess the security automation big picture, highlight key challenges to be addressed, suggest approaches to solutions, identify current standards impacting security automation, and identify opportunities to add value, with particular interest in highlighting where existing standards exist and might be developed, or where new standards should be developed.
Refer to the main Plenary report for links to the presentations.
The Big Picture
Steve Whitlock, Chief Strategist for IT Security, Boeing
Steve explained his view of the current situation, and his vision for how security could and needs to be more automated. He does not want automated security to add more processes that will slow IT systems down, and neither can one business require its partners/customers to add specific security automation measures to their systems. But having open standards which promote sound security automation measures will be a significant contribution to moving towards improved IT system health. A valuable start will be to position existing standards into a machine health framework and thereby present a map showing where our focus will best be the most productive.
Managed Incident Lightweight Exchange (MILE)
Kathleen M. Moriarty, CISSP, GRC Strategy, Office of CTO, EMC Corporation
Kathleen explained that MILE encompasses a common and scalable format and method needed to share incident and indicator information, covering exchanges within large organizations, and with external partners or entities. Core to this is the ability to track incidents and indicators, generate metrics, and share this information securely. She introduced the Incident Object Description and Exchange Format (IODEF), and the Real-time Inter-network Defense (RID) activity for exchanging or sharing incident information. She showed a mapping of MITRE protocols and techniques encompassed in CYBEX and now in IODEF. There is ongoing, internationally supported work on all of this in the IETF and ITU.
Security Automation with TNC Standards
Steve Hanna, Distinguished Engineer, Juniper Networks
Steve is chair of the Trusted Network Computing (TNC) Working Group in the Trusted Computing Group (TCG). The TNC approach is based on building for Trusted Clients – security built-in via its Trusted Platform Module (TPM) and Mobile Trusted Module (MTM), the features of which provide authentication, encryption, and attestation. The "trust" involved provides co-ordinated security covering servers, storage, and networks – all through open standards. The TNC is working with NIST's SCAP, and is also active in the IETF NEA WG (its goal is Universal Agreement on NAC Client-Server Protocols), and has published several TNC protocols as IETF RFCs. TNC is widely deployed in many sectors to provide flexible, co-ordinated automated interoperable security for clients, servers, storage, and networks.
Audit and Compliance Management – How SCAP is being Looked at Internationally
John Banghart, Information Security Specialist, NIST
The Security Content Automation Protocol (SCAP) set of NIST standards is gaining international appeal as other countries are recognizing its value, including how it can be used to advance security automation. International interest is currently underway in IETF, ISO, and ITU-T. In the IETF this is being progressed under the Security Automation & Continuous Monitoring (SACM) banner, to complete the job that SCAP began while also laying a foundation for future use-cases and operations. Meanwhile in ISO SC27, the SCAP XCCDF (Extensible Configuration Checklist Description Format) component of SCAP is being fast-tracked as an ISO IT Security Techniques standard. If it is accepted, it is expected to be published in August 2012. Also, supporting the evolving integration of security automation and TNC efforts, SCAP messages for IF-Map are anticipated to be available for public review in October 2012.
CAESARS-FE: An Enterprise Continuous Monitoring Technical Reference Model
John Banghart, Information Security Specialist, NIST
John explained that the Continuous Asset Evaluation, Situational Awareness, and Risk Scoring Framework Extension (CAESARS-FE) is based on SCAP, and is intended to provide for Continuous Monitoring (ConMon). It is a joint project involving NSA, DHS, NIST, MITRE, and Booze Allen Hamilton. He presented its key goals, and its outline technical reference model, then drilled down into its subsystems, and its five layers. The goal of the reference model is to enable organizations to:
- Collect and aggregate data from across a diverse set of security and systems management tools
- Analyze that data
- Perform scoring
- Facilitate user queries
- Provide overall situational awareness in support of risk-based decision-making
- Provide a foundation to enable future automation in response to human decision-making
Alignment of US Government and Industry Compliance Automation
Shawn Mullen, Security Architect, IBM
Shawn presented Ponemon statistics on average compliance and non-compliance costs in the USA, to demonstrate how economically important compliance is. He then presented the Automated Compliance Expert Markup Language (ACEML) standard's ease of general process flow deployment, to illustrate how easily it enables customers to configure their systems and then monitor them for continued compliance to the set configuration. It provides a single policy and single xml file for all devices; it simplifies monitoring for non-compliance alerts, audits reports; and it provides ease-of-use, central management, is scalable to large enterprises with multiple compliance requirements, and is equally suitable for small single systems. Shawn closed with a slide showing the high-level Security Automation Standards Map which Steve Whitlock (Boeing) proposed in October 2011, with NIST SCAP driving the standards for machine configuration, SCAP and ACEML driving the standards for Policy Compliance, and the IETF and TCG driving the standards for Machine Health.
Security Scenarios for Cloud Computing
Stuart Boardman, Senior Business Consultant, KPN Consulting
Stuart reviewed past work done in The Open Group Cloud Computing Work Group security sub-group, on security architecture building blocks – specifically considering security policy management in the context of identity, entitlement, and access management to illustrate the complexities of the components that must be taken into account, the existing applicable standards which apply in specific areas of the architecture, the policy decision and enforcement points, and the players involved.
AVOS for Virtualization Management
Shawn Mullen, Security Architect, IBM
Shawn explained that the heart of the problem AVOS is addressing is more social than technical. For decades IT organizations have had clearly defined training, expertise, roles, and responsibilities:
- Hardware Admin would provide the initial hardware set-up and connections.
- OS Admin would install the OS and provide the security hardening.
- Network Admin would configure the system into the intranet, firewall, and host protection systems.
- Storage Admin would make the LUNs available to the OS.
Then, along comes the Virtual Admin, who cuts across everyone’s boundaries and steps on everyone’s toes. AVOS aims to simplify Service and Security-Level Agreements through automation and by defining authorization and responsibility boundaries. AVOS is a new project development activity in The Open Group Security Forum, and all interetsd in participating are invited to do so (by contacting him or Ian Dobson (Director, Security Forum).
At the end of the Workshop, Steve Hanna shared the SACM use-cases shown in IETF with the attendees in this Security Automation Workshop, and we will invite Security Forum members to review them to invite their involvement in the IETF SACM development activity. Also, we see a clear opportunity to explore opportunities to engage with the SACM activity in the upcoming IETF meeting in Vancouver during the week commencing July 30, when several of the attendees in this Security Automation Workshop will be present – so we will review the conclusions of these IETF attendees the week after that (w/c August 6).
Security Projects Summary Update
Ian Dobson, Director, Security & Jericho Forums, reviewed with members present the current list of projects in the Security Forum. Feedback on these projects will be used to update the regular Security Forum Projects Status/Actions Report.
A particular focus was on the proposal for a new project: Advanced Virtual Open Systems (AVOS). Members of the Security Forum may review the AVOS business case paper available here and if they are interested in working on this project they are invited to declare (to the Security Forum Director – Ian Dobson, i.dobson@opengroup.org) their support for working on developing it – either as leading contributor, subject-expert advisor, or as active reviewer of development draft documents. Observer members are also welcome, in the hope that they may subsequently contribute in some more substantial capacity.
TOGAF® next Security (TNS) Workshop: Integrating Security into TOGAF next
This is a key project in the Security Forum. The project charter is publicly available here.
It aims to restructure the TOGAF standard to be more modular to enable it to be used more efficiently and to integrate architecting security into it. Other parallel work is underway to integrate architecting Real-Time & Embedded Systems and SOA into TOGAF. The high-level new modular structure to integrate security architecture into TOGAF is:
- Integrate “architecting security” into TOGAF next Part 1: ADM and Fundamentals
- Confirm work plan for TOGAF next Part 2: Security Content: Security Domain Guidance
- Confirm work plan for TOGAF next Part 3: Security Content: Security Tools & Techniques
On Monday afternoon of the conference, several Security Forum members led by project leader Geoff Besko joined a working session of the Architecture Forum to progress development of shared areas of interest, and the outcomes from this session were fed into a Security Forum TNS workshop on the Wednesday afternoon. The outcomes of this workshop were then shared (see presentation) with the Architecture Forum in a joint status review meeting, to confirm shared understandings and agreement on the outcomes from the working sessions during this Conference, and also to confirm our plans for continued collaborative working over the period up to the next Open Group conference (Barcelona, October 22-25, 2012).
BoF: Security for the Cloud and SOA, and in Related Environments
A separate meeting report on this BoF is available in the Washington DC Conference proceedings. The outcomes were:
- The Security for the Cloud and SOA project should ensure that the excellent work that it has done is properly packaged and available, but the project is not expected to engage in further activities.
- The Security and Jericho Forums will continue their work on Security, and the Cloud Work Group will continue its work on Cloud. These bodies will communicate and co-operate on Cloud Security.
Information Security Management Maturity Model (ISM3)
Project leader Vicente Aceituno lead a review (see presentation) of current status and forward plans.
- Guide to
Optimizing ISO/IEC 27001 using O-ISM3: This guide is now published and available from The Open Group bookstore. It takes a process and metrics-oriented approach, which complements the ISO standard.
- Using O-ISM3 Effectively with SABSA: This will be a White Paper, which is planned for publication in Sep.-Oct. 2012. There are strong links between ISM3 and SABSA, and little overlap, with mostly language barriers to resolve. There is also valuable linkage with the SABSA+TOGAF integration, which in turn will result in a useful contribution to the TOGAF next security integration project.
- Promoting Adoption of O-ISM3: An upcoming article is planned for publication in the ISSA Journal. Also, there are regular training courses available, and some significant adoption in several businesses, but few adopters are coming forward with use-case experiences to encourage wider adoption. We will continue to encourage adopters to share their use-cases and benefits.
- Certification for O-ISM3 Maturity Models, and for ISM3 Professionals: We first need to have a sufficient body of adopters before being ready to propose an ISM3 certification programs, although we do have an outline plan defining four ISM3 Maturity Model levels.
Secure Mobile Architecture (SMA)
Project leader Darren Lissimore lead a review of the latest draft SMA Snapshot, highlighting the areas in the draft where further development contributions are needed. Action going forward is to list those areas and invite Security Forum members to get engaged in contributing to completing them.
