Standards Are For The Guidance Of The Wise


Standards Are For The Guidance Of The Wise
I-4 Forum 49, Dublin, 23 June 2003
Ian D Dobson, Director – Security Forum
Office: +44 (0)118 902 3041   Mobile: +44 (0)7764 905748
i.dobson@opengroup.org   www.opengroup.org
1 December, 2018
(C) The Open Group 2003

The Open Group is . . .
A global consortium committed to delivering greater business efficiency by bringing together buyers and suppliers of information technology to lower the time, cost and risk associated with integrating new technology across the enterprise.

The Open Group is a global consortium of buyers and suppliers of IT products and services, who are dedicated to enabling the delivery and procurement of IT products that interoperate. We call this interoperation "Boundaryless Information Flow™".

What We Used to Do
Security Standards Development:
- Work on PKI
- X/Open Basic Security Services (XBSS)
- Common Data Security Architecture (CDSA), with reference implementation
- Authorization API (AZN API)
- Work on PKI Architecture (APKI)
- DCE/PKI Integration

Why We Don't Do That Now
- Security standards development is being well addressed by other organizations (IETF, OASIS)
- Some of our high-profile standards did not achieve the desired uptake and effect (CDSA, AZN)
- There are significant challenges in security that are not being addressed anywhere else on a systematic basis

Classical Security Analysis
Classical model in a cartoon:
- Analyze threats
- Analyze vulnerabilities
- Analyze risks
- Design and implement countermeasures
What's wrong with the classical model?
- It assumes closed domains
- It starts with bad things to prevent
- It assumes all risk is bad
- The resulting solutions often prevent good things

Our Model Is Different
- We believe that security exists to ensure that business gets done according to policy
- Policies are business-driven, for example:
  - Comply with the law – to stay in business
  - Respect your customers – to keep them
  - Understand your risks and make business decisions about how to manage them: which to accept, which to offload, which to share, and how
- Security should enable right things and prevent wrong things – it's not all about "bad guys"
- Security in global networked environments raises new challenges and requires new approaches

Current Security Activities in The Open Group
- Active Loss Prevention
- Business Context
- Risk Management
- Risk Vocabulary
- Identity Management
- PKI Guidelines & Management
- Secure Mobile Architecture
- ML Security For Real-time
- Security Guides For Managers
- Security Design Patterns
- Access Control
- Trust Services
- Secure Messaging

Problems from …
(Diagram: External "In" Space, Internal Space, External "Out" Space. Operational processes: Procuring, Manufacturing, Assembling, Legal, Finance, Selling, Customer Support. Systems: Procurement Systems, Requirements, Design, ERP, Online Systems. Caption: need to integrate and optimize processes.)

Let's step back and take a look at the driving force for the need. There is the business imperative to optimize for operational efficiencies or competitive advantage. This comes about for many reasons: a company has had a merger and there is a need to integrate processes, or a company has re-organized, generating a need to integrate processes, or there is a need to optimize the entire value chain. Whatever the case, the processes subject to scrutiny can be categorized as buy-side processes, internal processes that do the magic, and sell-side processes. The processes listed in each category are not complete but are typical.

The need for organizations to have Boundaryless Information Flow™ stems from the need to improve operational efficiencies. Business processes must be integrated horizontally and vertically to improve operational efficiencies; however, the systems supporting those business processes present obstacles because they contain multiple self-contained or point solutions where information is not currently (and cannot easily be) shared – that is, there is a lack of integrated information. Additionally, access to the information in the multiple systems is provided by point solutions that don't easily and readily submit to requests from other access paths. Note that these problems aren't merely about information technology: they start with business issues and business policies and are sometimes supported by information technology. The barriers that must be broken down are at both the business and technical levels.

Actually Want This…
(Diagram: the same three spaces, with each process – Procuring, Design, Manufacturing, Assembling, Legal, Finance, Customer Support – backed by integrated systems: Procurement Systems, Requirements Systems, ERP Systems, Online Systems.)

But looking at the details, even in an oversimplified way, one can see that the "systems" supporting these processes are not single systems – there are many. In order to get the operational efficiencies, integration must occur at two points. Integrated information must be provided to give a single view of information within a given vertical area, such as procurement, requirements, or enterprise resource planning information. Additionally, to support end-to-end process improvements, an integrated view must be provided horizontally. These two points are integrated information and access. Note that these systems need not be technology systems; they can be organizational systems. The need to integrate the information and provide access exists regardless of the level of computer technology in the environment.

But Have This
(Diagram only: the same processes and systems as on the previous slide – Procuring, Design, Manufacturing, Assembling, Legal, Finance, Customer Support; Procurement Systems, Requirements Systems, ERP Systems, Online Systems – across External "In" Space, Internal Space and External "Out" Space.)

Vision
Boundaryless Information Flow™ achieved through global interoperability in a secure, reliable and timely manner.
Security is important to this vision – it is a "quality" that has to be in place throughout the environment.

The Open Group's Vision, and Mission, related to Boundaryless Information Flow™ is based on the customer's problem statement, which says that I (as the customer) could run my business better if I could gain operational efficiencies, improving the many different business processes of the enterprise, both internal and spanning the key interactions with suppliers, customers, and partners, using integrated information and access to that information. Please see the next slide for an explanation of what Boundaryless Information Flow™ is.

Boundaryless Information Flow™ – Technical Taxonomy
(Diagram: architecture reference model. Qualities: Security, Mobility, Performance, Manageability. Components: Information Consumer Applications, Brokering Applications, Information Provider Applications, Development Tools, Management Utilities, Application Platform.)

The current view of the architecture reference model for Boundaryless Information Flow™ is depicted here. This picture was derived from the business issues already presented. First, we understand that there are human and computing actors in the business environment that need information. These are information consumers. Second, we understand that there are human and computing actors that have information, and these are called information providers. Information consumers need technology services to help them request information. Information providers need services to help them liberate the information in their control. Thus information consumer services and information provider services. Additionally, we have established that there are numerous types of information consumer and information provider, much like in the stock market, where brokers serve the purpose of helping information consumers get access to all the information they need from all the different information providers. Thus we have Brokering services in the reference model. Additionally, in the business environment we understand there are development organizations, outsourced or in-house, and there are management organizations. These organizations are supported by tools and utilities to develop and manage the information services already discussed. Also, in the business environment we know that people and information are spread out and mobile. Therefore there is a need for a phone book, a directory. This is provided to the tools, utilities and services through the directory services in the reference model. Finally, the business environment must be secure, is mobile, must perform to meet the business needs, and must be manageable. This is depicted by the associated qualities that the reference model must support. Again, this reference model is focused on only those tools, utilities and services that develop, manage, or provide access to integrated information. It assumes an underlying technology platform of operating systems, networks, and middleware.

Mission
To drive the creation of Boundaryless Information Flow™ by:
- Working with customers to capture, understand and address current and emerging requirements, establish policies and share best practices;
- Working with suppliers, consortia and standards bodies to develop consensus and facilitate interoperability, to evolve and integrate open specifications and open source technologies;
- Offering a comprehensive set of services to enhance the operational efficiency of consortia; and
- Developing and operating the industry's premier certification service and encouraging procurement of certified products.

One of the key drivers in the development of The Open Group's Vision is the need, expressed by our members (and others), to "create a worldwide market for interoperable IT products supporting access to integrated information, in which all stakeholder needs are addressed". As a consortium itself, The Open Group is unique in working with both customers and suppliers, as well as other consortia and standards bodies, to develop specifications for the interoperability of IT products – both hardware and software. And we go further by offering testing and certification services to ensure compliance with those standards: helping to develop Boundaryless Information Flow™, and deliver it too. We offer a comprehensive set of Consortia Services to help other consortia operate their own programs efficiently.

Security Forum Vision
- Security is about achieving business objectives within applicable law and policy
  - Managing risk
  - Not merely preventing bad things
- Security creates protected systems with controlled perimeters
  - A controlled perimeter is "boundaryless" where (and only where) it needs to be
- Security design is necessarily pervasive

Security Forum – Mission
- Bridge the gap between business objectives and traditional "security" technology
  - Identification of gaps in both understanding and technology
  - Better understanding between buyers and suppliers of IT
  - Positioning within the Security Life Cycle: Concept, Requirements, High-Level Design, Low-Level Design, Implementation, Integration, Test & Certification, Operation & Maintenance, Obsolescence & Succession
- Develop collaborative activities with other consortia to avoid duplication of effort and leverage best-of-breed solutions

A big part of the problem is just defining exactly what problem we're solving. So where are we headed …

Advancing the Vision: Architecture
- No one security technology just "solves" a business security problem
- Real solutions are composed of multiple technical elements working in concert to achieve a business objective
- Little guidance exists to help architects analyze security problems and choose solution elements – our "Reference Architecture" and "Family of Architectures" concept addresses the gap
- Develop a Reference Architecture and a Family of Architectures – the "Security Clan" within the family

Advancing the Vision: Design Patterns
- Certain design elements are common to many security problems
- In software engineering, common elements are sometimes described as "design patterns"
  - Based on Christopher Alexander's concept – The Timeless Way of Building
  - Following the Gang of Four's seminal work: Gamma, Helm, Johnson, Vlissides
- The Security Forum is about to publish its catalog of "security design patterns"

Advancing the Vision: Education
- Manager's Guide to Information Security
  - Relating security to business objectives
  - Written in plain English
  - Helping business people relate to what information security can do (and what it can't do)
- Intrusion Attack & Response – white paper & video: illustrating a security incident in multiple simultaneous contexts: operations, financial, legal, PR, technical
- Manager's Guide to Data Privacy
- Under way: Secure Messaging, PKI in Practice, Identity & Authentication, Security Managed Risk
- Security culture – do right because it's the right thing to do

Advancing the Vision: Risk Management
- Management of risk is the business driver for information security technologists to produce solutions
- Collaborate with experts on Active Loss Prevention: integrating business, legal, insurance, and audit aspects of information security
- Measuring/quantifying IT-related risk and the effectiveness of security solutions
- Developing Trust Services to support growth of e-Business

Managing Risk
- Risk is not necessarily a bad thing
- Every business transaction carries risk
- Some ways to deal with risk:
  - Disclaim it
  - Transfer it by contract
  - Hedge against it
  - Insure against it
  - Accept it
- Security helps you manage risk by design
- Active Loss Prevention provides a framework for mitigating risk and loss in the context of law, insurance, and audit

Advancing the Vision: Security for Industry Sectors
- Collaborate with experts from industrial sectors on information security requirements and solutions
- Ongoing discussions with the bio-technical industry – the Interoperable Informatics Infrastructure Consortium (I3C)
- They are grappling with specific (yet common) problems in security, so they provide a good source of vertical-industry case studies for security work:
  - Patient record security and privacy
  - Regulatory requirements for audit (Sarbanes-Oxley) and for electronic records & digital signatures (US FDA regulation 21 CFR Part 11)
  - Secure messaging
- Leverage solutions into open systems standards

So what is the Security Forum doing?
- Technical Guide to Security Design Patterns
- Working on Architectures for Security within the context of Boundaryless Information Flow™
- Identity Management:
  - Business Scenario to verify real requirements
  - Roadmap
  - White paper
  - Implementations Catalog
  - Business Perspectives – architectural principles, models
- Collaboration with the Securities Industry Middleware Council (SIMC)

More on what we're doing (2)
- Managers' Guides:
  - MGIS (Manager's Guide to Information Security) published
  - Privacy Guide published
  - Guide to Identity & Authentication
  - Guide to PKI in Practice
  - Guide to Security Managed Risk
  - Guide to Secure Messaging
- Risk Vocabulary project well advanced:
  - Pilot Seminar in June – London
  - Plan formal launch of Risk Vocabulary in Q4 2003

More on what we're doing (3)
ALPINE (Active Loss Prevention for ICT eNabled Enterprise) project, supported by EU funding:
- Security Policy Management for Small & Medium Enterprises
- Liability in Mobile Transactions
- Trust Services Mapping
- Trustmarks
- Dependable Embedded Systems Roadmap

Future project proposals
Selected proposals for potential new technical work projects:
- Identity Theft
- PKI Trust Models
- Role-Based Access Control
- Perimeter security outside the Desktop – Securing Data
- Additional security implications in grid computing – e.g. identity in virtual environments, scaling, workflow, data security, business implications
What are your requirements? … Suggestions please.

The future …
Next Meeting – Boston, 21-25 July 2003 – agenda to include Security Issues specific to Grid Computing.
The Open Group's Security Forum welcomes anyone who wants to work with seriously capable security experts on hard problems that really matter:
- Business requirements analysis
- Active Loss Prevention – Risk Management
- Technology solutions to real problems
Contact Ian Dobson – i.dobson@opengroup.org
Thank You