Monthly Archives: July 2012

Reflections of the Washington, D.C. Conference

By The Open Group Conference Team

It is time to announce the winners of the Washington, D.C. Photo Contest. For those of you who were unable to attend, conference attendees submitted some of their best photos to the contest for a chance to win one free conference pass to one of The Open Group global conferences over the next year – a prize valued at more than $1,000/€900 value. Attendees submitted some great pictures that captured the plenary session speakers to twilight views of the White House!

The contest ended today at noon PT, and it is time to announce the winners.

Capital City Award – For best photo taken in Washington, D.C. – the winner is Jude Umeh!

Reflections of the Capital – by Jude Umeh

Best of Washington, D.C. - For any photo taken during conference activities – the winner is Ron Schuldt!

Fun at a local pub – by Ron Schuldt

Honorable Mentions

The Washington Monument just as it started to rain – by Michael Lambert

Rapt audience listening to Joel Brenner’s keynote – by Jude Umeh

Thank you to all those who participated in this contest – whether it was submitting one of your own photos or voting for your favorite photo. Please visit The Open Group’s Facebook page to view all of the submissions. There are also other photos from the conference.

We’re always trying to improve our programs, so if you have any feedback regarding the photo contest, please email photo@opengroup.org or leave a comment below. We will see you in Barcelona!

1 Comment

Filed under Conference

Trust and Privacy – In an Identity Management Ecosystem

By Jim Hietala and Ian Dobson, The Open Group

In the first of these five identity videos from the Jericho Forum, a forum of The Open Group, we explained the “Identity First Principles” – about people (or any entity) having a core identity, and how we all operate with a number of personas. In the second “Operating with Personas” video, we explained how creating a digital core identifier from your (real-world) core identity must involve a trusted process that is immutable (i.e. enduring and unchangeable), and how we can create digital personas –as many as we like – to mirror the way we use personas in our daily lives.

This third video explains how trust and privacy interact to provide a trusted privacy-enhanced identity ecosystem:

Each persona requires only the personal information (attributes) it needs it assert what a relying party needs to know, and no more.  For example, your “eGovernment citizen” persona would link your core identifier to your national government confirmation that you are a citizen, so if this persona is hacked, then only the attribute information of you being a citizen would be exposed and nothing else.  No other attributes about you would be revealed, thereby protecting all your other identity information and your privacy.

This is a fundamental difference to having an identity provider that maintains a super-store containing all your attributes, which would all be exposed if it was successfully hacked, or possibly mis-used under some future change-of-use marketing or government regulatory power. Remember, too, that once you give someone else, including identity providers, personal information, then you‘ve given up your control over how well it’s maintained/updated and used in the future.

If a relying party needs a higher level of trust before accepting that the digital you is really you, then you can create a new persona with additional attributes that will provide the required level of trust, or you can supply several of your personas (e.g., your address persona, your credit card persona and your online purchasing account persona), which together provide the relying party with the level of trust they need. A good example of this is buying a high-value item to be delivered to your door. Again, you only have to reveal information about you that the relying party requires.  This minimizes the exposure of your identity attributes and anyone’s ability to aggregate identity information about you.

In the next (fourth) video, which will be released next Tuesday, August 7, we will look at the bigger picture to understand why the identity ecosystem needs to be about more than just people.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future. 

Comments Off

Filed under Identity Management

Apple Registers Mac OS X 10.8 Mountain Lion to the UNIX® 03 Standard

By Andrew Josey, The Open Group

Today, Apple, Inc. released the latest version of the Mac OS X, version 10.8, also known as “Mountain Lion.” In addition to the product’s release, we are pleased to announce that Mac OS X Mountain Lion has achieved certification to The Open Group UNIX® 03 standard, which is the mark for systems conforming to the Single UNIX Specification, Version 3.

The Single UNIX Specification is an open specification that defines the set of required interfaces for a conformant UNIX system. Support for the Single UNIX Specification permits wide portability of applications between compliant and compatible operating systems. High reliability, availability and scalability are all attributes associated with certified UNIX® systems. By registering operating systems as compliant with the Single UNIX Specification, UNIX system suppliers assure their users of the stability, application portability and interoperability of their products.

Over the years, Apple has been a great supporter of the UNIX standard, and today, Mac OS X is the most widely used UNIX desktop operating system. Apple’s installed base—over 50 million users— and commitment to the UNIX standard as a platform is significant to the UNIX certification program. We look forward to continuing to work with Apple and our other UNIX partners in promoting open and interoperable operating systems as the specification continues to evolve.

Andrew Josey is Director of Standards within The Open Group. He is currently managing the standards process for The Open Group, and has recently led the standards development projects for TOGAF 9.1, ArchiMate 2.0, IEEE Std 1003.1-2008 (POSIX), and the core specifications of the Single UNIX Specification, Version 4. Previously, he has led the development and operation of many of The Open Group certification development projects, including industry-wide certification programs for the UNIX system, the Linux Standard Base, TOGAF, and IEEE POSIX. He is a member of the IEEE, USENIX, UKUUG, and the Association of Enterprise Architects.

Comments Off

Filed under Certifications, Standards, UNIX

Real-world and Online Personas – From an Identity Management Perspective

By Jim Hietala and Ian Dobson, The Open Group

In the first of the five identity videos from the Jericho Forum, a forum of The Open Group, we explained the “Identity First Principles” – about people (or any entity) having a core identity, and how we all operate with a number of personas that should be under our control using the principle of primacy, i.e., giving you the ability to control the information about your own identity. You may, of course, decide to pass that control on to some other identity management party.

In this second “Operating with Personas” video, we explain how creating a digital core identifier from your (real-world) core identity must involve a trusted process that is immutable, enduring and unchangeable.

We then describe how we need to create digital personas to mirror the way we use personas in our daily lives – at work, at home, handling our bank accounts, with the tax authority, at the golf club, etc. We can create as many digital personas for ourselves as we wish and can also create new personas from existing ones. We explain the importance of the resulting identity tree, which only works one-way; to protect privacy, we can never go back up the tree to find out about other personas created from the core identifier, especially not the real-world core identity itself. Have a look for yourself:

As you can see, the trust that a relying party has in a persona is a combination of the trust in its derivation from an immutable and secret core identifier – its binding to a trusted organizational identifier, and its attribute information provided by the relevant trusted attribute provider.

In the next (third) video, which will be released next Tuesday, July 31, we will see how trust and persona interact to provide a privacy-enhanced identity ecosystem.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future. 

Comments Off

Filed under Identity Management

Summer in the Capitol – Looking Back at The Open Group Conference in Washington, D.C.

By Jim Hietala, The Open Group

This past week in Washington D.C., The Open Group held our Q3 conference. The theme for the event was “Cybersecurity – Defend Critical Assets and Secure the Global Supply Chain,” and the conference featured a number of thought-provoking speakers and presentations.

Cybersecurity is at a critical juncture, and conference speakers highlighted the threat and attack reality and described industry efforts to move forward in important areas. The conference also featured a new capability, as several of the events were Livestreamed to the Internet.

For those who did not make the event, here’s a summary of a few of the key presentations, as well as what The Open Group is doing in these areas.

Joel Brenner, attorney with Cooley, was our first keynote. Joel’s presentation was titled, “Turning Us Inside-Out: Crime and Economic Espionage on our Networks,” The talk mirrored his recent book, “America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare,” and Joel talked about current threats to critical infrastructure, attack trends and challenges in securing information. Joel’s presentation was a wakeup call to the very real issues of IP theft and identity theft. Beyond describing the threat and attack landscape, Joel discussed some of the management challenges related to ownership of the problem, namely that the different stakeholders in addressing cybersecurity in companies, including legal, technical, management and HR, all tend to think that this is someone else’s problem. Joel stated the need for policy spanning the entire organization to fully address the problem.

Kristin Baldwin, principal deputy, systems engineering, Office of the Assistant Secretary of Defense, Research and Engineering, described the U.S. Department of Defense (DoD) trusted defense systems strategy and challenges, including requirements to secure their multi-tiered supply chain. She also talked about how the acquisition landscape has changed over the past few years. In addition, for all programs the DoD now requires the creation of a program protection plan, which is the single focal point for security activities on the program. Kristin’s takeaways included needing a holistic approach to security, focusing attention on the threat, and avoiding risk exposure from gaps and seams. DoD’s Trusted Defense Systems Strategy provides an overarching framework for trusted systems. Stakeholder integration with acquisition, intelligence, engineering, industry and research communities is key to success. Systems engineering brings these stakeholders, risk trades, policy and design decisions together. Kristin also stressed the importance of informing leadership early and providing programs with risk-based options.

Dr. Ron Ross of NIST presented a perfect storm of proliferation of information systems and networks, increasing sophistication of threat, resulting in an increasing number of penetrations of information systems in the public and private sectors potentially affecting security and privacy. He proposed a need an integrated project team approach to information security. Dr. Ross also provided an overview of the changes coming in NIST SP 800-53, version 4, which is presently available in draft form. He also advocated a dual protection strategy approach involving traditional controls at network perimeters that assumes attackers outside of organizational networks, as well as agile defenses, are already inside the perimeter. The objective of agile defenses is to enable operation while under attack and to minimize response times to ongoing attacks. This new approach mirrors thinking from the Jericho Forum and others on de-perimeterization and security and is very welcome.

The Open Group Trusted Technology Forum provided a panel discussion on supply chain security issues and the approach that the forum is taking towards addressing issues relating to taint and counterfeit in products. The panel included Andras Szakal of IBM, Edna Conway of Cisco and Dan Reddy of EMC, as well as Dave Lounsbury, CTO of The Open Group. OTTF continues to make great progress in the area of supply chain security, having published a snapshot of the Open Trusted Technology Provider Framework, working to create a conformance program, and in working to harmonize with other standards activities.

Dave Hornford, partner at Conexiam and chair of The Open Group Architecture Forum, provided a thought provoking presentation titled, “Secure Business Architecture, or just Security Architecture?” Dave’s talk described the problems in approaches that are purely focused on securing against threats and brought forth the idea that focusing on secure business architecture was a better methodology for ensuring that stakeholders had visibility into risks and benefits.

Geoff Besko, CEO of Seccuris and co-leader of the security integration project for the next version of TOGAF®, delivered a presentation that looked at risk from a positive and negative view. He recognized that senior management frequently have a view of risk embracing as taking risk with am eye on business gains if revenue/market share/profitability, while security practitioners tend to focus on risk as something that is to be mitigated. Finding common ground is key here.

Katie Lewin, who is responsible for the GSA FedRAMP program, provided an overview of the program, and how it is helping raise the bar for federal agency use of secure Cloud Computing.

The conference also featured a workshop on security automation, which featured presentations on a number of standards efforts in this area, including on SCAP, O-ACEML from The Open Group, MILE, NEA, AVOS and SACM. One conclusion from the workshop was that there’s presently a gap and a need for a higher level security automation architecture encompassing the many lower level protocols and standards that exist in the security automation area.

In addition to the public conference, a number of forums of The Open Group met in working sessions to advance their work in the Capitol. These included:

All in all, the conference clarified the magnitude of the cybersecurity threat, and the importance of initiatives from The Open Group and elsewhere to make progress on real solutions.

Join us at our next conference in Barcelona on October 22-25!

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

Comments Off

Filed under Conference, Cybersecurity, Enterprise Architecture, Information security, OTTF, Security Architecture, Supply chain risk, TOGAF®

TOGAF® 9 Certification Growth – Number of Individuals Certified Doubles in the Last 12 Months – Now Over 14,800

By Andrew Josey, The Open Group

The number of individuals certified in the TOGAF® 9 certification program as of July 1st 2012 is 14,851. This represents a doubling of the number of individuals certified in the last 12 months with 7,640 new certifications during that period. The latest statistics show that certifications are now growing at two thousand individuals per quarter.

TOGAF is being adopted globally. The top five countries include the UK, Netherlands, USA, Australia and India.

Here is a list of individuals certifications among the top 20 countries, as of July 2012

Rank # Individuals Country Percentage
1 2444 UK 16.2
2 1916 USA 12.8
3 1607 Netherlands 10.8
4 1093 Australia 7.3
5 913 India 6.1
6 705 Canada 4.7
7 637 South Africa 4.2
8 524 Finland 3.5
9 517 France 3.4
10 434 China 2.8
11 379 Norway 2.5%
12 344 Sweden 2.3%
13 280 Germany 1.8%
14 271 Belgium 1.8%
15 244 United Arab Emirates 1.6%
16 224 Denmark 1.5%
17 209 Japan 1.4%
18 176 New Zealand 1.1%
19 173 Saudi Arabia 1.1%
20 136 Czech Republic 0.9%

There are 43 TOGAF 9 training partners worldwide and 48 accredited TOGAF 9 courses.  More information on TOGAF 9 Certification, including the official accredited training course calendar and a directory of certified people and, can be found on The Open Group website at: http://www.opengroup.org/togaf9/cert/.

(This blog post was edited on August 16)

Andrew Josey is Director of Standards within The Open Group. He is currently managing the standards process for The Open Group, and has recently led the standards development projects for TOGAF 9.1, ArchiMate 2.0, IEEE Std 1003.1-2008 (POSIX), and the core specifications of the Single UNIX Specification, Version 4. Previously, he has led the development and operation of many of The Open Group certification development projects, including industry-wide certification programs for the UNIX system, the Linux Standard Base, TOGAF, and IEEE POSIX. He is a member of the IEEE, USENIX, UKUUG, and the Association of Enterprise Architects.

14 Comments

Filed under Certifications, Enterprise Architecture, TOGAF®

Understanding the Importance of Identity

By Jim Hietala and Ian Dobson, The Open Group

In May 2011, the Jericho Forum, a forum of The Open Group, published its Identity, Entitlement & Access (IdEA) commandments, which specified 14 design principles that are essential for identity management solutions to assure globally interoperable trusted identities in cyberspace. These IdEA commandments are aimed at IT architects and designers of both Identity Management and Access Management systems, but the  importance of “identity” extends to everyone – eBusiness managers, eCommerce operations, and individual eConsumers. In order to safeguard our ability to control and manage our own identity and privacy in online activities, we need every online user to support creating an Identity Ecosystem that satisfies these IdEA commandments.

We’re proud to announce that the Jericho Forum has created a series of five “Identity Key Concepts” videos to explain the key concepts that we should all understand on the topics of identity, entitlement, and access management in cartoon-style plain language.

The first installment in the series, Identity First Principles, available here and below, starts the discussion of how we identify ourselves. The video describes some fundamental concepts in identity, including core identity, identity attributes, personas, root identity, trust, attribute aggregation and primacy. These can be complex concepts for non-identity experts However, the cartoons describe the concepts in an approachable and easy-to-understand manner.

The remaining videos in the series cover the following concepts:

  • Video 2 – Operating with Personas
  • Video 3 – Trust and Privacy
  • Video 4 – The Bigger Picture, Entities and Entitlements
  • Video 5 – Building a Global Ecosystem

These identity cartoon videos will be published on successive Tuesdays over the next five weeks, so be sure to come back next Tuesday!

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

 

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future. 

1 Comment

Filed under Identity Management