Category Archives: Conference

Snapshots of The Open Group Barcelona Conference

By The Open Group Conference Team

It is time to announce the winners of the Barcelona Photo Contest! For those of you who were unable to attend, conference attendees submitted some of their best photos to the contest for a chance to win one free conference pass to one of the global Open Group conferences over the next year – a prize valued at more than $1,000/€900.

Barcelona is a city for architects. While it is most known for works by Gaudi, enterprise architects flooded the streets for the Open Group Conference in Barcelona…and took some amazing pictures. We had a record number of photo contest submissions that captured everything from the plenary session speakers to flamenco dancers to Camp Nou, home of FC Barcelona!

The contest ended today at noon PDT, and it is time to announce the winners…

Modernista Award – For best photo taken in or around Barcelona

The winner is Craig Heath!

“Barcelona Sky from the Fundació Joan Miró”

Honorable Mentions

“Sagrada Familia Spiral Staircase” by David Boyett

 

Submission by Angela Spencer

Best of Barcelona Conference - For any photo taken during conference activities

The winner is Leonardo Ramirez!

A flamenco dancer at the Tuesday night event

Honorable Mentions

Submission by Leonardo Ramirez

The FACE™ team by David Boyett

Thank you to all those who participated in this contest – whether it was submitting one of your own photos or voting for your favorites. Please visit The Open Group’s Facebook page to view all of the submissions and conference photos.

We’re always trying to improve our programs, so if you have any feedback regarding the photo contest, please email photo@opengroup.org or leave a comment below. We’ll see you in Newport Beach!

Filed under Conference

Barcelona Highlights

By Steve Philp, The Open Group

Within a 15-minute walk of Camp Nou (home of FC Barcelona), The Open Group Conference “kicked off” on Monday morning with some excellent plenary presentations from Scott Radeztsky of Deloitte followed by Peter Haviland and Mick Adams of Ernst & Young, and after the break from Helen Sun of Oracle and finally Ron Tolido and Manuel Sevilla from Capgemini. You can see most of these Big Data presentations for yourself on The Open Group’s Livestream page.

The “second half” of the day was split into tracks for Big Data, Enterprise Architecture (EA), TOGAF® and ArchiMate®. Henry Franken of BiZZdesign talked about EA in terms of TOGAF and ArchiMate (you can see this on our Livestream site, too) and the other ArchiMate presentations from Peter Filip of Tatra Bank, Gerben Wierda of APG Asset Management and Mieke Mahakena of Capgemini were also well received by an enthusiastic audience. Networking and drinks followed at the end of the track sessions, and the “crowd” went away happy after day one.

Tuesday started with a plenary presentation by Dr. Robert Winter from the University of St Gallen on EA and Transformation Management. See the following clip to learn more about his presentation and his research.


This was followed by tracks on distributed services architecture, security, TOGAF 9 case studies, information architecture, quantum lifecycle management (QLM) and a new track on Practice Driven Research on Enterprise Transformation (PRET) and Trends in EA Research (TEAR). The evening entertainment on day two consisted of dinner and a spectacular flamenco dancing show at the Palacio de Flamenco – where a good time was had by all.

After the show there was also time for a number of us to watch Barcelona v. Celtic in their European Champions League match at the Camp Nou. This is the view from my seat:

 

The game ended in a 2-1 victory for Barcelona, and following the game there was much debate and friendly banter in the bar between the conference delegates and the Celtic fans that were staying at our hotel.

The track theme continued on day three of the conference along with member meetings such as the next version of TOGAF Working Group, the TOGAF Standard and ArchiMate Language Harmonization Project, Certification Standing Committee, and TOGAF Value Realization Working Group, etc. Member meetings of the Architecture Forum and Security Forum were held on Thursday and brought the Barcelona event to its conclusion.

At the end of the day, if your “goal” is to listen to some great presentations, network with your peers, participate in meetings and influence the generation of new IT standards, then you should get a ticket for our next fixture in Newport Beach, Calif., USA on January 28-31, 2013. The theme, again, will be Big Data.

I look forward to seeing you there!

Steve Philp is the Marketing Director at The Open Group. Over the past 20 years, Steve has worked predominantly in sales, marketing and general management roles within the IT training industry. Based in Reading, UK, he joined the Open Group in 2008 to promote and develop the organization’s skills and experience-based IT certifications. More recently, he has become responsible for corporate marketing as well as certification.

Filed under Conference

Barcelona Conference Spotlight: Dr. Robert Winter

By The Open Group Conference Team

The Open Group sat down with Dr. Robert Winter, professor at the University of St. Gallen in Switzerland, to talk about Enterprise Architecture management and transformation management following his keynote at the Barcelona Conference on Tuesday, October 23.

Dr. Winter’s session opened with the question, “Should we design and engineer methods like software?” His answer: “Yes!” Dr. Winter stresses that customization and componentization are essential when building Enterprise Architectures, making sure that architectures are constructed to fit a specific need or case and that components are reused. He also notes that enterprise architects cannot accomplish everything alone, as teamwork between enterprise architects and other departments is critical to organizational success.

Filed under Conference

The Open Group Conference in Barcelona – Day One Recap

By The Open Group Conference Team

Monday was jam-packed with excitement at The Open Group Conference in Barcelona. Since not everyone could make the trip, we’ve put together a recap of the day’s most popular sessions. Stay tuned for more recaps, which are coming soon!


How to Gain Big Insight from Big Data

In his talk titled, “How Companies Extract Insight and Foresight from Big Data,” Scott Radeztsky, CTO of Deloitte Analytics Innovation Center, discussed how companies can tackle Big Data. Scott recommended three specific steps that will help organizations make sense of Big Data:

  1. Get Buy-in First: Without the right tools, it is nearly impossible to make sense of Big Data. Research the technologies that will help you understand, break down and analyze Big Data. After determining which technology/technologies you would like to invest in, present a strong case to all decision makers on why it is necessary, focusing on the activities that it will enable and the output that it will produce. Be sure to convey the direct business benefits to ensure that all stakeholders understand how this will ultimately help the business, both in the short- and long-term.
  2. Be Lean: Borrowing from Eric Ries’ Lean Startup Methodology, Scott encouraged attendees to think “low-fi before thinking high-fi.” Oftentimes, planning and project management can be time consuming without producing results. By breaking up larger tasks and projects into smaller pieces, IT professionals can focus on a smaller number of features and really concentrate on the task at hand, rather than more administrative duties, which are necessary but don’t produce output.
  3. Create visuals: A spreadsheet full of numbers does not help anyone grasp data, let alone Big Data. Use visuals to present data to other users and stakeholders, to help them understand what the data means sooner rather than later. This will mean that dashboards and abstraction layers should be designed with user experience (UX) first, before diving into the user interface (UI). Helping all users within an organization understand Big Data more efficiently should be the primary focus of your efforts, and this is done through visuals and superior UX.

To view Scott’s presentation, please watch the session here: https://new.livestream.com/opengroup/Radeztsky-BCN12

Talking Big Data in the Boardroom

Peter Haviland, chief architect and head of business architecture within Ernst & Young’s Advisory Services, along with his colleague Mick Adams, emphasized that data impacts decisions. Big Data is in prime position to help organizations improve the execution of strategy across business functions. We are moving toward a Big Data platform, and according to Haviland and Adams, the conversation for architects starts with technology.

The data explosion is happening and executives recognize the need to invest in and integrate technology and analytic capabilities into their architecture. According to Haviland and Adams, business capabilities need to support an information-centric reference model in order to take advantage of Big Data. During the session, Haviland and Adams presented a framework for architects to implement effective analytics using a wide range of common transformation tools that, when used in a coordinated fashion, unlock the promise of enterprise analytics.

To view Peter and Mick’s presentation, please watch the session here: https://new.livestream.com/opengroup/Mick-Peter-BC12

Big Data Needs Big Architecture – An Architectural Approach to Business Information Management

In their talk titled, “Big Data Needs Big Architecture – An Architectural Approach to Business Information Management,” Ron Tolido and Manuel Sevilla of Capgemini asked, “Do we really need big frameworks to support big data?” They both concluded that they didn’t think so. Capgemini commissioned the Economist Intelligence Unit to survey over 6,000 business leaders worldwide about the use of Big Data in their organizations. Their research showed that a surprising 85 percent of respondents say the issue with Big Data is not the volume, but the ability to analyze and act on the data in real time.

Volume, variety and velocity are what Ron and Manuel think most people focus on in regard to Big Data. However, it’s not about volume; it’s really about value. By velocity, they mean that what happened one minute ago is more relevant than what happened one year ago. Time and the turnover of information are directly linked with value and relevancy.

Manuel explained that there is a lot of data that isn’t being exploited. Big Data is about using all that data to yield a return on investment.

Ron and Manuel presented a “Big Data Process Model” with four steps:

  1. Acquisition (collecting the data)
  2. Marshaling (organizing the data)
  3. Analytics (finding insight and predictive modeling)
  4. Action (using insights to change business outcomes)

In sum, Manuel reiterated that volume is essentially a non-issue. IT has often been seen as a constraint when it comes to business; that is no longer the case. Big data means big business.

To view Ron and Manuel’s presentation, please watch the session here: https://new.livestream.com/opengroup/Tolido-BC12

Delivering Enterprise Architecture with TOGAF® and ArchiMate®

On Monday, BiZZdesign’s CEO Henry Franken opened his session titled, “Delivering Enterprise Architecture with TOGAF and ArchiMate” by speaking about what exactly Enterprise Architecture is, and why it’s needed. He explains it is both a model and a product and believes it falls into the implementation category in a business and bridges that gap between “as is” and what is “to be.”

Henry also covered TOGAF’s popular Architecture Development Method (ADM), which is broken down into four steps (but is a continuous process):

  1. Getting the organization committed and involved
  2. Getting the architecture right
  3. Making the architecture work
  4. Keeping the process running

Henry discussed The Open Group’s visual modeling language for Enterprise Architecture, ArchiMate. He explained that the language of ArchiMate is designed to talk about Enterprise Architecture domains (information architecture, process architecture, product architecture, application architecture and technical architecture), but more importantly to maintain the interrelationships between them. It allows for one language for all Enterprise Architecture change. The latest version also adds a motivation extension to facilitate what a stakeholder wants and what is changed within Enterprise Architecture. This way, changes can be easily traced back to stakeholder and business goals.

In closing, Henry explains the links between TOGAF and ArchiMate, in three layers – the business layer, application layer and technology layer. Together they can help a business accomplish its goals in the final migration and integration layer. He says TOGAF and ArchiMate are the perfect basis for a tool-supported enterprise architecture practice.

Henry provided examples of each layer and step, which can be viewed here, along with the whole presentation: https://new.livestream.com/opengroup/Franken-BC12

Filed under Conference

ArchiMate® 2.0 and Beyond

By The Open Group Conference Team

In this video, Henry Franken of BiZZdesign discusses ArchiMate® 2.0, the new version of the graphical modeling language for Enterprise Architecture that provides businesses with the means to communicate with different stakeholders from the business goals level to implementation scenarios.

Franken explains that the first edition allowed users to express Enterprise Architecture at its core – modeling business applications and infrastructure. ArchiMate® 2.0 has two major additions to make it fully aligned with TOGAF® – the motivation extension and the migration and planning extension. The motivation extension provides users with the ability to fully express business motivations and goals to enterprise architects; the migration and planning extension helps lay out programs and projects to make a business transition.

There are several sessions on ArchiMate® at the upcoming Open Group Conference in Barcelona. Notably, Henry Franken’s “Delivering Enterprise Architecture with TOGAF® and ArchiMate®” session on October 22 at 2:00-2:45 p.m. UTC / 8:00-8:45 a.m. EST will be livestreamed on The Open Group Website.

To view these sessions and for more information on the conference, please go to: http://www3.opengroup.org/barcelona2012

Filed under ArchiMate®, Conference, Enterprise Architecture

The Open Group is Livestreaming The Open Group Barcelona Conference

By The Open Group Conference Team

The Open Group Conference in Barcelona will commence next week and cover the theme of “Big Data – The Next Frontier in the Enterprise.” During the four day conference, which runs Oct. 22-24, speakers and sessions will address the challenges and solutions facing Enterprise Architecture within the context of Big Data.

With travel budgets tight, we know Barcelona is hard to get to for many of our Open Group members. As such, The Open Group will be Livestreaming some of our sessions on Monday, Oct. 22. The keynote speakers include Deloitte Analytics CTO Scott Radeztsky; Ernst & Young Head of Architecture Peter Haviland; Ernst & Young Chief Business Architect Mick Adams; Oracle Senior Director of Enterprise Architecture Helen Sun; Capgemini CTO Ron Tolido; and Capgemini CTO Manuel Sevilla.

BiZZdesign CEO, Henry Franken, will host a Livestreaming session on how ArchiMate® with TOGAF® improves business efficiency. And on Wednesday, we are Livestreaming an “Ask the Experts” panel session with FACE™ Consortium members on their efforts to transform the U.S. Department of Defense’s Avionics Software Enterprise with open standards.

Livestreaming Sessions

Title: How Companies Extract Insight and Foresight from Big Data

Speaker: Scott Radeztsky, CTO, Deloitte Analytics Innovation Centers

Date: Monday, October 22

Time: 8:50-9:45 a.m. UTC / 2:50-3:45 a.m. ET

Link: https://new.livestream.com/opengroup/Radeztsky-BCN12

 

Title: Boardroom Business Architecture – What Executives Want to Know About Big Data and Analytics

Speaker: Peter Haviland, Head of Business Architecture, Ernst & Young; Mick Adams, Chief Business Architect, Ernst & Young

Date: Monday, October 22

Time: 9:50-10:35 a.m. UTC / 3:50-4:35 a.m. ET

Link: https://new.livestream.com/opengroup/Mick-Peter-BC12

 

Title: Enterprise Information Management

Speaker: Helen Sun, Senior Director of Enterprise Architecture, Oracle

Date: Monday, October 22

Time: 11:10-11:55 a.m. UTC / 5:10-5:55 a.m. ET

Link: https://new.livestream.com/opengroup/Sun-BC12

 

Title: Big Data Needs Big Architecture – An Architectural Approach to Business Information Management

Speaker: Ron Tolido, CTO, Application Services in Europe, Capgemini; Manuel Sevilla, Chief Technical Officer, Global Business Information Management TLI, Capgemini

Date: Monday, October 22

Time: 12:00-12:40 p.m. UTC / 6:00-6:40 a.m. ET

Link: https://new.livestream.com/opengroup/Tolido-BC12

 

Title: Delivering Enterprise Architecture with TOGAF® and ArchiMate®

Speaker: Henry Franken, CEO, BiZZdesign

Date: Monday, October 22

Time: 2:00-2:45 p.m. UTC / 8:00-8:45 a.m. ET

Link: https://new.livestream.com/opengroup/Franken-BC12

 

Title: Future Airborne Capability Environment (FACE™): Ask the Experts (panel)

Speakers: Jeff Howington, Rockwell Collins – FACE Steering Committee Vice-Chair; Kirk Avery, Lockheed Martin – FACE Technical Working Group Vice-Chair; Dennis Stevens, Lockheed Martin, FACE Business Chair; Chip Downing, Wind River – FACE Business Working Group Outreach Lead

Moderator: Judy Cerenzia, FACE Program Director

Date: Wednesday, October 24

Time: 4:00-5:00 p.m. UTC / 10:00-11:00 a.m. ET

Link: https://new.livestream.com/opengroup/Downing-BC12

 

We hope we see you either in Barcelona or online during one of the Livestreaming sessions!

For more information on The Open Group Barcelona Conference, please visit: http://www.opengroup.org/barcelona2012.

Filed under Conference

Alex Osterwalder’s Business Model Canvas

By The Open Group Conference Team

At The Open Group Conference in Cannes, Alex Osterwalder, entrepreneur, “Business Model Generation” author and creator of the Business Model Canvas, discussed how enterprise architects can contribute to business models. He suggested that there needs to be a bridge between Enterprise Architecture and the highest strategic level of business, bringing strategic and implementation concepts together.  Osterwalder also encouraged organizations to have a shared discussion in a shared language with all stakeholders – a concept that enterprise architects are very familiar with.

To hear more from Alex Osterwalder on how enterprise architects can become more involved in the business model development process, please watch this video:

 

Later this month, The Open Group is hosting its Barcelona conference from October 22-25, where industry thought leaders, like Osterwalder, will be discussing emerging IT trends, specifically the concept of Big Data – the next frontier in the enterprise.

Filed under Business Architecture, Conference

Snapshots of Spain: The Open Group Conference Photo Contest

By The Open Group Conference Team

You’ve all seen the great photos our members produce during conferences, and as The Open Group Conference in Barcelona draws closer, it’s no surprise that we will be hosting the photo contest once again. The prize? A free pass to attend any one of the Open Group conferences in 2013!

Many of you are already familiar with the photo contest from previous conferences, but here are the details for those of you who need a short refresher:

We will have two categories for this conference – which means you have two chances to win:

  • The Modernista Award for any photo taken in and around Barcelona.
  • Best of Barcelona Conference for any photo taken during the conference. This includes photos of any of the conference sessions and candid photos of Open Group members.

Similar to previous contests, all photos will be uploaded to The Open Group’s Facebook page, where members and Open Group Facebook fans can vote by “liking” a photo. Photos with the most “likes” in each category will be named the winner. Submissions will be uploaded in real-time, so the sooner you submit a photo, the more time members and fans will have to vote for it!

Conference attendees are free to participate, and winners of each category will receive a free conference pass to any global Open Group conference over the next year – a value of over $1,000/€900!

All photos must be submitted via email to photo@opengroup.org or via Twitter with the #ogPhoto hashtag. Please include your full name and the photo’s category upon submission. The submission period will end on Sunday, October 28 at 10:00 p.m. PT, with voting ending on Friday, November 2 at noon PT. The winners will be announced during the afternoon on Friday, November 2.

Below are the photo contest winners of the Washington, D.C. conference, which was held in July 2012:

Best of Washington, D.C.: Reflections of the Capital – by Jude Umeh

Capital City Award: Fun at a Local Pub – by Ron Schuldt

If you have any questions, please email kdene (at) bateman-group.com.

Filed under Conference

PODCAST: The Open Group FACE™ Consortium is Providing the Future of Airborne Systems

By The Open Group Staff

Recently, Judy Cerenzia, director of The Open Group Future Airborne Capability Environment (FACE™) Consortium, sat down with Defense IQ to talk about FACE and its support for open architectures. The interview is in conjunction with the Interoperable Open Architecture (IOA) Conference taking place in London from October 29-31, 2012.

In the podcast interview, Judy talks about the FACE Consortium, an aviation-focused professional group made up of U.S. industry suppliers, customers and users, and its work to create a technologically appropriate open FACE reference architecture, standards and business models that point the way to the warfighter of tomorrow. Judy also discusses the evolution of FACE standards and business guidelines and what that means to the marketplace.

About IOA 2012

The IOA Conference will take place October 29-31, 2012 in London. The conference looks to make open systems truly open by empowering attendees to base future platform architectures on publicly available standards. More information about IOA is available on its website, and registration is available here.

Filed under Conference, FACE™

The Open Group Barcelona Conference – Early Bird Registration ends September 21

By The Open Group Conference Team

Early Bird registration for The Open Group Conference in Barcelona ends September 21. Register now and save!

The conference runs October 22-24, 2012. On Monday, October 22, the plenary theme is “Big Data – The Next Frontier in the Enterprise,” and speakers will address the challenges and solutions facing Enterprise Architecture within the context of the growth of Big Data. Topics to be explored include:

  • How does an enterprise adopt the means to contend with Big Data within its information architecture?
  • How does Big Data enable your business architecture?
  • What are the issues concerned with real-time analysis of the data resources on the cloud?
  • What are the information security challenges in the world of outsourced and massively streamed data analytics?
  • What is the architectural view of security for cloud computing? How can you take a risk-based approach to cloud security?

Plenary speakers include:

  • Peter Haviland, head of Business Architecture, Ernst & Young
  • Ron Tolido, CTO of Application Services in Europe, Capgemini; and Manuel Sevilla, chief technical officer, Global Business Information Management, Capgemini
  • Scott Radeztsky, chief technical officer, Deloitte Analytics Innovation Centers
  • Helen Sun, director of Enterprise Architecture, Oracle

On Tuesday, October 23, Dr. Robert Winter, Institute of Information Management, University of St. Gallen, Switzerland, will kick off the day with a keynote on EA Management and Transformation Management.

Tracks include:

  • Practice-driven Research on Enterprise Transformation (PRET)
  • Trends in Enterprise Architecture Research (TEAR)
  • TOGAF® and ArchiMate® Case Studies
  • Information Architecture
  • Distributed Services Architecture
  • Holistic Enterprise Architecture Workshop
  • Business Innovation & Technical Disruption
  • Security Architecture
  • Big Data
  • Cloud Computing for Business
  • Cloud Security and Cloud Architecture
  • Agile Enterprise Architecture
  • Enterprise Architecture and Business Value
  • Setting Up A Successful Enterprise Architecture Practice

For more information or to register: http://www.opengroup.org/barcelona2012/registration

Filed under Conference

Video Highlights Day 2 of Washington, D.C.

By The Open Group Conference Team

How can you use the tools of Enterprise Architecture and open standards to improve your company’s capability to do business? The Day 2 speakers of The Open Group Conference in Washington, D.C. addressed this question, focusing on Enterprise Transformation. Sessions included:

  • “Case Study: University Health Network (Toronto),” by Jason Uppal, chief enterprise architect at QR Systems, Inc. and winner of the 2012 Edison Award for Innovation
  • “Future Airborne Capability Environment (FACE™): Transforming the DoD Avionics Software Industry Through the Use of Open Standards,” by Judy Cerenzia, FACE™ program director at The Open Group, Kirk Avery, chief software architect at Lockheed Martin and Philip Minor, director at System of Systems of Engineering Directorate at the Office of Chief Systems Engineer, ASA(ALT)
  • “Using the TOGAF® Architecture Content Framework with the ArchiMate® Modeling Language,” by Henry Franken, CEO of BIZZdesign, and Iver Band, enterprise architect at Standard Insurance

David Lounsbury, CTO of The Open Group, summarizes some of the day’s sessions:

Filed under ArchiMate®, Business Architecture, Certifications, Conference, Cybersecurity, Enterprise Architecture, Enterprise Transformation, FACE™, Information security, TOGAF®, Uncategorized

Reflections of the Washington, D.C. Conference

By The Open Group Conference Team

It is time to announce the winners of the Washington, D.C. Photo Contest. For those of you who were unable to attend, conference attendees submitted some of their best photos to the contest for a chance to win one free conference pass to one of The Open Group global conferences over the next year – a prize valued at more than $1,000/€900. Attendees submitted some great pictures that captured everything from the plenary session speakers to twilight views of the White House!

The contest ended today at noon PT, and it is time to announce the winners.

Capital City Award – For best photo taken in Washington, D.C. – the winner is Jude Umeh!

Reflections of the Capital – by Jude Umeh

Best of Washington, D.C. - For any photo taken during conference activities – the winner is Ron Schuldt!

Fun at a local pub – by Ron Schuldt

Honorable Mentions

The Washington Monument just as it started to rain – by Michael Lambert

Rapt audience listening to Joel Brenner’s keynote – by Jude Umeh

Thank you to all those who participated in this contest – whether it was submitting one of your own photos or voting for your favorite photo. Please visit The Open Group’s Facebook page to view all of the submissions. There are also other photos from the conference.

We’re always trying to improve our programs, so if you have any feedback regarding the photo contest, please email photo@opengroup.org or leave a comment below. We will see you in Barcelona!

Filed under Conference

Summer in the Capitol – Looking Back at The Open Group Conference in Washington, D.C.

By Jim Hietala, The Open Group

This past week in Washington D.C., The Open Group held our Q3 conference. The theme for the event was “Cybersecurity – Defend Critical Assets and Secure the Global Supply Chain,” and the conference featured a number of thought-provoking speakers and presentations.

Cybersecurity is at a critical juncture, and conference speakers highlighted the threat and attack reality and described industry efforts to move forward in important areas. The conference also featured a new capability, as several of the events were Livestreamed to the Internet.

For those who did not make the event, here’s a summary of a few of the key presentations, as well as what The Open Group is doing in these areas.

Joel Brenner, attorney with Cooley, was our first keynote. Joel’s presentation was titled, “Turning Us Inside-Out: Crime and Economic Espionage on our Networks.” The talk mirrored his recent book, “America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare,” and Joel talked about current threats to critical infrastructure, attack trends and challenges in securing information. Joel’s presentation was a wakeup call to the very real issues of IP theft and identity theft. Beyond describing the threat and attack landscape, Joel discussed some of the management challenges related to ownership of the problem, namely that the different stakeholders in addressing cybersecurity in companies, including legal, technical, management and HR, all tend to think that this is someone else’s problem. Joel stated the need for policy spanning the entire organization to fully address the problem.

Kristin Baldwin, principal deputy, systems engineering, Office of the Assistant Secretary of Defense, Research and Engineering, described the U.S. Department of Defense (DoD) trusted defense systems strategy and challenges, including requirements to secure their multi-tiered supply chain. She also talked about how the acquisition landscape has changed over the past few years. In addition, for all programs the DoD now requires the creation of a program protection plan, which is the single focal point for security activities on the program. Kristin’s takeaways included needing a holistic approach to security, focusing attention on the threat, and avoiding risk exposure from gaps and seams. DoD’s Trusted Defense Systems Strategy provides an overarching framework for trusted systems. Stakeholder integration with acquisition, intelligence, engineering, industry and research communities is key to success. Systems engineering brings these stakeholders, risk trades, policy and design decisions together. Kristin also stressed the importance of informing leadership early and providing programs with risk-based options.

Dr. Ron Ross of NIST presented a perfect storm of proliferation of information systems and networks and increasing sophistication of threat, resulting in an increasing number of penetrations of information systems in the public and private sectors, potentially affecting security and privacy. He proposed the need for an integrated project team approach to information security. Dr. Ross also provided an overview of the changes coming in NIST SP 800-53, version 4, which is presently available in draft form. He also advocated a dual protection strategy approach involving traditional controls at network perimeters that assume attackers are outside of organizational networks, as well as agile defenses that assume attackers are already inside the perimeter. The objective of agile defenses is to enable operation while under attack and to minimize response times to ongoing attacks. This new approach mirrors thinking from the Jericho Forum and others on de-perimeterization and security and is very welcome.

The Open Group Trusted Technology Forum provided a panel discussion on supply chain security issues and the approach that the forum is taking towards addressing issues relating to taint and counterfeit in products. The panel included Andras Szakal of IBM, Edna Conway of Cisco and Dan Reddy of EMC, as well as Dave Lounsbury, CTO of The Open Group. OTTF continues to make great progress in the area of supply chain security, having published a snapshot of the Open Trusted Technology Provider Framework, working to create a conformance program, and in working to harmonize with other standards activities.

Dave Hornford, partner at Conexiam and chair of The Open Group Architecture Forum, provided a thought provoking presentation titled, “Secure Business Architecture, or just Security Architecture?” Dave’s talk described the problems in approaches that are purely focused on securing against threats and brought forth the idea that focusing on secure business architecture was a better methodology for ensuring that stakeholders had visibility into risks and benefits.

Geoff Besko, CEO of Seccuris and co-leader of the security integration project for the next version of TOGAF®, delivered a presentation that looked at risk from a positive and negative view. He recognized that senior management frequently view risk as something to embrace, taking risk with an eye on business gains in revenue/market share/profitability, while security practitioners tend to focus on risk as something that is to be mitigated. Finding common ground is key here.

Katie Lewin, who is responsible for the GSA FedRAMP program, provided an overview of the program, and how it is helping raise the bar for federal agency use of secure Cloud Computing.

The conference also featured a workshop on security automation, which featured presentations on a number of standards efforts in this area, including on SCAP, O-ACEML from The Open Group, MILE, NEA, AVOS and SACM. One conclusion from the workshop was that there’s presently a gap and a need for a higher level security automation architecture encompassing the many lower level protocols and standards that exist in the security automation area.

In addition to the public conference, a number of forums of The Open Group met in working sessions to advance their work in the Capitol. These included:

All in all, the conference clarified the magnitude of the cybersecurity threat, and the importance of initiatives from The Open Group and elsewhere to make progress on real solutions.

Join us at our next conference in Barcelona on October 22-25!

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.


Conference Highlight: Exhibitors

By The Open Group Conference Team

The Open Group conferences bring together leading minds in technology and government to network and discuss current issues and processes related to Enterprise Architecture, Cloud and security. In addition to hosting more than 65 sessions and world-class speakers, we also offer the opportunity for attendees to network with exhibiting companies and consulting firms. During The Open Group Conference in Washington, D.C. there will be a number of innovative companies exhibiting that are well worth checking out:

Exhibitors List

Architecting the Enterprise

Architecting the Enterprise has been at the forefront of the move from IT to Enterprise Architectures, and provides training and consultancy in Enterprise Architecture methods and standards. The founder, Judith Jones, is a key member of the Open Group Architecture Forum and has been heavily involved in the current TOGAF® 9 framework.

Armstrong Process Group

Armstrong Process Group provides consulting, customized classroom training and professional development products to align information technology and systems engineering capabilities with business strategy.

BiZZdesign

BiZZdesign offers complete and integrated solutions to design and improve businesses. These integrated solutions consist of proven and easy to use tools, best practice models and methods, training and business consultancy. BiZZdesign also embraces open standards, and actively participates in The Open Group (TOGAF®, ArchiMate®), the BPM-Forum, NAF, and other organizations.

Build the Vision

Build the Vision specializes in consulting, training and mentoring to help clients achieve innovative competitive advantage by leveraging the power of information through the alignment of culture, process and technology. Build The Vision is also an accredited The Open Group Architecture Framework Version 9 (TOGAF® 9.1) Course Provider.

Conexiam

Conexiam is an enterprise transformation consulting firm that helps organizations solve their complex business problems so they can operate more effectively and efficiently.

EA Principals

EA Principals is a service-disabled veteran-owned small business (SDVOSB) that services major U.S. government agencies and large corporations to accelerate and simplify the services procurement process.

IBM

IBM is a global technology and innovation company, with approximately 427,000 employees serving clients in 170 countries. Utilizing its business consulting, technology and R&D expertise, IBM helps clients become “smarter” as the planet becomes more digitally interconnected. This includes working with organizations and governments to build systems that improve traffic congestion, availability of clean water, and the health and safety of populations.

Metaplexity Associates

Metaplexity Associates helps organizations work through the process of defining and implementing their Enterprise Architectures. The company’s services are founded in a curriculum of education and training services that enable architecture personnel and other participants to climb the learning curve quickly and develop a tailored architecture framework for their organization. Metaplexity also provides consultancy and assessment services that provide specialized skills and knowledge that enable an organization to assess their current architecture and envision a target state.

QR Systems

QR Systems helps IT Organizations transform their position in the Enterprise by leveraging industry best practices and adapting them to meet the needs of its customers, partners and employees.

If you are attending the conference, please stop by the various exhibitor booths to learn more about each company’s services, and for more information on The Open Group Conference in Washington, D.C., please visit: www.opengroup.org/dc2012.


Using Foursquare at #ogDCA

By The Open Group Conference Team

We’re pleased to announce that we will be holding our first foursquare campaign at The Open Group conference in Washington, D.C.!

For those who are unfamiliar with the service, foursquare is a location-based social networking application for smartphones. Users “check in” at venues using a device-specific application by selecting from a list of venues located nearby based on GPS hardware in the mobile device. Each check-in awards the user points and sometimes “badges.” For those who don’t already have the foursquare app, it is available for download for iPhones, Android phones and BlackBerrys. More information about foursquare can be found here.

The venue for the conference is titled “The Open Group Conference Washington DC, #ogDCA,” and those who check in are eligible for Open Group foursquare campaigns:

Pre-conference Sessions

On Sunday, July 15, people who attend the pre-conference sessions starting at 3:30 p.m. ET and check in to the conference via foursquare will receive a TOGAF® Pocket Guide or another piece of Open Group swag.

Conference

On Monday, July 16 and Tuesday, July 17, attendees who check in to the conference via foursquare before 4:00 p.m. ET Tuesday will be entered to win one of the following prizes.

  • Grand prize – a seat at Allen Brown’s table at the Tuesday night networking dinner event on the W Hotel Terrace (5 seats available)
  • Consolation prizes – swag from ten of our conference exhibitors.

Foursquare basics

If you’ve never “checked in” before, it’s pretty simple. Below are some instructions for iPhone users. (Note: The screen shots below illustrate the “check in” process at a different location, not the conference venue, and are provided as an example only.)

1. Download the Foursquare app.

2. When you get to the conference, simply open the app and a screen will appear showing you where your “friends” have recently checked in.

3. Click the upside-down teardrop emblem in the upper right corner.

4. Choose the “The Open Group Conference Washington DC, #ogDCA,” by tapping the words.

5. Next, write a little something about what you’re doing (e.g., “Getting ready to hear a great panel at The Open Group conference.”).

6. Make sure to sync your Foursquare account with Twitter by tapping the bird in the lower right corner of the check in screen (make sure it turns blue).

7. Then press “check in” and wait for the app to finish.

All winners will be chosen at random. Good luck!


ArchiMate at the Washington, D.C. Conference #ogDCA

By Iver Band, Standard Insurance Company

The Open Group offers many opportunities to learn about ArchiMate®, the fast-growing visual modeling language standard for Enterprise Architecture. ArchiMate enables enterprise architects to develop rich and clear graphical representations that are accessible to a wide range of stakeholders while providing clear direction to downstream architects and designers. Looking forward to this week’s Washington, D.C. conference, let’s examine the various sessions where attendees can learn more about this modeling language standard.

On Sunday, July 15, start with the ArchiMate 2.0 pre-conference introductory session from 4:30-5:00 p.m. ET led by BiZZdesign CEO and ArchiMate Forum Chair Henry Franken. Right afterward, from 5:00-5:30 ET, learn about ArchiMate certification along with other certifications offered by The Open Group.  Conference attendees can engage further with the language at one of the interactive Learning Lab sessions from 5:30-6:15 p.m. ET.

On Tuesday, July 17, learn how to use the ArchiMate language for architecture projects based on TOGAF®.  From 11:30-12:45 p.m. ET, I will join Henry, and together, we will present an in-depth tutorial on “Using the TOGAF Architecture Content Framework with the ArchiMate Modeling Language.” From 2:00-2:45 p.m. ET,  I will explore how to use ArchiMate to shed light on the complex interplay between people and organizations, and their often conflicting challenges, principles, goals and concerns.  My presentation “Modeling the Backstory with ArchiMate 2.0 Motivation Extension” will demonstrate this approach with a case study on improving customer service. Then, from 2:45-3:30 p.m. ET, The Business Forge Principal Neil Levette will present the session “Using the ArchiMate Standard as Tools for Modeling the Business.” Neil will explain how to use the ArchiMate language with Archi, a free tool, to model key business management mechanisms and the relationships between business motivations and operations. Finally, from 4:00-5:30 p.m. ET, Henry and I will join the “Ask the Experts: TOGAF and ArchiMate” panel to address conference attendee and Open Group member questions.

Don’t miss these opportunities to learn more about this powerful standard!

Iver Band is the vice chair of The Open Group ArchiMate Forum and is an enterprise architect at Standard Insurance Company in Portland, Oregon. Iver chose the TOGAF and ArchiMate standards for his IT organization and applies them enthusiastically to his daily responsibilities. He co-developed the initial examination content for the ArchiMate 2 Certification for People  and made other contributions to the ArchiMate 2 standard. He is TOGAF 9 Certified,  ArchiMate 2 Certified and a Certified Information Systems Security Professional.


Leveraging TOGAF to Deliver DoDAF Capabilities

By Chris Armstrong, Armstrong Process Group

In today’s environment of competing priorities and constrained resources, companies and government agencies are in even greater need to understand how to balance those priorities, leverage existing investments and align their critical resources to realize their business strategy. Sound appealing? It turns out that this is the fundamental goal of establishing an Enterprise Architecture (EA) capability. In fact, we have seen some of our clients position EA as the Enterprise Decision Support capability – that is, providing an architecture-grounded, fact-based approach to making business and IT decisions.

Many government agencies and contractors have been playing the EA game for some time — often in the context of mandatory compliance with architecture frameworks, such as the Federal Enterprise Architecture (FEA) and the Department of Defense Architecture Framework (DoDAF). These frameworks often focus significantly on taxonomies and reference models that organizations are required to use when describing their current state and their vision of a future state. We’re seeing a new breed of organizations that are looking past contractual compliance and want to exploit the business transformation dimension of EA.

In the Department of Defense (DoD) world, this is in part due to the new “capability driven” aspect of DoDAF version 2.0, where an organization aligns its architecture to a set of capabilities that are relevant to its mission. The addition of the Capability Viewpoint (CV) in DoDAF 2 enables organizations to describe their capability requirements and how their organization supports and delivers those capabilities. The CV also provides models for representing capability gaps and how new capabilities are going to be deployed over time and managed in the context of an overall capability portfolio.

Another critical difference in DoDAF 2 is the principle of “fit-for-purpose,” which allows organizations to select which architecture viewpoints and models to develop based on mission/program requirements and organizational context. One fundamental consequence of this is that an organization is no longer required to create all the models for each DoDAF viewpoint. They are to select the models and viewpoints that are relevant to developing and deploying their new, evolved capabilities.

While DoDAF 2 does provide some brief guidance on how to build architecture descriptions and subsequently leverage them for capability deployment and management, many organizations are seeking a more well-defined set of techniques and methods based on industry standard best practices.

This is where the effectiveness of DoDAF 2 can be significantly enhanced by integrating it with The Open Group Architecture Framework (TOGAF®) version 9.1, in particular the TOGAF Architecture Development Method (ADM). The ADM not only describes how to develop descriptions of the baseline and target architectures, but also provides considerable guidance on how to establish an EA capability and perform architecture roadmapping and migration planning. Most important, the TOGAF ADM describes how to drive the realization of the target architecture through integration with the systems engineering and solution delivery lifecycles. Lastly, TOGAF describes how to sustain an EA capability through the operation of a governance framework to manage the evolution of the architecture. In a nutshell, DoDAF 2 provides a common vocabulary for architecture content, while TOGAF provides a common vocabulary for developing and using that content.

I hope that those of you in the Washington, D.C. area will join me at The Open Group conference next week, where we’ll continue the discussion of how to deliver DoDAF capabilities using TOGAF. For those of you who can’t make it, I’m pleased to announce that The Open Group will also be delivering a Livestream of my presentation (free of charge) on Monday, July 16 at 2:45 p.m. ET.

Hope to see you there!

Chris Armstrong, president of Armstrong Process Group, Inc., is an internationally recognized thought leader in Enterprise Architecture, formal modeling, process improvement, systems and software engineering, requirements management, and iterative and agile development. Chris represents APG at The Open Group, the Object Management Group and the Eclipse Foundation.

 


Social Networking at The Open Group Washington, D.C. Conference (#ogDCA)

By Andrew Josey, The Open Group

Those who attend The Open Group conferences benefit from the opportunity to leverage the expertise of other experts, learn from others’ experiences and delve into content most relevant to their jobs and organizations. One way to maximize the benefit is to make technology work for you. If you are attending The Open Group conference in Washington, D.C., we’ve put together a few tips on how to leverage technology to make networking and meet-ups easier, quicker and more effective.

Using Twitter at #ogDCA

Twitter is a real-time news-sharing tool that anyone can use. The official hashtag for the conference is #ogDCA. This allows anybody, whether they are present or not, to follow what’s happening at the Washington, D.C. conference in real-time and to interact with each other.

Before the conference, be sure to update your Twitter client to monitor #ogDCA and to tweet about the conference. If you need to contact the conference team we can be reached on @theopengroup

To follow the conference on twitter you can point your mobile device to http://bit.ly/LyJBbA

Using foursquare to network at the Washington, D.C. conference

We’ve set up a foursquare venue for the conference and also for the exhibits hall. Be sure to check in at the venue to see a number of specials and leave tips for other attendees – more information about #ogDCA foursquare campaigns to come shortly. Also, be sure to check in at the exhibitors on foursquare.

You can check in at the venue at: http://4sq.com/LD1qfQ, or search for “The Open Group Conference Washington DC, #ogDCA.”

Using Facebook at the Washington, D.C. conference

You can also track what is happening at the conference on The Open Group Facebook page. We will be running another photo contest, where all entries will be uploaded to our Facebook page. Members and Open Group Facebook fans can vote by “liking” a photo. The photo with the most “likes” in each category will be named the winner. Submissions will be uploaded in real-time, so the sooner you submit a photo, the more time members and fans will have to vote on it!

For full details of the contest and how to enter see The Open Group Blog.

If you have any questions about social media usage at the conference, feel free to tweet me (@aj_josey)!

Andrew Josey is Director of Standards within The Open Group. He is currently managing the standards process for The Open Group, and has recently led the standards development projects for TOGAF 9.1, ArchiMate 2.0, IEEE Std 1003.1-2008 (POSIX), and the core specifications of the Single UNIX Specification, Version 4. Previously, he has led the development and operation of many of The Open Group certification development projects, including industry-wide certification programs for the UNIX system, the Linux Standard Base, TOGAF, and IEEE POSIX. He is a member of the IEEE, USENIX, UKUUG, and the Association of Enterprise Architects.


The Open Group and MIT Experts Detail New Advances in ID Management to Help Reduce Cyber Risk

By Dana Gardner, The Open Group

This BriefingsDirect thought leadership interview comes in conjunction with The Open Group Conference in Washington, D.C., beginning July 16. The conference will focus on Enterprise Architecture (EA), enterprise transformation and securing global supply chains.

We’re joined in advance by some of the main speakers at the July 16 conference to examine the relationship between controlled digital identities in cyber risk management. Our panel will explore how the technical and legal support of ID management best practices have been advancing rapidly. And we’ll see how individuals and organizations can better protect themselves through better understanding and managing of their online identities.

The panelists are Jim Hietala, vice president of security at The Open Group; Thomas Hardjono, technical lead and executive director of the MIT Kerberos Consortium; and Dazza Greenwood, president of the CIVICS.com consultancy and lecturer at the MIT Media Lab. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: What is ID management, and how does it form a fundamental component of cybersecurity?

Hietala: ID management is really the process of identifying folks who are logging onto computing services, assessing their identity, looking at authenticating them, and authorizing them to access various services within a system. It’s something that’s been around in IT since the dawn of computing, and it’s something that keeps evolving in terms of new requirements and new issues for the industry to solve.

Particularly as we look at the emergence of cloud and software-as-a-service (SaaS) services, you have new issues for users in terms of identity, because we all have to create multiple identities for every service we access.

You have issues for the providers of cloud and SaaS services, in terms of how they provision, where they get authoritative identity information for the users, and even for enterprises who have to look at federating identity across networks of partners. There are a lot of challenges there for them as well.

Key theme

Figuring out who is at the other end of that connection is fundamental to all of cybersecurity. As we look at the conference that we’re putting on this month in Washington, D.C., a key theme is cybersecurity — and identity is a fundamental piece of that.

You can look at things that are happening right now in terms of trojans, bank fraud, scammers and attackers, wire transferring money out of company’s bank accounts and other things you can point to.

There are failures in their client security and the customer’s security mechanisms on the client devices, but I think there are also identity failures. They need new approaches for financial institutions to adopt to prevent some of those sorts of things from happening. I don’t know if I’d use the word “rampant,” but they are clearly happening all over the place right now. So I think there is a high need to move quickly on some of these issues.

Gardner: Are we at a plateau? Or has ID management been a continuous progression over the past decade?

Hardjono: So it’s been at least a decade since the industry began addressing identity and identity federation. Someone in the audience might recall Liberty Alliance, the Project Liberty in its early days.

One notable thing about the industry is that the efforts have been sort of piecemeal, and the industry, as a whole, is now reaching the point where a true correct identity is absolutely needed now in transactions in a time of so many so-called Internet scams.

Gardner: Dazza, is there a casual approach to this, or a professional need? By that, I mean that we see a lot of social media activities, Facebook for example, where people can have an identity and may or may not be verified. That’s sort of the casual side, but it sounds like what we’re really talking about is more for professional business or eCommerce transactions, where verification is important. In other words, is there a division between these two areas that we should consider before we get into it more deeply?

Greenwood: Rather than thinking of it as a division, a spectrum would be a more useful way to look at it. On one side, you have, as you mentioned, a very casual use of identity online, where it may be self-asserted. It may be that you’ve signed a posting or an email.

On the other side, of course, the Internet and other online services are being used to conduct very high value, highly sensitive, or mission-critical interactions and transactions all the time. When you get toward that spectrum, a lot more information is needed about the identity authenticating, that it really is that person, as Thomas was starting to foreshadow. The authorization, workflow permissions, and accesses are also incredibly important.

In the middle, you have a lot of gradations, based partly on the sensitivity of what’s happening, based partly on culture and context as well. When you have people who are operating within organizations or within contexts that are well-known and well-understood — or where there is already a lot of not just technical, but business, legal and cultural understanding of what happens — if something goes wrong, there are the right kind of supports and risk management processes.

There are different ways that this can play out. It’s not always just a matter of higher security. It’s really higher confidence, and more trust based on a variety of factors. But the way you phrased it is a good way to enter this topic, which is, we have a spectrum of identity that occurs online, and much of it is more than sufficient for the very casual or some of the social activities that are happening.

Higher risk

But as the economy in our society moves into a digital age, ever more fully and at ever-higher speeds, much more important, higher risk, higher value interactions are occurring. So we have to revisit how it is that we have been addressing identity — and give it more attention and a more careful design, instead of architectures and rules around it. Then we’ll be able to make that transition more gracefully and with less collateral damage, and really get to the benefits of going online.

Gardner: What’s happening to shore this up and pull it together? Let’s look at some of the big news.

Hietala: I think the biggest recent news is the U.S. National Strategy for Trusted Identities in Cyber Space (NSTIC) initiative. It clearly shows that a large government, the United States government, is focused on the issue and is willing to devote resources to furthering an ID management ecosystem and construct for the future. To me that’s the biggest recent news.

At a crossroads

Greenwood: We’re just now at a crossroads where finally industry, government and increasingly the populations in general, are understanding that there is a different playing field. In the way that we interact, the way we work, the way we do healthcare, the way we do education, the way our social groups cohere and communicate, big parts are happening online.

In some cases, it happens online through the entire lifecycle. What that means now is that a deeper approach is needed. Jim mentioned NSTIC as one of those examples. There are a number of those to touch on that are occurring because of the profound transition that requires a deeper treatment.

NSTIC is the U.S. government’s roadmap to go from its piecemeal approach to a coherent architecture and infrastructure for identity within the United States. It could provide a great model for other countries as well.

People can reuse their identity, and we can start to address what you’re talking about with identity and other people taking your ID, and more to the point, how to prove you are who you said you were to get that ID back. That’s not always so easy after identity theft, because we don’t have an underlying effective identity structure in the United States yet.

I just came back from the United Kingdom at a World Economic Forum meeting. I was very impressed by what their cabinet officers are doing with an identity-assurance scheme in large scale procurement. It’s very consistent with the NSTIC approach in the United States. They can get tens of millions of their citizens using secure well-authenticated identities across a number of transactions, while always keeping privacy, security, and also individual autonomy at the forefront.

There are a number of technology and business milestones that are occurring as well. Open Identity Exchange (OIX) is a great group that’s beginning to bring industry and other sectors together to look at their approaches and technology. We’ve had Security Assertion Markup Language (SAML). Thomas is co-chair of the PC, and that’s getting a facelift.

That approach was being brought to match scale with OpenID Connect, which is OpenID and OAuth. There are a great number of technology innovations that are coming online.

Legally, there are also some very interesting newsworthy harbingers. Some of it is really just a deeper usage of statutes that have been passed a few years ago — the Uniform Electronic Transactions Act, the Electronic Signatures in Global and National Commerce Act, among others, in the U.S.

There is eSignature Directive and others in Europe and in the rest of the world that have enabled the use of interactions online and dealt with identity and signatures, but have left to the private sector and to culture which technologies, approaches, and solutions we’ll use.

Now, we’re not only getting one-off solutions, but architectures for a number of different solutions, so that whole sectors of the economy and segments of society can more fully go online. Practically everywhere you look, you see news and signs of this transition that’s occurring, an exciting time for people interested in identity.

Gardner: What’s most new and interesting from your perspective on what’s being brought to bear on this problem, particularly from a technology perspective?

Two dimensions

Hardjono: It’s along two dimensions. The first one is within the Kerberos Consortium. We have a number of people coming from the financial industry. They all have the same desire, and that is to scale their services to the global market, basically sign up new customers abroad, outside United States. In wanting to do so, they’re facing a question of identity. How do we assert that somebody in a country is truly who they say they are.

The second introduces a number of difficult technical problems. Closer to home and maybe at a smaller scale, the next big thing is user consent. The OpenID exchange and the OpenID Connect specifications have been completed, and people can do single sign-on using technology such as OAuth 2.0.

The next big thing is how can an attribute provider, banks, telcos and so on, who have data about me, share data with other partners in the industry and across the sectors of the industry with my expressed consent in a digital manner.

Gardner: Tell us a bit about the MIT Core ID approach and how this relates to the Jericho Forum approach.

Greenwood: I would defer to Jim of The Open Group to speak more authoritatively on Jericho Forum, which is a part of Open Group. But, in general, Jericho Forum is a group of experts in the security field from industry and, more broadly, who have done some great work in the past on deperimeterized security and some other foundational work.

In the last few years, they’ve been really focused on identity, coming to realize that identity is at the center of what one would have to solve in order to have a workable approach to security. It’s necessary, but not sufficient, for security. We have to get that right.

To their credit, they’ve come up with a remarkably good list of simple understandable principles, that they call the Jericho Forum Identity Commandments, which I strongly commend to everybody to read.

It puts forward a vision of an approach to identity, which is very constant with an approach that I’ve been exploring here at MIT for some years. A person would have a core ID identity, a core ID, and could from that create more than one persona. You may have a work persona, an eCommerce persona, maybe a social and social networking persona and so on. Some people may want a separate political persona.

You could cluster all of the accounts, interactions, services, attributes, and so forth, directly related to each of those to those individual personas, but not be in a situation where we’re almost blindly backing into right now. With a lot of the solutions in the market, your different aspects of life, unintentionally sometimes or even counter-intentionally, will merge.

Good architecture

Sometimes, that’s okay. Sometimes, in fact, we need to be able to have an inability to separate different parts of life. That’s part of privacy and can be part of security. It’s also just part of autonomy. It’s a good architecture. So Jericho Forum has got the commandments.

Many years ago, at MIT, we had a project called the Identity Embassy here in the Media Lab, where we put forward some simple prototypes and ideas, ways you could do that. Now, with all the recent activity we mentioned earlier toward full-scale usage of architectures for identity in U.S. with NSTIC and around the world, we’re taking a stronger, deeper run at this problem.

Thomas and I have been collaborating across different parts of MIT. I’m putting out what we think is a very exciting and workable way that you can in a high security manner, but also quite usably, have these core identifiers or individuals and inextricably link them to personas, but escape that link back to the core ID, and from across the different personas, so that you can get the benefits when you want them, keeping the personas separate.

Also it allows for many flexible business models and other personalization and privacy services as well, but we can get into that more in the fullness of time. But, in general, that’s what’s happening right now and we couldn’t be more excited about it.

Hardjono: For a global infrastructure for core identities to be able to develop, we definitely need collaboration between the governments of the world and the private sector. Looking at this problem, we were searching back in history to find an analogy, and the best analogy we could find was the rollout of a DNS infrastructure and the IP address assignment.

It’s not perfect and it’s got its critics, but the idea is that you could split blocks of IP addresses and get it sold and resold by private industry, really has allowed the Internet to scale, hitting limitations, but of course IPv6 is on the horizon. It’s here today.

So we were thinking along the same philosophy, where core identifiers could be arranged in blocks and handed out to the private sector, so that they can assign, sell it, or manage it on behalf of people who are Internet savvy, and perhaps not, such as my mom. So we have a number of challenges in that phase.

Gardner: Does this relate to the MIT Model Trust Framework System Rules project?

Greenwood: The Model Trust Framework System Rules project that we are pursuing in MIT is a very important aspect of what we’re talking about. Thomas and I talked somewhat about the technical and practical aspects of core identifiers and core identities. There is a very important business and legal layer within there as well.

So these trust framework system rules are ways to begin to approach the complete interconnected set of dimensions necessary to roll out these kinds of schemes at the legal, business, and technical layers.

They come from very successful examples in the past, where organizations have federated ID with more traditional approaches such as SAML and other approaches. There are some examples of those trust framework system rules at the business, legal, and technical level available.

Right now it’s CIVICS.com, and soon, when we have our model MIT under Creative Commons approach, we’ll take a lot of the best of what’s come before codified in a rational way. Business, legal, and technical rules can really be aligned in a more granular way to fit well, and put out a model that we think will be very helpful for the identity solutions of today that are looking at federate according to NSTIC and similar models. It absolutely would be applicable to how at the core identity persona underlying architecture and infrastructure that Thomas, I, and Jericho Forum are postulating could occur.

Hardjono: Looking back 10-15 years, we engineers came up with all sorts of solutions and standardized them. What’s really missing is the business models, business cases, and of course the legal side.

How can a business make revenue out of the management of identity-related aspects, management of attributes, and so on and how can they do so in such a manner that it doesn’t violate the user’s privacy. But it’s still user-centric in the sense that the user needs to give consent and can withdraw consent and so on. And trying to develop an infrastructure where everybody is protected.

Gardner: The Open Group, being a global organization focused on the collaboration process behind the establishment of standards, it sounds like these are some important aspects that you can bring out to your audience, and start to create that collaboration and discussion that could lead to fuller implementation. Is that the plan, and is that what we’re expecting to hear more of at the conference next month?

Hietala: It is the plan, and we do get a good mix at our conferences and events of folks from all over the world, from government organizations and large enterprises as well. So it tends to be a good mixing of thoughts and ideas from around the globe on whatever topic we’re talking about — in this case identity and cybersecurity.

At the Washington, D.C. Conference, we have a mix of discussions. The kick-off one is a fellow by the name of Joel Brenner who has written a book, America the Vulnerable, which I would recommend. He was inside the National Security Agency (NSA) and he’s been involved in fighting a lot of the cyber attacks. He has a really good insight into what’s actually happening on the threat and defending against the threat side. So that will be a very interesting discussion. [Read an interview with Joel Brenner.]

Then, on Monday, we have conference presentations in the afternoon looking at cybersecurity and identity, including Thomas and Dazza presenting on some of the projects that they’ve mentioned.

Cartoon videos

Then, we’re also bringing to that event for the first time, a series of cartoon videos that were produced for the Jericho Forum. They describe a lot of the commandments that Dazza mentioned in a more approachable way. So they’re hopefully understandable to laymen, and folks with not as much understanding about all the identity mechanisms that are out there. So, yeah, that’s what we are hoping to do.

Gardner: Perhaps we could now better explain what NSTIC is and does?

Greenwood: The best person to speak about NSTIC in the United States right now is probably President Barack Obama, because he is the person that signed the policy. Our president and the administration have taken a needed, and I think a very well-conceived approach, to getting industry involved with other stakeholders in creating the architecture that’s going to be needed for identity for the United States and as a model for the world, and also how to interact with other models.

Jeremy Grant is in charge of the program office and he is very accessible. So if people want more information, they can find Jeremy online easily at nist.gov/nstic. And nstic.us also has more information.

In general, NSTIC is a strategy document and a roadmap for how a national ecosystem can emerge, which is comprised of a governing body. They’re beginning to put that together this very summer, with 13 different stakeholder groups, each of which would self-organize and elect or appoint a person — industry, government, state and local government, academia, privacy groups, individuals — which is terrific — and so forth.

That governance group will come up with more of the details in terms of what the accreditation and trust marks look like, the types of technologies and approaches that would be favored according to the general principles I hope everyone reads within the NSTIC document.

At a lower level, Congress has appropriated more than $10 million to work with the White House for a number of pilots that will be under a million half dollars each for a year or two, where individual proof of concept, technologies, or approaches to trust frameworks will be piloted and put out into where they can be used in the market.

In general, by this time two months from now, we’ll know a lot more about the governing body, once it’s been convened and about the pilots once those contracts have been awarded and grants have been concluded. What we can say right now is that the way it’s going to come together is with trust framework system rules, the same exact type of entity that we are doing a model of, to help facilitate people’s understanding and having templates and well-thought through structures that they can pull down and, in turn, use as a starting point.

Circle of trust

So industry-by-industry, sector-by-sector, but also what we call circle of trust by circle of trust. Folks will come up with their own specific rules to define exactly how they will meet these requirements. They can get a trust mark, be interoperable with other trust framework consistent rules, and eventually you’ll get a clustering of those, which will lead to an ecosystem.

The ecosystem is not one size fits all. It’s a lot of systems that interoperate in a healthy way and can adapt and evolve over time. A lot more, as I said, is available on nstic.us and nist.gov/nstic, and it’s exciting times. It’s certainly the best government document I have ever read. I’ll be so very excited to see how it comes out.

Gardner: What’s coming down the pike that’s going to make this yet more important?

Hietala: I would turn to the threat and attacks side of the discussion and say that, unfortunately, we’re likely to see more headlines of organizations being breached, of identities being lost, stolen, and compromised. I think it’s going to be more bad news that’s going to drive this discussion forward. That’s my take based on working in the industry and where it’s at right now.

Hardjono: I mentioned the user consent going forward. I think this is increasingly becoming an important sort of small step to address and to resolve in the industry and efforts like the User Managed Access (UMA) working group within the Kantara Initiative.

Folks are trying to solve the problem of how to share resources. How can I legitimately not only share my photos on Flickr with data, but how can I allow my bank to share some of my attributes with partners of the bank with my consent. It’s a small step, but it’s a pretty important step.

Greenwood: Keep your eyes on UMA out of Kantara. Keep looking at OASIS, as well, and the work that’s coming with SAML and some of the Model Trust Framework System Rules.

Most important thing

In my mind the most strategically important thing that will happen is OpenID Connect. They’re just finalizing the standard now, and there are some reference implementations. I’m very excited to work with MIT, with our friends and partners at MITRE Corporation and elsewhere.

That’s going to allow mass scales of individuals to have more ready access to identities that they can reuse in a great number of places. Right now, it’s a little bit catch-as-catch-can. You’ve got your Google ID or Facebook, and a few others. It’s not something that a lot of industries or others are really quite willing to accept to understand yet.

They’ve done a complete rethink of that, and use the best lessons learned from SAML and a bunch of other federated technology approaches. I believe this one is going to change how identity is done and what’s possible.

They’ve done such a great job on it, I might add. It fits hand in glove with the types of Model Trust Framework System Rules approaches, a layer of UMA on top, and is completely consistent with the architecture rights, with a future infrastructure where people would have a Core ID and more than one persona, which could be expressed as OpenID Connect credentials that are reusable by design across great numbers of relying parties getting where we want to be with single sign-on.

So it’s exciting times. If it’s one thing you have to look at, I’d say do a Google search and get updates on OpenID Connect and watch how that evolves.

************

For more information on The Open Group’s upcoming conference in Washington, D.C., please visit: http://www.opengroup.org/dc2012

Dana Gardner is president and principal analyst at Interarbor Solutions, an enterprise IT analysis, market research, and consulting firm. Gardner, a leading identifier of software and Cloud productivity trends and new IT business growth opportunities, honed his skills and refined his insights as an industry analyst, pundit, and news editor covering the emerging software development and enterprise infrastructure arenas for the last 18 years.


The Increasing Importance of Cybersecurity: The Open Group Conference in Washington, D.C.

By Jim Hietala, The Open Group

As we move through summer here in the U.S., cybersecurity continues to be top of mind, not only for security professionals, but for IT management as well as for senior managers in large organizations.

The IT security world tends to fixate on the latest breach reported or the latest vulnerability disclosed. Clearly the recent news around Stuxnet and Flame has caused a stir in the community, as professionals debate what it means to have cyberwar attacks being carried out by nations. However, there have also been other significant developments in cybersecurity that have heightened the need for better understanding of risk and security posture in large organizations.

In the U.S., the SEC recently issued guidance to public companies on disclosing the risks of cybersecurity incidents in financial reports, as well as disclosing actual breaches if there is material effect. This is a significant new development, as there’s little that directs the attention of CEOs and boards like new financial disclosure requirements. In publicly traded organizations that struggled to find funding to perform adequate risk management and for IT security initiatives, IT folks will have a new impetus and mandate, likely with support from the highest levels.

The upcoming Open Group conference in Washington, D.C. on July 16-20 will explore cybersecurity, with a focus on defending critical assets and securing the global supply chain. To highlight a few of the notable presentations:

  • Joel Brenner, author of America the Vulnerable, attorney, and former senior counsel at the NSA, will keynote on Monday, July 16 and will speak on “America the Vulnerable: Inside the New Threat Matrix.”
  • Kristen Baldwin, principal deputy, DASD, Systems Engineering, and acting director, Systems Analysis, will speak on “Meeting the Challenge of Cybersecurity Threats through Industry-Government Partnerships.”
  • Dr. Ron Ross, project leader, NIST, will talk to “Integrating Cyber Security Requirements into Main Stream Organizational Mission and Business Processes.”
  • Andras Szakal, VP & CTO, IBM Federal will moderate a panel that will include Daniel Reddy, EMC; Edna Conway, Cisco; and Hart Rossman, SAIC on “Mitigating Tainted & Counterfeit Products.”
  • Dazza (Daniel) J. Greenwood, JD, MIT and CIVICS.com Consultancy Services, and Thomas Hardjono, executive director of MIT Kerberos Consortium, will discuss “Meeting the Challenge of Identity and Security.”

Apart from our quarterly conferences and member meetings, The Open Group undertakes a broad set of programs aimed at addressing challenges in information security.

Our Security Forum focuses on developing standards and best practices in the areas of information security management and secure architecture. The Real Time and Embedded Systems Forum addresses high assurance systems and dependability through work focused on MILS, software assurance, and dependability engineering for open systems. Our Trusted Technology Forum addresses supply chain issues of taint and counterfeit products through the development of the Trusted Technology Provider Framework, which is a draft standard aimed at enabling commercial off-the-shelf ICT products to be built with integrity, and bought with confidence. Finally, The Open Group Jericho Forum continues to provide thought leadership in the area of information security, most notably in the areas of de-perimeterization, secure cloud computing and identity management.

I hope to see you at the conference. More information about the conference, including the full program can be found here: http://www.opengroup.org/dc2012

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

