Category Archives: Identity Management

Open FAIR Blog Series – An Introduction to Risk Analysis and the Open FAIR Body of Knowledge

By Jim Hietala, VP, Security and Andrew Josey, Director of Standards, The Open Group

This is the first in a four-part series of blogs introducing the Open FAIR Body of Knowledge. In this first blog. we look at what the Open FAIR Body of Knowledge provides, and why a taxonomy is needed for Risk Analysis.

An Introduction to Risk Analysis and the Open FAIR Body of Knowledge

The Open FAIR Body of Knowledge provides a taxonomy and method for understanding, analyzing and measuring information risk. It allows organizations to:

  • Speak in one language concerning their risk using the standard taxonomy and terminology, and communicate risk effectively to senior management
  • Consistently study and apply risk analysis principles to any object or asset
  • View organizational risk in total
  • Challenge and defend risk decisions
  • Compare risk mitigation options

What does FAIR stand for?

FAIR is an acronym for Factor Analysis of Information Risk.

Risk Analysis: The Need for an Accurate Model and Taxonomy

Organizations seeking to analyze and manage risk encounter some common challenges. Put simply, it is difficult to make sense of risk without having a common understanding of both the factors that (taken together) contribute to risk, and the relationships between those factors. The Open FAIR Body of Knowledge provides such a taxonomy.

Here’s an example that will help to illustrate why a standard taxonomy is important. Let’s assume that you are an information security risk analyst tasked with determining how much risk your company is exposed to from a “lost or stolen laptop” scenario. The degree of risk that the organization experiences in such a scenario will vary widely depending on a number of key factors. To even start to approach an analysis of the risk posed by this scenario to your organization, you will need to answer a number of questions, such as:

  • Whose laptop is this?
  • What data resides on this laptop?
  • How and where did the laptop get lost or stolen?
  • What security measures were in place to protect the data on the laptop?
  • How strong were the security controls?

The level of risk to your organization will vary widely based upon the answers to these questions. The degree of overall organizational risk posed by lost laptops must also include an estimation of the frequency of occurrence of lost or stolen laptops across the organization.

In one extreme, suppose the laptop belonged to your CTO, who had IP stored on it in the form of engineering plans for a revolutionary product in a significant new market. If the laptop was unprotected in terms of security controls, and it was stolen while he was on a business trip to a country known for state-sponsored hacking and IP theft, then there is likely to be significant risk to your organization. On the other extreme, suppose the laptop belonged to a junior salesperson a few days into their job, it contained no customer or prospect lists, and it was lost at a security checkpoint at an airport. In this scenario, there’s likely to be much less risk. Or consider a laptop which is used by the head of sales for the organization, who has downloaded Personally Identifiable Information (PII) on customers from the CRM system in order to do sales analysis, and has his or her laptop stolen. In this case, there could be Primary Loss to the organization, and there might also be Secondary Losses associated with reactions by the individuals whose data is compromised.

The Open FAIR Body of Knowledge is designed to help you to ask the right questions to determine the asset at risk (is it the laptop itself, or the data?), the magnitude of loss, the skill level and motivations of the attacker, the resistance strength of any security controls in place, the frequency of occurrence of the threat and of an actual loss event, and other factors that contribute to the overall level of risk for any specific risk scenario.

In our next blog in this series, we will consider 5 reasons why you should use The Open FAIR Body of Knowledge for Risk Analysis.

The Open FAIR Body of Knowledge consists of the following Open Group standards:

  • Risk Taxonomy (O-RT), Version 2.0 (C13K, October 2013) defines a taxonomy for the factors that drive information security risk – Factor Analysis of Information Risk (FAIR).
  • Risk Analysis (O-RA) (C13G, October 2013) describes process aspects associated with performing effective risk analysis.

These can be downloaded from The Open Group publications catalog at http://www.opengroup.org/bookstore/catalog.

Our other publications include a Pocket Guide and a Certification Study Guide.

62940-hietalaJim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT Security, Risk Management and Healthcare programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on Information Security, Risk Management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

 

andrew-small1Andrew Josey is Director of Standards within The Open Group. He is currently managing the standards process for The Open Group, and has recently led the standards development projects for TOGAF® 9.1, ArchiMate® 2.0, IEEE Std 1003.1-2008 (POSIX), and the core specifications of the Single UNIX® Specification, Version 4. Previously, he has led the development and operation of many of The Open Group certification development projects, including industry-wide certification programs for the UNIX system, the Linux Standard Base, TOGAF, and IEEE POSIX. He is a member of the IEEE, USENIX, UKUUG, and the Association of Enterprise Architects.

1 Comment

Filed under Data management, digital technologies, Identity Management, Information security, Open FAIR Certification, RISK Management, Security, Standards, Uncategorized

The Enterprise Architecture Kaleidoscope

By Stuart Boardman, Senior Business Consultant, Business & IT Advisory, KPN Consulting

Last week I attended a Club of Rome (Netherlands) debate about a draft report on sustainability and social responsibility. The author of the report described his approach as being like a kaleidoscope, because the same set of elements can form quite different pictures.

EA 1

Some people had some difficulty with this. They wanted a single picture they could focus on. To me it felt quite natural, because that’s very much what we try to do in Enterprise Architecture (EA) – produce different views of the same whole for the benefit of different stakeholders. And suddenly I realized how to express the relationship between EA and a broader topic like sustainability. That matters to me, because sustainability is something I’m passionate about and I’d like my work to be some small contribution to achieving that.

Before that, I’d been thinking that EA obviously has a role to play in a sustainable enterprise but I hadn’t convinced myself that the relationship was so fundamental – it felt a bit too much like wishful thinking on my part.

When we talk about sustainability today, we need to be clear that we’re not just talking about environmental issues and we’re certainly not talking about “greenwashing”. There’s an increasing awareness that a change needs to occur (and is to some extent occurring) in how we work, how we do business, how we relate to and value each other and how we relate to and value our natural environment.

This is relevant too for The Open Group Open Platform 3.0™. Plenty is written these days about the role that the Internet of Things and Big Data Analytics can play in sustainability. A lot is actually happening. Too much of this fails to take any account of the kaleidoscope and offers a purely technological and resource centric view of a shining future. People are reduced to being the happy consumers of this particular soma. By bringing other factors and in particular social media and locating the discussion in The Open Group’s traditions of Enterprise Architecture (and see also The Open Group’s work on Identity), these rather dangerous limitations can be overcome.

EA 2

 

 

 

 

EA 3

 Source: Wikipedia

Success in any one of these areas is dependent on success in the others. That was really the message of the Club of Rome discussion.

And that’s where EA comes in – the architecture of a global enterprise. There are multiple stakeholders with multiple concerns. They range from a CEO with a company to keep afloat to a farming community, whose livelihood is threatened by a giant coal mine. They also include those whose livelihood is threatened by closing that mine and governments saddled with crippling national debt. They include the people working to achieve change. These people also have their own areas of focus within the overall picture. There are people designing the new solutions – technological or otherwise. There are the people who will have to operate the changed situation. There are the stewards for the natural environment and the non-human inhabitants of platform Earth.

Now Enterprise Architects are in a sense always concerned with sustainability, at least at the micro level of one organization or enterprise. We try to develop an architecture in which the whole enterprise (and all its parts) can achieve its goals – with a minimum of instability and with the ability to respond effectively to change. That in and of itself requires us to be aware of what’s going on in the world outside our organization’s direct sphere of influence, so it’s a small step to looking at a broader picture and wondering what the future of the enterprise might be in a non-sustainable world.

The next step is an obvious one for any Enterprise Architect – well actually any architect at all in any kind of enterprise. This isn’t a political or moral question (although architects have as much right as anyone to else to such considerations) but really just one of drawing conclusions, which are logical and obvious – unless one is merely driven by short-term considerations. What you do with those conclusions is up to you and constrained by your own situation. You do what you can. You can take the campaigning viewpoint or look for collateral lack of damage or just facilitate sustainability when it’s on the agenda – look for opportunities for re-use or repair. And if your situation is one where nothing is possible, you might want to be thinking about moving on.

Sustainability is not conservatism. Some things reach the end of their useful life or can’t survive unexpected and/or dramatic changes. Some things actually improve as a result of taking a serious knock – what Nicholas Nassim Taleb calls anti-fragility. That’s true in nature at both micro and macro levels and it’s particularly true in nature. It’s not surprising that the ideas of biomimicry are rapidly gaining traction in sustainability circles.

EA 4

 

 

 

 

 

Stickybot

In this sense, agile is really about sustainability. When we work with agile methods, we’re not trying to create something changeless. We’re trying to create a way of working in which our enterprise or some small part of it, can change and adapt so as to continue to fulfill its mission for so long as that remains relevant in the world.

So yes, there’s a lot an (enterprise) architect can do towards achieving a sustainable world and there are more than enough reasons that’s consistent with our role in the organizations and enterprises we serve.

Agreed? Not? Please comment one way or the other and let’s continue the discussion.

SONY DSCStuart Boardman is a Senior Business Consultant with KPN Consulting where he leads the Enterprise Architecture practice and consults to clients on Cloud Computing, Enterprise Mobility and The Internet of Everything. He is Co-Chair of The Open Group Open Platform 3.0™ Forum and was Co-Chair of the Cloud Computing Work Group’s Security for the Cloud and SOA project and a founding member of both The Open Group Cloud Computing Work Group and The Open Group SOA Work Group. Stuart is the author of publications by KPN, the Information Security Platform (PvIB) in The Netherlands and of his previous employer, CGI as well as several Open Group white papers, guides and standards. He is a frequent speaker at conferences on the topics of Open Platform 3.0 and Identity.

1 Comment

Filed under Enterprise Architecture, Enterprise Transformation, Identity Management, Professional Development, Uncategorized

Key Concepts Underpinning Identity Management

By Ian Dobson, The Open Group

Having trust in the true Identity of who and what we connect with in our global online world is vital if we are to have confidence in going online to buy and sell goods, as well as sharing any confidential or private information.  Today, the lack of trust in online Identity forces organizations to set up their own identity management systems, dishing out their own usernames and passwords/PINs for us.  The result is that we end up having to remember (or write and keep in a secret place) typically well over 50 different online identities, which poses a large problem since our online identities are stored by many organizations in many places that are attractive targets for identity thieves.

Online identity is important to all users of computing devices.  Today, our mobile phones are powerful computers.  There are so many mobile apps available that phones are no longer primarily used to make phone calls.  The Internet connects us to a global online world, so we need a global online identity ecosystem that’s robust enough to give us the confidence we need to feel safe and secure online.  Just like credit cards and passports, we need to aim for an online identity ecosystem that has a high-enough level of trust for it to work worldwide.

Of course, this is not easy, as identity is a complex subject.  Online identity experts have been working on trusted identities for many years now, but no acceptable identity ecosystem solution has emerged yet.  There are masses of publications written on the subject by and for technical experts. Two significant ones addressing design principles for online identity are Kim Cameron’s “Laws of Identity“, and the Jericho Forum’s Identity Commandments.

However, these design principles are written for technical experts.  Online identity is a multi-million dollar industry, so why is it so important to non-techie users of online services?

What’s In It For Me?
Why should I care?
Who else has a stake in this?
What’s the business case?
Why should I control my own identity?
Where does privacy come in?
What’s the problem with current solutions?
Why do identity schemes fail?
What key issues should I look for?
How might a practical scheme work?

This is where the Jericho Forum® took a lead.   They recognized the need to provide plain-language answers to these questions and more, so that end-users can appreciate the key issues that make online identity important to them and demand the industry provide identity solutions that make then safe and secure wherever they are in the world.  In August 2012, we published a set of five 4-minute “Identity Key Concepts” videos explaining in a non-techie way why trusted online identity is so important, and what key requirements are needed to create a trustworthy online identity ecosystem.

The Jericho Forum has now followed up by building on the key concepts explained in these five videos in our “Identity Commandments: Key Concepts” guide. This guide fills in the gaps that couldn’t be included in the videos and further explains why supporting practical initiatives aimed at developing a trusted global identity ecosystem is so important to everyone.

Here are links to other relevant identity publications:

Laws of Identity: http://www.identityblog.com/?p=354

Identity Commandments: https://www2.opengroup.org/ogsys/jsp/publications/PublicationDetails.jsp?publicationid=12677

Identity Key Concepts videos: https://collaboration.opengroup.org/jericho/?gpid=326

Identity Commandments: Key Concepts: https://www2.opengroup.org/ogsys/jsp/publications/PublicationDetails.jsp?publicationid=12724

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future.

Comments Off

Filed under Identity Management

Challenges to Building a Global Identity Ecosystem

By Jim Hietala and Ian Dobson, The Open Group

In our five identity videos from the Jericho Forum, a forum of The Open Group:

  • Video #1 explained the “Identity First Principles” – about people (or any entity) having a core identity and how we all operate with a number of personas.
  • Video #2 “Operating with Personas” explained how we use a digital core identifier to create digital personas –as many as we like – to mirror the way we use personas in our daily lives.
  • Video #3 described how “Trust and Privacy interact to provide a trusted privacy-enhanced identity ecosystem.
  • Video #4 “Entities and Entitlement” explained why identity is not just about people – we must include all entities that we want to identify in our digital world, and how “entitlement” rules control access to resources.

In this fifth video – Building a Global Identity Ecosystem – we highlight what we need to change and develop to build a viable identity ecosystem.

The Internet is global, so any identity ecosystem similarly must be capable of being adopted and implemented globally.

This means that establishing a trust ecosystem is essential to widespread adoption of an identity ecosystem. To achieve this, an identity ecosystem must demonstrate its architecture is sufficiently robust to scale to handle the many billions of entities that people all over the world will want, not only to be able to assert their identities and attributes, but also to handle the identities they will also want for all their other types of entities.

It also means that we need to develop an open implementation reference model, so that anyone in the world can develop and implement interoperable identity ecosystem identifiers, personas, and supporting services.

In addition, the trust ecosystem for asserting identities and attributes must be robust, to allow entities to make assertions that relying parties can be confident to consume and therefore use to make risk-based decisions. Agile roots of trust are vital if the identity ecosystem is to have the necessary levels of trust in entities, personas and attributes.

Key to the trust in this whole identity ecosystem is being able to immutably (enduringly and changelessly) link an entity to a digital Core Identifier, so that we can place full trust in knowing that only the person (or other type of entity) holding that Core Identifier can be the person (or other type of entity) it was created from, and no-one or thing can impersonate it. This immutable binding must be created in a form that guarantees the binding and include the interfaces necessary to connect with the digital world.  It should also be easy and cost-effective for all to use.

Of course, the cryptography and standards that this identity ecosystem depends on must be fully open, peer-reviewed and accepted, and freely available, so that all governments and interested parties can assure themselves, just as they can with AES encryption today, that it’s truly open and there are no barriers to implementation. The technologies needed around cryptography, one-way trusts, and zero-knowledge proofs, all exist today, and some of these are already implemented. They need to be gathered into a standard that will support the required model.

Adoption of an identity ecosystem requires a major mindset change in the thinking of relying parties – to receive, accept and use trusted identities and attributes from the identity ecosystem, rather than creating, collecting and verifying all this information for themselves. Being able to consume trusted identities and attributes will bring significant added value to relying parties, because the information will be up-to-date and from authoritative sources, all at significantly lower cost.

Now that you have followed these five Identity Key Concepts videos, we encourage you to use our Identity, Entitlement and Access (IdEA) commandments as the test to evaluate the effectiveness of all identity solutions – existing and proposed. The Open Group is also hosting an hour-long webinar that will preview all five videos and host an expert Q&A shortly afterward on Thursday, August 16.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

 

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future.

1 Comment

Filed under Identity Management, Uncategorized

WEBINAR: The Jericho Forum Presents Identity Key Concepts

By Ian Dobson, The Open Group

On Thursday, August 16 at 8:00 a.m. PT/ 4:00 p.m. BST/5:00 p.m. CET, identity management experts will host a webinar to discuss the key concepts in identity management today.

The Jericho Forum recently published a video series that looked at the topics of “Identity First Principles,” “Operating with Personas,” “Trust and Privacy” and Entities and Entitlement. The fifth and final video will be released on Tuesday, August 14 and will examine the global identity ecosystem and the key challenges that need to be solved in order to realize it.

During the hour-long webinar, the panel will preview these five short videos, which explain in cartoon-style why “identity” is important to everyone – eBusiness managers, eCommerce operations and individual eConsumers – and how to safeguard our ability to control and manage our own identity and privacy in cyberspace. Then, a panel Q&A will discuss the need as to why every online user needs an identity ecosystem that satisfies our Jericho Forum Identity Commandments. The webinar will also coincide with the second day of the inaugural NSTIC Identity Ecosystem Steering Group meeting in Chicago on August 15-16, in which The Open Group will be a strongly supportive participant.

The webinar panel is made up of the following members and advocates of the Jericho Forum:

  • Guy Bunker, Jericho Forum Steering Committee member
  • Ian Dobson, The Open Group
  • Jim Hietala, The Open Group
  • Dazza Greenwood, MIT Media Labs
  • Paul Simmonds, Jericho Forum founding member
  • Andrew Yeomans, Jericho Forum founding member

To register for the webinar please visit: https://opengroupevents.webex.com/ec0606l/eventcenter/enroll/join.do?confViewID=1002904418&theAction=detail&confId=1002904418&path=program_detail&siteurl=opengroupevents

Here are some additional resources on the topic of identity management that were developed around The Open Group conference in Washington, D.C.:

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future.

2 Comments

Filed under Identity Management

Entities and Entitlement – The Bigger Picture of Identity Management

By Jim Hietala and Ian Dobson, The Open Group

In the first of these five identity videos from the Jericho Forum, a forum of The Open Group, we explained the “Identity First Principles” – about people (or any entity) having a core identity, and how we all operate with a number of personas. In the second “Operating with Personas” video, we explained how we use a digital core identifier to create digital personas –as many as we like – to mirror the way we use personas in our daily lives. And in the third video we described how “Trust and Privacy” interact to provide a trusted privacy-enhanced identity ecosystem.

In this fourth “Entities and Entitlement” video, we explain the bigger picture – why identity is not just about people. It’s about all things – we call them “entities” – that we want to identify in our digital world. Also, an identity ecosystem doesn’t stop at just “identity,” but additionally involves “entitlement” to access resources.

In our identity ecosystem, we define five types of “entity” that require digital identity: people, devices, organizations, code and agents. For example, a laptop is a device that needs identity. Potentially this device is a company-owned laptop and, therefore, will have a “corporate laptop” persona involving an organization identity. The laptop is running code (we include data in this term), and this code needs to be trusted, therefore, necessitating both identity and attributes. Finally there are agents – someone or something you give authority to act on your behalf. For example, you may give your personal assistant the authority to use specified attributes of your business credit card and frequent flyer personas to book your travel, but your assistant would use their identity.

Identity needs to encompass all these entities to ensure a trusted transaction chain.

All entities having their identity defined using interoperable identifiers allows for rich risk-based decisions to be made. This is “entitlement” – a set of rules, defined by the resource owner, for managing access to a resource (asset, service, or entity) and for what purpose. The level of access is conditioned not only by your identity but is also likely to be constrained by a number of further security considerations. For example your company policy, your location (i.e., are you inside your secure corporate environment, connected via a hotspot or from an Internet café, etc.) or time of day.

In the final (fifth) video, which will be released next Tuesday, August 14, we will examine how this all fits together into a global Identity ecosystem and the key challenges that need to be solved in order to realize it.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future.

1 Comment

Filed under Identity Management

Trust and Privacy – In an Identity Management Ecosystem

By Jim Hietala and Ian Dobson, The Open Group

In the first of these five identity videos from the Jericho Forum, a forum of The Open Group, we explained the “Identity First Principles” – about people (or any entity) having a core identity, and how we all operate with a number of personas. In the second “Operating with Personas” video, we explained how creating a digital core identifier from your (real-world) core identity must involve a trusted process that is immutable (i.e. enduring and unchangeable), and how we can create digital personas –as many as we like – to mirror the way we use personas in our daily lives.

This third video explains how trust and privacy interact to provide a trusted privacy-enhanced identity ecosystem:

Each persona requires only the personal information (attributes) it needs it assert what a relying party needs to know, and no more.  For example, your “eGovernment citizen” persona would link your core identifier to your national government confirmation that you are a citizen, so if this persona is hacked, then only the attribute information of you being a citizen would be exposed and nothing else.  No other attributes about you would be revealed, thereby protecting all your other identity information and your privacy.

This is a fundamental difference to having an identity provider that maintains a super-store containing all your attributes, which would all be exposed if it was successfully hacked, or possibly mis-used under some future change-of-use marketing or government regulatory power. Remember, too, that once you give someone else, including identity providers, personal information, then you‘ve given up your control over how well it’s maintained/updated and used in the future.

If a relying party needs a higher level of trust before accepting that the digital you is really you, then you can create a new persona with additional attributes that will provide the required level of trust, or you can supply several of your personas (e.g., your address persona, your credit card persona and your online purchasing account persona), which together provide the relying party with the level of trust they need. A good example of this is buying a high-value item to be delivered to your door. Again, you only have to reveal information about you that the relying party requires.  This minimizes the exposure of your identity attributes and anyone’s ability to aggregate identity information about you.

In the next (fourth) video, which will be released next Tuesday, August 7, we will look at the bigger picture to understand why the identity ecosystem needs to be about more than just people.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future. 

Comments Off

Filed under Identity Management