Tag Archives: Jim Hietala

Big Data Security Tweet Jam

By Patty Donovan, The Open Group

On Tuesday, January 22, The Open Group will host a tweet jam examining the topic of Big Data and its impact on the security landscape.

Recently, Big Data has been dominating the headlines, analyzing everything about the topic from how to manage and process it, to the way it will impact your organization’s IT roadmap. As 2012 came to a close, analyst firm, Gartner predicted that data will help drive IT spending to $3.8 trillion in 2014. Knowing the phenomenon is here to stay, enterprises face a new and daunting challenge of how to secure Big Data. Big Data security also raises other questions, such as: Is Big Data security different from data security? How will enterprises handle Big Data security? What is the best approach to Big Data security?

It’s yet to be seen if Big Data will necessarily revolutionize enterprise security, but it certainly will change execution – if it hasn’t already. Please join us for our upcoming Big Data Security tweet jam where leading security experts will discuss the merits of Big Data security.

Please join us on Tuesday, January 22 at 9:00 a.m. PT/12:00 p.m. ET/5:00 p.m. GMT for a tweet jam, moderated by Dana Gardner (@Dana_Gardner), ZDNet – Briefings Direct, that will discuss and debate the issues around big data security. Key areas that will be addressed during the discussion include: data security, privacy, compliance, security ethics and, of course, Big Data. We welcome Open Group members and interested participants from all backgrounds to join the session and interact with our panel of IT security experts, analysts and thought leaders led by Jim Hietala (@jim_hietala) and Dave Lounsbury (@Technodad) of The Open Group. To access the discussion, please follow the #ogChat hashtag during the allotted discussion time.

And for those of you who are unfamiliar with tweet jams, here is some background information:

What Is a Tweet Jam?

A tweet jam is a one hour “discussion” hosted on Twitter. The purpose of the tweet jam is to share knowledge and answer questions on Big Data security. Each tweet jam is led by a moderator and a dedicated group of experts to keep the discussion flowing. The public (or anyone using Twitter interested in the topic) is encouraged to join the discussion.

Participation Guidance

Whether you’re a newbie or veteran Twitter user, here are a few tips to keep in mind:

  • Have your first #ogChat tweet be a self-introduction: name, affiliation, occupation.
  • Start all other tweets with the question number you’re responding to and the #ogChat hashtag.
    • Sample: “Q1 enterprises will have to make significant adjustments moving forward to secure Big Data environments #ogChat”
    • Please refrain from product or service promotions. The goal of a tweet jam is to encourage an exchange of knowledge and stimulate discussion.
    • While this is a professional get-together, we don’t have to be stiff! Informality will not be an issue!
    • A tweet jam is akin to a public forum, panel discussion or Town Hall meeting – let’s be focused and thoughtful.

If you have any questions prior to the event or would like to join as a participant, please direct them to Rod McLeod (rmcleod at bateman-group dot com). We anticipate a lively chat and hope you will be able to join!

 

patricia donovanPatricia Donovan is Vice President, Membership & Events, at The Open Group and a member of its executive management team. In this role she is involved in determining the company’s strategic direction and policy as well as the overall management of that business area. Patricia joined The Open Group in 1988 and has played a key role in the organization’s evolution, development and growth since then. She also oversees the company’s marketing, conferences and member meetings. She is based in the U.S.

1 Comment

Filed under Tweet Jam

2013 Open Group Predictions, Vol. 1

By The Open Group

A big thank you to all of our members and staff who have made 2012 another great year for The Open Group. There were many notable achievements this year, including the release of ArchiMate 2.0, the launch of the Future Airborne Capability Environment (FACE™) Technical Standard and the publication of the SOA Reference Architecture (SOA RA) and the Service-Oriented Cloud Computing Infrastructure Framework (SOCCI).

As we wrap up 2012, we couldn’t help but look towards what is to come in 2013 for The Open Group and the industries we‘re a part of. Without further ado, here they are:

Big Data
By Dave Lounsbury, Chief Technical Officer

Big Data is on top of everyone’s mind these days. Consumerization, mobile smart devices, and expanding retail and sensor networks are generating massive amounts of data on behavior, environment, location, buying patterns – etc. – producing what is being called “Big Data”. In addition, as the use of personal devices and social networks continue to gain popularity so does the expectation to have access to such data and the computational power to use it anytime, anywhere. Organizations will turn to IT to restructure its services so it meets the growing expectation of control and access to data.

Organizations must embrace Big Data to drive their decision-making and to provide the optimal service mix services to customers. Big Data is becoming so big that the big challenge is how to use it to make timely decisions. IT naturally focuses on collecting data so Big Data itself is not an issue.. To allow humans to keep on top of this flood of data, industry will need to move away from programming computers for storing and processing data to teaching computers how to assess large amounts of uncorrelated data and draw inferences from this data on their own. We also need to start thinking about the skills that people need in the IT world to not only handle Big Data, but to make it actionable. Do we need “Data Architects” and if so, what would their role be?

In 2013, we will see the beginning of the Intellectual Computing era. IT will play an essential role in this new era and will need to help enterprises look at uncorrelated data to find the answer.

Security

By Jim Hietala, Vice President of Security

As 2012 comes to a close, some of the big developments in security over the past year include:

  • Continuation of hacktivism attacks.
  • Increase of significant and persistent threats targeting government and large enterprises. The notable U.S. National Strategy for Trusted Identities in Cyberspace started to make progress in the second half of the year in terms of industry and government movement to address fundamental security issues.
  • Security breaches were discovered by third parties, where the organizations affected had no idea that they were breached. Data from the 2012 Verizon report suggests that 92 percent of companies breached were notified by a third party.
  • Acknowledgement from senior U.S. cybersecurity professionals that organizations fall into two groups: those that know they’ve been penetrated, and those that have been penetrated, but don’t yet know it.

In 2013, we’ll no doubt see more of the same on the attack front, plus increased focus on mobile attack vectors. We’ll also see more focus on detective security controls, reflecting greater awareness of the threat and on the reality that many large organizations have already been penetrated, and therefore responding appropriately requires far more attention on detection and incident response.

We’ll also likely see the U.S. move forward with cybersecurity guidance from the executive branch, in the form of a Presidential directive. New national cybersecurity legislation seemed to come close to happening in 2012, and when it failed to become a reality, there were many indications that the administration would make something happen by executive order.

Enterprise Architecture

By Leonard Fehskens, Vice President of Skills and Capabilities

Preparatory to my looking back at 2012 and forward to 2013, I reviewed what I wrote last year about 2011 and 2012.

Probably the most significant thing from my perspective is that so little has changed. In fact, I think in many respects the confusion about what Enterprise Architecture (EA) and Business Architecture are about has gotten worse.

The stress within the EA community as both the demands being placed on it and the diversity of opinion within it increase continues to grow.  This year, I saw a lot more concern about the value proposition for EA, but not a lot of (read “almost no”) convergence on what that value proposition is.

Last year I wrote “As I expected at this time last year, the conventional wisdom about Enterprise Architecture continues to spin its wheels.”  No need to change a word of that. What little progress at the leading edge was made in 2011 seems to have had no effect in 2012. I think this is largely a consequence of the dust thrown in the eyes of the community by the ascendance of the concept of “Business Architecture,” which is still struggling to define itself.  Business Architecture seems to me to have supplanted last year’s infatuation with “enterprise transformation” as the means of compensating for the EA community’s entrenched IT-centric perspective.

I think this trend and the quest for a value proposition are symptomatic of the same thing — the urgent need for Enterprise Architecture to make its case to its stakeholder community, especially to the people who are paying the bills. Something I saw in 2011 that became almost epidemic in 2012 is conflation — the inclusion under the Enterprise Architecture umbrella of nearly anything with the slightest taste of “business” to it. This has had the unfortunate effect of further obscuring the unique contribution of Enterprise Architecture, which is to bring architectural thinking to bear on the design of human enterprise.

So, while I’m not quite mired in the slough of despond, I am discouraged by the community’s inability to advance the state of the art. In a private communication to some colleagues I wrote, “the conventional wisdom on EA is at about the same state of maturity as 14th century cosmology. It is obvious to even the most casual observer that the earth is both flat and the center of the universe. We debate what happens when you fall off the edge of the Earth, and is the flat earth carried on the back of a turtle or an elephant?  Does the walking of the turtle or elephant rotate the crystalline sphere of the heavens, or does the rotation of the sphere require the turtlephant to walk to keep the earth level?  These are obviously the questions we need to answer.”

Cloud

By Chris Harding, Director of Interoperability

2012 has seen the establishment of Cloud Computing as a mainstream resource for enterprise architects and the emergence of Big Data as the latest hot topic, likely to be mainstream for the future. Meanwhile, Service-Oriented Architecture (SOA) has kept its position as an architectural style of choice for delivering distributed solutions, and the move to ever more powerful mobile devices continues. These trends have been reflected in the activities of our Cloud Computing Work Group and in the continuing support by members of our SOA work.

The use of Cloud, Mobile Computing, and Big Data to deliver on-line systems that are available anywhere at any time is setting a new norm for customer expectations. In 2013, we will see the development of Enterprise Architecture practice to ensure the consistent delivery of these systems by IT professionals, and to support the evolution of creative new computing solutions.

IT systems are there to enable the business to operate more effectively. Customers expect constant on-line access through mobile and other devices. Business organizations work better when they focus on their core capabilities, and let external service providers take care of the rest. On-line data is a huge resource, so far largely untapped. Distributed, Cloud-enabled systems, using Big Data, and architected on service-oriented principles, are the best enablers of effective business operations. There will be a convergence of SOA, Mobility, Cloud Computing, and Big Data as they are seen from the overall perspective of the enterprise architect.

Within The Open Group, the SOA and Cloud Work Groups will continue their individual work, and will collaborate with other forums and work groups, and with outside organizations, to foster the convergence of IT disciplines for distributed computing.

3 Comments

Filed under Business Architecture, Cloud, Cloud/SOA, Cybersecurity, Enterprise Architecture

Data Protection Today and What’s Needed Tomorrow

By Ian Dobson and Jim Hietala, The Open Group

Technology today allows thieves to copy sensitive data, leaving the original in place and thus avoiding detection. One needn’t look far in today’s headlines to understand why protection of data is critical going forward. As this recent article from Bloomberg points out, penetrations of corporate IT systems with the aim to extract sensitive information, IP and other corporate data are rampant.  Despite the existence of data breach and data privacy laws in the U.S., EU and elsewhere, this issue is still not well publicized. The article cites specific intrusions at large consumer products companies, the EU, itself, law firms and a nuclear power plant.

Published in October 2012, the Jericho Forum® Data Protection white paper reviews the state of data protection today and where it should be heading to meet tomorrow’s business needs. The Open Group’s Jericho Forum contends that future data protection solutions must aim to provide stronger, more flexible protection mechanisms around the data itself.

The white paper argues that some of the current issues with data protection are:

  • It is too global and remote to be effective
  • Protection is neither granular nor interoperable enough
  • It’s not integrated with Centralized Authorization Services
  • Weak security services are relied on for enforcement

Refreshingly, it explains not only why, but also how. The white paper reviews the key issues surrounding data protection today; describes properties that data protection mechanisms should include to meet current and future requirements; considers why current technologies don’t deliver what is required; and proposes a set of data protection principles to guide the design of effective solutions.

It goes on to describe how data protection has evolved to where it’s at today, and outlines a series of target stages for progressively moving the industry forward to deliver stronger more flexible protection solutions that business managers are already demanding their IT systems managers provide.  Businesses require these solutions to ensure appropriate data protection levels are wrapped around the rapidly increasing volumes of confidential information that is shared with their business partners, suppliers, customers and outworkers/contractors on a daily basis.

Having mapped out an evolutionary path for what we need to achieve to move data protection forward in the direction our industry needs, we’re now planning optimum approaches for how to achieve each successive stage of protection. The Jericho Forum welcomes folks who want to join us in this important journey.

 

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

1 Comment

Filed under Cybersecurity

Challenges to Building a Global Identity Ecosystem

By Jim Hietala and Ian Dobson, The Open Group

In our five identity videos from the Jericho Forum, a forum of The Open Group:

  • Video #1 explained the “Identity First Principles” – about people (or any entity) having a core identity and how we all operate with a number of personas.
  • Video #2 “Operating with Personas” explained how we use a digital core identifier to create digital personas –as many as we like – to mirror the way we use personas in our daily lives.
  • Video #3 described how “Trust and Privacy interact to provide a trusted privacy-enhanced identity ecosystem.
  • Video #4 “Entities and Entitlement” explained why identity is not just about people – we must include all entities that we want to identify in our digital world, and how “entitlement” rules control access to resources.

In this fifth video – Building a Global Identity Ecosystem – we highlight what we need to change and develop to build a viable identity ecosystem.

The Internet is global, so any identity ecosystem similarly must be capable of being adopted and implemented globally.

This means that establishing a trust ecosystem is essential to widespread adoption of an identity ecosystem. To achieve this, an identity ecosystem must demonstrate its architecture is sufficiently robust to scale to handle the many billions of entities that people all over the world will want, not only to be able to assert their identities and attributes, but also to handle the identities they will also want for all their other types of entities.

It also means that we need to develop an open implementation reference model, so that anyone in the world can develop and implement interoperable identity ecosystem identifiers, personas, and supporting services.

In addition, the trust ecosystem for asserting identities and attributes must be robust, to allow entities to make assertions that relying parties can be confident to consume and therefore use to make risk-based decisions. Agile roots of trust are vital if the identity ecosystem is to have the necessary levels of trust in entities, personas and attributes.

Key to the trust in this whole identity ecosystem is being able to immutably (enduringly and changelessly) link an entity to a digital Core Identifier, so that we can place full trust in knowing that only the person (or other type of entity) holding that Core Identifier can be the person (or other type of entity) it was created from, and no-one or thing can impersonate it. This immutable binding must be created in a form that guarantees the binding and include the interfaces necessary to connect with the digital world.  It should also be easy and cost-effective for all to use.

Of course, the cryptography and standards that this identity ecosystem depends on must be fully open, peer-reviewed and accepted, and freely available, so that all governments and interested parties can assure themselves, just as they can with AES encryption today, that it’s truly open and there are no barriers to implementation. The technologies needed around cryptography, one-way trusts, and zero-knowledge proofs, all exist today, and some of these are already implemented. They need to be gathered into a standard that will support the required model.

Adoption of an identity ecosystem requires a major mindset change in the thinking of relying parties – to receive, accept and use trusted identities and attributes from the identity ecosystem, rather than creating, collecting and verifying all this information for themselves. Being able to consume trusted identities and attributes will bring significant added value to relying parties, because the information will be up-to-date and from authoritative sources, all at significantly lower cost.

Now that you have followed these five Identity Key Concepts videos, we encourage you to use our Identity, Entitlement and Access (IdEA) commandments as the test to evaluate the effectiveness of all identity solutions – existing and proposed. The Open Group is also hosting an hour-long webinar that will preview all five videos and host an expert Q&A shortly afterward on Thursday, August 16.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

 

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future.

1 Comment

Filed under Identity Management, Uncategorized

Entities and Entitlement – The Bigger Picture of Identity Management

By Jim Hietala and Ian Dobson, The Open Group

In the first of these five identity videos from the Jericho Forum, a forum of The Open Group, we explained the “Identity First Principles” – about people (or any entity) having a core identity, and how we all operate with a number of personas. In the second “Operating with Personas” video, we explained how we use a digital core identifier to create digital personas –as many as we like – to mirror the way we use personas in our daily lives. And in the third video we described how “Trust and Privacy” interact to provide a trusted privacy-enhanced identity ecosystem.

In this fourth “Entities and Entitlement” video, we explain the bigger picture – why identity is not just about people. It’s about all things – we call them “entities” – that we want to identify in our digital world. Also, an identity ecosystem doesn’t stop at just “identity,” but additionally involves “entitlement” to access resources.

In our identity ecosystem, we define five types of “entity” that require digital identity: people, devices, organizations, code and agents. For example, a laptop is a device that needs identity. Potentially this device is a company-owned laptop and, therefore, will have a “corporate laptop” persona involving an organization identity. The laptop is running code (we include data in this term), and this code needs to be trusted, therefore, necessitating both identity and attributes. Finally there are agents – someone or something you give authority to act on your behalf. For example, you may give your personal assistant the authority to use specified attributes of your business credit card and frequent flyer personas to book your travel, but your assistant would use their identity.

Identity needs to encompass all these entities to ensure a trusted transaction chain.

All entities having their identity defined using interoperable identifiers allows for rich risk-based decisions to be made. This is “entitlement” – a set of rules, defined by the resource owner, for managing access to a resource (asset, service, or entity) and for what purpose. The level of access is conditioned not only by your identity but is also likely to be constrained by a number of further security considerations. For example your company policy, your location (i.e., are you inside your secure corporate environment, connected via a hotspot or from an Internet café, etc.) or time of day.

In the final (fifth) video, which will be released next Tuesday, August 14, we will examine how this all fits together into a global Identity ecosystem and the key challenges that need to be solved in order to realize it.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future.

1 Comment

Filed under Identity Management

Trust and Privacy – In an Identity Management Ecosystem

By Jim Hietala and Ian Dobson, The Open Group

In the first of these five identity videos from the Jericho Forum, a forum of The Open Group, we explained the “Identity First Principles” – about people (or any entity) having a core identity, and how we all operate with a number of personas. In the second “Operating with Personas” video, we explained how creating a digital core identifier from your (real-world) core identity must involve a trusted process that is immutable (i.e. enduring and unchangeable), and how we can create digital personas –as many as we like – to mirror the way we use personas in our daily lives.

This third video explains how trust and privacy interact to provide a trusted privacy-enhanced identity ecosystem:

Each persona requires only the personal information (attributes) it needs it assert what a relying party needs to know, and no more.  For example, your “eGovernment citizen” persona would link your core identifier to your national government confirmation that you are a citizen, so if this persona is hacked, then only the attribute information of you being a citizen would be exposed and nothing else.  No other attributes about you would be revealed, thereby protecting all your other identity information and your privacy.

This is a fundamental difference to having an identity provider that maintains a super-store containing all your attributes, which would all be exposed if it was successfully hacked, or possibly mis-used under some future change-of-use marketing or government regulatory power. Remember, too, that once you give someone else, including identity providers, personal information, then you‘ve given up your control over how well it’s maintained/updated and used in the future.

If a relying party needs a higher level of trust before accepting that the digital you is really you, then you can create a new persona with additional attributes that will provide the required level of trust, or you can supply several of your personas (e.g., your address persona, your credit card persona and your online purchasing account persona), which together provide the relying party with the level of trust they need. A good example of this is buying a high-value item to be delivered to your door. Again, you only have to reveal information about you that the relying party requires.  This minimizes the exposure of your identity attributes and anyone’s ability to aggregate identity information about you.

In the next (fourth) video, which will be released next Tuesday, August 7, we will look at the bigger picture to understand why the identity ecosystem needs to be about more than just people.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future. 

Comments Off

Filed under Identity Management

Real-world and Online Personas – From an Identity Management Perspective

By Jim Hietala and Ian Dobson, The Open Group

In the first of the five identity videos from the Jericho Forum, a forum of The Open Group, we explained the “Identity First Principles” – about people (or any entity) having a core identity, and how we all operate with a number of personas that should be under our control using the principle of primacy, i.e., giving you the ability to control the information about your own identity. You may, of course, decide to pass that control on to some other identity management party.

In this second “Operating with Personas” video, we explain how creating a digital core identifier from your (real-world) core identity must involve a trusted process that is immutable, enduring and unchangeable.

We then describe how we need to create digital personas to mirror the way we use personas in our daily lives – at work, at home, handling our bank accounts, with the tax authority, at the golf club, etc. We can create as many digital personas for ourselves as we wish and can also create new personas from existing ones. We explain the importance of the resulting identity tree, which only works one-way; to protect privacy, we can never go back up the tree to find out about other personas created from the core identifier, especially not the real-world core identity itself. Have a look for yourself:

As you can see, the trust that a relying party has in a persona is a combination of the trust in its derivation from an immutable and secret core identifier – its binding to a trusted organizational identifier, and its attribute information provided by the relevant trusted attribute provider.

In the next (third) video, which will be released next Tuesday, July 31, we will see how trust and persona interact to provide a privacy-enhanced identity ecosystem.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future. 

Comments Off

Filed under Identity Management