Tag Archives: OTTF

Why Technology Must Move Toward Dependability through Assuredness™

By Allen Brown, President and CEO, The Open Group

In early December, a technical problem at the U.K.’s central air traffic control center in Swanwick, England caused significant delays that were felt at airports throughout Britain and Ireland, also affecting flights in and out of the U.K. from Europe to the U.S. At Heathrow—one of the world’s largest airports—alone, there were a reported 228 cancellations, affecting 15 percent of the 1,300 daily flights flying to and from the airport. With a ripple effect that also disturbed flight schedules at airports in Birmingham, Dublin, Edinburgh, Gatwick, Glasgow and Manchester, the British National Air Traffic Services (NATS) were reported to have handled 20 percent fewer flights that day as a result of the glitch.

According to The Register, the problem was caused when a touch-screen telephone system that allows air traffic controllers to talk to each other failed to update during what should have been a routine shift change from the night to daytime system. According to news reports, the NATS system is the largest of its kind in Europe, containing more than a million lines of code. It took the engineering and manufacturing teams nearly a day to fix the problem. As a result of the snafu, Irish airline Ryanair even went so far as to call on Britain’s Civil Aviation Authority to intervene to prevent further delays and to make sure better contingency efforts are in place to prevent such failures happening again.

Increasingly complex systems

As businesses have come to rely more and more on technology, the systems used to keep operations running smoothly from day to day have gotten not only increasingly larger but increasingly complex. We are long past the days where a single mainframe was used to handle a few batch calculations.

Today, large global organizations, in particular, have systems that are spread across multiple centers of technical operations, often scattered in various locations throughout the globe. And with industries also becoming more inter-related, even individual company systems are often connected to larger extended networks, such as when trading firms are connected to stock exchanges or, as was the case with the Swanwick failure, airlines are affected by NATS’ network problems. Often, when systems become so large that they are part of even larger interconnected systems, the boundaries of the entire system are no longer always known.

The Open Group’s vision for Boundaryless Information Flow™ has never been closer to fruition than it is today. Systems have become increasingly open out of necessity because commerce takes place on a more global scale than ever before. This is a good thing. But as these systems have grown in size and complexity, there is more at stake when they fail than ever before.

The ripple effect felt when technical problems shut down major commercial systems cuts far, wide and deep. Problems such as what happened at Swanwick can affect the entire extended system. In this case, NATS, for example, suffers from damage to its reputation for maintaining good air traffic control procedures. The airlines suffer in terms of cancelled flights, travel vouchers that must be given out and angry passengers blasting them on social media. The software manufacturers and architects of the system are blamed for shoddy planning and for not having the foresight to prevent failures. And so on and so on.

Looking for blame

When large technical failures happen, stakeholders, customers, the public and now governments are beginning to look for accountability for these failures, for someone to assign blame. When the Obamacare website didn’t operate as expected, the U.S. Congress went looking for blame and jobs were lost. In the NATS fiasco, Ryanair asked for the government to intervene. Risk.net has reported that after the Royal Bank of Scotland experienced a batch processing glitch last summer, the U.K. Financial Services Authority wrote to large banks in the U.K. requesting they identify the people in their organization’s responsible for business continuity. And when U.S. trading company Knight Capital lost $440 million in 40 minutes when a trading software upgrade failed in August, U.S. Securities and Exchange Commission Chairman Mary Schapiro was quoted in the same article as stating: “If there is a financial loss to be incurred, it is the firm committing the error that should suffer that loss, not its customers or other investors. That more than anything sends a wake-up call to the entire industry.”

As governments, in particular, look to lay blame for IT failures, companies—and individuals—will no longer be safe from the consequences of these failures. And it won’t just be reputations that are lost. Lawsuits may ensue. Fines will be levied. Jobs will be lost. Today’s organizations are at risk, and that risk must be addressed.

Avoiding catastrophic failure through assuredness

As any IT person or Enterprise Architect well knows, completely preventing system failure is impossible. But mitigating system failure is not. Increasingly the task of keeping systems from failing—rather than just up and running—will be the job of CTOs and enterprise architects.

When systems grow to a level of massive complexity that encompasses everything from old legacy hardware to Cloud infrastructures to worldwide data centers, how can we make sure those systems are reliable, highly available, secure and maintain optimal information flow while still operating at a maximum level that is cost effective?

In August, The Open Group introduced the first industry standard to address the risks associated with large complex systems, the Dependability through Assuredness™ (O-DA) Framework. This new standard is meant to help organizations both determine system risk and help prevent failure as much as possible.

O-DA provides guidelines to make sure large, complex, boundaryless systems run according to the requirements set out for them while also providing contingencies for minimizing damage when stoppage occurs. O-DA can be used as a standalone or in conjunction with an existing architecture development method (ADM) such as the TOGAF® ADM.

O-DA encompasses lessons learned within a number of The Open Group’s forums and work groups—it borrows from the work of the Security Forum’s Dependency Modeling (O-DM) and Risk Taxonomy (O-RT) standards and also from work done within the Open Group Trusted Technology Forum and the Real-Time and Embedded Systems Forums. Much of the work on this standard was completed thanks to the efforts of The Open Group Japan and its members.

This standard addresses the issue of responsibility for technical failures by providing a model for accountability throughout any large system. Accountability is at the core of O-DA because without accountability there is no way to create dependability or assuredness. The standard is also meant to address and account for the constant change that most organization’s experience on a daily basis. The two underlying principles within the standard provide models for both a change accommodation cycle and a failure response cycle. Each cycle, in turn, provides instructions for creating a dependable and adaptable architecture, providing accountability for it along the way.

oda2

Ultimately, the O-DA will help organizations identify potential anomalies and create contingencies for dealing with problems before or as they happen. The more organizations can do to build dependability into large, complex systems, hopefully the less technical disasters will occur. As systems continue to grow and their boundaries continue to blur, assuredness through dependability and accountability will be an integral part of managing complex systems into the future.

Allen Brown

Allen Brown is President and CEO, The Open Group – a global consortium that enables the achievement of business objectives through IT standards.  For over 14 years Allen has been responsible for driving The Open Group’s strategic plan and day-to-day operations, including extending its reach into new global markets, such as China, the Middle East, South Africa and India. In addition, he was instrumental in the creation of the AEA, which was formed to increase job opportunities for all of its members and elevate their market value by advancing professional excellence.

Leave a comment

Filed under Dependability through Assuredness™, Standards

New Accreditation Program – Raises the Bar for Securing Global Supply Chains

By Sally Long, Director of The Open Group Trusted Technology Forum (OTTF)™

In April 2013, The Open Group announced the release of the Open Trusted Technology Provider™ Standard (O-TTPS) 1.0 – Mitigating Maliciously Tainted and Counterfeit Products. Now we are announcing the O-TTPS Accreditation Program, launched on February 3, 2014, which enables organizations that conform to the standard to be accredited as Open Trusted Technology Providers™.

The O-TTPS, a standard of The Open Group, provides a set of guidelines, recommendations and requirements that help assure against maliciously tainted and counterfeit products throughout commercial off-the-shelf (COTS) information and communication technology (ICT) product lifecycles. The standard includes best practices throughout all phases of a product’s life cycle: design, sourcing, build, fulfillment, distribution, sustainment, and disposal, thus enhancing the integrity of COTS ICT products and the security of their global supply chains.

This accreditation program is one of the first of its kind in providing accreditation for conforming to standards for product integrity coupled with supply chain security.

The standard and the accreditation program are the result of a collaboration between government, third party evaluators and some of industry’s most mature and respected providers who came together and, over a period of four years, shared their practices for integrity and security, including those used in-house and those used with their own supply chains.

Applying for O-TTPS Accreditation

When the OTTF started this initiative, one of its many mantras was “raise all boats.” The  objective was to raise the security bar across the full spectrum of the supply chain, from small component suppliers to the providers who include those components in their products and to the integrators who incorporate those providers’ products into customers’ systems.

The O-TTPS Accreditation Program is open to all component suppliers, providers and integrators. The holistic aspect of this program’s potential, as illustrated in the diagram below should not be underestimated—but it will take a concerted effort to reach and encourage all constituents in the supply chain to become involved.

OTTPSThe importance of mitigating the risk of maliciously tainted and counterfeit products

The focus on mitigating the risks of tainted and counterfeit products by increasing the security of the supply chain is critical in today’s global economy. Virtually nothing is made from one source.

COTS ICT supply chains are complex. A single product can be comprised of hundreds of components from multiple component suppliers from numerous different areas around the world—and providers can change their component suppliers frequently depending on the going rate for a particular component.  If, along the supply chain, bad things happen, such as inserting counterfeit components in place of authentic ones or inserting maliciously tainted code or the double-hammer—maliciously tainted counterfeit parts—then terrible things can happen when that product is installed at a customer site.

With the threat of tainted and counterfeit technology products posing a major risk to global organizations, it is increasingly important for those organizations to take what steps they can to mitigate these risks. The O-TTPS Accreditation Program is one of those steps. Can an accreditation program completely eliminate the risk of tainted and counterfeit components? No!  Does it reduce the risk? Absolutely!

How the Accreditation Program works

The Open Group, with over 25 years’ experience managing vendor- and technology-neutral certification programs, will assume the role of the Accreditation Authority over the entire program. Additionally the program will utilize third-party assessors to assess conformance to the O-TTPS requirements.

Companies seeking accreditation will declare their Scope of Accreditation, which means they can choose to be accredited for conforming to the O-TTPS standard and adhering to the best practice requirements across their entire enterprise, within a specific product line or business unit or within an individual product.  Organizations applying for accreditation are then required to provide evidence of conformance for each of the O-TTPS requirements, demonstrating they have the processes in place to secure in-house development and their supply chains across the entire COTS ICT product lifecycle. O-TTPS accredited organizations will then be able to identify themselves as Open Trusted Technology Providers™ and will become part of a public registry of trusted providers.

The Open Group has also instituted the O-TTPS Recognized Assessor Program, which assures that Recognized Assessor (companies) meet certain criteria as assessor organizations and that their assessors (individuals) meet an additional set of criteria and have passed the O-TTPS Assessor exam, before they can be assigned to an O-TTPS Assessment. The Open Group will operate this program, grant O-TTPS Recognized Assessor certificates and list those qualifying organizations on a public registry of recognized assessor companies.

Efforts to increase awareness of the program

The Open Group understands that to achieve global uptake we need to reach out to other countries across the globe for market adoption, as well as to other standards groups for harmonization. The forum has a very active outreach and harmonization work group and the OTTF is increasingly being recognized for its efforts. A number of prominent U.S. government agencies, including the General Accounting Office and NASA have recognized the standard as an important supply chain security effort. Dave Lounsbury, the CTO of The Open Group, has testified before Congress on the value of this initiative from the industry-government partnership perspective. The Open Group has also met with President Obama’s Cybersecurity Coordinators (past and present) to apprise them of our work. We continue to work closely with NIST from the perspective of the Cybersecurity Framework, which recognizes the supply chain as a critical area for the next version, and the OTTF work is acknowledged in NIST’s Special Publication 161. We have liaisons with ISO and are working internally at mapping our standards and accreditation to Common Criteria. The O-TTPS has also been discussed with government agencies in China, India, Japan and the UK.

The initial version of the standard and the accreditation program are just the beginning. OTTF members will continue to evolve both the standard and the accreditation program to provide additional versions that refine existing requirements, introduce additional requirements, and cover additional threats. And the outreach and harmonization efforts will continue to strengthen so that we can reach that holistic potential of Open Trusted Technology Providers™ throughout all global supply chains.

For more details on the O-TTPS accreditation program, to apply for accreditation, or to learn more about becoming an O-TTPS Recognized Assessor visit the O-TTPS Accreditation page.

For more information on The Open Group Trusted Technology Forum please visit the OTTF Home Page.

The O-TTPS standard and the O-TTPS Accreditation Policy they are freely available from the Trusted Technology Section in The Open Group Bookstore.

For information on joining the OTTF membership please contact Mike Hickey – m.hickey@opengroup.org

Sally LongSally Long is the Director of The Open Group Trusted Technology Forum (OTTF). She has managed customer supplier forums and collaborative development projects for over twenty years. She was the release engineering section manager for all multi-vendor collaborative technology development projects at The Open Software Foundation (OSF) in Cambridge Massachusetts. Following the merger of the OSF and X/Open under The Open Group, she served as director for multiple forums in The Open Group. Sally has a Bachelor of Science degree in Electrical Engineering from Northeastern University in Boston, Massachusetts.

Leave a comment

Filed under Cybersecurity, OTTF, Supply chain risk

The Open Group Philadelphia – Day Two Highlights

By Loren K. Baynes, Director, Global Marketing Communications at The Open Group.

philly 2.jpgDay 2 at The Open Group conference in the City of Brotherly Love, as Philadelphia is also known, was another busy and remarkable day.

The plenary started with a fascinating presentation, “Managing the Health of the Nation” by David Nash, MD, MBA, Dean of Jefferson School of Population Health.  Healthcare is the number one industry in the city of Philadelphia, with the highest number of patients in beds in the top 10 US cities. The key theme of his thought-provoking speech was “boundaryless information sharing” (sound familiar?), which will enable a healthcare system that is “safe, effective, patient-centered, timely, equitable, efficient”.

Following Dr. Nash’s presentation was the Healthcare Transformation Panel moderated by Allen Brown, CEO of The Open Group.  Participants were:  Gina Uppal (Fulbright-Killam Fellow, American University Program), Mike Lambert (Open Group Fellow, Architecting the Enterprise), Rosemary Kennedy (Associate Professor, Thomas Jefferson University), Blaine Warkentine, MD, MPH and Fran Charney (Pennsylvania Patient Safety Authority). The group brought different sets of experiences within the healthcare system and provided reaction to Dr. Nash’s speech.  All agree on the need for fundamental change and that technology will be key.

The conference featured a spotlight on The Open Group’s newest forum, Open Platform 3.0™ by Dr. Chris Harding, Director of Interoperability.  Open Platform 3.0 was formed to advance The Open Group vision of Boundaryless Information Flow™ to help enterprises in the use of Cloud, Social, Mobile Computing and Big Data.  For more info; http://www.opengroup.org/getinvolved/forums/platform3.0

The Open Group flourishes because of people interaction and collaboration.  The accolades continued with several members being recognized for their outstanding contributions to The Open Group Trusted Technology Forum (OTTF) and the Service-Oriented Architecture (SOA) and Cloud Computing Work Groups.  To learn more about our Forums and Work Groups and how to get involved, please visit http://www.opengroup.org/getinvolved

Presentations and workshops were also held in the Healthcare, Finance and Government vertical industries. Presenters included Larry Schmidt (Chief Technologist, HP), Rajamanicka Ponmudi (IT Architect, IBM) and Robert Weisman (CEO, Build the Vision, Inc.).

2 Comments

Filed under ArchiMate®, Business Architecture, Cloud/SOA, Conference, Cybersecurity, Data management, Enterprise Architecture, Enterprise Transformation, Healthcare, O-TTF, Open Platform 3.0, Security Architecture, Standards, TOGAF®

Developing standards to secure our global supply chain

By Sally Long, Director of The Open Group Trusted Technology Forum (OTTF)™

In a world where tainted and counterfeit products pose significant risks to organizations, we see an increasing need for a standard that protects both organizations and consumers. Altered or non-genuine products introduce the possibility of untracked malicious behavior or poor performance. These risks can damage both customers and suppliers resulting in the potential for failed or inferior products, revenue and brand equity loss and disclosure of intellectual property.

On top of this, cyber-attacks are growing more sophisticated, forcing technology suppliers and governments to take a more comprehensive approach to risk management as it applies to product integrity and supply chain security. Customers are now seeking assurances that their providers are following standards to mitigate the risks of tainted and counterfeit components, while providers of Commercial Off-the-Shelf (COTS) Information and Communication Technology (ICT) products are focusing on protecting the integrity of their products and services as they move through the global supply chain.

In this climate we need a standard more than ever, which is why today we’re proud to announce the publication of the Open Trusted Technology Provider Standard (O-TTPS)™(Standard). The O-TTPS is the first complete standard published by The Open Group Trusted Technology Forum (OTTF)™ which will benefit global providers and acquirers of COTS and ICT products.

The first of its kind, the open standard has been developed to help organizations achieve Trusted Technology Provider status, assuring the integrity of COTS and ICT products worldwide and safeguarding the global supply chain against the increased sophistication of cyber security attacks.

Specifically intended to prevent maliciously tainted and counterfeit products from entering the supply chain, the standard codifies best practices across the entire COTS ICT product lifecycle, including the design, sourcing, build, fulfilment, distribution, sustainment, and disposal phases. Our intention is that it will help raise the bar globally by helping the technology industry and its customers to “Build with Integrity, Buy with Confidence.”™.

What’s next?

The OTTF is now working to develop an accreditation program to help provide assurance that Trusted Technology Providers conform to the O-TTPS Standard. The planned accreditation program is intended to mitigate maliciously tainted and counterfeit products by raising the assurance bar for: component suppliers, technology providers, and integrators, who are part of and depend on the global supply chain.Using the guidelines and best practices documented in the Standard as a basis, the OTTF will also release updated versions of the O-TTPS Standard based on changes to the threat landscape.

Interested in seeing the Standard for yourself? You can download it directly from The Open Group Bookstore, here. For more information on The Open Group Trusted Technology Forum, please click here, or keep checking back on the blog for updates.

 

2 Comments

Filed under Uncategorized

Quick Hit Thoughts from RSA Conference 2013

By Joshua Brickman, CA Technologies

I have a great job at CA Technologies, I can’t deny it. Working in CA Technologies Federal Certification Program Office, I have the responsibility of knowing what certifications, accreditations, mandates, etc. are relevant and then helping them get implemented.

One of the responsibilities (and benefits) of my job is getting to go to great conferences like the RSA Security Conference which just wrapped last week. This year I was honored to be selected by the Program Committee to speak twice at the event. Both talks fit well to the Policy and Government track at the show.

First I was on a panel with a distinguished group of senior leaders from both industry and government. The title of the session was, Certification of Products or Accreditation of Organizations: Which to Do? The idea was to discuss the advantages and disadvantages of individual product certifications vs. looking at an entire company or business unit. Since I’ve led CA through many product certifications (certs) and have been involved in accreditation programs as well, my position was to be able to bring real-world industry perspective to the panel. The point I tried to make was that product certs (like Common Criteria – CC) add value, but only for the specific purpose that they are designed for (security functions). We’ve seen CC expanding beyond just security enforcing products and that’s concerning. Product certs are expensive, time consuming and take away from time that could be spent on innovation. We want to do CC when it will be long lasting and add value.

On the idea of accreditation of organizations, I first talked about CMMI and my views on its challenges. I then shifted to the Open Trusted Technology Forum (OTTF), a forum of The Open Group, as I’ve written about before and said that the accreditation program that group is building is more focused than CMMI. OTTF is building something that  – when adopted by industry and THEIR suppliers – will provide assurance that technology is being built the right way (best practices) and will give acquirers confidence that products bought from vendors that have the OTTF mark can be trusted. The overall conclusion of the panel was that accreditation of organizations and certifications of products both had a place, and that it is important that the value was understood by buyers and vendors.

A couple of days later, I presented with Mary Ann Davidson, CSO of Oracle. The main point of the talk was to try and give the industry perspective on mandates, legislation and regulations – which all seemed to be focused on technology providers – to solve the cyber security issues which we see every day. We agreed that sometimes regulations make sense but having a clear problem definition, language and limited scope was the path to success and acceptance. We also encouraged government to get involved with industry via public/private partnerships, like The Open Group Trusted Technology Forum.

Collaboration is the key to fighting the cyber security battle. If you are interested in hearing more about ways to get involved in building a safer and more productive computing environment, feel free to contact me or leave a comment on this blog. Cybersecurity is a complicated issue and there were well over 20,000 security professionals discussing it at RSA Conference. We’d love to hear your views as well.

 This blog post was originally published on the CA Technologies blog.


joshJoshua Brickman, PMP (Project Management Professional), runs CA Technologies Federal Certifications Program. He has led CA through the successful evaluation of sixteen products through the Common Criteria over the last six years (in both the U.S. and Canada). He is also a Steering Committee member on The Open Group consortium focused on Supply Chain Integrity and Security, The Open Group Trusted Technology Forum (OTTF). He also runs CA Technologies Accessibility Program. 

1 Comment

Filed under OTTF

2013 Open Group Predictions, Vol. 2

By The Open Group

Continuing on the theme of predictions, here are a few more, which focus on global IT trends, business architecture, OTTF and Open Group events in 2013.

Global Enterprise Architecture

By Chris Forde, Vice President of Enterprise Architecture and Membership Capabilities

Cloud is no longer a bleeding edge technology – most organizations are already well on their way to deploying cloud technology.  However, Cloud implementations are resurrecting a perennial problem for organizations—integration. Now that Cloud infrastructures are being deployed, organizations are having trouble integrating different systems, especially with systems hosted by third parties outside their organization. What will happen when two, three or four technical delivery systems are hosted on AND off premise? This presents a looming integration problem.

As we see more and more organizations buying into cloud infrastructures, we’ll see an increase in cross-platform integration architectures globally in 2013. The role of the enterprise architect will become more complex. Architectures must not only ensure that systems are integrated properly, but architects also need to figure out a way to integrate outsourced teams and services and determine responsibility across all systems. Additionally, outsourcing and integration will lead to increased focus on security in the coming year, especially in healthcare and financial sectors. When so many people are involved, and responsibility is shared or lost in the process, gaping holes can be left unnoticed. As data is increasingly shared between organizations and current trends escalate, security will also become more and more of a concern. Integration may yield great rewards architecturally, but it also means greater exposure to vulnerabilities outside of your firewall.

Within the Architecture Forum, we will be working on improvements to the TOGAF® standard throughout 2013, as well as an effort to continue to harmonize the TOGAF specification with the ArchiMate® modelling language.  The Forum also expects to publish a whitepaper on application portfolio management in the new year, as well as be involved in the upcoming Cloud Reference Architecture.

In China, The Open Group is progressing well. In 2013, we’ll continue translating The Open Group website, books and whitepapers from English to Chinese. Partnerships and Open CA certification will remain in the forefront of global priorities, as well as enrolling TOGAF trainers throughout Asia Pacific as Open Group members. There are a lot of exciting developments arising, and we will keep you updated as we expand our footprint in China and the rest of Asia.

Open Group Events in 2013

By Patty Donovan, Vice President of Membership and Events

In 2013, the biggest change for us will be our quarterly summit. The focus will shift toward an emphasis on verticals. This new focus will debut at our April event in Sydney where the vertical themes include Mining, Government, and Finance. Additional vertical themes that we plan to cover throughout the year include: Healthcare, Transportation, Retail, just to name a few. We will also continue to increase the number of our popular Livestream sessions as we have seen an extremely positive reaction to them as well as all of our On-Demand sessions – listen to best selling authors and industry leaders who participated as keynote and track speakers throughout the year.

Regarding social media, we made big strides in 2012 and will continue to make this a primary focus of The Open Group. If you haven’t already, please “like” us on Facebook, follow us on Twitter, join the chat on (#ogchat) one of our Security focused Tweet Jams, and join our LinkedIn Group. And if you have the time, we’d love for you to contribute to The Open Group blog.

We’re always open to new suggestions, so if you have a creative idea on how we can improve your membership, Open Group events, webinars, podcasts, please let me know! Also, please be sure to attend the upcoming Open Group Conference in Newport Beach, Calif., which is taking place on January 28-31. The conference will address Big Data.

Business Architecture

By Steve Philp, Marketing Director for Open CA and Open CITS

Business Architecture is still a relatively new discipline, but in 2013 I think it will continue to grow in prominence and visibility from an executive perspective. C-Level decision makers are not just looking at operational efficiency initiatives and cost reduction programs to grow their future revenue streams; they are also looking at market strategy and opportunity analysis.

Business Architects are extremely valuable to an organization when they understand market and technology trends in a particular sector. They can then work with business leaders to develop strategies based on the capabilities and positioning of the company to increase revenue, enhance their market position and improve customer loyalty.

Senior management recognizes that technology also plays a crucial role in how organizations can achieve their business goals. A major role of the Business Architect is to help merge technology with business processes to help facilitate this business transformation.

There are a number of key technology areas for 2013 where Business Architects will be called upon to engage with the business such as Cloud Computing, Big Data and social networking. Therefore, the need to have competent Business Architects is a high priority in both the developed and emerging markets and the demand for Business Architects currently exceeds the supply. There are some training and certification programs available based on a body of knowledge, but how do you establish who is a practicing Business Architect if you are looking to recruit?

The Open Group is trying to address this issue and has incorporated a Business Architecture stream into The Open Group Certified Architect (Open CA) program. There has already been significant interest in this stream from both organizations and practitioners alike. This is because Open CA is a skills- and experience-based program that recognizes, at different levels, those individuals who are actually performing in a Business Architecture role. You must complete a candidate application package and be interviewed by your peers. Achieving certification demonstrates your competency as a Business Architect and therefore will stand you in good stead for both next year and beyond.

You can view the conformance criteria for the Open CA Business Architecture stream at https://www2.opengroup.org/ogsys/catalog/X120.

Trusted Technology

By Sally Long, Director of Consortia Services

The interdependency of all countries on global technology providers and technology providers’ dependencies on component suppliers around the world is more certain than ever before.  The need to work together in a vendor-neutral, country-neutral environment to assure there are standards for securing technology development and supply chain operations will become increasingly apparent in 2013. Securing the global supply chain can not be done in a vacuum, by a few providers or a few governments, it must be achieved by working together with all governments, providers, component suppliers and integrators and it must be done through open standards and accreditation programs that demonstrate conformance to those standards and are available to everyone.

The Open Group’s Trusted Technology Forum is providing that open, vendor and country-neutral environment, where suppliers from all countries and governments from around the world can work together in a trusted collaborative environment, to create a standard and an accreditation program for securing the global supply chain. The Open Trusted Technology Provider Standard (O-TTPS) Snapshot (Draft) was published in March of 2012 and is the basis for our 2013 predictions.

We predict that in 2013:

  • Version 1.0 of the O-TTPS (Standard) will be published.
  • Version 1.0 will be submitted to the ISO PAS process in 2013, and will likely become part of the ISO/IEC 27036 standard, where Part 5 of that ISO standard is already reserved for the O-TTPS work
  • An O-TTPS Accreditation Program – open to all providers, component suppliers, and integrators, will be launched
  • The Forum will continue the trend of increased member participation from governments and suppliers around the world

4 Comments

Filed under Business Architecture, Conference, Enterprise Architecture, O-TTF, OTTF

#ogChat Summary – 2013 Security Priorities

By Patty Donovan, The Open Group

Totaling 446 tweets, yesterday’s 2013 Security Priorities Tweet Jam (#ogChat) saw a lively discussion on the future of security in 2013 and became our most successful tweet jam to date. In case you missed the conversation, here’s a recap of yesterday’s #ogChat!

The event was moderated by former CNET security reporter Elinor Mills, and there was a total of 28 participants including:

Here is a high-level snapshot of yesterday’s #ogChat:

Q1 What’s the biggest lesson learned by the security industry in 2012? #ogChat

The consensus among participants was that 2012 was a year of going back to the basics. There are many basic vulnerabilities within organizations that still need to be addressed, and it affects every aspect of an organization.

  • @Dana_Gardner Q1 … Security is not a product. It’s a way of conducting your organization, a mentality, affects all. Repeat. #ogChat #security #privacy
  • @Technodad Q1: Biggest #security lesson of 2102: everyone is in two security camps: those who know they’ve been penetrated & those who don’t. #ogChat
  • @jim_hietala Q1. Assume you’ve been penetrated, and put some focus on detective security controls, reaction/incident response #ogChat
  • @c7five Lesson of 2012 is how many basics we’re still not covering (eg. all the password dumps that showed weak controls and pw choice). #ogChat

Q2 How will organizations tackle #BYOD security in 2013? Are standards needed to secure employee-owned devices? #ogChat

Participants debated over the necessity of standards. Most agreed that standards and policies are key in securing BYOD.

  • @arj Q2: No “standards” needed for BYOD. My advice: collect as little information as possible; use MDM; create an explicit policy #ogChat
  • @Technodad @arj Standards are needed for #byod – but operational security practices more important than technical standards. #ogChat
  • @AWildCSO Organizations need to develop a strong asset management program as part of any BYOD effort. Identification and Classification #ogChat
  • @Dana_Gardner Q2 #BYOD forces more apps & data back on servers, more secure; leaves devices as zero client. Then take that to PCs too. #ogChat #security
  • @taosecurity Orgs need a BYOD policy for encryption & remote wipe of company data; expect remote compromise assessment apps too @elinormills #ogChat

Q3 In #BYOD era, will organizations be more focused on securing the network, the device, or the data? #ogChat

There was disagreement here. Some emphasized focusing on protecting data, while others argued that it is the devices and networks that need protecting.

  • @taosecurity Everyone claims to protect data, but the main ways to do so remain protecting devices & networks. Ignores code sec too. @elinormills #ogChat
  • @arj Q3: in the BYOD era, the focus must be on the data. Access is gated by employee’s entitlements + device capabilities. #ogChat
  • @Technodad @arj Well said. Data sec is the big challenge now – important for #byod, #cloud, many apps. #ogChat
  • @c7five Organization will focus more on device management while forgetting about the network and data controls in 2013. #ogChat #BYOD

Q4 What impact will using 3rd party #BigData have on corporate security practices? #ogChat

Participants agreed that using third parties will force organizations to rely on security provided by those parties. They also acknowledged that data must be secure in transit.

  • @daviottenheimer Q4 Big Data will redefine perimeter. have to isolate sensitive data in transit, store AND process #ogChat
  • @jim_hietala Q4. 3rd party Big Data puts into focus 3rd party risk management, and transparency of security controls and control state #ogChat
  • @c7five Organizations will jump into 3rd party Big Data without understanding of their responsibilities to secure the data they transfer. #ogChat
  • @Dana_Gardner Q4 You have to trust your 3rd party #BigData provider is better at #security than you are, eh? #ogChat  #security #SLA
  • @jadedsecurity @Technodad @Dana_Gardner has nothing to do with trust. Data that isn’t public must be secured in transit #ogChat
  • @AWildCSO Q4: with or without bigdata, third party risk management programs will continue to grow in 2013. #ogChat

Q5 What will global supply chain security look like in 2013? How involved should governments be? #ogChat

Supply chains are an emerging security issue, and governments need to get involved. But consumers will also start to understand what they are responsible for securing themselves.

  • @jim_hietala Q5. supply chain emerging as big security issue, .gov’s need to be involved, and Open Group’s OTTF doing good work here #ogChat
  • @Technodad Q5: Governments are going to act- issue is getting too important. Challenge is for industry to lead & minimize regulatory patchwork. #ogChat
  • @kjhiggins Q5: Customers truly understanding what they’re responsible for securing vs. what cloud provider is. #ogChat

Q6 What are the biggest unsolved issues in Cloud Computing security? #ogChat

Cloud security is a big issue. Most agreed that Cloud security is mysterious, and it needs to become more transparent. When Cloud providers claim they are secure, consumers and organizations put blind trust in them, making the problem worse.

  • @jadedsecurity @elinormills Q6 all of them. Corps assume cloud will provide CIA and in most cases even fails at availability. #ogChat
  • @jim_hietala Q6. Transparency of security controls/control state, cloud risk management, protection of unstructured data in cloud services #ogChat
  • @c7five Some PaaS cloud providers advertise security as something users don’t need to worry about. That makes the problem worse. #ogChat

Q7 What should be the top security priorities for organizations in 2013? #ogChat

Top security priorities varied. Priorities highlighted in the discussion included:  focusing on creating a culture that promotes secure activity; prioritizing security spending based on risk; focusing on where the data resides; and third-party risk management coming to the forefront.

  • @jim_hietala Q7. prioritizing security spend based on risks, protecting data, detective controls #ogChat
  • @Dana_Gardner Q7 Culture trumps technology and business. So make #security policy adherence a culture that is defined and rewarded. #ogChat #security
  • @kjhiggins Q7 Getting a handle on where all of your data resides, including in the mobile realm. #ogChat
  • @taosecurity Also for 2013: 1) count and classify your incidents & 2) measure time from detection to containment. Apply Lean principles to both. #ogChat
  • @AWildCSO Q7: Asset management, third party risk management, and risk based controls for 2013. #ogChat

A big thank you to all the participants who made this such a great discussion!

Patricia Donovan is Vice President, Membership & Events, at The Open Group and a member of its executive management team. In this role she is involved in determining the company’s strategic direction and policy as well as the overall management of that business area. Patricia joined The Open Group in 1988 and has played a key role in the organization’s evolution, development and growth since then. She also oversees the company’s marketing, conferences and member meetings. She is based in the U.S.

1 Comment

Filed under Tweet Jam

Call for Submissions

By Patty Donovan, The Open Group

The Open Group Blog is celebrating its second birthday this month! Over the past few years, our blog posts have tended to cover Open Group activities – conferences, announcements, our lovely members, etc. While several members and Open Group staff serve as regular contributors, we’d like to take this opportunity to invite our community members to share their thoughts and expertise on topics related to The Open Group’s areas of expertise as guest contributors.

Here are a few examples of popular guest blog posts that we’ve received over the past year

Blog posts generally run between 500 and 800 words and address topics relevant to The Open Group workgroups, forums, consortiums and events. Some suggested topics are listed below.

  • ArchiMate®
  • Big Data
  • Business Architecture
  • Cloud Computing
  • Conference recaps
  • DirectNet
  • Enterprise Architecture
  • Enterprise Management
  • Future of Airborne Capability Environment (FACE™)
  • Governing Board Businesses
  • Governing Board Certified Architects
  • Governing Board Certified IT Specialists
  • Identity Management
  • IT Security
  • The Jericho Forum
  • The Open Group Trusted Technology Forum (OTTF)
  • Quantum Lifecycle Management
  • Real-Time Embedded Systems
  • Semantic Interoperability
  • Service-Oriented Architecture
  • TOGAF®

If you have any questions or would like to contribute, please contact opengroup (at) bateman-group.com.

Please note that all content submitted to The Open Group blog is subject to The Open Group approval process. The Open Group reserves the right to deny publication of any contributed works. Anything published shall be copyright of The Open Group.

Patricia Donovan is Vice President, Membership & Events, at The Open Group and a member of its executive management team. In this role she is involved in determining the company’s strategic direction and policy as well as the overall management of that business area. Patricia joined The Open Group in 1988 and has played a key role in the organization’s evolution, development and growth since then. She also oversees the company’s marketing, conferences and member meetings. She is based in the U.S.

1 Comment

Filed under Uncategorized

Viewpoint: Technology Supply Chain Security – Becoming a Trust-Worthy Provider

By Andras Szakal, IBM

Increasingly, the critical systems of the planet — telecommunications, banking, energy and others — depend on and benefit from the intelligence and interconnectedness enabled by existing and emerging technologies. As evidence, one need only look to the increase in enterprise mobile applications and BYOD strategies to support corporate and government employees.

Whether these systems are trusted by the societies they serve depends in part on whether the technologies incorporated into them are fit for the purpose they are intended to serve. Fit for purpose is manifested in two essential ways: first, does the product meet essential functional requirements; and second, has the product or component been produced by trustworthy provider. Of course, the leaders or owners of these systems have to do their part to achieve security and safety (e.g., to install, use and maintain technology appropriately, and to pay attention to people and process aspects such as insider threats). Cybersecurity considerations must be addressed in a sustainable way from the get-go, by design, and across the whole ecosystem — not after the fact, or in just one sector or another, or in reaction to crisis.

In addressing the broader cybersecurity challenge, however, buyers of mission-critical technology naturally seek reassurance as to the quality and integrity of the products they procure. In our view, the fundamentals of the institutional response to that need are similar to those that have worked in prior eras and in other industries — like food.

For example:  Most of us are able to enjoy a meal of stir-fried shrimp and not give a second thought as to whether the shellfish is safe to eat.

Why is that? Because we are the beneficiaries of a system whose workings greatly increase the likelihood — in many parts of the world — that the shellfish served to end consumers is safe and uncontaminated. While tainted technology is not quite the same as tainted foods it’s a useful analogy.

Of course, a very high percentage of the seafood industry is extremely motivated to provide safe and delicious shellfish to the end consumer. So we start with the practical perspective that, much more likely than not in today’s hyper-informed and communicative world, the food supply system will provide reasonably safe and tasty products. Invisible though it may be to most of us, however, this generalized confidence rests on a worldwide system that is built on globally recognized standards and strong public-private collaboration.

This system is necessary because mistakes happen, expectations evolve and — worse — the occasional participant in the food supply chain may take a shortcut in their processing practices. Therefore, some kind of independent oversight and certification has proven useful to assure consumers that what they pay for — their desired size and quality grade and, always, safety — is what they will get. In many countries, close cooperation between industry and government results in industry-led development and implementation of food safety standards.[1]

Government’s role is limited but important. Clearly, government cannot look at and certify every piece of shellfish people buy. So its actions are focused on areas in which it can best contribute: to take action in the event of a reported issue; to help convene industry participants to create and update safety practices; to educate consumers on how to choose and prepare shellfish safely; and to recognize top performers.[2]

Is the system perfect? Of course not. But it works, and supports the most practical and affordable methods of conducting safe and global commerce.

Let’s apply this learning to another sphere: information technology. To wit:

  • We need to start with the realization that the overwhelming majority of technology suppliers are motivated to provide securely engineered products and services, and that competitive dynamics reward those who consistently perform well.
  • However, we also need to recognize that there is a gap in time between the corrective effect of the market’s Invisible Hand and the damage that can be done in any given incident. Mistakes will inevitably happen, and there are some bad actors. So some kind of oversight and governmental participation are important, to set the right incentives and expectations.
  • We need to acknowledge that third-party inspection and certification of every significant technology product at the “end of pipe” is not only impractical but also insufficient. It will not achieve trust across a wide variety of infrastructures and industries.  A much more effective approach is to gather the world’s experts and coalesce industry practices around the processes that the experts agree are best suited to produce desired end results.
  • Any proposed oversight or government involvement must not stymie innovation or endanger a provider’s intellectual capital by requiring exposure to 3rd party assessments or require overly burdensome escrow of source code.
  • Given the global and rapid manner in which technologies are invented, produced and sold, a global and agile approach to technology assurance is required to achieve scalable results.  The approach should be based on understood and transparently formulated standards that are, to the maximum extent possible, industry-led and global in their applicability.  Conformance to such standards once would then be recognized by multiple industry’s and geo-political regions.  Propagation of country or industry specific standards will result in economic fragmentation and slow the adoption of industry best practices.

The Open Group Trusted Technology Forum (OTTF)[3] is a promising and complementary effort in this regard. Facilitated by The Open Group, the OTTF is working with governments and industry worldwide to create vendor-neutral open standards and best practices that can be implemented by anyone. Membership continues to grow and includes representation from manufacturers world-wide.

Governments and enterprises alike will benefit from OTTF’s work. Technology purchasers can use the Open Trusted Technology Provider (OTTP) Standard and OTTP Framework best practice recommendations to guide their strategies.  And a wide range of technology vendors can use OTTF approaches to build security and integrity into their end-to-end supply chains. The first version of the OTTPS is focused on mitigating the risk of tainted and counterfeit technology components or products. The OTTF is currently working a program that will accredit technology providers to the OTTP Standard. We expect to begin pilot testing of the program by the end of 2012.

Don’t misunderstand us: Market leaders like IBM have every incentive to engineer security and quality into our products and services. We continually encourage and support others to do the same.

But we realize that trusted technology — like food safety — can only be achieved if we collaborate with others in industry and in government.  That’s why IBM is pleased to be an active member of the Trusted Technology Forum, and looks forward to contributing to its continued success.

A version of this blog post was originally posted by the IBM Institute for Advanced Security.

Andras Szakal is the Chief Architect and a Senior Certified Software IT Architect for IBM’s Federal Software Sales business unit. His responsibilities include developing e-Government software architectures using IBM middleware and managing the IBM federal government software IT architect team. Szakal is a proponent of service oriented and web services based enterprise architectures and participates in open standards and open source product development initiatives within IBM.

 

Comments Off

Filed under OTTF

Summer in the Capitol – Looking Back at The Open Group Conference in Washington, D.C.

By Jim Hietala, The Open Group

This past week in Washington D.C., The Open Group held our Q3 conference. The theme for the event was “Cybersecurity – Defend Critical Assets and Secure the Global Supply Chain,” and the conference featured a number of thought-provoking speakers and presentations.

Cybersecurity is at a critical juncture, and conference speakers highlighted the threat and attack reality and described industry efforts to move forward in important areas. The conference also featured a new capability, as several of the events were Livestreamed to the Internet.

For those who did not make the event, here’s a summary of a few of the key presentations, as well as what The Open Group is doing in these areas.

Joel Brenner, attorney with Cooley, was our first keynote. Joel’s presentation was titled, “Turning Us Inside-Out: Crime and Economic Espionage on our Networks,” The talk mirrored his recent book, “America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare,” and Joel talked about current threats to critical infrastructure, attack trends and challenges in securing information. Joel’s presentation was a wakeup call to the very real issues of IP theft and identity theft. Beyond describing the threat and attack landscape, Joel discussed some of the management challenges related to ownership of the problem, namely that the different stakeholders in addressing cybersecurity in companies, including legal, technical, management and HR, all tend to think that this is someone else’s problem. Joel stated the need for policy spanning the entire organization to fully address the problem.

Kristin Baldwin, principal deputy, systems engineering, Office of the Assistant Secretary of Defense, Research and Engineering, described the U.S. Department of Defense (DoD) trusted defense systems strategy and challenges, including requirements to secure their multi-tiered supply chain. She also talked about how the acquisition landscape has changed over the past few years. In addition, for all programs the DoD now requires the creation of a program protection plan, which is the single focal point for security activities on the program. Kristin’s takeaways included needing a holistic approach to security, focusing attention on the threat, and avoiding risk exposure from gaps and seams. DoD’s Trusted Defense Systems Strategy provides an overarching framework for trusted systems. Stakeholder integration with acquisition, intelligence, engineering, industry and research communities is key to success. Systems engineering brings these stakeholders, risk trades, policy and design decisions together. Kristin also stressed the importance of informing leadership early and providing programs with risk-based options.

Dr. Ron Ross of NIST presented a perfect storm of proliferation of information systems and networks, increasing sophistication of threat, resulting in an increasing number of penetrations of information systems in the public and private sectors potentially affecting security and privacy. He proposed a need an integrated project team approach to information security. Dr. Ross also provided an overview of the changes coming in NIST SP 800-53, version 4, which is presently available in draft form. He also advocated a dual protection strategy approach involving traditional controls at network perimeters that assumes attackers outside of organizational networks, as well as agile defenses, are already inside the perimeter. The objective of agile defenses is to enable operation while under attack and to minimize response times to ongoing attacks. This new approach mirrors thinking from the Jericho Forum and others on de-perimeterization and security and is very welcome.

The Open Group Trusted Technology Forum provided a panel discussion on supply chain security issues and the approach that the forum is taking towards addressing issues relating to taint and counterfeit in products. The panel included Andras Szakal of IBM, Edna Conway of Cisco and Dan Reddy of EMC, as well as Dave Lounsbury, CTO of The Open Group. OTTF continues to make great progress in the area of supply chain security, having published a snapshot of the Open Trusted Technology Provider Framework, working to create a conformance program, and in working to harmonize with other standards activities.

Dave Hornford, partner at Conexiam and chair of The Open Group Architecture Forum, provided a thought provoking presentation titled, “Secure Business Architecture, or just Security Architecture?” Dave’s talk described the problems in approaches that are purely focused on securing against threats and brought forth the idea that focusing on secure business architecture was a better methodology for ensuring that stakeholders had visibility into risks and benefits.

Geoff Besko, CEO of Seccuris and co-leader of the security integration project for the next version of TOGAF®, delivered a presentation that looked at risk from a positive and negative view. He recognized that senior management frequently have a view of risk embracing as taking risk with am eye on business gains if revenue/market share/profitability, while security practitioners tend to focus on risk as something that is to be mitigated. Finding common ground is key here.

Katie Lewin, who is responsible for the GSA FedRAMP program, provided an overview of the program, and how it is helping raise the bar for federal agency use of secure Cloud Computing.

The conference also featured a workshop on security automation, which featured presentations on a number of standards efforts in this area, including on SCAP, O-ACEML from The Open Group, MILE, NEA, AVOS and SACM. One conclusion from the workshop was that there’s presently a gap and a need for a higher level security automation architecture encompassing the many lower level protocols and standards that exist in the security automation area.

In addition to the public conference, a number of forums of The Open Group met in working sessions to advance their work in the Capitol. These included:

All in all, the conference clarified the magnitude of the cybersecurity threat, and the importance of initiatives from The Open Group and elsewhere to make progress on real solutions.

Join us at our next conference in Barcelona on October 22-25!

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

Comments Off

Filed under Conference, Cybersecurity, Enterprise Architecture, Information security, OTTF, Security Architecture, Supply chain risk, TOGAF®

The Open Group Trusted Technology Forum is Leading the Way to Securing Global IT Supply Chains

By Dana Gardner, Interarbor Solutions

This BriefingsDirect thought leadership interview comes in conjunction with The Open Group Conference in Washington, D.C., beginning July 16. The conference will focus on Enterprise Architecture (EA), enterprise transformation, and securing global supply chains.

We’re joined in advance by some of the main speakers at the conference to examine the latest efforts to make global supply chains for technology providers more secure, verified, and therefore trusted. We’ll examine the advancement of The Open Group Trusted Technology Forum (OTTF) to gain an update on the effort’s achievements, and to learn more about how technology suppliers and buyers can expect to benefit.

The expert panel consists of Dave Lounsbury, Chief Technical Officer at The Open Group; Dan Reddy, Senior Consultant Product Manager in the Product Security Office at EMC Corp.; Andras Szakal, Vice President and Chief Technology Officer at IBM’s U.S. Federal Group, and also the Chair of the OTTF, and Edna Conway, Chief Security Strategist for Global Supply Chain at Cisco. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Why this is an important issue, and why is there a sense of urgency in the markets?

Lounsbury: The Open Group has a vision of boundaryless information flow, and that necessarily involves interoperability. But interoperability doesn’t have the effect that you want, unless you can also trust the information that you’re getting, as it flows through the system.

Therefore, it’s necessary that you be able to trust all of the links in the chain that you use to deliver your information. One thing that everybody who watches the news would acknowledge is that the threat landscape has changed. As systems become more and more interoperable, we get more and more attacks on the system.

As the value that flows through the system increases, there’s a lot more interest in cyber crime. Unfortunately, in our world, there’s now the issue of state-sponsored incursions in cyberspace, whether officially state-sponsored or not, but politically motivated ones certainly.

So there is an increasing awareness on the part of government and industry that we must protect the supply chain, both through increasing technical security measures, which are handled in lots of places, and in making sure that the vendors and consumers of components in the supply chain are using proper methodologies to make sure that there are no vulnerabilities in their components.

I’ll note that the demand we’re hearing is increasingly for work on standards in security. That’s top of everybody’s mind these days.

Reddy: One of the things that we’re addressing is the supply chain item that was part of the Comprehensive National Cybersecurity Initiative (CNCI), which spans the work of two presidents. Initiative 11 was to develop a multi-pronged approach to global supply chain risk management. That really started the conversation, especially in the federal government as to how private industry and government should work together to address the risks there.

In the OTTF, we’ve tried create a clear measurable way to address supply-chain risk. It’s been really hard to even talk about supply chain risk, because you have to start with getting a common agreement about what the supply chain is, and then talk about how to deal with risk by following best practices.

Szakal: One of the observations that I’ve made over the last couple of years is that this group of individuals, who are now part of this standards forum, have grown in their ability to collaborate, define, and rise to the challenges, and work together to solve the problem.

Standards process

Technology supply chain security and integrity are not necessarily a set of requirements or an initiative that has been taken on by the standards committee or standards groups up to this point The people who are participating in this aren’t your traditional IT standards gurus. They had to learn the standards process. They had to understand how to approach the standardization of best practices, which is how we approach solving this problem.

It’s sharing information. It’s opening up across the industry to share best practices on how to secure the supply chain and how to ensure its overall integrity. Our goal has been to develop a framework of best practices and then ultimately take those codified best practices and instantiate them into a standard, which we can then assess providers against. It’s a big effort, but I think we’re making tremendous progress.

Gardner: Because The Open Group Conference is taking place in Washington, D.C., what’s the current perception in the U.S. Government about this in terms of its role?

Szakal:The government has always taken a prominent role, at least to help focus the attention of the industry.

Now that they’ve corralled the industry and they’ve got us moving in the right direction, in many ways, we’ve fought through many of the intricate complex technology supply chain issues and we’re ahead of some of the thinking of folks outside of this group because the industry lives these challenges and understands the state of the art. Some of the best minds in the industry are focused on this, and we’ve applied some significant internal resources across our membership to work on this challenge.

So the government is very interested in it. We’ve had collaborations all the way from the White House across the Department of Defense (DoD) and within the Department of Homeland Security (DHS), and we have members from the government space in NASA and DoD.

It’s very much a collaborative effort, and I’m hoping that it can continue to be so and be utilized as a standard that the government can point to, instead of coming up with their own policies and practices that may actually not work as well as those defined by the industry.

Conway: Our colleagues on the public side of the public-private partnership that is addressing supply-chain integrity have recognized that we need to do it together.

More importantly, you need only to listen to a statement, which I know has often been quoted, but it’s worth noting again from EU Commissioner Algirdas Semeta. He recently said that in a globalized world, no country can secure the supply chain in isolation. He recognized that, again quoting, national supply chains are ineffective and too costly unless they’re supported by enhanced international cooperation.

Mindful focus

The one thing that we bring to bear here is a mindful focus on the fact that we need a public-private partnership to address comprehensively in our information and communications technology industry supply chain integrity internationally. That has been very important in our focus. We want to be a one-stop shop of best practices that the world can look at, so that we continue to benefit from commercial technology which sells globally and frequently builds once or on a limited basis.

Combining that international focus and the public-private partnership is something that’s really coming home to roost in everyone’s minds right now, as we see security value migrating away from an end point and looking comprehensively at the product lifecycle or the global supply chain.

Lounsbury:I had the honor of testifying before the U.S. House Energy and Commerce Committee on Oversight Investigations, on the view from within the U.S. Government on IT security.

It was very gratifying to see that the government does recognize this problem. We had witnesses in from the DoD and Department of Energy (DoE). I was there, because I was one of the two voices on industry that the government wants to tap into to get the industry’s best practices into the government.

It was even more gratifying to see that the concerns that were raised in the hearings were exactly the ones that the OTTF is pursuing. How do you validate a long and complex global supply chain in the face of a very wide threat environment, recognizing that it can’t be any single country? Also, it really does need to be not a process that you apply to a point, but something where you have a standard that raises the bar for our security for all the participants in your supply chain.

So it was really good to know that we were on track and that the government, and certainly the U.S. Government, as we’ve heard from Edna, the European governments, and I suspect all world governments are looking at exactly how to tap into this industry activity.

Gardner: Where we are in the progression of OTTF?

Lounsbury: In the last 18 months, there has been a tremendous amount of progress. The thing that I’ll highlight is that early in 2012, the OTTF published a snapshot of the standard. A snapshot is what The Open Group uses to give a preview of what we expect the standards will apply. It has fleshed out two areas, one on tainted products and one on counterfeit products, the standards and best practices needed to secure a supply chain against those two vulnerabilities.

So that’s out there. People can take a look at that document. Of course, we would welcome their feedback on it. We think other people have good answers too. Also, if they want to start using that as guidance for how they should shape their own practices, then that would be available to them.

Normative guidance

That’s the top development topic inside the OTTF itself. Of course, in parallel with that, we’re continuing to engage in an outreach process and talking to government agencies that have a stake in securing the supply chain, whether it’s part of government policy or other forms of steering the government to making sure they are making the right decisions. In terms of exactly where we are, I’ll defer to Edna and Andras on the top priority in the group.

Gardner: Edna, what’s been going on at OTTF and where do things stand?

Conway: We decided that this was, in fact, a comprehensive effort that was going to grow over time and change as the challenges change. We began by looking at two primary areas, which were counterfeit and taint in that communications technology arena. In doing so, we first identified a set of best practices, which you referenced briefly inside of that snapshot.

Where we are today is adding the diligence, and extracting the knowledge and experience from the broad spectrum of participants in the OTTF to establish a set of rigorous conformance criteria that allow a balance between flexibility and how one goes about showing compliance to those best practices, while also assuring the end customer that there is rigor sufficient to ensure that certain requirements are met meticulously, but most importantly comprehensively.

We have a practice right now where we’re going through each and every requirement or best practice and thinking through the broad spectrum of the development stage of the lifecycle, as well as the end-to-end nodes of the supply chain itself.

This is to ensure that there are requirements that would establish conformance that could be pointed to, by both those who would seek accreditation to this international standard, as well as those who would rely on that accreditation as the imprimatur of some higher degree of trustworthiness in the products and solutions that are being afforded to them, when they select an OTTF accredited provider.

Gardner: Andras, I’m curious where in an organization like IBM that these issues are most enforceable. Where within the private sector is the knowledge and the expertise to reside?

Szakal: Speaking for IBM, we recently celebrated our 100th anniversary in 2011. We’ve had a little more time than some folks to come up with a robust engineering and development process, which harkens back to the IBM 701 and the beginning of the modern computing era.

Integrated process

We have what we call the integrated product development process (IPD), which all products follow and that includes hardware and software. And we have a very robust quality assurance team, the QSE team, which ensures that the folks are following those practices that are called out. Within each of line of business there exist specific requirements that apply more directly to the architecture of a particular product offering.

For example, the hardware group obviously has additional standards that they have to follow during the course of development that is specific to hardware development and the associated supply chain, and that is true with the software team as well.

The product development teams are integrated with the supply chain folks, and we have what we call the Secure Engineering Framework, of which I was an author and the Secure Engineering Initiative which we have continued to evolve for quite some time now, to ensure that we are effectively engineering and sourcing components and that we’re following these Open Trusted Technology Provider Standard (O-TTPS) best practices.

In fact, the work that we’ve done here in the OTTF has helped to ensure that we’re focused in all of the same areas that Edna’s team is with Cisco, because we’ve shared our best practices across all of the members here in the OTTF, and it gives us a great view into what others are doing, and helps us ensure that we’re following the most effective industry best practices.

Gardner: Dan, at EMC, is the Product Security Office something similar to what Andras explained for how IBM operates? Perhaps you could just give us a sense of how it’s done there?

Reddy: At EMC in our Product Security Office, we house the enabling expertise to define how to build their products securely. We’re interested in building that in as soon as possible throughout the entire lifecycle. We work with all of our product teams to measure where they are, to help them define their path forward, as they look at each of the releases of their other products. And we’ve done a lot of work in sharing our practices within the industry.

One of the things this standard does for us, especially in the area of dealing with the supply chain, is it gives us a way to communicate what our practices are with our customers. Customers are looking for that kind of assurance and rather than having a one-by-one conversation with customers about what our practices are for a particular organization. This would allow us to have a way of demonstrating the measurement and the conformance against a standard to our own customers.

Also, as we flip it around and take a look at our own suppliers, we want to be able to encourage suppliers, which may be small suppliers, to conform to a standard, as we go and select who will be our authorized suppliers.

Gardner: Dave, what would you suggest for those various suppliers around the globe to begin the process?

Publications catalog

Lounsbury: Obviously, the thing I would recommend right off is to go to The Open Group website, go to the publications catalog, and download the snapshot of the OTTF standard. That gives a good overview of the two areas of best practices for protection from tainted and counterfeit products we’ve mentioned on the call here.

That’s the starting point, but of course, the reason it’s very important for the commercial world to lead this is that commercial vendors face the commercial market pressures and have to respond to threats quickly. So the other part of this is how to stay involved and how to stay up to date?

And of course the two ways that The Open Group offers to let people do that is that you can come to our quarterly conferences, where we do regular presentations on this topic. In fact, the Washington meeting is themed on the supply chain security.

Of course, the best way to do it is to actually be in the room as these standards are evolved to meet the current and the changing threat environment. So, joining The Open Group and joining the OTTF is absolutely the best way to be on the cutting edge of what’s happening, and to take advantage of the great information you get from the companies represented on this call, who have invested years-and-years, as Andras said, in making their own best practices and learning from them.

Gardner:Edna, what’s on the short list of next OTTF priorities?

Conway: You’ve heard us talk about CNCI, and the fact that cybersecurity is on everyone’s minds today. So while taint embodies that to some degree, we probably need to think about partnering in a more comprehensive way under the resiliency and risk umbrella that you heard Dan talk about and really think about embedding security into a resilient supply chain or a resilient enterprise approach.

In fact, to give that some forethought, we actually have invited at the upcoming conference, a colleague who I’ve worked with for a number of years who is a leading expert in enterprise resiliency and supply chain resiliency to join us and share his thoughts.

He is a professor at MIT, and his name is Yossi Sheffi. Dr. Sheffi will be with us. It’s from that kind of information sharing, as we think in a more comprehensive way, that we begin to gather the expertise that not only resides today globally in different pockets, whether it be academia, government, or private enterprise, but also to think about what the next generation is going to look like.

Resiliency, as it was known five years ago, is nothing like supply chain resiliency today, and where we want to take it into the future. You need only look at the US national strategy for global supply chain security to understand that. When it was announced in January of this year at Davos by Secretary Napolitano of the DHS, she made it quite clear that we’re now putting security at the forefront, and resiliency is a part of that security endeavor.

So that mindset is a change, given the reliance ubiquitously on communications, for everything, everywhere, at all times — not only critical infrastructure, but private enterprise, as well as all of us on a daily basis today. Our communications infrastructure is essential to us.

Thinking about resiliency

Given that security has taken top ranking, we’re probably at the beginning of this stage of thinking about resiliency. It’s not just about continuity of supply, not just about prevention from the kinds of cyber incidents that we’re worried about, but also to be cognizant of those nation-state concerns or personal concerns that would arise from those parties who are engaging in malicious activity, either for political, religious or reasons.

Or, as you know, some of them are just interested in seeing whether or not they can challenge the system, and that causes loss of productivity and a loss of time. In some cases, there are devastating negative impacts to infrastructure.

Szakal: There’s another area too that I am highly focused on, but have kind of set aside, and that’s the continued development and formalization of the framework itself that is to continue the collective best practices from the industry and provide some sort of methods by which vendors can submit and externalize those best practices. So those are a couple of areas that I think that would keep me busy for the next 12 months easily.

Gardner: What do IT vendors companies gain if they do this properly?

Secure by Design

Szakal: Especially now in this day and age, any time that you actually approach security as part of the lifecycle — what we call an IBM Secure by Design – you’re going to be ahead of the market in some ways. You’re going to be in a better place. All of these best practices that we’ve defined are additive in effect. However, the very nature of technology as it exists today is that it will be probably another 50 or so years, before we see a perfect security paradigm in the way that we all think about it.

So the researchers are going to be ahead of all of the providers in many ways in identifying security flaws and helping us to remediate those practices. That’s part of what we’re doing here, trying to make sure that we continue to keep these practices up to date and relevant to the entire lifecycle of commercial off-the-shelf technology (COTS) development.

So that’s important, but you also have to be realistic about the best practices as they exist today. The bar is going to move as we address future challenges.

************

For more information on The Open Group’s upcoming conference in Washington, D.C., please visit: http://www.opengroup.org/dc2012

Dana Gardner is president and principal analyst at Interarbor Solutions, an enterprise IT analysis, market research, and consulting firm. Gardner, a leading identifier of software and Cloud productivity trends and new IT business growth opportunities, honed his skills and refined his insights as an industry analyst, pundit, and news editor covering the emerging software development and enterprise infrastructure arenas for the last 18 years.

Comments Off

Filed under Cybersecurity, Information security, OTTF, Supply chain risk

The Increasing Importance of Cybersecurity: The Open Group Conference in Washington, D.C.

By Jim Hietala, The Open Group

As we move through summer here in the U.S., cybersecurity continues to be top of mind, not only for security professionals, but for IT management as well as for senior managers in large organizations.

The IT security world tends to fixate on the latest breach reported or the latest vulnerability disclosed. Clearly the recent news around Stuxnet and Flame has caused a stir in the community, as professionals debate what it means to have cyberwar attacks being carried out by nations. However, there have also been other significant developments in cybersecurity that have heightened the need for better understanding of risk and security posture in large organizations.

In the U.S., the SEC recently issued guidance to public companies on disclosing the risks of cybersecurity incidents in financial reports, as well as disclosing actual breaches if there is material affect. This is a significant new development, as there’s little that directs the attention of CEO’s and Boards like new financial disclosure requirements. In publicly traded organizations that struggled to find funding to perform adequate risk management and for IT security initiatives, IT folks will have a new impetus and mandate, likely with support from the highest levels.

The upcoming Open Group conference in Washington, D.C. on July 16-20 will explore cybersecurity, with a focus on defending critical assets and securing the global supply chain. To highlight a few of the notable presentations:

  • Joel Brenner, author of America the Vulnerable, attorney, and former senior counsel at the NSA, will keynote on Monday, July 16 and will speak on “America the Vulnerable: Inside the New Threat Matrix.”
  • Kristen Baldwin, principal deputy, DASD, Systems Engineering, and acting cirector, Systems Analysis, will speak on “Meeting the Challenge of Cybersecurity Threats through Industry-Government Partnerships.”
  • Dr. Ron Ross, project leader, NIST, will talk to “Integrating Cyber Security Requirements into Main Stream Organizational Mission and Business Processes.”
  • Andras Szakal, VP & CTO, IBM Federal will moderate a panel that will include Daniel Reddy, EMC; Edna Conway, Cisco; and Hart Rossman, SAIC on “Mitigating Tainted & Counterfeit Products.”
  • Dazza (Daniel) J. Greenwood, JD, MIT and CIVICS.com Consultancy Services, and Thomas Hardjono, executive director of MIT Kerberos Consortium, will discuss “Meeting the Challenge of Identity and Security.”

Apart from our quarterly conferences and member meetings, The Open Group undertakes a broad set of programs aimed at addressing challenges in information security.

Our Security Forum focuses on developing standards and best practices in the areas of information security management and secure architecture. The Real Time and Embedded Systems Forum addresses high assurance systems and dependability through work focused on MILS, software assurance, and dependability engineering for open systems. Our Trusted Technology Forum addresses supply chain issues of taint and counterfeit products through the development of the Trusted Technology Provider Framework, which is a draft standard aimed at enabling commercial off the shelf ICT products to be built with integrity, and bought with confidence. Finally, The Open Group Jericho Forum continues to provide thought leadership in the area of information security, most notably in the areas of de-perimeterization, secure cloud computing and identity management.

I hope to see you at the conference. More information about the conference, including the full program can be found here: http://www.opengroup.org/dc2012

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.


Comments Off

Filed under Conference, Cybersecurity, Information security, OTTF, Security Architecture

OTTF – Providing a Level of “Surety”

By Joshua Brickman, CA Technologies

A couple of weeks ago while the Supreme Court heard testimony about the constitutionality of “Obamacare,” I was glued to my computer watching the House of Representatives Sub-Committee on Energy and Commerce hear a very different but no less important type of testimony. The topic was supply chain integrity and security.    Two panels appeared before the committee – one containing U.S. government agencies; and the other focused on industry’s response to the issue. Representing industry was Dave Lounsbury from The Open Group.  While it seemed to me that the focus of the committee was the lack of preparedness some agencies had for supply chain attacks, Lounsbury admirably represented how industry is responding to the burgeoning topic with a public/private partnership and a consensus-driven process.

The process he referred to is the Open Trusted Technology Provider Standard (O-TTPS) for which the Open Trusted Technology Forum (OTTF) published a snapshot of this past February. In full disclosure, I represent a founding member of OTTF. You might say I have a vested interest in the O-TTPS becoming the de-facto standard for supply chain integrity and security, and you would be right. But that’s not just because I worked on the creation of this document. It’s because, as Lounsbury emphasized to the House, I believe the right way to ensure the integrity and security for the supply chains of acquirers or purchasers of technology is to build a consensus driven standard that focuses on the best practices needed to ensure the integrity of the product being produced.  This would allow acquirers to buy products with confidence. With this “snapshot” release, we’ve focused on the two most prevalent threats

  1. Tainted product – the product is produced by the provider and is acquired through reputable channels but has been tampered with maliciously.
  2. Counterfeit product – the product is produced other than by, or for, the provider, or is supplied by other than a reputable channel, and is presented as being legitimate.[1]

For the first time, industry has come together and put together a comprehensive set of best practices that, when followed, can help to protect the supply chain for Information and Communication Technology (ICT) products  starting with sourcing, through manufacturing, and ending with delivery to the customer.

But the work is not done. Now that we have a snapshot, the team is working hard to define conformance criteria as well as an accreditation program. The next quarterly meeting at the upcoming Open Group Cannes conference will have some great opportunities for people to hear more about OTTF.

  • Andras Szakal, Chief Technology Officer, IBM U.S. Federal, will present as a part of the Open Trusted Technology Track a talk entitled, “The Global Supply Chain: Presentation and Discussion on The Open Group Trusted Technology Forum and the Challenges of Protecting Products Against Counterfeit and Tampering”
  • Sally Long, Director, The Open Group Trusted Technology Forum, U.S., will follow with “The Global Supply Chain: Presentation and Discussion on The Open Group Trusted Identifying Trusted Technology Providers – What are the Conformance Criteria that Technology Providers and their Component Suppliers need to Meet to be Considered Trusted Technology Providers?”

When Rep. Terry from Nebraska asked Lounsbury if additional definition (regulations) was needed for ensuring the integrity of the supply chain, Lounsbury answered perfectly when he said: “Ultimately the use of COTs implies that an agency purchases from a commercial marketplace. The question is what are the standards that your supplier uses to demonstrate that they can be trusted? Part of that would be the processes they have for themselves throughout their product development and fulfillment lifecycle but also are they imposing those standards on their suppliers as well.”

Rep. Terry followed up:  “Do you think that is sufficient? How do they have a level of surety that somethings not being compromised way down the assembly line?”

Lounsbury:  “In the commercial world typically we look to some sort of a conformance program in which a supplier would submit evidence either through a third party lab and certainly to an independent certification authority to make sure in fact that they have some evidence of those best practices before they are recognized as a trusted partner.”

It’s clear that government is concerned about this issue. The OTTF is building a standard that customers can point to and ask suppliers about. When the OTTF finishes its conformance criteria, rolls out the accreditation program and vendors become accredited, that will help provide a level of “surety” that Rep. Terry and others on the committee want.

Joshua Brickman, project management professional, runs CA Technologies Federal Certifications Program. He has led CA through the successful evaluation of sixteen products through the Common Criteria over the last five years (in both the U.S. and Canada). Brickman has given talks at the last four International Common Criteria Conferences. Most recently, he has been a Steering Committee member on the Open Group consortium focused on Supply Chain Integrity and Security, The Trusted Technology Forum. He also runs CA Technologies Accessibility Program. 

[1] Open Trusted Technology Provider Standard (O-TTPS), Catalog number S121, Feb 2012, p1-2

Comments Off

Filed under Conference, O-TTF, OTTF, Standards, Supply chain risk

The Open Group Testifies before Congress on the Supply Chain Landscape

By David Lounsbury, The Open Group

On Tuesday, March 27, I had the honor of testifying on behalf of The Open Group Trusted Technology Forum to the House Energy and Commerce Oversight and Investigations Subcommittee at their congressional hearing on IT supply chain security. The hearing focused on these major supply chain issues:

  • The key risks associated with supply chains used by federal agencies to procure IT equipment, software or services
  • The extent to which selected national security-related agencies have addressed IT supply chain risks
  • The extent to which national security-related federal agencies have determined that their telecommunications networks contain foreign-developed equipment, software or services
  • The extent to which private industry has addressed IT supply chain risks

This was the first time that an Open Group employee has testified in front of Congress, and the invitation was a testament to The Open Group’s work as a vendor-neutral certification authority business for over 20 years as well as the traction that The Open Group Trusted Technology Forum (OTTF) has made over the past year.

You can see the full session on the YouTube video embedded below. The Chair and Ranking Member’s opening statements underscored three things for me:

  • That this problem is both widespread and critical – both government agencies and many private companies are struggling to address global supply chain vulnerabilities
  • There is a clear need for collaboration and standards, as well as a need to bring transparency on conformance to such standards at all links in the supply chain.
  • The most critical issues are tainted code / malware and counterfeit products in the supply chain – exactly the focus areas of OTTF

We launched OTTF in December 2010 with the objective of reducing risks to IT products that can be introduced through vulnerable supply chain and development processes. Our goal has been to help the technology industry build with integrity and enable customer organizations and governments to buy with confidence. We have worked closely with the U.S. government throughout the process of developing the Open Trusted Technology Provider Standard (O-TTPS). The U.S. Department of Defense (DoD) was a founding member of the forum, and the impetus for the forum came out of a collaborative initiative between the DoD and industry verticals looking into cybersecurity for acquisitions. I was very gratified that the DoD witness singled out The Open Group’s efforts on OTTF and highlighted their participation in the forum.

Recognizing that a secure global supply chain is important to all governments, one of OTTF’s main objectives is to outreach to other governments around the world in much the same way they have with the U.S. To that end, forum members plan to extend an invitation to participate in the development of the standard and planned accreditation program for trusted technology providers, which will include governments, providers, integrators and component suppliers from around the world. To preview OTTF’s work, you can download the current draft of the Open-Trusted Technology Provider Standard (Snapshot).

The subcommittee already had a strong background on OTTF’s mission and its current initiatives and was very interested to hear what global procurement strategies and best practices OTTF is planning to include in the O-TTPS and how these best practices could be applied within the U.S. government to ensure the security of supply chain both nationally and globally. The subcommittee noted Open Group’s previous work with international standards such as International Standardization for Organization (ISO) as encouraging, illustrating that the global supply chain is taking a step in the right direction under the stewardship of The Open Group.

Overall, the hearing was very positive, and the whole experience validated the work that OTTF has produced thus far. We anticipate that the standard will have a significant impact on how organizations procure large commercial off-the-shelf information and communication technology over the next few years across the global supply chain and are excited to see governments take an active interest in securing the global supply chain.

 

Dave LounsburyDavid Lounsbury is The Open Group‘s Chief Technology Officer, previously VP ofCollaboration Services.  Dave holds three U.S. patents and is based in the U.S.

Comments Off

Filed under OTTF

OTTF Releases Snapshot of Developing Standard

By Sally Long, The Open Group

Globalization has transformed the supply chain forever. While it has brought benefits to large Commercial Off-the-Shelf (COTS) Information and Communication Technology (ICT), it has also brought considerable risk. Although most technology hardware and software products today would not exist without global development, the increase of sophisticated cyberattacks has forced technology suppliers and governments to take a more comprehensive approach to risk management in order to protect supply chain integrity and security.

The Open Group Trusted Technology Forum (OTTF) was founded to help technology companies, customers, government and supplier organizations address the risks that tainted and counterfeit products posed to organizations, and the forum made a big step in that direction this week. On March 5, OTTF announced the release of a snapshot preview of the Open Trusted Technology Provider Standard (O-TTPS) that will help global providers and acquirers of COTS ICT products by providing them with best practices that aim to enhance the security of the global supply chain.

The purpose of the snapshot is to:

  • Enable participants across the COTS ICT supply chain to understand the value in adopting best practice requirements and recommendations
  • Provide an early look at the standard so providers, component suppliers and integrators can begin planning how to implement the standard within their organizations, and so customers, including government acquirers, can differentiate those providers who adopt the standard’s practices
  • Preview the criteria for mitigating tainted or counterfeit technology products from entering the supply chain

O-TTPS Version 1.0 will be published later this year. There have been many organizations that have helped shape the initiative thus far, and we will continue to rely on the support and guidance of: Apex Assurance, atsec Information Security, Boeing, Booz Allen Hamilton, CA Technologies, Carnegie Mellon SEI, Cisco, EMC, Fraunhofer SIT, Hewlett-Packard, IBM, IDA, Juniper Networks, Kingdee, Lockheed Martin, Microsoft, MITRE, Motorola Solutions, NASA, Oracle, Office of the Under Secretary of Defense for Acquisition, Technology and Logistics (OUSD AT&L), SAIC, Tata Consultancy Services, and U.S. Department of Defense/CIO.

We anticipate that O-TTPS will have a significant impact on how organizations procure COTS ICT products over the next few years across the global supply chain and are interested in hearing your thoughts on the snapshot and the initial direction of the standard. We welcome any feedback in the comments section below, and if you would like to help further define this standard and the conformance criteria for accreditation, please contact Mike Hickey or Chris Parnell regarding membership.

Sally Long is the Director of Consortia Services at The Open Group. She was the Release Engineering Section Manager for all collaborative, multi-vendor, development projects (OSF/1, DME, DCE, and Motif) at The Open Software Foundation (OSF), in Cambridge Massachusetts.  Following the merger of OSF and X/Open under The Open Group, Sally served as the Program Director for multiple Forums within The Open Group including: The Distributed Computing Environment (DCE) Forum, The Enterprise Management Forum, The Quality of Service (QoS) Task Force, The Real-time and Embedded Systems Forum and most recently the Open Trusted Technology Forum. 

4 Comments

Filed under Cybersecurity, OTTF

PODCAST: Industry moves to fill gap for building trusted supply chain technology accreditation

By Dana Gardner, Interabor Solutions

Listen to this recorded podcast here: BriefingsDirect-IT Industry Looks to Open Trusted Technology Forum to Help Secure Supply Chains That Support Technology Products

The following is the transcript of a sponsored podcast panel discussion on how the OTTF is developing an accreditation process for trusted technology, in conjunction with the The Open Group Conference, Austin 2011.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011.

We’ve assembled a distinguished panel to update us on The Open Group Trusted Technology Forum, also known as the OTTF, and an accreditation process to help technology acquirers and buyers safely conduct global procurement and supply chain commerce. We’ll examine how the security risk for many companies and organizations has only grown, even as these companies form essential partnerships and integral supplier relationships. So, how can all the players in a technology ecosystem gain assurances that the other participants are adhering to best practices and taking the proper precautions?

Here to help us better understand how established standard best practices and an associated accreditation approach can help make supply chains stronger and safer is our panel. We’re here with Dave Lounsbury, the Chief Technical Officer at The Open Group. Welcome back, Dave.

Dave Lounsbury: Hello Dana. How are you?

Gardner: Great. We are also here with Steve Lipner, Senior Director of Security Engineering Strategy in the Trustworthy Computing Security at Microsoft. Welcome back, Steve.

Steve Lipner: Hi, Dana. Glad to be here.

Gardner: We’re here also with Joshua Brickman, Director of the Federal Certification Program Office at CA Technologies. Welcome, Joshua.

Joshua Brickman: Thanks for having me.

Gardner: And, we’re here too with Andras Szakal. He’s the Vice President and CTO of IBM’s Federal Software Group. Welcome back, Andras.

Andras Szakal: Thank you very much, Dana. I appreciate it.

Gardner: Dave, let’s start with you. We’ve heard so much lately about “hacktivism,” break-ins, and people being compromised. These are some very prominent big companies, both public and private. How important is it that we start to engage more with things like the OTTF?

No backup plan

Dave LounsburyLounsbury: Dana, a great quote coming out of this week’s conference was that we have moved the entire world’s economy to being dependent on the Internet, without a backup plan. Anyone who looks at the world economy will see, not only are we dependent on it for exchange of value in many cases, but even information about how our daily lives are run, traffic, health information, and things like that. It’s becoming increasingly vitally important that we understand all the aspects of what it means to have trust in the chain of components that deliver that connectivity to us, not just as technologists, but as people who live in the world.

Gardner: Steve Lipner, your thoughts on how this problem seems to be only getting worse?

Lipner: Well, the attackers are becoming more determined and more visible across the Internet ecosystem. Vendors have stepped up to improve the security of their product offerings, but customers are concerned. A lot of what we’re doing in The Open Group and in the OTTF is about trying to give them additional confidence of what vendors are doing, as well as inform vendors what they should be doing.

Gardner: Joshua Brickman, this is obviously a big topic and a very large and complex area. From your perspective, what is it that the OTTF is good at? What is it focused on? What should we be looking to it for in terms of benefit in this overall security issue?

Brickman: One of the things that I really like about this group is that you have all of the leaders, everybody who is important in this space, working together with one common goal. Today, we had a discussion where one of the things we were thinking about is, whether there’s a 100 percent fail-safe solution to cyber? And there really isn’t. There is just a bar that you can set, and the question is how much do you want to make the attackers spend, before they can get over that bar? What we’re going to try to do is establish that level, and working together, I feel very encouraged that we are getting there, so far.

Gardner: Andras, we are not just trying to set the bar, but we’re also trying to enforce, or at least have clarity into, what other players in an ecosystem are doing. So that accreditation process seems to be essential.

Szakal: We’re going to develop a standard, or are in the process of developing a specification and ultimately an accreditation program, that will validate suppliers and providers against that standard. It’s focused on building trust into a technology provider organization through this accreditation program, facilitated through either one of several different delivery mechanisms that we are working on. We’re looking for this to become a global program, with global partners, as we move forward.

Gardner: It seems as if almost anyone is a potential target, and when someone decides to target you, you do seem to suffer. We’ve seen things with Booz Allen, RSA, and consumer organizations like Sony. Is this something that almost everyone needs to be more focused on? Are we at the point now where there is no such thing as turning back, Dave Lounsbury?

Global effort

Lounsbury: I think there is, and we have talked about this before. Any electronic or information system now is really built on components and software that are delivered from all around the globe. We have software that’s developed in one continent, hardware that’s developed in another, integrated in a third, and used globally. So, we really do need to have the kinds of global standards and engagement that Andras has referred to, so that there is that one bar for all to clear in order to be considered as a provider of trusted components.

Gardner: As we’ve seen, there is a weak link in any chain, and the hackers or the cyber criminals or the state sponsored organizations will look for those weak links. That’s really where we need to focus.

Lounsbury: I would agree with that. In fact, some of the other outcomes of this week’s conference have been the change in these attacks, from just nuisance attacks, to ones that are focused on monetization of cyber crimes and exfiltration of data. So the spectrum of threats is increasing a lot. More sophisticated attackers are looking for narrower and narrower attack vectors each time. So we really do need to look across the spectrum of how this IT technology gets produced in order to address it.

Gardner: Steve Lipner, it certainly seems that the technology supply chain is essential. If there is weakness there, then it’s difficult for the people who deploy those technologies to cover their bases. It seems that focusing on the technology providers, the ecosystems that support them, is a really necessary first step to taking this to a larger, either public or private, buyer side value.

Lipner: The tagline we have used for The Open Group TTF is “Build with Integrity, Buy with Confidence.” We certainly understand that customers want to have confidence in the hardware and software of the IT products that they buy. We believe that it’s up to the suppliers, working together with other members of the IT community, to identify best practices and then articulate them, so that organizations up and down the supply chain will know what they ought to be doing to ensure that customer confidence.

Gardner: Let’s take a step back and get a little bit of a sense of where this process that you are all involved with is. I know you’re all on working groups and in other ways involved in moving this forward, but it’s been about six months now since The OTTF was developed initially, and there was a white paper to explain that. Perhaps, one of you will volunteer to give us sort of a state of affairs where things are,. Then, we’d also like to hear an update about what’s been going on here in Austin. Anyone?

Szakal: Well, as the chair, I have the responsibility of keeping track of our milestones, so I’ll take that one. A, we completed the white paper earlier this year, in the first quarter. The white paper was visionary in nature, and it was obviously designed to help our constituents understand the goals of the OTTF. However, in order to actually make this a normative specification and design a program, around which you would have conformance and be able to measure suppliers’ conformity to that specification, we have to develop a specification with normative language.

First draft

We’re finishing that up as we speak and we are going to have a first draft here within the next month. We’re looking to have that entire specification go through company review in the fourth quarter of this year.

Simultaneously, we’ll be working on the accreditation policy and conformance criteria and evidence requirements necessary to actually have an accreditation program, while continuing to liaise with other evaluation schemes that are interested in partnering with us. In a global international environment, that’s very important, because there exist more than one of these regimes that we will have to exist, coexist, and partner with. Over the next year, we’ll have completed the accreditation program and have begun testing of the process, probably having to make some adjustments along the way. We’re looking at sometime within the first half of 2012 for having a completed program to begin ramping up.

Gardner: Is there an update on the public sector’s, or in the U.S., the federal government’s, role in this? Are they active? Are they leading? How would you characterize the public role or where you would like to see that go?

Szakal: The Forum itself continues to liaise with the government and all of our constituents. As you know, we have several government members that are part of the TTF and they are just as important as any of the other members. We continue to provide update to many of the governments that we are working with globally to ensure they understand the goals of the OTTF and how they can provide value synergistically with what we are doing, as we would to them.

Gardner: I’ll throw this back out to the panel? How about the activities this week at the conference? What have been the progress or insights that you can point to from that?

Brickman: We’ve been meeting for the first couple of days and we have made tremendous progress on wrapping up our framework and getting it ready for the first review. We’ve also been meeting with several government officials. I can’t say who they are, but what’s been good about it is that they’re very positive on the work that we’re doing, they support what we are doing and want to continue this discussion. It’s very much a partnership, and we do feel like it’s not just an industry-led project, where we have participation from folks who could very much be the consumers of this initiative.

Gardner: Clearly, there are a lot of stakeholders around the world, across both the public and private domains. Dave Lounsbury, what’s possible? What would we gain if this is done correctly? How would we tangibly look to improvements? I know that’s hard with security. It’s hard to point out what doesn’t happen, which is usually the result of proper planning, but how would you characterize the value of doing this all correctly say a year or two from now?

Awareness of security

Lounsbury: One of the trends we’ll see is that people are increasingly going to be making decisions about what technology to produce and who to partner with, based on more awareness of security.

A very clear possible outcome is that there will be a set of simple guidelines and ones that can be implemented by a broad spectrum of vendors, where a consumer can look and say, “These folks have followed good practices. They have baked secure engineering, secure design, and secure supply chain processes into their thing, and therefore I am more comfortable in dealing with them as a partner.”

Of course, what the means is that, not only do you end up with more confidence in your supply chain and the components for getting to that supply chain, but also it takes a little bit of work off your plate. You don’t have to invest as much in evaluating your vendors, because you can use commonly available and widely understood sort of best practices.

From the vendor perspective, it’s helpful because we’re already seeing places where a company, like a financial services company, will go to a vendor and say, “We need to evaluate you. Here’s our checklist.” Of course, the vendor would have to deal with many different checklists in order to close the business, and this will give them some common starting point.

Of course, everybody is going to customize and build on top of what that minimum bar is, depending on what kind of business they’re in. But at least it gives everybody a common starting point, a common reference point, some common vocabulary for how they are going to talk about how they do those assessments and make those purchasing decisions.

Gardner: Steve Lipner, do you think that this is going to find its way into a lot of RFPs, beginning a sales process, looking to have a major checkbox around these issues? Is that sort of how you see this unfolding?

Lipner: If we achieve the sort of success that we are aiming for and anticipating, you’ll see requirements for the OTTF, not only in RFPs, but also potentially in government policy documents around the world, basically aiming to increase the trust of broad collections of products that countries and companies use.

Gardner: Joshua Brickman, I have to imagine that this is a living type of an activity that you never really finish. There’s always something new to be done, a type of threat that’s evolving that needs to be reacted to. Would the TTF over time take on a larger role? Do you see it expanding into larger set of requirements, even as it adjusts to the contemporary landscape?

Brickman: That’s possible. I think that we are going to try to get something achievable out there in a timeframe that’s useful and see what sticks. One of the things that will happen is that as companies start to go out and test this, as with any other standard, the 1.0 standard will evolve to something that will become more germane, and as Steve said, will hopefully be adopted worldwide.

Agile and useful

It’s absolutely possible. It could grow. I don’t think anybody wants it to become a behemoth. We want it to be agile, useful, and certainly something readable and achievable for companies that are not multinational billion dollar companies, but also companies that are just out there trying to sell their piece of the pie into the space. That’s ultimately the goal of all of us, to make sure that this is a reasonable achievement.

Lounsbury: Dana, I’d like to expand on what Joshua just said. This is another thing that has come out of our meetings this week. We’ve heard a number of times that governments, of course, feel the need to protect their infrastructure and their economies, but also have a realization that because of the rapid evolution of technology and the rapid evolution of security threats that it’s hard for them to keep up. It’s not really the right vehicle.

There really is a strong preference. The U.S. strategy on this is to let industry take the lead. One of the reasons for that is the fact that industry can evolve, in fact must evolve, at the pace of the commercial marketplace. Otherwise, they wouldn’t be in business.

So, we really do want to get that first stake in the ground and get this working, as Joshua said. But there is some expectation that, over time, the industry will drive the evolution of security practices and security policies, like the ones OTTF is developing at the pace of commercial market, so that governments won’t have to do that kind of regulation which may not keep up.

Gardner: Andras, any thoughts from your perspective on this ability to keep up in terms of market forces? How do you see the dynamic nature of this being able to be proactive instead of reactive?

Szakal: One of our goals is to ensure that the viability of the specification itself, the best practices, are updated periodically. We’re talking about potentially yearly. And to include new techniques and the application of potentially new technologies to ensure that providers are implementing the best practices for development engineering, secure engineering, and supply chain integrity. It’s going to be very important for us to continue to evolve these best practices over a period of time and not allow them to fall into a state of static disrepair.

I’m very enthusiastic, because many of the members are very much in agreement that this is something that needs to be happening in order to actually raise the bar on the industry, as we move forward, and help the entire industry adopt the practices and then move forward in our journey to secure our critical infrastructure.

Gardner: Given that this has the potential of being a fairly rapidly evolving standard that may start really appearing in RFPs and be impactful for real world business success, how should enterprises get involved from the buy side? How should suppliers get involved from the sell side, given that this is seemingly a market driven, private enterprise driven activity?

I’ll throw this out to the crowd. What’s the responsibility from the buyers and the sellers to keep this active and to keep themselves up-to-date?

Lounsbury: Let me take the first stab at this. The reason we’ve been able to make the progress we have is that we’ve got the expertise in security from all of these major corporations and government agencies participating in the TTF. The best way to maintain that currency and maintain that drive is for people who have a problem, if you’re on the buy side or expertise from either side, to come in and participate.

Hands-on awareness

You have got the hands-on awareness of the market, and bringing that in and adding that knowledge of what is needed to the specification and helping move its evolution along is absolutely the best thing to do.

That’s our steady state, and of course the way to get started on that is to go and look at the materials. The white paper is out there. I expect we will be doing snapshots of early versions of this that would be available, so people can take a look at those. Or, come to an Open Group Conference and learn about what we are doing.

Gardner: Anyone else have a reaction to that? I’m curious. Given that we are looking to the private sector and market forces to be the drivers of this, will they also be the drivers in terms of enforcement? Is this voluntary? One would hope that market forces reward those who seek accreditation and demonstrate adhesion to the standard, and that those who don’t would suffer. Or is there a potential for more teeth and more enforcement? Again, I’ll throw this out to the panel at large.

Szakal: As vendors, we’d would like to see minimal regulation and that’s simply the nature of the beast. In order for us to conduct our business and lower the cost of market entry, I think that’s important.

I think it’s important that we provide leadership within the industry to ensure that we’re following the best practices to ensure the integrity of the products that we provide. It’s through that industry leadership that we will avoid potential damaging regulations across different regional environments.

We certainly wouldn’t want to see different regulations pop-up in different places globally. It makes for very messy technology insertion opportunity for us. We’re hoping that by actually getting engaged and providing some self-regulation, we won’t see additional government or international regulation.

Lipner: One of the things that my experience has taught me is that customers are very aware these days of security, product integrity, and the importance of suppliers paying attention to those issues. Having a robust program like the TTF and the certifications that it envisions will give customers confidence, and they will pay attention to that. That will change their behavior in the market even without formal regulations.

Gardner: Joshua Brickman, any thoughts on the self-regulation benefits? If that doesn’t work, is it self-correcting? Is there a natural approach that if this doesn’t work at first, that a couple of highly publicized incidents and corporations that suffer for not regulating themselves properly, would ride that ship, so to speak?

Brickman: First of all, industry setting the standard is an idea that has been thrown around a while, and I think that it’s great to see us finally doing it in this area, because we know our stuff the best.

But as far as an incident indicating that it’s not working, I don’t think so. We’re going to try to set up a standard, whereby we’re providing public information about what our products do and what we do as far as best practices. At the end of the day the acquiring agency, or whatever, is going to have to make decisions, and they’re going to make intelligent decisions, based upon looking at folks that choose to go through this and folks that choose not to go through it.

It will continue

The bad news that continues to come out is going to continue to happen. The only thing that they’ll be able to do is to look to the companies that are the experts in this to try to help them with that, and they are going to get some of that with the companies that go through these evaluations. There’s no question about it.

At the end of the day, this accreditation program is going to shake out the products and companies that really do follow best practices for secure engineering and supply chain best practices.

Gardner: What should we expect next? As we heard, there has been a lot of activity here in Austin at the conference. We’ve got that white paper. We’re working towards more mature definitions and approaching certification and accreditation types of activities. What’s next? What milestone should we look to? Andras, this is for you.

Szakal: Around November, we’re going to be going through company review of the specification and we’ll be publishing that in the fourth quarter.

We’ll also be liaising with our government and international partners during that time and we’ll also be looking forward to several upcoming conferences within The Open Group where we conduct those activities. We’re going to solicit some of our partners to be speaking during those events on our behalf.

As we move into 2012, we’ll be working on the accreditation program, specifically the conformance criteria and the accreditation policy, and liaising again with some of our international partners on this particular issue. Hopefully we will, if all things go well and according to plan, come out of 2012 with a viable program.

Gardner: Dave Lounsbury, any further thoughts about next steps, what people should be looking for, or even where they should go for more information?

Lounsbury: Andras has covered it well. Of course, you can always learn more by going to www.opengroup.org and looking on our website for information about the OTTF. You can find drafts of all the documents that have been made public so far, and there will be our white paper and, of course, more information about how to become involved.

Gardner: Very good. We’ve been getting an update about The Open Group Trusted Technology Forum, OTTF, and seeing how this can have a major impact from a private sector perspective and perhaps head off issues about lack of trust and lack of clarity in a complex evolving technology ecosystem environment.

I’d like to thank our guests. We’ve been joined by Dave Lounsbury, Chief Technical Officer at The Open Group. Thank you, sir.

Lounsbury: Thank you, Dana.

Gardner: Steve Lipner, the Senior Director of Security Engineering Strategy in the Trustworthy

Computing Security Group at Microsoft. Thank you, Steve.

Lipner: Thanks, Dana.

Gardner: Joshua Brickman, who is the Director of the Federal Certification Program Office in CA Technologies, has also joined us. Thank you.

Brickman: I enjoyed it very much.

Gardner: And Andras Szakal, Vice President and CTO of IBM’s Federal Software Group. Thank you, sir.

Szakal: It’s my pleasure. Thank you very much, Dana.

Gardner: This discussion has come to you as a sponsored podcast in conjunction with The Open Group Conference in Austin, Texas. We are here the week of July 18, 2011. I want to thank our listeners as well. This is Dana Gardner, Principal Analyst at Interarbor Solutions. Don’t forget to come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com.

Copyright The Open Group 2011. All rights reserved.

Dana Gardner is the Principal Analyst at Interarbor Solutions, which identifies and interprets the trends in Services-Oriented Architecture (SOA) and enterprise software infrastructure markets. Interarbor Solutions creates in-depth Web content and distributes it via BriefingsDirect™ blogs, podcasts and video-podcasts to support conversational education about SOA, software infrastructure, Enterprise 2.0, and application development and deployment strategies.

3 Comments

Filed under Cybersecurity, Supply chain risk

Government Outreach for Global Supply Chain Integrity (OTTF)

By Sally Long, The Open Group

On May 10th in London, a select group of technology, government and Cybersecurity leaders and supply chain strategists met for a lunchtime briefing and discussion during The Open Group Conference. The message that came across loud and clear by all who participated was that fostering honest and open dialogue between government and industry is critical to securing the global supply chain; and that the only way we will do this effectively is by working together to assure coordination and adoption among current and emerging approaches.

This industry/government roundtable event was the fourth in a series of planned events for government outreach. In December and January, members of The Open Group Trusted Technology Forum (OTTF) met with Howard Schmidt, US Cybersecurity Coordinator for the Obama Administration, and with US House and Senate Committees and the Department of Commerce. In March, there were some inroads made into the Japanese government, and in April we held a session with government officials in India. Coming up are more briefings and discussions planned for Europe, Canada, China and Brazil.

The event in London brought together representatives from Atsec, Boeing, CA Technologies, Capgemini, CESG, Chatham House, Cisco, Fraunhofer SIT, Fujitsu, Hewlett-Packard, IBM, IDA, Kingdee Software, Microsoft, MITRE, NASA, Oracle, Real IRM, SAIC, SAP, and the UK Government. These, along with thought leaders from Chatham House, discussed global supply-chain challenges and a potential solution through The Open Group Trusted Technology Provider Framework (O-TTPF). Other existing approaches were highlighted by CESG as effective in some areas, though those areas were not directly focused on supply-chain best practices.

The beauty of the O-TTPF, a set of best practices for engineering and secure development methods and supply chain integrity, is that the Framework and guidelines are being developed by industry — architects, developers, manufacturers and supply chain experts, with input from government(s) — for industry. The fact that these best practices will be open, international, publically available and translated where appropriate, will allow all providers to understand what they need to do to “Build with Integrity” – so that customers can “Buy with Confidence”.

This is critically important because as we all know, a chain is only as strong as its weakest link. Even though a large system vendor may follow the O-TTPF best practices, those vendors often rely on sub-component suppliers of software and hardware from around the world, and in order to maintain the integrity of their supply-chain their sub-suppliers need to understand what it means to be trustworthy as well.

One of the OTTF’s objectives is to develop an accreditation program, which will help customers, in government and industry, identify secure technology providers and products in the global supply chain. Governments and large enterprises that base their purchasing decisions on trusted technology providers who have developed their products using the best practices identified by the O-TTPF will be able to rely on a more comprehensive approach to risk management and product assurance when selecting COTS technology products.

One of the major messages at the Roundtable event was that the OTTF is not just about major industry providers. It’s about opening the doors to all providers and all customers, and it’s about reaching out to all governments to assure the O-TTPF best practice requirements are aligned with their acquisition requirements — so that there is true global recognition and demand for Trusted Technology Providers who conform to the O-TTPF Best Practices.

The OTTF members believe it is critical to reach out to governments around the world, to foster industry-government dialogue about government acquisition requirements for trusted technology and trusted technology providers, so they can enable the global recognition required for a truly secure global supply chain. Any government or government agency representative interested in working together to provide a trusted global supply chain can contact the OTTF global outreach and acquisition team through ottf-interest@opengroup.org.

The Forum operates under The Open Group, an international vendor- and technology-neutral consortium well known for providing an open and collaborative environment for such work. We are seeking additional participants from global government and commercial entities. If you are interested in learning more about the Forum please feel free to contact me, Sally Long, OTTF Forum Director, at s.long@opengroup.org.

Sally Long, Director of Consortia Services at The Open Group, has been managing customer-vendor forums and collaborative development projects for the past nineteen years. She was the Release Engineering Section Manager for all collaborative, multi-vendor, development projects (OSF/1, DME, DCE, and Motif) at The Open Software Foundation (OSF), in Cambridge Massachusetts.  Following the merger of OSF and X/Open under The Open Group, Sally served as the Program Director for multiple Forums within The Open Group including: The Distributed Computing Environment (DCE) Forum, The Enterprise Management Forum, The Quality of Service (QoS) Task Force, The Real-time and Embedded Systems Forum and most recently the Open Group Trusted Technology Forum. Sally has also been instrumental in business development and program definition for certification programs developed and operated by The Open Group for the North American State and Provincial Lotteries Association (NASPL) and for the Near Field Communication (NFC) Forum. Sally has a Bachelor of Science degree in Electrical Engineering from Northeastern University in Boston, Massachusetts, and a Bachelor of Science degree in Occupational Therapy from The Ohio State University.

1 Comment

Filed under Cybersecurity, Supply chain risk

PODCAST: Exploring the role and impact of the Open Trusted Technology Framework (OTTF)

by Dana Gardner, Interarbor Solutions

Listen to this recorded podcast here: BriefingsDirect-Discover the Open Trusted Technology Provider Framework

The following is the transcript of a sponsored podcast panel discussion from The Open Group Conference, San Diego 2011 on The Open Trusted Technology Forum and its impact on business and government.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference held in San Diego, the week of February 7, 2011. We’ve assembled a panel to examine The Open Group’s new Open Trusted Technology Forum (OTTF), which was established in December.

The forum is tasked with finding ways to better conduct global procurement and supply-chain commerce among and between technology acquirers and buyers and across the ecosystem of technology providers. By providing transparency, collaboration, innovation, and more trust on the partners and market participants in the IT environment, the OTTF will lead to improved business risk for global supply activities in the IT field.

We’ll examine how the OTTF will function, what its new framework will be charged with providing, and we will examine ways that participants in the global IT commerce ecosystem can become involved with and perhaps use the OTTF’s work to its advantage.

Here with us to delve into the mandate and impact of the Trusted Technology Forum, we’re here with Dave Lounsbury. He is the Chief Technology Officer for The Open Group. Welcome, Dave.

Dave Lounsbury: Hi, Dana. How are you?

Gardner: I’m great. We’re also here with Steve Lipner, the Senior Director of Security Engineering Strategy in Microsoft’s Trustworthy Computing Group. Welcome, Steve.

Steve Lipner: Hi, Dana. Glad to be here.

Gardner: And, we’re also here with Andras Szakal, the Chief Architect in IBM’s Federal Software Group and an IBM distinguished engineer. Welcome.

Andras Szakal: Welcome. Thanks for having me.

Gardner: We’re also here with Carrie Gates, Vice President and Research Staff Member at CA Labs. Welcome.Carrie Gates: Thank you.

Gardner: Let’s start with you, Dave. Tell us in a nutshell what the OTTF is and why it came about?

Lounsbury: The OTTF is a group that came together under the umbrella of The Open Group to identify and develop standards and best practices for trusting supply chain. It’s about how one consumer in a supply chain could trust their partners and how they will be able to indicate their use of best practices in the market, so that people who are buying from the supply chain or buying from a specific vendor will be able to know that they can procure this with a high level of confidence.

Gardner: Clearly, people have been buying these sorts of products for some time. What’s new? What’s changed that makes this necessary?

Concerns by DoD

Lounsbury: There are a couple of dimensions on it, and I will start this off because the other folks in the room are far more expert in this than I am.

This actually started a while ago at The Open Group by a question from the U.S. Department of Defense (DoD), which faced the challenge of buying commercial off-the-shelf product. Obviously, they wanted to take advantage of the economies of scale and the pace of technology in the commercial supply chain, but realized that means they’re not going to get purpose-built equipment, that they are going to buy things from a global supply chain.

They asked, “What would we look for in these things that we are buying to know that people have used good engineering practices and good supply chain management practices? Do they have a good software development methodology? What would be those indicators?”

Now, that was a question from the DoD, but everybody is on somebody’s supply chain. People buy components. The big vendors buy components from smaller vendors. Integrators bring multiple systems together.

So, this is a really broad question in the industry. Because of that, we felt the best way to address this was bring together a broad spectrum of industry to come in, identify the practices that they have been using — your real, practical experience — and bring that together within a framework to create a standard for how we would do that.

Gardner: And this is designed with that word “open” being important to being inclusive. This is about a level playing field, but not necessarily any sort of exclusionary affair.

Lounsbury: Absolutely. Not only is the objective of all The Open Group activities to produce open standards and conformance programs that are available to everyone,

but in this case, because we are dealing with a global supply chain, we know that we are going to have not only vendors at all scales, but also vendors from all around the world.

If you pick up any piece of technology, it will be designed in the USA, assembled in Mexico, and built in China. So we need that international and global dimension in production of this set of standards as well.

Gardner: Andras, you’ve been involved with this quite a bit. For the edification of our listeners, is this mostly software we’re talking about? Is it certain components? Can we really put a bead on what will be the majority of technologies that would probably be affected?

Szakal: That’s a great question, Dana. I’d like to provide a little background. In today’s environment, we’re seeing a bit of a paradigm shift. We’re seeing technology move out of the traditional enterprise infrastructure. We’re seeing these very complex value chains be created. We’re seeing cloud computing.

Smarter infrastructures

We’re actually working to create smarter infrastructures that are becoming more intelligent, automated, and instrumented, and they are very much becoming open-loop systems. Traditionally, they were closed loop systems, in other words, closed environments, for example, the energy and utility (E&U) industry, the transportation industry, and the health-care industry.

As technology becomes more pervasive and gets integrated into these environments, into the critical infrastructure, we have to consider whether they are vulnerable and how the components that have gone into these solutions are trustworthy.

Governments worldwide are asking that question. They’re worried about critical infrastructure and the risk of using commercial, off-the-shelf technology — software and hardware — in a myriad of ways, as it gets integrated into these more complex solutions.

That’s part of the worry internationally from a government and policy perspective, and part of our focus here is to help our constituents, government customers and critical infrastructure customers, understand how the commercial technology manufacturers, the software development manufactures, go about engineering and managing their supply chain integrity.

Gardner: I got the impression somehow, listening to some of the presentations here at the Conference, that this was mostly about software. Maybe at the start, would that be the case?

Szakal: No, it’s about all types of technology. Software obviously is a particularly important focus, because it’s at the center of most technology anyway. Even if you’re developing a chip, a chip has some sort of firmware, which is ultimately software. So that perception is valid to a certain extent, but no, not just software, hardware as well.

Gardner: Steve, I heard also the concept of “build with integrity,” as applied to the OTTF. What does that mean, build with integrity?

Lipner: Build with integrity really means that the developer who is building a technology product, whether it be hardware or software, applies best practices and understood techniques to prevent the inclusion of security problems, holes, bugs, in the product — whether those problems arise from some malicious act in the supply chain or whether they arise from inadvertent errors. With the complexity of modern software, it’s likely that security vulnerabilities can creep in.

So, what build with integrity really means is that the developer applies best practices to reduce the likelihood of security problems arising, as much as commercially feasible.

And not only that, but any given supplier has processes for convincing himself that upstream suppliers, component suppliers, and people or organizations that he relies on, do the same, so that ultimately he delivers as secure a product as possible.

Gardner: Carrie, one of the precepts of good commerce is a lack of friction between borders, where more markets can become involved, where the highest quality at the lowest cost types of effects can take place. This notion of trust, when applied to IT resources and assets, seems to be important to try to keep this a global market and to allow for the efficiencies that are inherent in an open market to take place. How do you see this as a borderless technology ecosystem? How does this help?

International trust

Gates: This helps tremendously in improving trust internationally. We’re looking at developing a framework that can be applied regardless of which country you’re coming from. So, it is not a US-centric framework that we’ll be using and adhering to.

We’re looking for a framework so that each country, regardless of its government, regardless of the consumers within that country, all of them have confidence in what it is that we’re building, that we’re building with integrity, that we are concerned about both, as Steve mentioned, malicious acts or inadvertent errors.

And each country has its own bad guy, and so by adhering to international standard we can say we’re looking for bad guys for every country and ensuring that what we provide is the best possible software.

Gardner: Let’s look a little bit at how this is going to shape up as a process. Dave, let’s explain the idea of The Open Group being involved as a steward. What is The Open Group’s role in this?

Lounsbury: The Open Group provides the framework under which both buyers and suppliers at any scale could come together to solve a common problem — in this case, the question of providing trusted technology best practices and standards. We operate a set of proven processes that ensure that everyone has a voice and that all these standards go forward in an orderly manner.

We provide infrastructure for doing that in the meetings and things like that. The third leg is that The Open Group operates industry-based conformance programs, the certification programs, that allow someone who is not a member to come in and indicate their conformance standard and give evidence that they’re using the best practices there.

Gardner: That’s important. I think there is a milestone set that you were involved with. You’ve created the forum. You’ve done some gathering of information. Now, you’ve come out right here at this conference with the framework, with the first step towards a framework, that could be accepted across the community. There is also a white paper that explains how that’s all going to work. But, eventually, you’re going to get to an accreditation capability. What does that mean? Is that a stamp of approval?

Lounsbury: Let me back up just a little bit. The white paper actually lays out the framework. The work of forum is to turn that framework into an Open Group standard and populate it. That will provide the standards and best practice foundation for this conformance program.

We’re just getting started on the vision for a conformance program. One of the challenges here is that first, not only do we have to come up with the standard and then come up with the criteria by which people would submit evidence, but you also have to deal with the problem of scale.

If we really want to address this problem of global supply chains, we’re talking about a very large number of companies around the world. It’s a part of the challenge that the forum faces.

Accrediting vendors

Part of the work that they’ve embarked on is, in fact, to figure out how we wouldn’t necessarily do that kind of conformance one on one, but how we would accredit either vendors themselves who have their own duty of quality processes as a big vendor would or third parties who can do assessments and then help provide the evidence for that conformance.

We’re getting ahead of ourselves here, but there would be a certification authority that would verify that all the evidence is correct and grant some certificate that says that they have met some or all of the standards.

Szakal: Our vision is that we want to leverage some of the capability that’s already out there. Most of us go through common criteria evaluations and that is actually listed as a best practice for a validating security function and products.

Where we are focused, from an accreditation point of view, affects more than just security products. That’s important to know. However, we definitely believe that the community of assessment labs that exists out there that already conducts security evaluations, whether they be country-specific or that they be common criteria, needs to be leveraged. We’ll endeavor to do that and integrate them into both the membership and the thinking of the accreditation process.

Gardner: Thank you, Andras. Now, for a company that is facing some hurdles — and we heard some questions in our sessions earlier about: “What do I have to do? Is this going to be hard for an SMB? — the upside could be pretty significant. If you’re a company and you do get that accreditation, you’re going to have some business value. Steve Lipner, what from your perspective is the business rationale for these players to go about this accreditation to get this sort of certification?

Lipner: To the extent that the process is successful, why then customers will really value the certification? And will that open markets or create preferences in markets for organizations that have sought and achieved the certification?

Obviously, there will be effort involved in achieving the certification, but that will be related to real value, more trust, more security, and the ability of customers to buy with confidence.

The challenge that we’ll face as a forum going forward is to make the processes deterministic and cost-effective. I can understand what I have to do. I can understand what it will cost me. I won’t get surprised in the certification process and I can understand that value equation. Here’s what I’m going to have to do and then here are the markets and the customer sets, and the supply chains it’s going to open up to me.

Gardner: So, we understand that there is this effort afoot that the idea is to create more trust and a set of practices in place, so that everyone understands that certain criteria have been met and vulnerabilities have been reduced. And, we understand that this is going to be community effort and you’re going to try to be inclusive.

What I’m now curious about is what is it this actually consists of — a list of best practices, technology suggestions? Are there certain tests and requirements that are already in place that one would have to tick off? Let me take that to you, Carrie, and we’ll go around the panel. How do you actually assure that this is safe stuff?

Different metrics

Gates: If you refer to our white paper, we start to address that there. We were looking at a number of different metrics across the board. For example, what do you have for documentation practices? Do you do code reviews? There are a number of different best practices that are already in the field that people are using. Anyone who wants to be a certified, can go and look at this document and say, “Yes, we are following these best practices” or “No, we are missing this. Is it something that we really need to add? What kind of benefit it will provide to us beyond the certification?”

Gardner: Dave, anything to add as to how a company would go about this? What are some of the main building blocks to a low-vulnerability technology creation and distribution process?

Lounsbury: Again, I refer everybody to the white paper, which is available on The Open Group website. You’ll see there in the categories that we’ve divided these kinds of best practice into four broad categories: product engineering and development methods, secure engineering development methods, supply chain integrity methods and the product evaluation methods.

Under there those are the categories, we’ll be looking at the attributes that are necessary to each of those categories and then identifying the underlying standards or bits of evidence, so people can submit to indicate their conformance.

I want to underscore this point about the question of the cost to a vendor. Steve said it very well. The objective here is to raise best practices across the industry and make the best practice commonplace. One of the great things about an industry-based conformance program is that it gives you the opportunity to take the standards and those categories that we’ve talked about as they are developed by OTTF and incorporate those in your engineering and development processes.

So you’re baking in the quality as you go along, and not trying to have an expensive thing going on at the end.

Gardner: Andras, IBM is perhaps one of the largest providers to governments and defense agencies when it comes to IT and certainly, at the center of a large ecosystem around the world, you probably have some insights into best practices that satisfy governments and military and defense organizations.

Can you offer a few major building blocks that perhaps folks that have been in a completely commercial environment would need to start thinking more about as they try to think about reaching accreditation?

Szakal: We have three broad categories here and we’ve broken each of the categories into a set of principles, what we call best practice attributes. One of those is secure engineering. Within secure engineering, for example, one of the attributes is threat assessment and threat modeling.

Another would be to focus on lineage of open-source. So, these are some of the attributes that go into these large-grained categories.

Unpublished best practices

You’re absolutely right, we have thought about this before. Steve and I have talked a lot about this. We’ve worked on his secure engineering initiative, his SDLC initiative within Microsoft. I worked on and was co-author of the IBM Secure Engineering Framework. So, these are living examples that have been published, but are proprietary, for some of the best practices out there. There are others, and in many cases, most companies have addressed this internally, as part of their practices without having to publish them.

Part of the challenge that we are seeing, and part of the reason that Microsoft and IBM went to the length of publishing there is that government customers and critical infrastructure were asking what is the industry practice and what were the best practices.

What we’ve done here is taken the best practices in the industry and bringing them together in a way that’s a non-vendor specific. So you’re not looking to IBM, you’re not having to look at the other vendors’ methods of implementing these practices, and it gives you a non-specific way of addressing them based on outcome.

These have all been realized in the field. We’ve observed these practices in the wild, and we believe that this is going to actually help vendors mature in these specific areas. Governments recognize that, to a certain degree, the industry is not a little drunk and disorderly and we do actually have a view on what it means to develop product in a secure engineering manner and that we have supply chain integrity initiatives out there. So, those are very important.

Gardner: Somebody mentioned earlier that technology is ubiquitous across so many products and services. Software in particular growing more important in how it affects all sorts of different aspects of different businesses around the world. It seems to me this is an inevitable step that you’re taking here and that it might even be overdue.

If we can take the step of certification and agreement about technology best practices, does this move beyond just technology companies in the ecosystem to a wider set of products and services? Any thoughts about whether this is a framework for technology that could become more of a framework for general commerce, Dave?

Lounsbury: Well, Dana, you asked me a question I’m not sure I have an answer for. We’ve got a quite a task in front of us doing some of these technology standards. I guess there might be cases where vertical industries that are heavy technology employers or have similar kinds of security problems might look to this or there might be some overlap. The one that comes to my mind immediately is health care, but we will be quite happy if we get the technology industry, standards and best practices in place in the near future.

Gardner: I didn’t mean to give you more work to do necessarily. I just wanted to emphasize how this is an important and inevitable step and that the standardization around best practices trust and credibility for lack of malware and other risks that comes in technology is probably going to become more prevalent across the economy and the globe. Would you agree with that, Andras?

Szakal: This approach is, by the way, our best practices approach to solving this problem. It’s an approach that’s been taken before by the industry or industries from a supply chain perspective. There are several frameworks out there that abstract the community practice into best practices and use it as a way to help global manufacturing and development practices, in general, ensure integrity.

Our approach is not all that unique, but it’s certainly the first time the technology industry has come together to make sure that we have an answer to some of these most important questions.

Gardner: Any thoughts, Steve?

Lipner: I think Andras was right in terms of the industry coming together to articulate best practices. You asked a few minutes ago about existing certifications and beyond in the trust and assurance space. Beyond common criteria for security features, security products, there’s really not much in terms of formal evaluation processes today.

Creating a discipline

One of the things we think that the forum can contribute is a discipline that governments and potentially other customers can use to say, “What is my supplier actually doing? What assurance do I have? What confidence do I have?”

Gardner: Dave?

Lounsbury: I want to expand on that point a little bit. The white paper’s name, “The Open Trusted Technology Provider Framework” was quite deliberately chosen. There are a lot of practices out there that talk about how you would establish specific security criteria or specific security practices for products. The Open Trusted Technology Provider Forum wants to take a step up and not look at the products, but actually look at the practices that the providers employ to do that. So it’s bringing together those best practices.

Now, good technology providers will use good practices, when they’re looking at their products, but we want to make sure that they’re doing all of the necessary standards and best practices across the spectrum, not just, “Oh, I did this in this product.”

Szakal: I have to agree 100 percent. We’re not simply focused on a bunch of security controls here. This is industry continuity and practices for supply chain integrity, as well as our internal manufacturing practices around the actual practice and process of engineering or software development, as well as supply chain integrity practices.

That’s a very important point to be made. This is not a traditional security standard, insomuch as that we’ve got a hundred security controls that you should always go out and implement. You’re going to have certain practices that make sense in certain situations, depending on the context of the product you’re manufacturing.

Gardner: Carrie, any suggestions for how people could get started at least from an educational perspective? What resources they might look to or what maybe in terms of a mindset they should start to develop as they move towards wanting to be a trusted part of a larger supply chain?

Gates: I would say an open mindset. In terms of getting started, the white paper is an excellent resource to get started and understand how the OTTF is thinking about the problem. How we are sort of structuring things? What are the high-level attributes that we are looking at? Then, digging down further and saying, “How are we actually addressing the problem?”

We had mentioned threat modeling, which for some — if you’re not security-focused — might be a new thing to think about, as an example, in terms of your supply chain. What are the threats to your supply chain? Who might be interested, if you’re looking at malicious attack, in inserting something into your code? Who are your customers and who might be interested in potentially compromising them? How might you go about protecting them?

I am going to contradict Andras a little bit, because there is a security aspect to this, and there is a security mindset that is required. The security mindset is a little bit different, in that you tend to be thinking about who is it that would be interested in doing harm and how do you prevent that?

It’s not a normal way of thinking about problems. Usually, people have a problem, they want to solve it, and security is an add-on afterwards. We’re asking that they start that thinking as part of their process now and then start including that as part of their process.

Szakal: But, you have to agree with me that this isn’t your hopelessly lost techie 150-paragraph list of security controls you have to do in all cases, right?

Gates: Absolutely, there is no checklist of, “Yes, I have a Firewall. Yes, I have an IDS.”

Gardner: Okay. It strikes me that this is really a unique form of insurance — insurance for the buyer, insurance for the seller — that they can demonstrate that they’ve taken proper steps — and insurance for the participants in a vast and complex supply chain of contractors and suppliers around the world. Do you think the word “insurance” makes sense or “assurance?” How would you describe it, Steve?

Lipner: We talk about security assurance, and assurance is really what the OTTF is about, providing developers and suppliers with ways to achieve that assurance in providing their customers ways to know that they have done that. Andras referred to install the Firewall, and so on. This is really not about adding some security band-aid onto a technology or a product. It’s really about the fundamental attributes or assurance of the product or technology that’s being produced.

Gardner: Very good. I think we’ll need to leave it there. We have been discussing The Open Group’s new Open Trusted Technology Forum, The Associated Open Trusted Technology Provider Framework, and the movement towards more of an accreditation process for the global supply chains around technology products.

I want to thank our panel. We’ve been joined by Dave Lounsbury, the Chief Technology Officer of The Open Group. Thank you.

Lounsbury: Thank you, Dana.

Gardner: Also, Steve Lipner, the Senior Director of Security Engineering Strategy in Microsoft’s Trustworthy Computing Group. Thank you, Steve.

Lipner: Thank you, Dana.

Gardner: And also, Andras Szakal, he is the Chief Architect in the IBM Federal Software Group and an IBM’s Distinguished Engineer. Thank you.

Szakal: Thank you so much.

Gardner: And, also Carrie Gates, Vice President and Research Staff Member at CA Labs. Thank you.

Gates: Thank you.

Gardner: You’ve been listening to a sponsored podcast discussion in conjunction with The Open Group Conference here in San Diego, the week of February 7, 2011. I’m Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks for joining and come back next time.

Copyright The Open Group and Interarbor Solutions, LLC, 2005-2011. All rights reserved.

Dana Gardner is the Principal Analyst at Interarbor Solutions, which identifies and interprets the trends in Services-Oriented Architecture (SOA) and enterprise software infrastructure markets. Interarbor Solutions creates in-depth Web content and distributes it via BriefingsDirectblogs, podcasts and video-podcasts to support conversational education about SOA, software infrastructure, Enterprise 2.0, and application development and deployment strategies.

Comments Off

Filed under Cybersecurity, Supply chain risk

A First Step in Securing the Global Technology Supply Chain: Introducing The Open Group Trusted Technology Provider Framework Whitepaper

By Andras Szakal, IBM

Nearly two months ago, we announced the formation of The Open Group Trusted Technology Forum (OTTF), a global standards initiative among technology companies, customers, government and supplier organizations to create and promote guidelines for manufacturing, sourcing, and integrating trusted, secure technologies. The OTTF’s purpose is to shape global procurement strategies and best practices to help reduce threats and vulnerabilities in the global supply chain. I’m proud to say that we have just completed our first deliverable towards achieving our goal: The Open Trusted Technology Provider Framework (O-TTPF) whitepaper.

The framework outlines industry best practices that contribute to the secure and trusted development, manufacture, delivery and ongoing operation of commercial software and hardware products. Even though the OTTF has only recently been announced to the public, the framework and the work that led to this whitepaper have been in development for more than a year: first as a project of the Acquisition Cybersecurity Initiative, a collaborative effort facilitated by The Open Group between government and industry verticals under the sponsorship of the U.S. Department of Defense (OUSD (AT&L)/DDR&E). The framework is intended to benefit technology buyers and providers across all industries and across the globe concerned with secure development practices and supply chain management.

More than 15 member organizations joined efforts to form the OTTF as a proactive response to the changing cybersecurity threat landscape, which has forced governments and larger enterprises to take a more comprehensive view of risk management and product assurance. Current members of the OTTF include Atsec, Boeing, Carnegie Mellon SEI, CA Technologies, Cisco Systems, EMC, Hewlett-Packard, IBM, IDA, Kingdee, Microsoft, MITRE, NASA, Oracle, and the U.S. Department of Defense (OUSD(AT&L)/DDR&E), with the Forum operating under the stewardship and guidance of The Open Group.

Over the past year, OTTF member organizations have been hard at work collaborating, sharing and identifying secure engineering and supply chain integrity best practices that currently exist.  These best practices have been compiled from a number of sources throughout the industry including cues taken from industry associations, coalitions, traditional standards bodies and through existing vendor practices. OTTF member representatives have also shared best practices from within their own organizations.

From there, the OTTF created a common set of best practices distilled into categories and eventually categorized into the O-TTPF whitepaper. All this was done with a goal of ensuring that the practices are practical, outcome-based, aren’t unnecessarily prescriptive and don’t favor any particular vendor.

The Framework

The diagram below outlines the structure of the framework divided into categories that outline a hierarchy of how the OTTF arrived at the best practices it created.

Trusted Technology Provider Categories

Best practices were grouped by category because the types of technology development, manufacturing or integration activities conducted by a supplier are usually tailored to suit the type of product being produced, whether it is hardware, firmware, or software-based. Categories may also be aligned by manufacturing or development phase so that, for example, a supplier can implement a Secure Engineering/Development Method if necessary.

Provider categories outlined in the framework include:

  • Product Engineering/Development Method
  • Secure Engineering/Development Method
  • Supply Chain Integrity Method
  • Product Evaluation Method

Establishing Conformance and Determining Accreditation

In order for the best practices set forth in the O-TTPF to have a long-lasting effect on securing product development and the supply chain, the OTTF will define an accreditation process. Without an accreditation process, there can be no assurance that a practitioner has implemented practices according to the approved framework.

After the framework is formally adopted as a specification, The Open Group will establish conformance criteria and design an accreditation program for the O-TTPF. The Open Group currently manages multiple industry certification and accreditation programs, operating some independently and some in conjunction with third party validation labs. The Open Group is uniquely positioned to provide the foundation for creating standards and accreditation programs. Since trusted technology providers could be either software or hardware vendors, conformance will be applicable to each technology supplier based on the appropriate product architecture.

At this point, the OTTF envisions a multi-tiered accreditation scheme, which would allow for many levels of accreditation including enterprise-wide accreditations or a specific division. An accreditation program of this nature could provide alternative routes to claim conformity to the O-TTPF.

Over the long-term, the OTTF is expected to evolve the framework to make sure its industry best practices continue to ensure the integrity of the global supply chain. Since the O-TTPF is a framework, the authors fully expect that it will evolve to help augment existing manufacturing processes rather than replace existing organizational practices or policies.

There is much left to do, but we’re already well on the way to ensuring the technology supply chain stays safe and secure. If you’re interested in shaping the Trusted Technology Provider Framework best practices and accreditation program, please join us in the OTTF.

Download the O-TTPF, or visit read the OTTPF in full here.

Andras Szakal is an IBM Distinguished Engineer and Director of IBM’s Federal Software Architecture team. Andras is an Open Group Distinguished Certified IT Architect, IBM Certified SOA Solution Designer and a Certified Secure Software Lifecycle Professional (CSSLP). His responsibilities include developing e-Government software architectures using IBM middleware and leading the IBM U.S. Federal Software IT Architect Team. His team is responsible for designing solutions to enable smarter government by applying innovative approaches to secure service based computing and mission critical systems. He holds undergraduate degrees in Biology and Computer Science and a Masters Degree in Computer Science from James Madison University. Andras has been a driving force behind IBM’s adoption of federal government IT standards as a member of the IBM Software Group Government Standards Strategy Team and the IBM Corporate Security Executive Board focused on secure development and cybersecurity. Andras represents the IBM Software Group on the Board of Directors of The Open Group and currently holds the Chair of the IT Architect Profession Certification Standard (ITAC). More recently he was appointed chair of The Open Trusted Technology Forum.

4 Comments

Filed under Cybersecurity, Supply chain risk

Open Group conference next week focuses on role and impact of enterprise architecture amid shifting sands for IT and business

by Dana Gardner, Interarbor Solutions

Republished from his blog, BriefingsDirect, originally published Feb. 2, 2011

Next week’s The Open Group Conference in San Diego comes at an important time in the evolution of IT and business. And it’s not too late to attend the conference, especially if you’re looking for an escape from the snow and ice.

From Feb. 7 through 9 at the Marriott San Diego Mission Valley, the 2011 conference is organized around three key themes: architecting cyber securityenterprise architecture (EA) and business transformation, and the business and financial impact of cloud computingCloudCamp San Diego will be held in conjunction with the conference on Wednesday, Feb. 9. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Registration is open to both members and non-members of The Open Group. For more information, or to register for the conference in San Diego please visit:http://www.opengroup.org/sandiego2011/register.htm. Registration is free for members of the press and industry analysts.

The Open Group is a vendor- and technology-neutral consortium, whose vision ofBoundaryless Information Flow™ will enable access to integrated information within and between enterprises based on open standards and global interoperability.

I’ve found these conferences over the past five years an invaluable venue for meeting and collaborating with CIOs, enterprise architects, standards stewards and thought leaders on enterprise issues. It’s one of the few times when the mix of technology, governance and business interests mingle well for mutual benefit.

The Security Practitioners Conference, being held on Feb. 7, provides guidelines on how to build trusted solutions; take into account government and legal considerations; and connects architecture and information security management. Confirmed speakers include James Stikeleather, chief innovation officer, Dell Services; Bruce McConnell, cybersecurity counselor, National Protection and Programs Directorate, U.S. Department of Homeland Security; and Ben Calloni, Lockheed Martin Fellow, Software Security, Lockheed Martin Corp.

Change management processes requiring an advanced, dynamic and resilient EA structure will be discussed in detail during The Enterprise Architecture Practitioners Conference on Feb. 8. The Cloud Computing track, on Feb. 9, includes sessions on the business and financial impact of cloud computing; cloud security; and how to architect for the cloud — with confirmed speakers Steve Else, CEO, EA Principals; Pete Joodi, distinguished engineer, IBM; and Paul Simmonds, security consultant, the Jericho Forum.

General conference keynote presentation speakers include Dawn Meyerriecks, assistant director of National Intelligence for Acquisition, Technology and Facilities, Office of the Director of National Intelligence; David Mihelcic, CTO, the U.S. Defense Information Systems Agency; and Jeff Scott, senior analyst, Forrester Research.

I’ll be moderating an on-stage panel on Wednesday on the considerations that must be made when choosing a cloud solution — custom or “shrink-wrapped” — and whether different forms of cloud computing are appropriate for different industry sectors. The tension between plain cloud offerings and enterprise demands for customization is bound to build, and we’ll work to find a better path to resolution.

I’ll also be hosting and producing a set of BriefingsDirect podcasts at the conference, on such topics as the future of EA groups, EA maturity and future roles, security risk management, and on the new Trusted Technology Forum (OTTF) established in December. Look for those podcasts, blog summaries and transcripts here over the next few days and weeks.

For the first time, The Open Group Photo Contest will encourage the members and attendees to socialize, collaborate and share during Open Group conferences, as well as document and share their favorite experiences. Categories include best photo on the conference floor, best photo of San Diego, and best photo of the conference outing (dinner aboard the USS Midway in San Diego Harbor). The winner of each category will receive a $125 Amazon gift card. The winners will be announced on Monday, Feb. 14 via social media communities.

It’s not too late to join in, or to plan to look for the events and presentations online. Registration is open to both members and non-members of The Open Group. For more information, or to register for the conference in San Diego please visit:http://www.opengroup.org/sandiego2011/register.htm. Registration is free for members of the press and industry analysts.

You may also be interested in:

Dana Gardner is the Principal Analyst at Interarbor Solutions, which identifies and interprets the trends in Services-Oriented Architecture (SOA) and enterprise software infrastructure markets. Interarbor Solutions creates in-depth Web content and distributes it via BriefingsDirectblogs, podcasts and video-podcasts to support conversational education about SOA, software infrastructure, Enterprise 2.0, and application development and deployment strategies.

2 Comments

Filed under Uncategorized