Tag Archives: Security Forum

Beyond Big Data

By Chris Harding, The Open Group

The big bang that started The Open Group Conference in Newport Beach was, appropriately, a presentation related to astronomy. Chris Gerty gave a keynote on Big Data at NASA, where he is Deputy Program Manager of the Open Innovation Program. He told us how visualizing deep space and its celestial bodies created understanding and enabled new discoveries. Everyone who attended felt inspired to explore the universe of Big Data during the rest of the conference. And that exploration – as is often the case with successful space missions – left us wondering what lies beyond.

The Big Data Conference Plenary

The second presentation on that Monday morning brought us down from the stars to the nuts and bolts of engineering. Mechanical devices require regular maintenance to keep functioning. Processing the mass of data generated during their operation can improve safety and cut costs. For example, airlines can overhaul aircraft engines when it needs doing, rather than on a fixed schedule that has to be frequent enough to prevent damage under most conditions, but might still fail to anticipate failure in unusual circumstances. David Potter and Ron Schuldt lead two of The Open Group initiatives, Quantum Lifecycle management (QLM) and the Universal Data Element Framework (UDEF). They explained how a semantic approach to product lifecycle management can facilitate the big-data processing needed to achieve this aim.

Chris Gerty was then joined by Andras Szakal, vice-president and chief technology officer at IBM US Federal IMT, Robert Weisman, chief executive officer of Build The Vision, and Jim Hietala, vice-president of Security at The Open Group, in a panel session on Big Data that was moderated by Dana Gardner of Interarbor Solutions. As always, Dana facilitated a fascinating discussion. Key points made by the panelists included: the trend to monetize data; the need to ensure veracity and usefulness; the need for security and privacy; the expectation that data warehouse technology will exist and evolve in parallel with map/reduce “on-the-fly” analysis; the importance of meaningful presentation of the data; integration with cloud and mobile technology; and the new ways in which Big Data can be used to deliver business value.

More on Big Data

In the afternoons of Monday and Tuesday, and on most of Wednesday, the conference split into streams. These have presentations that are more technical than the plenary, going deeper into their subjects. It’s a pity that you can’t be in all the streams at once. (At one point I couldn’t be in any of them, as there was an important side meeting to discuss the UDEF, which is in one of the areas that I support as forum director). Fortunately, there were a few great stream presentations that I did manage to get to.

On the Monday afternoon, Tom Plunkett and Janet Mostow of Oracle presented a reference architecture that combined Hadoop and NoSQL with traditional RDBMS, streaming, and complex event processing, to enable Big Data analysis. One application that they described was to trace the relations between particular genes and cancer. This could have big benefits in disease prediction and treatment. Another was to predict the movements of protesters at a demonstration through analysis of communications on social media. The police could then concentrate their forces in the right place at the right time.

Jason Bloomberg, president of Zapthink – now part of Dovel – is always thought-provoking. His presentation featured the need for governance vitality to cope with ever changing tools to handle Big Data of ever increasing size, “crowdsourcing” to channel the efforts of many people into solving a problem, and business transformation that is continuous rather than a one-time step from “as is” to “to be.”

Later in the week, I moderated a discussion on Architecting for Big Data in the Cloud. We had a well-balanced panel made up of TJ Virdi of Boeing, Mark Skilton of Capgemini and Tom Plunkett of Oracle. They made some excellent points. Big Data analysis provides business value by enabling better understanding, leading to better decisions. The analysis is often an iterative process, with new questions emerging as answers are found. There is no single application that does this analysis and provides the visualization needed for understanding, but there are a number of products that can be used to assist. The role of the data scientist in formulating the questions and configuring the visualization is critical. Reference models for the technology are emerging but there are as yet no commonly-accepted standards.

The New Enterprise Platform

Jogging is a great way of taking exercise at conferences, and I was able to go for a run most mornings before the meetings started at Newport Beach. Pacific Coast Highway isn’t the most interesting of tracks, but on Tuesday morning I was soon up in Castaways Park, pleasantly jogging through the carefully-nurtured natural coastal vegetation, with views over the ocean and its margin of high-priced homes, slipways, and yachts. I reflected as I ran that we had heard some interesting things about Big Data, but it is now an established topic. There must be something new coming over the horizon.

The answer to what this might be was suggested in the first presentation of that day’s plenary, Mary Ann Mezzapelle, security strategist for HP Enterprise Services, talked about the need to get security right for Big Data and the Cloud. But her scope was actually wider. She spoke of the need to secure the “third platform” – the term coined by IDC to describe the convergence of social, cloud and mobile computing with Big Data.

Securing Big Data

Mary Ann’s keynote was not about the third platform itself, but about what should be done to protect it. The new platform brings with it a new set of security threats, and the increasing scale of operation makes it increasingly important to get the security right. Mary Ann presented a thoughtful analysis founded on a risk-based approach.

She was followed by Adrian Lane, chief technology officer at Securosis, who pointed out that Big Data processing using NoSQL has a different architecture from traditional relational data processing, and requires different security solutions. This does not necessarily mean new techniques; existing techniques can be used in new ways. For example, Kerberos may be used to secure inter-node communications in map/reduce processing. Adrian’s presentation completed the Tuesday plenary sessions.

Service Oriented Architecture

The streams continued after the plenary. I went to the Distributed Services Architecture stream, which focused on SOA.

Bill Poole, enterprise architect at JourneyOne in Australia, described how to use the graphical architecture modeling language ArchiMate® to model service-oriented architectures. He illustrated this using a case study of a global mining organization that wanted to consolidate its two existing bespoke inventory management applications into a single commercial off-the-shelf application. It’s amazing how a real-world case study can make a topic come to life, and the audience certainly responded warmly to Bill’s excellent presentation.

Ali Arsanjani, chief technology officer for Business Performance and Service Optimization, and Heather Kreger, chief technology officer for International Standards, both at IBM, described the range of SOA standards published by The Open Group and available for use by enterprise architects. Ali was one of the brains that developed the SOA Reference Architecture, and Heather is a key player in international standards activities for SOA, where she has helped The Open Group’s Service Integration Maturity Model and SOA Governance Framework to become international standards, and is working on an international standard SOA reference architecture.

Cloud Computing

To start Wednesday’s Cloud Computing streams, TJ Virdi, senior enterprise architect at The Boeing Company, discussed use of TOGAF® to develop an Enterprise Architecture for a Cloud ecosystem. A large enterprise such as Boeing may use many Cloud service providers, enabling collaboration between corporate departments, partners, and regulators in a complex ecosystem. Architecting for this is a major challenge, and The Open Group’s TOGAF for Cloud Ecosystems project is working to provide guidance.

Stuart Boardman of KPN gave a different perspective on Cloud ecosystems, with a case study from the energy industry. An ecosystem may not necessarily be governed by a single entity, and the participants may not always be aware of each other. Energy generation and consumption in the Netherlands is part of a complex international ecosystem involving producers, consumers, transporters, and traders of many kinds. A participant may be involved in several ecosystems in several ways: a farmer for example, might consume energy, have wind turbines to produce it, and also participate in food production and transport ecosystems.

Penelope Gordon of 1-Plug Corporation explained how choice and use of business metrics can impact Cloud service providers. She worked through four examples: a start-up Software-as-a-Service provider requiring investment, an established company thinking of providing its products as cloud services, an IT department planning to offer an in-house private Cloud platform, and a government agency seeking budget for government Cloud.

Mark Skilton, director at Capgemini in the UK, gave a presentation titled “Digital Transformation and the Role of Cloud Computing.” He covered a very broad canvas of business transformation driven by technological change, and illustrated his theme with a case study from the pharmaceutical industry. New technology enables new business models, giving competitive advantage. Increasingly, the introduction of this technology is driven by the business, rather than the IT side of the enterprise, and it has major challenges for both sides. But what new technologies are in question? Mark’s presentation had Cloud in the title, but also featured social and mobile computing, and Big Data.

The New Trend

On Thursday morning I took a longer run, to and round Balboa Island. With only one road in or out, its main street of shops and restaurants is not a through route and the island has the feel of a real village. The SOA Work Group Steering Committee had found an excellent, and reasonably priced, Italian restaurant there the previous evening. There is a clear resurgence of interest in SOA, partly driven by the use of service orientation – the principle, rather than particular protocols – in Cloud Computing and other new technologies. That morning I took the track round the shoreline, and was reminded a little of Dylan Thomas’s “fishing boat bobbing sea.” Fishing here is for leisure rather than livelihood, but I suspected that the fishermen, like those of Thomas’s little Welsh village, spend more time in the bar than on the water.

I thought about how the conference sessions had indicated an emerging trend. This is not a new technology but the combination of four current technologies to create a new platform for enterprise IT: Social, Cloud, and Mobile computing, and Big Data. Mary Ann Mezzapelle’s presentation had referenced IDC’s “third platform.” Other discussions had mentioned Gartner’s “Nexus of forces,” the combination of Social, Cloud and Mobile computing with information that Gartner says is transforming the way people and businesses relate to technology, and will become a key differentiator of business and technology management. Mark Skilton had included these same four technologies in his presentation. Great minds, and analyst corporations, think alike!

I thought also about the examples and case studies in the stream presentations. Areas as diverse as healthcare, manufacturing, energy and policing are using the new technologies. Clearly, they can deliver major business benefits. The challenge for enterprise architects is to maximize those benefits through pragmatic architectures.

Emerging Standards

On the way back to the hotel, I remarked again on what I had noticed before, how beautifully neat and carefully maintained the front gardens bordering the sidewalk are. I almost felt that I was running through a public botanical garden. Is there some ordinance requiring people to keep their gardens tidy, with severe penalties for anyone who leaves a lawn or hedge unclipped? Is a miserable defaulter fitted with a ball and chain, not to be removed until the untidy vegetation has been properly trimmed, with nail clippers? Apparently not. People here keep their gardens tidy because they want to. The best standards are like that: universally followed, without use or threat of sanction.

Standards are an issue for the new enterprise platform. Apart from the underlying standards of the Internet, there really aren’t any. The area isn’t even mapped out. Vendors of Social, Cloud, Mobile, and Big Data products and services are trying to stake out as much valuable real estate as they can. They have no interest yet in boundaries with neatly-clipped hedges.

This is a stage that every new technology goes through. Then, as it matures, the vendors understand that their products and services have much more value when they conform to standards, just as properties have more value in an area where everything is neat and well-maintained.

It may be too soon to define those standards for the new enterprise platform, but it is certainly time to start mapping out the area, to understand its subdivisions and how they inter-relate, and to prepare the way for standards. Following the conference, The Open Group has announced a new Forum, provisionally titled Open Platform 3.0, to do just that.

The SOA and Cloud Work Groups

Thursday was my final day of meetings at the conference. The plenary and streams presentations were done. This day was for working meetings of the SOA and Cloud Work Groups. I also had an informal discussion with Ron Schuldt about a new approach for the UDEF, following up on the earlier UDEF side meeting. The conference hallways, as well as the meeting rooms, often see productive business done.

The SOA Work Group discussed a certification program for SOA professionals, and an update to the SOA Reference Architecture. The Open Group is working with ISO and the IEEE to define a standard SOA reference architecture that will have consensus across all three bodies.

The Cloud Work Group had met earlier to further the TOGAF for Cloud ecosystems project. Now it worked on its forthcoming white paper on business performance metrics. It also – though this was not on the original agenda – discussed Gartner’s Nexus of Forces, and the future role of the Work Group in mapping out the new enterprise platform.

Mapping the New Enterprise Platform

At the start of the conference we looked at how to map the stars. Big Data analytics enables people to visualize the universe in new ways, reach new understandings of what is in it and how it works, and point to new areas for future exploration.

As the conference progressed, we found that Big Data is part of a convergence of forces. Social, mobile, and Cloud Computing are being combined with Big Data to form a new enterprise platform. The development of this platform, and its roll-out to support innovative applications that deliver more business value, is what lies beyond Big Data.

At the end of the conference we were thinking about mapping the new enterprise platform. This will not require sophisticated data processing and analysis. It will take discussions to create a common understanding, and detailed committee work to draft the guidelines and standards. This work will be done by The Open Group’s new Open Platform 3.0 Forum.

The next Open Group conference is in the week of April 15, in Sydney, Australia. I’m told that there’s some great jogging there. More importantly, we’ll be reflecting on progress in mapping Open Platform 3.0, and thinking about what lies ahead. I’m looking forward to it already.

Dr. Chris Harding is Director for Interoperability and SOA at The Open Group. He has been with The Open Group for more than ten years, and is currently responsible for managing and supporting its work on interoperability, including SOA and interoperability aspects of Cloud Computing. He is a member of the BCS, the IEEE and the AEA, and is a certified TOGAF practitioner.

2 Comments

Filed under Conference

#ogChat Summary – 2013 Security Priorities

By Patty Donovan, The Open Group

Totaling 446 tweets, yesterday’s 2013 Security Priorities Tweet Jam (#ogChat) saw a lively discussion on the future of security in 2013 and became our most successful tweet jam to date. In case you missed the conversation, here’s a recap of yesterday’s #ogChat!

The event was moderated by former CNET security reporter Elinor Mills, and there was a total of 28 participants including:

Here is a high-level snapshot of yesterday’s #ogChat:

Q1 What’s the biggest lesson learned by the security industry in 2012? #ogChat

The consensus among participants was that 2012 was a year of going back to the basics. There are many basic vulnerabilities within organizations that still need to be addressed, and it affects every aspect of an organization.

  • @Dana_Gardner Q1 … Security is not a product. It’s a way of conducting your organization, a mentality, affects all. Repeat. #ogChat #security #privacy
  • @Technodad Q1: Biggest #security lesson of 2102: everyone is in two security camps: those who know they’ve been penetrated & those who don’t. #ogChat
  • @jim_hietala Q1. Assume you’ve been penetrated, and put some focus on detective security controls, reaction/incident response #ogChat
  • @c7five Lesson of 2012 is how many basics we’re still not covering (eg. all the password dumps that showed weak controls and pw choice). #ogChat

Q2 How will organizations tackle #BYOD security in 2013? Are standards needed to secure employee-owned devices? #ogChat

Participants debated over the necessity of standards. Most agreed that standards and policies are key in securing BYOD.

  • @arj Q2: No “standards” needed for BYOD. My advice: collect as little information as possible; use MDM; create an explicit policy #ogChat
  • @Technodad @arj Standards are needed for #byod – but operational security practices more important than technical standards. #ogChat
  • @AWildCSO Organizations need to develop a strong asset management program as part of any BYOD effort. Identification and Classification #ogChat
  • @Dana_Gardner Q2 #BYOD forces more apps & data back on servers, more secure; leaves devices as zero client. Then take that to PCs too. #ogChat #security
  • @taosecurity Orgs need a BYOD policy for encryption & remote wipe of company data; expect remote compromise assessment apps too @elinormills #ogChat

Q3 In #BYOD era, will organizations be more focused on securing the network, the device, or the data? #ogChat

There was disagreement here. Some emphasized focusing on protecting data, while others argued that it is the devices and networks that need protecting.

  • @taosecurity Everyone claims to protect data, but the main ways to do so remain protecting devices & networks. Ignores code sec too. @elinormills #ogChat
  • @arj Q3: in the BYOD era, the focus must be on the data. Access is gated by employee’s entitlements + device capabilities. #ogChat
  • @Technodad @arj Well said. Data sec is the big challenge now – important for #byod, #cloud, many apps. #ogChat
  • @c7five Organization will focus more on device management while forgetting about the network and data controls in 2013. #ogChat #BYOD

Q4 What impact will using 3rd party #BigData have on corporate security practices? #ogChat

Participants agreed that using third parties will force organizations to rely on security provided by those parties. They also acknowledged that data must be secure in transit.

  • @daviottenheimer Q4 Big Data will redefine perimeter. have to isolate sensitive data in transit, store AND process #ogChat
  • @jim_hietala Q4. 3rd party Big Data puts into focus 3rd party risk management, and transparency of security controls and control state #ogChat
  • @c7five Organizations will jump into 3rd party Big Data without understanding of their responsibilities to secure the data they transfer. #ogChat
  • @Dana_Gardner Q4 You have to trust your 3rd party #BigData provider is better at #security than you are, eh? #ogChat  #security #SLA
  • @jadedsecurity @Technodad @Dana_Gardner has nothing to do with trust. Data that isn’t public must be secured in transit #ogChat
  • @AWildCSO Q4: with or without bigdata, third party risk management programs will continue to grow in 2013. #ogChat

Q5 What will global supply chain security look like in 2013? How involved should governments be? #ogChat

Supply chains are an emerging security issue, and governments need to get involved. But consumers will also start to understand what they are responsible for securing themselves.

  • @jim_hietala Q5. supply chain emerging as big security issue, .gov’s need to be involved, and Open Group’s OTTF doing good work here #ogChat
  • @Technodad Q5: Governments are going to act- issue is getting too important. Challenge is for industry to lead & minimize regulatory patchwork. #ogChat
  • @kjhiggins Q5: Customers truly understanding what they’re responsible for securing vs. what cloud provider is. #ogChat

Q6 What are the biggest unsolved issues in Cloud Computing security? #ogChat

Cloud security is a big issue. Most agreed that Cloud security is mysterious, and it needs to become more transparent. When Cloud providers claim they are secure, consumers and organizations put blind trust in them, making the problem worse.

  • @jadedsecurity @elinormills Q6 all of them. Corps assume cloud will provide CIA and in most cases even fails at availability. #ogChat
  • @jim_hietala Q6. Transparency of security controls/control state, cloud risk management, protection of unstructured data in cloud services #ogChat
  • @c7five Some PaaS cloud providers advertise security as something users don’t need to worry about. That makes the problem worse. #ogChat

Q7 What should be the top security priorities for organizations in 2013? #ogChat

Top security priorities varied. Priorities highlighted in the discussion included:  focusing on creating a culture that promotes secure activity; prioritizing security spending based on risk; focusing on where the data resides; and third-party risk management coming to the forefront.

  • @jim_hietala Q7. prioritizing security spend based on risks, protecting data, detective controls #ogChat
  • @Dana_Gardner Q7 Culture trumps technology and business. So make #security policy adherence a culture that is defined and rewarded. #ogChat #security
  • @kjhiggins Q7 Getting a handle on where all of your data resides, including in the mobile realm. #ogChat
  • @taosecurity Also for 2013: 1) count and classify your incidents & 2) measure time from detection to containment. Apply Lean principles to both. #ogChat
  • @AWildCSO Q7: Asset management, third party risk management, and risk based controls for 2013. #ogChat

A big thank you to all the participants who made this such a great discussion!

Patricia Donovan is Vice President, Membership & Events, at The Open Group and a member of its executive management team. In this role she is involved in determining the company’s strategic direction and policy as well as the overall management of that business area. Patricia joined The Open Group in 1988 and has played a key role in the organization’s evolution, development and growth since then. She also oversees the company’s marketing, conferences and member meetings. She is based in the U.S.

1 Comment

Filed under Tweet Jam

The Increasing Importance of Cybersecurity: The Open Group Conference in Washington, D.C.

By Jim Hietala, The Open Group

As we move through summer here in the U.S., cybersecurity continues to be top of mind, not only for security professionals, but for IT management as well as for senior managers in large organizations.

The IT security world tends to fixate on the latest breach reported or the latest vulnerability disclosed. Clearly the recent news around Stuxnet and Flame has caused a stir in the community, as professionals debate what it means to have cyberwar attacks being carried out by nations. However, there have also been other significant developments in cybersecurity that have heightened the need for better understanding of risk and security posture in large organizations.

In the U.S., the SEC recently issued guidance to public companies on disclosing the risks of cybersecurity incidents in financial reports, as well as disclosing actual breaches if there is material affect. This is a significant new development, as there’s little that directs the attention of CEO’s and Boards like new financial disclosure requirements. In publicly traded organizations that struggled to find funding to perform adequate risk management and for IT security initiatives, IT folks will have a new impetus and mandate, likely with support from the highest levels.

The upcoming Open Group conference in Washington, D.C. on July 16-20 will explore cybersecurity, with a focus on defending critical assets and securing the global supply chain. To highlight a few of the notable presentations:

  • Joel Brenner, author of America the Vulnerable, attorney, and former senior counsel at the NSA, will keynote on Monday, July 16 and will speak on “America the Vulnerable: Inside the New Threat Matrix.”
  • Kristen Baldwin, principal deputy, DASD, Systems Engineering, and acting cirector, Systems Analysis, will speak on “Meeting the Challenge of Cybersecurity Threats through Industry-Government Partnerships.”
  • Dr. Ron Ross, project leader, NIST, will talk to “Integrating Cyber Security Requirements into Main Stream Organizational Mission and Business Processes.”
  • Andras Szakal, VP & CTO, IBM Federal will moderate a panel that will include Daniel Reddy, EMC; Edna Conway, Cisco; and Hart Rossman, SAIC on “Mitigating Tainted & Counterfeit Products.”
  • Dazza (Daniel) J. Greenwood, JD, MIT and CIVICS.com Consultancy Services, and Thomas Hardjono, executive director of MIT Kerberos Consortium, will discuss “Meeting the Challenge of Identity and Security.”

Apart from our quarterly conferences and member meetings, The Open Group undertakes a broad set of programs aimed at addressing challenges in information security.

Our Security Forum focuses on developing standards and best practices in the areas of information security management and secure architecture. The Real Time and Embedded Systems Forum addresses high assurance systems and dependability through work focused on MILS, software assurance, and dependability engineering for open systems. Our Trusted Technology Forum addresses supply chain issues of taint and counterfeit products through the development of the Trusted Technology Provider Framework, which is a draft standard aimed at enabling commercial off the shelf ICT products to be built with integrity, and bought with confidence. Finally, The Open Group Jericho Forum continues to provide thought leadership in the area of information security, most notably in the areas of de-perimeterization, secure cloud computing and identity management.

I hope to see you at the conference. More information about the conference, including the full program can be found here: http://www.opengroup.org/dc2012

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.


Comments Off

Filed under Cybersecurity, Information security, Security Architecture, Conference, OTTF

How to manage requirements within the Enterprise Architecture using the TOGAF® and SABSA® frameworks

By Pascal de Koning, KPN 

You want to put your company’s business strategy into action. What’s the best way to accomplish this?  This can be done in a structured manner by using an Enterprise Architecture
Framework like TOGAF®. TOGAF® offers an overview of business and IT related architectures, as well as a process model to deliver these, called the Architecture Development Method (ADM-figure 1).

As the figure shows, Requirements Management plays a central role in the architecture work in the TOGAF® methodology. It’s very important to know the business requirements, because these demand what’s needed in the underlying architecture layer. In fact, this counts for every layer. Each architecture layer fulfills the requirements that are defined in the layer above. Without proper Requirements Management, the whole architecture would be loose sand.

Unfortunately, TOGAF® does not offer guidance on Requirements Management. It does however stress the importance and central role of Requirements Management, but doesn’t offer a way to actually do Requirements Management. This is a white spot in the TOGAF® ADM. To resolve this, a requirements management method is needed that is well-described and flexible to use on all levels in the architecture. We found this in the SABSA® (Sherwood’s Applied Business-driven Security Architecture) framework. SABSA® offers the unique Business Attribute Profiling (BAP) technique as a means to effectively carry out Requirements Management.

Business Attribute Profiling is a requirements engineering technique that translates business goals and drivers into requirements (see figure 2). Some advantages of this technique are:

  • Executive communication in non-ICT terms
  • Grouping and structuring of requirements, keeping oversight
  • Traceability mapping between business drivers, requirements and capabilities

The BAP process decomposes the business goal into its core elements. Each core element is a single business attribute. Examples of business attributes are Available, Scalable, Supported, Confidential, Traceable, etc.

As business processes tend to become more Internet-based, cyber security is becoming more important every day because the business processes are increasingly vulnerable to forces outside the business. Organizations must now consider not only the processes and requirements when planning an architecture, but they also need to consider the security of that architecture. A Security Architecture consists of all the security-related drivers, requirements, services and capabilities within the Enterprise. With the adoption of the Business Attribute Profiling technique for Requirements Management, it is now possible to integrate information security into the Enterprise Architecture.

The TOGAF®-SABSA® Integration white paper elaborates more on this and provides a guide that describes how TOGAF® and SABSA® can be combined such that the SABSA® business risk-driven security architecture approach is seamlessly integrated into the a TOGAF®-based enterprise architecture. It can be downloaded from https://www2.opengroup.org/ogsys/jsp/publications/PublicationDetails.jsp?publicationid=12449

TOGAF® is a registered trademark of The Open Group.  SABSA® is a registered trademark of The SABSA Institute.

Pascal de Koning MSc CISSP is a Senior Business Consultant with KPN Trusted Services, where he leads the security consulting practice. He is chairman of The Open Group TOGAF-SABSA Integration Working Group. He has worked on information security projects for the Dutch central government, European Union and KPN, to name just a few. Pascal has written articles for Computable and PvIB, and is a frequent speaker at conferences like RSA Europe and COSAC on the topics of Cyber Security and Enterprise Security Architecture. When not working, Pascal loves to go running.

1 Comment

Filed under Enterprise Architecture, Security Architecture, TOGAF®

The Open Group and SABSA Institute Publish TOGAF® Integration Whitepaper

By Jim Hietala, Vice President, Security, The Open Group

2011 confirmed what many in the Enterprise Architecture industry have feared – data breaches are on the rise. It’s not just the number and cost of data breaches, but the sheer volume of information that cyber criminals are able to get their hands on. Today’s organizations cannot risk being vulnerable.

To help address this issue, The Open Group Security and Architecture Forums, and the SABSA® Institute, developers of the SABSA® security and risk management framework, joined forces to explore how security methodologies and risk management approaches can be an integrated with enterprise-level architectures for better protection and flexibility.

If you are an enterprise architect with responsibility for ensuring architectures are secure or a security professional tasked with developing secure architectures you’ll be interested in the work the Architecture Forum and SABSA® have done over the last 15 months, culminating in a whitepaper released today that provides a valuable contribution to the security and enterprise architecture communities.

 A Project Designed to Protect

All too often vulnerabilities can occur due to lack of alignment across organizations, with security and IT experts failing to consider the entire infrastructure together rather than different parts separately.

The impetus for this project came from large enterprises and consulting organizations that frequently saw TOGAF® being used as a tool for developing enterprise architecture, and SABSA® as a tool for creating security architectures. Practitioners of either TOGAF® or SABSA® asked for guidance on how best to align these frameworks in practical usage, and on how to re-use artifacts from each.

This quote from the whitepaper sums up the rationale for the effort best:

 “For too long, information security has been considered a separate discipline, isolated from the enterprise architecture. This Whitepaper documents an approach to enhance the TOGAF® enterprise architecture methodology with the SABSA® security architecture approach and thus create one holistic architecture methodology.”

The vision for the project has been to support enterprise architects who need to take operational risk management into account, by providing guidance describing how TOGAF® and SABSA® can be combined such that the SABSA® business risk and opportunity-driven security architecture approach can be seamlessly integrated into the TOGAF® business strategy-driven approach to develop a richer, more complete enterprise architecture.

There are two important focal points for this effort, first to provide a practical approach for seamlessly integrating SABSA® security requirements and services in common TOGAF®-based architecture engagements – instead of treating security as a separate entity within the architecture.

The second focal point is to illustrate how the requirements management processes in TOGAF® can be fulfilled in their widest generic sense (i.e., not only with regard to security architecture) by application of the SABSA® concept of Business Attribute Profiling to the entire ADM process.

Download a free copy of the TOGAF® and SABSA® whitepaper here.

If you are interested in exploring TOGAF® 9, online access to the framework is available here.

Information on SABSA® may be obtained here.

A large number of individuals participated in the development of this valuable resource. Thank you to all project team members who made this effort a reality, including from the SABSA® Institute, the Open Group Architecture Forum, and the Open Group Security Forum!

3 Comments

Filed under Enterprise Architecture, Security Architecture, TOGAF®

The Open Group updates Enterprise Security Architecture, guidance and reference architecture for information security

By Jim Hietala, The Open Group

One of two key focus areas for The Open Group Security Forum is security architecture. The Security Forum has several ongoing projects in this area, including our TOGAF® and SABSA integration project, which will produce much needed guidance on how to use these frameworks together.

When the Network Application Consortium ceased operating a few years ago, The Open Group agreed to bring the intellectual property from the organization into our Security Forum, along with extending membership to the former NAC members. While the NAC did great work in information security, one publication from the NAC stood out as a highly valuable resource. This document, Enterprise Security Acrhitecture (ESA), A Framework and Template for Policy-Driven Security, was originally published by the NAC in 2004, and provided valuable guidance to IT architects and security architects. At the time it was first published, the ESA document filled a void in the IT security community by describing important information security functions, and how they related to each other in an overall enterprise security architecture. ESA was at the time unique in describing information security architectural concepts, and in providing examples in a reference architecture format.

The IT environment has changed significantly over the past several years since the original publication of the ESA document. Major changes that have affected information security architecture in this time include the increased usage of mobile computing devices, increased need to collaborate (and federation of identities among partner organizations), and changes in the threats and attacks.

Members of the Security Forum, having realized the need to revisit the document and update its guidance to address these changes, have significantly rewritten the document to provide new and revised guidance. Significant changes to the ESA document have been made in the areas of federated identity, mobile device security, designing for malice, and new categories of security controls including data loss prevention and virtualization security.

In keeping with the many changes to our industry, The Open Group Security Forum has now updated and published a significant revision to the Enterprise Security Architecture (O-ESA), which you can access and download (for free, minimal registration required) here; or purchase a hardcover edition here.

Our thanks to the many members of the Security Forum (and former NAC members) who contributed to this work, and in particular to Stefan Wahe who guided the revision, and to Gunnar Peterson, who managed the project and provided significant updates to the content.

Jim HietalaAn IT security industry veteran, Jim is Vice President of Security at The Open Group, where he is responsible for security programs and standards activities. He holds the CISSP and GSEC certifications. Jim is based in the U.S.

Comments Off

Filed under Security Architecture

The Open Group Announces New Information Security Management Standard: O-ISM3

By Jim Hietala, The Open Group

The Open Group yesterday announced the approval of a new standard in information security, O-ISM3. This standard, which derives its name from The Open Group Information Security Management Maturity Model, aims to help information security managers and practitioners to more effectively manage information security. Information security management is one of two focus areas for The Open Group Security Forum (security architecture being the other).

The development of the O-ISM3 standard has been in process in the Security Forum for the past 18 months. Like all Open Group standards, O-ISM3 was developed through an open, consensus-based process. The O-ISM3 standard leverages work previously done by the ISM3 consortium to produce the ISM3 version 2.3 document.

O-ISM3 brings some fresh thinking to information security management. O-ISM3:

  • Provides a framework to align security objectives and security targets to overall business objectives
  • Delivers a much-needed continuous improvement approach to the management of information security
  • Expresses security outcomes in positive terms

O-ISM3 can be implemented as a top-down methodology to manage an entire information security program, or it can be deployed more tactically, starting with just a few information security processes. As such, it can deliver value to information security organizations of varying sizes, maturity levels, and in different industries.

The O-ISM3 standard is available free on The Open Group website (registration required), and on Kindle. The standard provides an approach which is complementary to ISO 27001/2, as well as to ITIL and COBIT.

The Open Group is conducting a series of webcasts on the O-ISM3 standard in April and May. Details and registration may be found here.

Many thanks to the many members of The Open Group who worked hard over the past 18 months to make O-ISM3 a reality. Many had a hand in developing O-ISM3 in the Security Forum, and I thank them all; however, I would be remiss if I did not recognize the leadership of workgroup chair Vicente Aceituno, who brought this work to The Open Group, and who has continued to work tirelessly to make O-ISM3 an important standard for information security.

The working group will in the coming months be developing maturity levels for O-ISM3, and exploring certification programs. If you have interest in O-ISM3 and these future developments, please contact us at ogsecurity-interest@opengroup.org and we will help you get involved.

Jim HietalaAn IT security industry veteran, Jim is Vice President of Security at The Open Group, where he is responsible for security programs and standards activities. He holds the CISSP and GSEC certifications. Jim is based in the U.S.

2 Comments

Filed under Information security, Standards

PODCAST: Examining the current state of Enterprise Architecture with The Open Group’s Steve Nunn

By Dana Gardner, Interabor Solutions

Listen to this recorded podcast here: BriefingsDirect-Open Group COO Steve Nunn on EA Professional Groups

The following is the transcript of a sponsored podcast panel discussion on the state of EA, from The Open Group Conference, San Diego 2011.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference held in San Diego, the week of February 7, 2011. We’re here with an executive from The Open Group to examine the current state of enterprise architecture (EA). We’ll hear about how EA is becoming more business-oriented and how organizing groups for the EA profession are consolidating and adjusting. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

We’ll get an update on The Association of Open Group Enterprise Architects (AOGEA) and learn more about its recent merger with the Association of Enterprise Architects. What’s more, we’ll get an assessment of the current maturity levels and overall professionalism drive of EA, and we’re going to learn more about what to expect from the EA field and these organizing groups over the next few years.

Here to help us delve into the current state of EA, please join me now in welcoming Steve Nunn, Chief Operating Officer of The Open Group and CEO of The Association of Open Group Enterprise Architects.

Welcome back, Steve.

Steve Nunn: Hi, Dana. Good to be back.

Gardner: We’re hearing an awful lot these days about EA being dead, outmoded, or somehow out of sync. I know there’s a lot more emphasis on the business issues, rather than just the technical or IT issues, but what’s going on with that? Are we at a point where this topic, this professional category, is in some danger?

Nunn: Absolutely not. EA is very much the thing of the moment, but it’s also something that’s going to be with us for the foreseeable future too. Both inside The Open Group and the AOGEA, we’re seeing significant growth and interest in the area of EA. In the association, it’s individuals becoming certified and wanting to join a professional body for their own purposes and to help the push to professionalize EA.

Within The Open Group, it’s entities and organizations. Whether they be commercial, governments, academic, they are regularly joining The Open Group Architecture Forum. So, it’s far from dead and in terms of the importance of business overall, EA being relevant to business.

Tomorrow’s plenary session here at the Conference is a good example. It’s about using EA for business transformation. It’s about using EA to tie IT into the business. There is no point in doing IT for IT’s sake. It’s there to support the business, and people are finding that one way of doing that is EA.

Gardner: I would think too, Steve, that some of the major trends around mobile, security, and cyber risk would augment the need for a more holistic governing role, and the architect seems to fit that bill quite nicely. So is there wind in your sails around some of these trends?

Central to the organization

Nunn: Absolutely. We’re seeing increasingly that you can’t just look at EA in some kind of silo. It’s more about how it fits. It’s so central to an organization and the way that organizations are built that it has all of the factors that you mentioned. Security is a good one, as well as cloud. They’re all impacted by EA. EA has a role to play in all of those.

Inside the Open Group, what’s happening is a lot of cross-functional working groups between the Architecture Forum, the Security Forum, and the Cloud Work Group, which is just recognition of that fact. But, the central tool of it is EA.

Gardner: In addition to recognizing that the function of the EA is important, you can’t just have people walking the door and say, well, I’m an enterprise architect. It’s hard to define the role, but it seems necessary. Tell me about the importance of certification, so that we really know what an enterprise architect is.

Nunn: That’s right. Everyone seems to want to be an enterprise architect or an IT architect right now. It’s that label to have on your business card. What we’re trying to do is separate the true architects from one of these, and certification is a key part of that.

If you’re an employer and you’re looking to take somebody on to help in the EA role, then it’s having some means to assess whether somebody really has any experience of EA, whether they know any frameworks, and what projects they’ve led that involve EA. All those things are obviously important to know.

There are various certification programs, particularly in The Open Group, that help with that. The TOGAF® Certification Program is focused on the TOGAF® framework. At the other end of the spectrum is the ITAC Program, which is a skills- and experience-based program that assesses by peer review an individual’s experience in EA.

There are those, there are others out there, and there are more coming. One of the great things we see is the general acceptance of certification as a means to telling the wood from the trees.

Gardner: So, we certainly have a need. We have some major trends that are requiring this role and we have the ability to begin certifying. Looking at this whole professionalism of EA, we also have these organizations. It was three years ago this very event that The AOGEA was officially launched. Maybe you could tell us what’s happened over the past three years and set the stage for what’s driving the momentum in the organization itself?

Nunn: Three years ago, we launched the association with 700 members. We were delighted to have that many at the start. As we sit here today, we have over 18,000 members. Over that period, we added members through more folks becoming certified through not only The Open Group programs, but with other programs. For example, we acknowledged the FIAC Certification Program as a valid path to full membership of the association.

We also embraced the Global Enterprise Architecture Organization (GEAO), and those folks, relevant to your earlier question, really have a particular business focus. We’ve also embraced the Microsoft Certified Architect individuals. Microsoft stopped its own program about a year ago now, and one of the things they encouraged their individuals who were certified to do was to join the association. In fact, Microsoft would help them pay to be members of the association, which was good.

So, it reflects the growth and membership reflects the interest in the area of EA and the interest in individuals’ wanting to advance their own careers through being part of a profession.

Valuable resource

Enterprise architects are a highly valuable resource inside an organization, and so we are both promoting that message to the outside world. For our members as individuals what we’re focusing on is delivering to them latest thinking in EA moving towards best practices, whitepapers, and trying to give them, at this stage, a largely virtual community in which to deal with each other.

Where we have turned it in to real community is through local chapters. We now have about 20 local chapters around the world. The members have formed those. They meet at varying intervals, but the idea is to get face time with each other and talk about issues that concern enterprise architects and the advancement of profession. It’s all good stuff. It’s growing by the week, by the month, in terms of the number of folks who want to do that. We’re very happy with what has gone in three years.

Gardner: We’ve got a little bit of alphabet soup out there. There are several organizations, several communities, that have evolved around them, but now you are working to bring that somewhat together.

As I alluded to earlier, the AOGEA has just announced its merger with the Association of Enterprise Architects (AEA). What’s the difference now? How does that shape up? Is this simply a melding of the two or is there something more to it?

Nunn: Well, it is certainly a melding of the two. The two organizations actually became one in late fall last year, and obviously we have the usual post merger integration things to take care of.

But, I think it’s not just a melding. The whole is greater than the sum of the parts. We have two different communities. We have the AOGEA folks who have come primarily through certification route, and we also have the AEA folks who haven’t been so, so focused on certification, but they bring to the table something very important. They have chapters in different areas than the AOGEA folks by and large.

Also, they have a very high respected quarterly publication called The Journal of Enterprise Architecture, along the lines of an academic journal, but with a leaning towards practitioners as well. That’s published on a quarterly basis. The great thing is that that’s now a membership benefit to the merged association membership of over 18,000, rather than the subscribed base before the merger.

As we develop, we’re getting closer to our goal of being able to really promote the profession of EA in a coherent way. There are other groups beyond that, and there are the early signs of co- operation and working together to try to achieve one voice for the profession going forward.

Gardner: And this also followed about a year ago, the GOAO merger with the AOGEA. So, it seems as if we’re getting the definitive global organization with variability in terms of how it can deal with communities, but also that common central organizing principle. Tell me about this new über organization, what are you going to call it and what is the reach? How big is it going to be?

Nunn: Well, the first part of that is the easy part. We have consulted the membership multiple times now actually, and we are going to name the merged organization, The Association of Enterprise Architects. So that will keep things nice and simple and that will be the name going forward. It does encompass so far GEAO, AOGEA and AEA. It’s fair to say that, as a membership organization, it is the leading organization for enterprise architects.

Role to play

There are other organizations in the ecosystem who are, for example, advocacy groups, training organizations, or certification groups, and they all have a role to play in the profession. But, where we’re going with AEA in the future is to make that the definitive professional association for enterprise architects. It’s a non-profit 501(c)(6) incorporated organization, which is there to act as the professional body for its members.

Gardner: You have been with The Open Group for well over 15 years now. You’ve seen a lot of the evolution and maturity. Let’s get back to the notion of the enterprise architect as an entity. As you said, we have now had a process where we recognize the need. We’ve got major trends and dynamics in the marketplace. We have organizations that are out there helping to corral people and manage the whole notion of EA better.

What is it about the maturity? Where are we in a spectrum, on a scale of 1 to 10? What does that mean for where there is left go? This isn’t cooked yet. You can’t take it out of the oven quite yet.

Nunn: No, absolutely no. There’s a long way to go, and I think to measure it on a scale of 1 to 10, I’d like to say higher, but it’s probably about 2 right now. Just because a lot of things that need to be done to create profession are partly done by one group or another, but not done in a unified way or with anything like one voice for the profession.

It’s interesting. We did some research on how long we might expect to take to achieve the status of a profession. Certainly, in the US at least, the shortest period of time taken so far was 26 years by librarians, but typically it was closer to 100 years and, in fact, the longest was 170-odd years. So, we’re doing pretty well. We’re going pretty quickly compared to those organizations.

We’re trying to do it on a global basis, which to my knowledge is the first time that’s been done for any profession. If anything, that will obviously make things a little more complicated, but I think there is a lot of will in the EA world to make this happen, a lot of support from all sorts of groups. Press and analysts are keen to see it happen from the talks that we’ve had and the articles we’ve read. So, where there is a will there is a way. There’s a long way to go, but we’ve made good progress in a short numbers of years, really.

Gardner: So, there’s a great deal of opportunity coming up. We’ve talked about how this is relevant to the individual. This is something good for their career. They recognize a path where they can be beneficial, appreciated, and valued. But, what’s in it for the enterprise, for the organizations that are trying to run their businesses dealing with a lot of change already? What does a group like the AEA do for them?

Nunn: It’s down to giving them the confidence that the folks that they are hiring or the folks that they are developing to do EA work within their enterprise are qualified to do that, knowledgeable to do that, or on a path to becoming true professionals in EA.

Certainly if you were hiring into your organization an accountant or a lawyer, you’d be looking to hire one that was a member of the relevant professional body with the appropriate certifications. That’s really what we’re promoting for EA. That’s the role that the association can play.

Confidence building

When we achieve success with the association is when folks are hiring enterprise architects, they will only look at folks who are members of the association, because to do anything else would be like hiring an unqualified lawyer or accountant. It’s about risk minimization and confidence building in your staff.

Gardner: Now, you wear two hats. You’re the Chief Operating Officer at The Open Group and you’re the CEO of the AEA. How do these two groups relate? You’re in the best position to tell us what’s the relationship or the context that the listeners should appreciate in terms of how these shakeouts?

Nunn: That’s a good point. It’s something that I do get asked periodically. The fact is that the association, whilst a separately incorporated body, was started by The Open Group. With these things, somebody has to start them and The Open Group’s Membership was all you needed for this to happen. So, very much the association has its roots in The Open Group and today still it works very closely with The Open Group in terms of how it operates and certain infrastructure things for the association are provided by The Open Group.

The support is still there, but increasingly the association is becoming a separate body. I mentioned the journal that’s published in the association’s name that has its own websites, its own membership.

So, little by little, there will be more separation between the two, but the aims of the two or the interests of the two are both served by EA becoming recognized as profession. It just couldn’t have happened without The Open Group, and we intend to pay a lot of attention to what goes on inside The Open Group in EA. It’s one of the leading organizations in the EA space and a group that the association would be foolish not to pay attention to, in terms of the direction of certifications and what the members, who are enterprise architects, are saying, experiencing, and what they’re needing for the future.

Gardner: So, I suppose we should expect an ongoing partnership between them for quite some time.

Nunn: Absolutely. A very close partnership and along with partnerships with other groups. The association is not looking to take anyone’s turf or tread on anyone’s toes, but to partner with the other groups that are in the ecosystem. Because if we work together, we’ll get to this profession status a lot quicker, but certainly a key partner will be The Open Group.

Gardner: Well, very good. We have been looking at the current state of EA as profession, learning about the organizing groups around that effort and the certification process that they support. We’ve been talking with Steve Nunn, the Chief Operating Officer at The Open Group and also the CEO of the newly named Association of Enterprise Architects. Thank you so much, Steve.

Nunn: Thank you, Dana.

Gardner: You’ve been listening to a sponsored BriefingsDirect podcast coming to you in conjunction with the Open Group Conference here in San Diego, the week of the February 7, 2011. This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks for joining, and come back next time.

Copyright The Open Group and Interarbor Solutions, LLC, 2005-2011. All rights reserved.

Dana Gardner is the Principal Analyst at Interarbor Solutions, which identifies and interprets the trends in Services-Oriented Architecture (SOA) and enterprise software infrastructure markets. Interarbor Solutions creates in-depth Web content and distributes it via BriefingsDirectblogs, podcasts and video-podcasts to support conversational education about SOA, software infrastructure, Enterprise 2.0, and application development and deployment strategies.

Comments Off

Filed under Enterprise Architecture

Security Forum Completes Third & Final Phase of Risk Management Project: Cookbook for ISO/IEC 27005:2005

By Jim Hietala, The Open Group

The Open Group Security Forum recently completed the last phase of our major risk management initiative with the publication of the Cookbook for ISO/IEC 27005:2005. The Cookbook is the culmination of the work the members of the Security Forum have undertaken over the past two and a half years — a comprehensive initiative aimed at eliminating widespread industry confusion about risk management among risk managers, security and IT professionals, as well as business managers.

The new Cookbook for ISO/IEC 27005:2005 is meant to be a “recipe” of sorts, providing a detailed description of how to apply The Open Group’s FAIR (Factor Analysis for Information Risk) Risk Taxonomy Standard to any other risk management framework to help improve the consistency and accuracy of the resulting framework. By following the “cookbook” example in the guide, risk technology practitioners can apply the example with significantly beneficial outcomes when using other frameworks of their choice.

We created the guide for anyone tasked with selecting, performing, evaluating, or developing a risk assessment methodology, including all stakeholders responsible for areas with anything risk related, such as business managers, information security/risk management professionals, auditors, and regulators (both policy-makers and as law-makers).

The initiative started in the summer of 2008 with Phase 1, the Risk Taxonomy Standard, which is based on the FAIR methodology and specifies a standard definition and taxonomy for information security risk, and how to apply this to perform risk assessments. A year later, we completed the second phase and published a technical guide entitled Requirements for Risk Assessment Methodologies, that describes key risk assessment traits, provides advice on quantitative versus qualitative measurements and addresses the need for senior management involvement. The Cookbook completes our project.

As we wrap up our work on this initiative and look at the current state of security, with escalating cyber threats, growing risks around mobile computing, and evolving government regulations, I can say with confidence that we have met our goals in creating comprehensive and needed guidance and standards in the area of risk analysis.

Looking ahead at the rest of 2011, The Open Group Security Forum has an active pipeline of projects to address the increasing risk and compliance concerns facing IT departments across organizations today. Be on the lookout for the publication of the ISM3 standard, revised Enterprise Security Architecture Guide, and ACEML standard in the late spring/early summer months!

Jim HietalaAn IT security industry veteran, Jim Hietala is Vice President of Security at The Open Group, where he is responsible for security programs and standards activities. He holds the CISSP and GSEC certifications. Jim is based in the U.S.

4 Comments

Filed under Cybersecurity

Cloud Conference — and Unconference

By Dr. Chris Harding, The Open Group

The Wednesday of The Open Group Conference in San Diego included a formal Cloud Computing conference stream. This was followed in the evening by an unstructured CloudCamp, which made an interesting contrast.

The Cloud Conference Stream

The Cloud conference stream featured presentations on Architecting for Cloud and Cloud Security, and included a panel discussion on the considerations that must be made when choosing a Cloud solution.

In the first session of the morning, we had two presentations on Architecting for Cloud. Both considered TOGAF® as the architectural context. The first, from Stuart Boardman of Getronics, explored the conceptual difference that Cloud makes to enterprise architecture, and the challenge of communicating an architecture vision and discussing the issues with stakeholders in the subsequent TOGAF® phases. The second, from Serge Thorn of Architecting the Enterprise, looked at the considerations in each TOGAF® phase, but in a more specific way. The two presentations showed different approaches to similar subject matter, which proved a very stimulating combination.

This session was followed by a presentation from Steve Else of EA Principals in which he shared several use cases related to Cloud Computing. Using these, he discussed solution architecture considerations, and put forward the lessons learned and some recommendations for more successful planning, decision-making, and execution.

We then had the first of the day’s security-related presentations. It was given by Omkhar Arasaratnam of IBM and Stuart Boardman of Getronics. It summarized the purpose and scope of the Security for the Cloud and SOA project that is being conducted in The Open Group as a joint project of The Open Group’s Cloud Computing Work Group, the SOA Work Group, and Security Forum. Omkhar and Stuart described the usage scenarios that the project team is studying to guide its thinking, the concepts that it is developing, and the conclusions that it has reached so far.

The first session of the afternoon was started by Ed Harrington, of Architecting the Enterprise, who gave an interesting presentation on current U.S. Federal Government thinking on enterprise architecture, showing clearly the importance of Cloud Computing to U.S. Government plans. The U.S. is a leader in the use of IT for government and administration, so we can expect that its conclusions – that Cloud Computing is already making its way into the government computing fabric, and that enterprise architecture, instantiated as SOA and properly governed, will provide the greatest possibility of success in its implementation – will have a global impact.

We then had a panel session, moderated by Dana Gardner with his usual insight and aplomb, that explored the considerations that must be made when choosing a Cloud solution — custom or shrink-wrapped — and whether different forms of Cloud Computing are appropriate to different industry sectors. The panelists represented different players in the Cloud solutions market – customers, providers, and consultants – so that the topic was covered in depth and from a variety of viewpoints. They were Penelope Gordon of 1Plug Corporation, Mark Skilton of Capgemini, Ed Harrington of Architecting the Enterprise, Tom Plunkett of Oracle, and TJ Virdi of the Boeing Company.

In the final session of the conference stream, we returned to the topic of Cloud Security. Paul Simmonds, a member of the Board of the Jericho Forum®, gave an excellent presentation on de-risking the Cloud through effective risk management, in which he explained the approach that the Jericho Forum has developed. The session was then concluded by Andres Kohn of Proofpoint, who addressed the question of whether data can be more secure in the Cloud, considering public, private and hybrid Cloud environment.

CloudCamp

The CloudCamp was hosted by The Open Group but run as a separate event, facilitated by CloudCamp organizer Dave Nielsen. There were around 150-200 participants, including conference delegates and other people from the San Diego area who happened to be interested in the Cloud.

Dave started by going through his definition of Cloud Computing. Perhaps he should have known better – starting a discussion on terminology and definitions can be a dangerous thing to do with an Open Group audience. He quickly got into a good-natured argument from which he eventually emerged a little bloodied, metaphorically speaking, but unbowed.

We then had eight “lightning talks”. These were five-minute presentations covering a wide range of topics, including how to get started with Cloud (Margaret Dawson, Hubspan), supplier/consumer relationship (Brian Loesgen, Microsoft), Cloud-based geographical mapping (Ming-Hsiang Tsou, San Diego University), a patterns-based approach to Cloud (Ken Klingensmith, IBM), efficient large-scale data processing (AlexRasmussen, San Diego University), using desktop spare capacity as a Cloud resource (Michael Krumpe, Intelligent Technology Integration), cost-effective large-scale data processing in the Cloud (Patrick Salami, Temboo), and Cloud-based voice and data communication (Chris Matthieu, Tropo).

The participants then split into groups to discuss topics proposed by volunteers. There were eight topics altogether. Some of these were simply explanations of particular products or services offered by the volunteers’ companies. Others related to areas of general interest such as data security and access control, life-changing Cloud applications, and success stories relating to “big data”.

I joined the groups discussing Cloud software development on Amazon Web Services (AWS) and Microsoft Azure. These sessions had excellent information content which would be valuable to anyone wishing to get started in – or already engaged in – software development on these platforms. They also brought out two points of general interest. The first is that the dividing line between IaaS and PaaS can be very thin. AWS and Azure are in theory on opposite sides of this divide; in practice they provide the developer with broadly similar capabilities. The second point is that in practice your preferred programming language and software environment is likely to be the determining factor in your choice of Cloud development platform.

Overall, the CloudCamp was a great opportunity for people to absorb the language and attitudes of the Cloud community, to discuss ideas, and to pick up specific technical knowledge. It gave an extra dimension to the conference, and we hope that this can be repeated at future events by The Open Group.

Cloud and SOA are a topic of discussion at The Open Group Conference, San Diego, which is currently underway.

Dr. Chris Harding is Director for Interoperability and SOA at The Open Group. He has been with The Open Group for more than ten years, and is currently responsible for managing and supporting its work on interoperability, including SOA and interoperability aspects of Cloud Computing. Before joining The Open Group, he was a consultant, and a designer and development manager of communications software. With a PhD in mathematical logic, he welcomes the current upsurge of interest in semantic technology, and the opportunity to apply logical theory to practical use. He has presented at Open Group and other conferences on a range of topics, and contributes articles to on-line journals. He is a member of the BCS, the IEEE, and the AOGEA, and is a certified TOGAF® practitioner.

1 Comment

Filed under Cloud/SOA

What’s the future of information security?

Today, Jan. 28, is Data Privacy Day around the world. While it’s meant to bring attention to personal privacy, it’s also a good time to think about organizational and global challenges relating to data security.

What is your organization’s primary cybersecurity challenge? Take our poll below, and read on to learn about some of The Open Group’s resources for security professionals.

The Open Group has several active working groups and forums dealing with various areas of information security. If your organization is in need of guidance or fresh thinking on information security challenges, we invite you to check out some of these security resources (all of which may be accessed at no charge):

  • The Open Group Jericho Forum®. Many useful guidance documents on topics including the Jericho Commandments (design principles), de-perimeterization, cloud security, secure collaboration, and identity management are available on The Open Group website.
  • Many of the Jericho Forum® members share their thoughts on a blog hosted by Computerworld UK.
  • The Open Group Security Forum: Access a series of documents on the topic of risk management published by the Security Forum over the past couple of years. These include the Risk Management Taxonomy Technical Standard, Requirements for Risk Assessment Methodologies, and the FAIR / ISO 27005 Cookbook. These and other useful publications may be accessed by searching for subject = security on our website’s publications page.

Cybersecurity will be a major topic at The Open Group Conference, San Diego, Feb. 7-11. Join us for plenary sessions on security, security-themed tracks, best practices, case studies and the future of information security, presented by preeminent thought leaders in the industry.

Comments Off

Filed under Cybersecurity, Information security

Security & architecture: Convergence, or never the twain shall meet?

By Jim Hietala, The Open Group

Our Security Forum chairman, Mike Jerbic, introduced a concept to The Open Group several months ago that is worth thinking a little about. Oversimplifying his ideas a bit, the first point is that much of what’s done in architecture is about designing for intention — that is, thinking about the intended function and goals of information systems, and architecting with these in mind. His second related point has been that in information security management, much of what we do tends to be reactive, and tends to be about dealing with the unintended consequences (variance) of poor architectures and poor software development practices. Consider a few examples:

architecture under fireSignature-based antivirus, which relies upon malware being seen in the wild, captured, and having signatures being distributed to A/V software around the world to pattern match and stop the specific attack. Highly reactive. The same is true for signature-based IDS/IPS, or anomaly-based systems.

Data Loss (or Leak) Prevention, which for the most part tries to spot sensitive corporate information being exfiltrated from a corporate network. Also very reactive.

Vulnerability management, which is almost entirely reactive. The cycle of “Scan my systems, find vulnerabilities, patch or remediate, and repeat” exists entirely to find the weak spots in our environments. This cycle almost ensures that more variance will be headed our way in the future, as each new patch potentially brings with it uncertainty and variance in the form of new bugs and vulnerabilities.

The fact that each of these security technology categories even exist has everything to do with poor architectural decisions made in years gone by, or inadequate ongoing software development and Q/A practices.

Intention versus variance. Architects tend to be good at the former; security professionals have (of necessity) had to be good at managing the consequences of the latter.

Can the disciplines of architecture and information security do a better job of co-existence? What would that look like? Can we get to the point where security is truly “built in” versus “bolted on”?

What do you think?

P.S. The Open Group has numerous initiatives in the area of security architecture. Look for an updated Enterprise Security Architecture publication from us in the next 30 days; plus we have ongoing projects to align TOGAF™ and SABSA, and to develop a Cloud Security Reference Architecture. If there are other areas where you’d like to see guidance developed in the area of security architecture, please contact us.

Jim HietalaAn IT security industry veteran, Jim Hietala is Vice President of Security at The Open Group, where he is responsible for security programs and standards activities. He holds the CISSP and GSEC certifications. Jim is based in the U.S.

Comments Off

Filed under Cybersecurity