Tag Archives: The Open Group

Real-world and Online Personas – From an Identity Management Perspective

By Jim Hietala and Ian Dobson, The Open Group

In the first of the five identity videos from the Jericho Forum, a forum of The Open Group, we explained the “Identity First Principles” – about people (or any entity) having a core identity, and how we all operate with a number of personas that should be under our control using the principle of primacy, i.e., giving you the ability to control the information about your own identity. You may, of course, decide to pass that control on to some other identity management party.

In this second “Operating with Personas” video, we explain how creating a digital core identifier from your (real-world) core identity must involve a trusted process that is immutable, enduring and unchangeable.

We then describe how we need to create digital personas to mirror the way we use personas in our daily lives – at work, at home, handling our bank accounts, with the tax authority, at the golf club, etc. We can create as many digital personas for ourselves as we wish and can also create new personas from existing ones. We explain the importance of the resulting identity tree, which only works one-way; to protect privacy, we can never go back up the tree to find out about other personas created from the core identifier, especially not the real-world core identity itself. Have a look for yourself:

As you can see, the trust that a relying party places in a persona is a combination of three things: trust in its derivation from an immutable and secret core identifier, trust in its binding to a trusted organizational identifier, and trust in the attribute information supplied by the relevant trusted attribute provider.
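One way to realize such a one-way persona tree in code, as an added illustration that is not the Jericho Forum's specification and not code from the videos. It assumes a keyed hash (HMAC-SHA256) to derive each persona's secret from its parent, publishes only a hash of that secret as the persona identifier, and, to stay standard-library-only, hands each relying party a separate shared HMAC key for proving control of the persona. A real deployment would give each persona its own signing key pair so that the relying party never holds a secret; the shape of the tree, and the fact that nothing below a node lets you climb back up to it, is the point being shown. The core secret, the persona labels and the relying-party names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample core secret for the demonstration. A real core identifier
# would be generated once from a high-entropy source and kept offline.
CORE_SECRET = bytes.fromhex("0f" * 32)  # constructed value, not a real identity


def derive_child(parent_secret: bytes, label: str) -> bytes:
    """Derive a child persona secret from its parent secret and a label.

    HMAC-SHA256 is a pseudorandom function: the child secret reveals nothing
    about the parent, and siblings derived under different labels look
    unrelated. This is what makes the tree one-way (child -> parent is
    infeasible) even for someone who learns a child's secret.
    """
    return hmac.new(parent_secret, b"persona:" + label.encode("utf-8"),
                    hashlib.sha256).digest()


def persona_secret(core_secret: bytes, path: str) -> bytes:
    """Walk a slash-separated path ("work/expenses") down the tree."""
    secret = core_secret
    for label in path.split("/"):
        secret = derive_child(secret, label)
    return secret


def public_id(secret: bytes) -> str:
    """Identifier shown to relying parties. Hashing the secret once more means
    the identifier can be published without exposing the secret that derives
    further personas below it."""
    return hashlib.sha256(b"id:" + secret).hexdigest()


def relationship_key(persona_secret_bytes: bytes, relying_party: str) -> bytes:
    """Per-relying-party key handed over at enrolment (an assumption of this
    example). Each relying party receives a different key, so two of them
    comparing records cannot tell that they are dealing with the same persona."""
    return hmac.new(persona_secret_bytes, b"rp:" + relying_party.encode("utf-8"),
                    hashlib.sha256).digest()


def respond(rp_key: bytes, challenge: bytes) -> str:
    """Persona owner's answer to a relying party's challenge."""
    return hmac.new(rp_key, challenge, hashlib.sha256).hexdigest()


def verify(rp_key: bytes, challenge: bytes, response: str) -> bool:
    """Relying party's check, in constant time."""
    return hmac.compare_digest(respond(rp_key, challenge), response)


def persona_tree(core_secret: bytes, paths) -> dict:
    """Map each persona path to its public identifier."""
    return {path: public_id(persona_secret(core_secret, path)) for path in paths}


if __name__ == "__main__":
    tree = persona_tree(CORE_SECRET, ["work", "work/expenses", "home", "bank", "golf-club"])
    for path, pid in tree.items():
        print(f"{path:15s} {pid[:16]}...")

    # Enrol the "bank" persona with two relying parties and answer a challenge.
    bank = persona_secret(CORE_SECRET, "bank")
    k_bank = relationship_key(bank, "bank.example")
    k_tax = relationship_key(bank, "tax.example")
    challenge = secrets.token_bytes(16)
    answer = respond(k_bank, challenge)
    print("bank verifies the answer:", verify(k_bank, challenge, answer))        # True
    print("tax office can verify the same answer:", verify(k_tax, challenge, answer))  # False
```

Nothing stored at a relying party (the public identifier and its relationship key) lets it recover the persona secret, the core secret, or any sibling persona, and two relying parties hold keys that are unrelated to each other; that is the one-way, privacy-preserving property the tree is meant to give. The owner, holding the core secret, can still regenerate every persona deterministically.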

In the next (third) video, which will be released next Tuesday, July 31, we will see how trust and persona interact to provide a privacy-enhanced identity ecosystem.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

Ian Dobson is the director of the Security Forum and the Jericho Forum for The Open Group, coordinating and facilitating the members to achieve their goals in our challenging information security world.  In the Security Forum, his focus is on supporting development of open standards and guides on security architectures and management of risk and security, while in the Jericho Forum he works with members to anticipate the requirements for the security solutions we will need in future. 


Filed under Identity Management

Summer in the Capitol – Looking Back at The Open Group Conference in Washington, D.C.

By Jim Hietala, The Open Group

This past week in Washington D.C., The Open Group held our Q3 conference. The theme for the event was “Cybersecurity – Defend Critical Assets and Secure the Global Supply Chain,” and the conference featured a number of thought-provoking speakers and presentations.

Cybersecurity is at a critical juncture, and conference speakers highlighted the threat and attack reality and described industry efforts to move forward in important areas. The conference also featured a new capability, as several of the events were livestreamed to the Internet.

For those who did not make the event, here’s a summary of a few of the key presentations, as well as what The Open Group is doing in these areas.

Joel Brenner, attorney with Cooley, was our first keynote. Joel’s presentation was titled “Turning Us Inside-Out: Crime and Economic Espionage on our Networks.” The talk mirrored his recent book, “America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare,” and Joel talked about current threats to critical infrastructure, attack trends and challenges in securing information. Joel’s presentation was a wake-up call to the very real issues of IP theft and identity theft. Beyond describing the threat and attack landscape, Joel discussed some of the management challenges related to ownership of the problem, namely that the different stakeholders in addressing cybersecurity in companies, including legal, technical, management and HR, all tend to think that this is someone else’s problem. Joel stated the need for policy spanning the entire organization to fully address the problem.

Kristin Baldwin, principal deputy, systems engineering, Office of the Assistant Secretary of Defense, Research and Engineering, described the U.S. Department of Defense (DoD) trusted defense systems strategy and challenges, including requirements to secure their multi-tiered supply chain. She also talked about how the acquisition landscape has changed over the past few years. In addition, for all programs the DoD now requires the creation of a program protection plan, which is the single focal point for security activities on the program. Kristin’s takeaways included needing a holistic approach to security, focusing attention on the threat, and avoiding risk exposure from gaps and seams. DoD’s Trusted Defense Systems Strategy provides an overarching framework for trusted systems. Stakeholder integration with acquisition, intelligence, engineering, industry and research communities is key to success. Systems engineering brings these stakeholders, risk trades, policy and design decisions together. Kristin also stressed the importance of informing leadership early and providing programs with risk-based options.

Dr. Ron Ross of NIST described a perfect storm: the proliferation of information systems and networks, combined with the increasing sophistication of the threat, is producing a growing number of penetrations of information systems in the public and private sectors that potentially affect security and privacy. He proposed an integrated project team approach to information security. Dr. Ross also provided an overview of the changes coming in NIST SP 800-53 Revision 4, which is presently available in draft form. He advocated a dual protection strategy: traditional controls at the network perimeter, which assume that attackers are outside the organizational network, combined with agile defenses, which assume that attackers are already inside the perimeter. The objective of agile defenses is to enable operation while under attack and to minimize response times to ongoing attacks. This new approach mirrors thinking from the Jericho Forum and others on de-perimeterization and security and is very welcome.

The Open Group Trusted Technology Forum provided a panel discussion on supply chain security issues and the approach that the forum is taking towards addressing issues relating to taint and counterfeit in products. The panel included Andras Szakal of IBM, Edna Conway of Cisco and Dan Reddy of EMC, as well as Dave Lounsbury, CTO of The Open Group. OTTF continues to make great progress in the area of supply chain security, having published a snapshot of the Open Trusted Technology Provider Framework, working to create a conformance program, and working to harmonize with other standards activities.

Dave Hornford, partner at Conexiam and chair of The Open Group Architecture Forum, provided a thought-provoking presentation titled, “Secure Business Architecture, or just Security Architecture?” Dave’s talk described the problems in approaches that are purely focused on securing against threats and brought forth the idea that focusing on secure business architecture was a better methodology for ensuring that stakeholders had visibility into risks and benefits.

Geoff Besko, CEO of Seccuris and co-leader of the security integration project for the next version of TOGAF®, delivered a presentation that looked at risk from both a positive and a negative view. He observed that senior management frequently see risk as something to embrace, taking risk with an eye on business gains in revenue, market share or profitability, while security practitioners tend to focus on risk as something to be mitigated. Finding common ground is key here.

Katie Lewin, who is responsible for the GSA FedRAMP program, provided an overview of the program and how it is helping raise the bar for federal agency use of secure cloud computing.

The conference also featured a workshop on security automation, with presentations on a number of standards efforts in this area, including SCAP (the Security Content Automation Protocol), O-ACEML (the Automated Compliance Expert Markup Language) from The Open Group, the IETF MILE (Managed Incident Lightweight Exchange), NEA (Network Endpoint Assessment) and SACM (Security Automation and Continuous Monitoring) efforts, and AVOS. One conclusion from the workshop was that there is presently a gap, and a need for a higher-level security automation architecture encompassing the many lower-level protocols and standards that exist in the security automation area.

In addition to the public conference, a number of forums of The Open Group met in working sessions to advance their work in the Capitol. These included:

All in all, the conference clarified the magnitude of the cybersecurity threat, and the importance of initiatives from The Open Group and elsewhere to make progress on real solutions.

Join us at our next conference in Barcelona on October 22-25!



Filed under Conference, Cybersecurity, Enterprise Architecture, Information security, OTTF, Security Architecture, Supply chain risk, TOGAF®

Understanding the Importance of Identity

By Jim Hietala and Ian Dobson, The Open Group

In May 2011, the Jericho Forum, a forum of The Open Group, published its Identity, Entitlement & Access (IdEA) commandments, which specify 14 design principles that are essential for identity management solutions to assure globally interoperable trusted identities in cyberspace. These IdEA commandments are aimed at IT architects and designers of both Identity Management and Access Management systems, but the importance of “identity” extends to everyone – eBusiness managers, eCommerce operations, and individual eConsumers. In order to safeguard our ability to control and manage our own identity and privacy in online activities, we need every online user to support creating an Identity Ecosystem that satisfies these IdEA commandments.

We’re proud to announce that the Jericho Forum has created a series of five “Identity Key Concepts” videos to explain the key concepts that we should all understand on the topics of identity, entitlement, and access management in cartoon-style plain language.

The first installment in the series, Identity First Principles, available here and below, starts the discussion of how we identify ourselves. The video describes some fundamental concepts in identity, including core identity, identity attributes, personas, root identity, trust, attribute aggregation and primacy. These can be complex concepts for non-identity experts; however, the cartoons describe them in an approachable and easy-to-understand manner.

The remaining videos in the series cover the following concepts:

  • Video 2 – Operating with Personas
  • Video 3 – Trust and Privacy
  • Video 4 – The Bigger Picture, Entities and Entitlements
  • Video 5 – Building a Global Ecosystem

These identity cartoon videos will be published on successive Tuesdays over the next five weeks, so be sure to come back next Tuesday!



Filed under Identity Management

The Open Group Trusted Technology Forum is Leading the Way to Securing Global IT Supply Chains

By Dana Gardner, Interarbor Solutions

This BriefingsDirect thought leadership interview comes in conjunction with The Open Group Conference in Washington, D.C., beginning July 16. The conference will focus on Enterprise Architecture (EA), enterprise transformation, and securing global supply chains.

We’re joined in advance by some of the main speakers at the conference to examine the latest efforts to make global supply chains for technology providers more secure, verified, and therefore trusted. We’ll examine the advancement of The Open Group Trusted Technology Forum (OTTF) to gain an update on the effort’s achievements, and to learn more about how technology suppliers and buyers can expect to benefit.

The expert panel consists of Dave Lounsbury, Chief Technical Officer at The Open Group; Dan Reddy, Senior Consultant Product Manager in the Product Security Office at EMC Corp.; Andras Szakal, Vice President and Chief Technology Officer at IBM’s U.S. Federal Group, and also the Chair of the OTTF, and Edna Conway, Chief Security Strategist for Global Supply Chain at Cisco. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Why is this an important issue, and why is there a sense of urgency in the markets?

Lounsbury: The Open Group has a vision of boundaryless information flow, and that necessarily involves interoperability. But interoperability doesn’t have the effect that you want, unless you can also trust the information that you’re getting, as it flows through the system.

Therefore, it’s necessary that you be able to trust all of the links in the chain that you use to deliver your information. One thing that everybody who watches the news would acknowledge is that the threat landscape has changed. As systems become more and more interoperable, we get more and more attacks on the system.

As the value that flows through the system increases, there’s a lot more interest in cyber crime. Unfortunately, in our world, there’s now the issue of state-sponsored incursions in cyberspace, whether officially state-sponsored or not, but politically motivated ones certainly.

So there is an increasing awareness on the part of government and industry that we must protect the supply chain, both through increasing technical security measures, which are handled in lots of places, and in making sure that the vendors and consumers of components in the supply chain are using proper methodologies to make sure that there are no vulnerabilities in their components.

I’ll note that the demand we’re hearing is increasingly for work on standards in security. That’s top of everybody’s mind these days.

Reddy: One of the things that we’re addressing is the supply chain item that was part of the Comprehensive National Cybersecurity Initiative (CNCI), which spans the work of two presidents. Initiative 11 was to develop a multi-pronged approach to global supply chain risk management. That really started the conversation, especially in the federal government as to how private industry and government should work together to address the risks there.

In the OTTF, we’ve tried to create a clear, measurable way to address supply-chain risk. It’s been really hard to even talk about supply chain risk, because you have to start with getting a common agreement about what the supply chain is, and then talk about how to deal with risk by following best practices.

Szakal: One of the observations that I’ve made over the last couple of years is that this group of individuals, who are now part of this standards forum, have grown in their ability to collaborate, define, and rise to the challenges, and work together to solve the problem.

Standards process

Technology supply chain security and integrity are not necessarily a set of requirements or an initiative that has been taken on by the standards committee or standards groups up to this point. The people who are participating in this aren’t your traditional IT standards gurus. They had to learn the standards process. They had to understand how to approach the standardization of best practices, which is how we approach solving this problem.

It’s sharing information. It’s opening up across the industry to share best practices on how to secure the supply chain and how to ensure its overall integrity. Our goal has been to develop a framework of best practices and then ultimately take those codified best practices and instantiate them into a standard, which we can then assess providers against. It’s a big effort, but I think we’re making tremendous progress.

Gardner: Because The Open Group Conference is taking place in Washington, D.C., what’s the current perception in the U.S. Government about this in terms of its role?

Szakal: The government has always taken a prominent role, at least to help focus the attention of the industry.

Now that they’ve corralled the industry and they’ve got us moving in the right direction, in many ways, we’ve fought through many of the intricate complex technology supply chain issues and we’re ahead of some of the thinking of folks outside of this group because the industry lives these challenges and understands the state of the art. Some of the best minds in the industry are focused on this, and we’ve applied some significant internal resources across our membership to work on this challenge.

So the government is very interested in it. We’ve had collaborations all the way from the White House across the Department of Defense (DoD) and within the Department of Homeland Security (DHS), and we have members from the government space in NASA and DoD.

It’s very much a collaborative effort, and I’m hoping that it can continue to be so and be utilized as a standard that the government can point to, instead of coming up with their own policies and practices that may actually not work as well as those defined by the industry.

Conway: Our colleagues on the public side of the public-private partnership that is addressing supply-chain integrity have recognized that we need to do it together.

More importantly, you need only to listen to a statement, which I know has often been quoted, but it’s worth noting again from EU Commissioner Algirdas Semeta. He recently said that in a globalized world, no country can secure the supply chain in isolation. He recognized that, again quoting, national supply chains are ineffective and too costly unless they’re supported by enhanced international cooperation.

Mindful focus

The one thing that we bring to bear here is a mindful focus on the fact that we need a public-private partnership to address comprehensively in our information and communications technology industry supply chain integrity internationally. That has been very important in our focus. We want to be a one-stop shop of best practices that the world can look at, so that we continue to benefit from commercial technology which sells globally and frequently builds once or on a limited basis.

Combining that international focus and the public-private partnership is something that’s really coming home to roost in everyone’s minds right now, as we see security value migrating away from an end point and looking comprehensively at the product lifecycle or the global supply chain.

Lounsbury: I had the honor of testifying before the U.S. House Energy and Commerce Committee on Oversight Investigations, on the view from within the U.S. Government on IT security.

It was very gratifying to see that the government does recognize this problem. We had witnesses in from the DoD and Department of Energy (DoE). I was there, because I was one of the two voices on industry that the government wants to tap into to get the industry’s best practices into the government.

It was even more gratifying to see that the concerns that were raised in the hearings were exactly the ones that the OTTF is pursuing. How do you validate a long and complex global supply chain in the face of a very wide threat environment, recognizing that it can’t be any single country? Also, it really does need to be not a process that you apply to a point, but something where you have a standard that raises the bar for our security for all the participants in your supply chain.

So it was really good to know that we were on track and that the government, and certainly the U.S. Government, as we’ve heard from Edna, the European governments, and I suspect all world governments are looking at exactly how to tap into this industry activity.

Gardner: Where are we in the progression of OTTF?

Lounsbury: In the last 18 months, there has been a tremendous amount of progress. The thing that I’ll highlight is that early in 2012, the OTTF published a snapshot of the standard. A snapshot is what The Open Group uses to give a preview of what we expect the standards will apply. It has fleshed out two areas, one on tainted products and one on counterfeit products, the standards and best practices needed to secure a supply chain against those two vulnerabilities.

So that’s out there. People can take a look at that document. Of course, we would welcome their feedback on it. We think other people have good answers too. Also, if they want to start using that as guidance for how they should shape their own practices, then that would be available to them.

Normative guidance

That’s the top development topic inside the OTTF itself. Of course, in parallel with that, we’re continuing to engage in an outreach process and talking to government agencies that have a stake in securing the supply chain, whether it’s part of government policy or other forms of steering the government to making sure they are making the right decisions. In terms of exactly where we are, I’ll defer to Edna and Andras on the top priority in the group.

Gardner: Edna, what’s been going on at OTTF and where do things stand?

Conway: We decided that this was, in fact, a comprehensive effort that was going to grow over time and change as the challenges change. We began by looking at two primary areas, which were counterfeit and taint in that communications technology arena. In doing so, we first identified a set of best practices, which you referenced briefly inside of that snapshot.

Where we are today is adding the diligence, and extracting the knowledge and experience from the broad spectrum of participants in the OTTF to establish a set of rigorous conformance criteria that allow a balance between flexibility and how one goes about showing compliance to those best practices, while also assuring the end customer that there is rigor sufficient to ensure that certain requirements are met meticulously, but most importantly comprehensively.

We have a practice right now where we’re going through each and every requirement or best practice and thinking through the broad spectrum of the development stage of the lifecycle, as well as the end-to-end nodes of the supply chain itself.

This is to ensure that there are requirements that would establish conformance that could be pointed to, by both those who would seek accreditation to this international standard, as well as those who would rely on that accreditation as the imprimatur of some higher degree of trustworthiness in the products and solutions that are being afforded to them, when they select an OTTF accredited provider.

Gardner: Andras, I’m curious where in an organization like IBM that these issues are most enforceable. Where within the private sector is the knowledge and the expertise to reside?

Szakal: Speaking for IBM, we recently celebrated our 100th anniversary in 2011. We’ve had a little more time than some folks to come up with a robust engineering and development process, which harkens back to the IBM 701 and the beginning of the modern computing era.

Integrated process

We have what we call the integrated product development process (IPD), which all products follow and that includes hardware and software. And we have a very robust quality assurance team, the QSE team, which ensures that the folks are following those practices that are called out. Within each line of business there exist specific requirements that apply more directly to the architecture of a particular product offering.

For example, the hardware group obviously has additional standards that they have to follow during the course of development that is specific to hardware development and the associated supply chain, and that is true with the software team as well.

The product development teams are integrated with the supply chain folks, and we have what we call the Secure Engineering Framework, of which I was an author and the Secure Engineering Initiative which we have continued to evolve for quite some time now, to ensure that we are effectively engineering and sourcing components and that we’re following these Open Trusted Technology Provider Standard (O-TTPS) best practices.

In fact, the work that we’ve done here in the OTTF has helped to ensure that we’re focused in all of the same areas that Edna’s team is with Cisco, because we’ve shared our best practices across all of the members here in the OTTF, and it gives us a great view into what others are doing, and helps us ensure that we’re following the most effective industry best practices.

Gardner: Dan, at EMC, is the Product Security Office something similar to what Andras explained for how IBM operates? Perhaps you could just give us a sense of how it’s done there?

Reddy: At EMC in our Product Security Office, we house the enabling expertise to define how to build their products securely. We’re interested in building that in as soon as possible throughout the entire lifecycle. We work with all of our product teams to measure where they are, to help them define their path forward, as they look at each of the releases of their other products. And we’ve done a lot of work in sharing our practices within the industry.

One of the things this standard does for us, especially in the area of dealing with the supply chain, is it gives us a way to communicate what our practices are with our customers. Customers are looking for that kind of assurance and rather than having a one-by-one conversation with customers about what our practices are for a particular organization. This would allow us to have a way of demonstrating the measurement and the conformance against a standard to our own customers.

Also, as we flip it around and take a look at our own suppliers, we want to be able to encourage suppliers, which may be small suppliers, to conform to a standard, as we go and select who will be our authorized suppliers.

Gardner: Dave, what would you suggest for those various suppliers around the globe to begin the process?

Publications catalog

Lounsbury: Obviously, the thing I would recommend right off is to go to The Open Group website, go to the publications catalog, and download the snapshot of the OTTF standard. That gives a good overview of the two areas of best practices for protection from tainted and counterfeit products we’ve mentioned on the call here.

That’s the starting point, but of course, the reason it’s very important for the commercial world to lead this is that commercial vendors face the commercial market pressures and have to respond to threats quickly. So the other part of this is how to stay involved and how to stay up to date?

And of course the two ways that The Open Group offers to let people do that is that you can come to our quarterly conferences, where we do regular presentations on this topic. In fact, the Washington meeting is themed on the supply chain security.

Of course, the best way to do it is to actually be in the room as these standards are evolved to meet the current and the changing threat environment. So, joining The Open Group and joining the OTTF is absolutely the best way to be on the cutting edge of what’s happening, and to take advantage of the great information you get from the companies represented on this call, who have invested years-and-years, as Andras said, in making their own best practices and learning from them.

Gardner: Edna, what’s on the short list of next OTTF priorities?

Conway: You’ve heard us talk about CNCI, and the fact that cybersecurity is on everyone’s minds today. So while taint embodies that to some degree, we probably need to think about partnering in a more comprehensive way under the resiliency and risk umbrella that you heard Dan talk about and really think about embedding security into a resilient supply chain or a resilient enterprise approach.

In fact, to give that some forethought, we actually have invited at the upcoming conference, a colleague who I’ve worked with for a number of years who is a leading expert in enterprise resiliency and supply chain resiliency to join us and share his thoughts.

He is a professor at MIT, and his name is Yossi Sheffi. Dr. Sheffi will be with us. It’s from that kind of information sharing, as we think in a more comprehensive way, that we begin to gather the expertise that not only resides today globally in different pockets, whether it be academia, government, or private enterprise, but also to think about what the next generation is going to look like.

Resiliency, as it was known five years ago, is nothing like supply chain resiliency today, and where we want to take it into the future. You need only look at the US national strategy for global supply chain security to understand that. When it was announced in January of this year at Davos by Secretary Napolitano of the DHS, she made it quite clear that we’re now putting security at the forefront, and resiliency is a part of that security endeavor.

So that mindset is a change, given the reliance ubiquitously on communications, for everything, everywhere, at all times — not only critical infrastructure, but private enterprise, as well as all of us on a daily basis today. Our communications infrastructure is essential to us.

Thinking about resiliency

Given that security has taken top ranking, we’re probably at the beginning of this stage of thinking about resiliency. It’s not just about continuity of supply, not just about prevention from the kinds of cyber incidents that we’re worried about, but also to be cognizant of those nation-state concerns or personal concerns that would arise from those parties who are engaging in malicious activity, either for political, religious or reasons.

Or, as you know, some of them are just interested in seeing whether or not they can challenge the system, and that causes loss of productivity and a loss of time. In some cases, there are devastating negative impacts to infrastructure.

Szakal: There’s another area too that I am highly focused on, but have kind of set aside, and that’s the continued development and formalization of the framework itself that is to continue the collective best practices from the industry and provide some sort of methods by which vendors can submit and externalize those best practices. So those are a couple of areas that I think that would keep me busy for the next 12 months easily.

Gardner: What do IT vendor companies gain if they do this properly?

Secure by Design

Szakal: Especially now in this day and age, any time that you actually approach security as part of the lifecycle — what we call an IBM Secure by Design — you’re going to be ahead of the market in some ways. You’re going to be in a better place. All of these best practices that we’ve defined are additive in effect. However, the very nature of technology as it exists today is that it will be probably another 50 or so years, before we see a perfect security paradigm in the way that we all think about it.

So the researchers are going to be ahead of all of the providers in many ways in identifying security flaws and helping us to remediate those practices. That’s part of what we’re doing here, trying to make sure that we continue to keep these practices up to date and relevant to the entire lifecycle of commercial off-the-shelf technology (COTS) development.

So that’s important, but you also have to be realistic about the best practices as they exist today. The bar is going to move as we address future challenges.

************

For more information on The Open Group’s upcoming conference in Washington, D.C., please visit: http://www.opengroup.org/dc2012

Dana Gardner is president and principal analyst at Interarbor Solutions, an enterprise IT analysis, market research, and consulting firm. Gardner, a leading identifier of software and Cloud productivity trends and new IT business growth opportunities, honed his skills and refined his insights as an industry analyst, pundit, and news editor covering the emerging software development and enterprise infrastructure arenas for the last 18 years.

Filed under Cybersecurity, Information security, OTTF, Supply chain risk

#ogChat Summary – Walled Garden Networks

By Patty Donovan, The Open Group

With hundreds of tweets flying at break-neck pace, yesterday’s #ogChat saw a very spirited discussion on the Internet’s movement toward a walled garden model. In case you missed the conversation, you’re in luck! Here’s a recap of yesterday’s #ogChat.

The full list of participants included:

Here is a high-level snapshot of yesterday’s #ogChat:

Q1 In the context of #WWW, why has there been a shift from the open Internet to portals, apps and walled environs? #ogChat

Participants generally agreed that the impetus behind the walled garden trend was led by two factors: companies and developers wanting more control, and a desire by users to feel “safer.”

  • @charleneli: Q1 Peeps & developers like order, structure, certainty. Control can provide that. But too much and they leave. #ogChat.
  • @Technodad: User info & contributions are raw material of walled sites – “If you’re not paying for the service, the product being sold is you”. #ogChat
  • @AlanWebber #ogChat Q1 – People feel safer inside the “Walls” but don’t realize what they are losing

Q2 How has this trend affected privacy/control? Do users have enough control over their IDs/content within #walledgarden networks? #ogChat

This was a hot topic as participants debated the tradeoffs between great content and privacy controls. Questions of where data was used and leaked to also emerged, as walled gardens are known to have backdoors.

  • @AlanWebber: But do people understand what they are giving up inside the walls? #ogChat
  • @TheTonyBradley: Q2 — Yes and no. Users have more control than they’re aware of, but for many it’s too complex and cumbersome to manage properly. #ogchat
  • @jim_hietala: #ogChat Q2 privacy and control trade offs need to be made more obvious, visible
  • @zdFYRashid: Q2 users assume that #walledgarden means nothing leaves, so they think privacy is implied. They don’t realize that isn’t the case #ogchat
  • @JohnFontana: Q2 Notion is wall and gate is at the front of garden where users enter. It’s the back that is open and leaking their data #ogchat
  • @subreyes94: #ogchat .@DanaGardner More walls coming down through integration. FB and Twitter are becoming de facto login credentials for other sites

Q3 What has been the role of social and #mobile in developing #walledgardens? Have they accelerated this trend? #ogChat

Everyone agreed that social and mobile catalyzed the formation of walled garden networks. Many also gave a nod to location as a nascent driver.

  • @jaycross: Q3 Mobile adds your location to potential violations of privacy. It’s like being under surveillance. Not very far along yet. #ogChat
  • @charleneli: Q3: Mobile apps make it easier to access, reinforcing behavior. But also enables new connections a la Zynga that can escape #ogChat
  • @subreyes94: #ogChat Q3 They have accelerated the always-inside the club. The walls have risen to keep info inside not keep people out.
    • @Technodad: @subreyes94 Humans are social, want to belong to community & be in touch with others “in the group”. Will pay admission fee of info. #ogChat

Q4 Can people use the internet today without joining a walled garden network? What does this say about the current web? #ogChat

There were a lot of parallels drawn between real and virtual worlds. It was interesting to see that walled gardens provided a sense of exclusivity that humans seek out by nature. It was also interesting to see a generational gap emerge, as many participants cited their parents as not being a part of a walled garden network.

  • @TheTonyBradley: Q4 — You can, the question is “would you want to?” You can still shop Amazon or get directions from Mapquest. #ogchat
  • @zdFYRashid: Q4 people can use the internet without joining a walled garden, but they don’t want to play where no one is. #ogchat
  • @JohnFontana: Q4 I believe we are headed to a time when people will buy back their anonymity. That is the next social biz. #ogchat

Q5 Is there any way to reconcile the ideals of the early web with the need for companies to own information about users? #ogChat

While walled gardens have started to emerge, the consumerization of the Internet and social media has really driven user participation and empowered users to create content within these walled gardens.

  • @JohnFontana: Q5 – It is going to take identity, personal data lockers, etc. to reconcile the two. Wall-garden greed heads can’t police themselves #ogchat
  • @charleneli: Q5: Early Web optimism was less about being open more about participation. B4 you needed to know HTML. Now it’s fill in a box. #ogChat
  • @Dana_Gardner: Q5 Early web was more a one-way street, info to a user. Now it’s a mix-master of social goo. No one knows what the goo is, tho. #ogChat
  • @AlanWebber: Q5, Once there are too many walls, people will begin to look on to the next (virtual) world. Happening already #ogChat

Q6 What #Web2.0 lessons learned should be implemented into the next iteration of the web? How to fix this? #ogChat

Identity was the most common topic with the sixth and final question. Single sign-on, personal identities on mobile phones/passports and privacy seemed to be the biggest issues facing the next iteration of the web.

  • @Technodad: Q6 Common identity is a key – need portable, mutually-recognized IDs that can be used for access control of shared info. #ogChat
  • @JohnFontana: Q6 Users want to be digital. Give them ways to do that safely and privately if so desired. #ogChat
  • @TheTonyBradley: Q6 — Single ID has pros and cons. Convenient to login everywhere with FB credentials, but also a security Achilles heel. #ogchat

Thank you to all the participants who made this such a great discussion!

Patricia Donovan is Vice President, Membership & Events, at The Open Group and a member of its executive management team. In this role she is involved in determining the company’s strategic direction and policy as well as the overall management of that business area. Patricia joined The Open Group in 1988 and has played a key role in the organization’s evolution, development and growth since then. She also oversees the company’s marketing, conferences and member meetings. She is based in the U.S.

Filed under Tweet Jam

Social Networking at The Open Group Washington, D.C. Conference (#ogDCA)

By Andrew Josey, The Open Group

Those who attend The Open Group conferences benefit from the opportunity to leverage the expertise of other experts, learn from others’ experiences and delve into content most relevant to their jobs and organizations. One way to maximize the benefit is to make technology work for you. If you are attending The Open Group conference in Washington, D.C., we’ve put together a few tips on how to leverage technology to make networking and meet-ups easier, quicker and more effective.

Using Twitter at #ogDCA

Twitter is a real-time news-sharing tool that anyone can use. The official hashtag for the conference is #ogDCA. This allows anybody, whether they are present or not, to follow what’s happening at the Washington, D.C. conference in real-time and to interact with each other.

Before the conference, be sure to update your Twitter client to monitor #ogDCA and to tweet about the conference. If you need to contact the conference team, we can be reached on @theopengroup.

To follow the conference on Twitter, you can point your mobile device to http://bit.ly/LyJBbA

Using foursquare to network at the Washington, D.C. conference

We’ve set up a foursquare venue for the conference and also for the exhibits hall. Be sure to check in at the venue to see a number of specials and leave tips for other attendees – more information about #ogDCA foursquare campaigns to come shortly. Also, be sure to check in at the exhibitors on foursquare.

You can check in at the venue at: http://4sq.com/LD1qfQ, or search for “The Open Group Conference Washington DC, #ogCDA.”

Using Facebook at the Washington, D.C. conference

You can also track what is happening at the conference on The Open Group Facebook page. We will be running another photo contest, where all entries will be uploaded to our Facebook page. Members and Open Group Facebook fans can vote by “liking” a photo. The photos with the most “likes” in each category will be named the winner. Submissions will be uploaded in real-time, so the sooner you submit a photo, the more time members and fans will have to vote on it!

For full details of the contest and how to enter see The Open Group Blog.

If you have any questions about social media usage at the conference, feel free to tweet me (@aj_josey)!

Andrew Josey is Director of Standards within The Open Group. He is currently managing the standards process for The Open Group, and has recently led the standards development projects for TOGAF 9.1, ArchiMate 2.0, IEEE Std 1003.1-2008 (POSIX), and the core specifications of the Single UNIX Specification, Version 4. Previously, he has led the development and operation of many of The Open Group certification development projects, including industry-wide certification programs for the UNIX system, the Linux Standard Base, TOGAF, and IEEE POSIX. He is a member of the IEEE, USENIX, UKUUG, and the Association of Enterprise Architects.

Filed under Conference

Social Networks – Challenging an Open Internet? Walled Gardens Tweet Jam

By Patty Donovan, The Open Group

On July 10, The Open Group will host a special tweet jam to examine “walled gardens” and the effect of social media networks on the web.

The World Wide Web was originally intended to be an open platform – from the early forums for programmers exchanging code or listservs to today’s daily photo blogs or corporate websites providing product information. Information was meant to be free and available for public consumption, meaning any link on the World Wide Web could be accessed by anyone, anytime.

With the advent of Web 2.0, content no longer roams free. Increasingly, private companies and social networks, such as Facebook and Google Plus, have realized the value of controlling information and restricting the once open flow of the Internet. A link to a Facebook profile, for example, doesn’t lead to a member’s Facebook page, but instead to an invitation to join Facebook – a closed, member-only network where one must be inside the network to derive any benefit. And once one joins one of these “walled gardens,” personal content is shared in ways that are uncontrollable by the user.

As web data continues to explode and more and more information about Internet usage is gathered across sites, the pressure to “grow the gardens” with more personal data and content will continue to increase.

Please join us on July 10 at 9:00 a.m. PT/12:00 p.m. ET/5:00 p.m. BST for a tweet jam that will discuss the future of the web as it relates to information flow, identity management and privacy in the context of “walled garden” networks such as Facebook and Google. We welcome Open Group members and interested participants from all backgrounds to join the session and interact with our panel of experts, including:

To access the discussion, please follow the #ogChat hashtag next Tuesday during the allotted discussion time. Other hashtags we recommend using include:

  • Open Group Conference, Washington, D.C.: #ogDCA
  • Facebook: #fb (Twitter account: @facebook)
  • Google: #google (Twitter account: @google)
  • Identity management: #idM
  • Mobile: #mobile
  • IT security: @ITsec
  • Semantic web: #semanticweb
  • Walled garden: #walledgarden
  • Web 2.0: #web20

Below is a list of the questions that will be addressed during the hour-long discussion:

  1. In the context of the World Wide Web, why has there been a shift from the open Internet to portals, apps and walled environments?
  2. How has this trend affected privacy and control? Do users have enough control over their IDs and content within walled garden networks?
  3. What has been the role of social and mobile in developing walled gardens? Have they accelerated this trend?
  4. Can people use the Internet today without joining a walled garden network? What does this say about the current web?
  5. Is there any way to reconcile the ideals of the early web with the need for companies to own information about users?
  6. What Web 2.0 lessons learned should be implemented into the next iteration of the web?

And for those of you who are unfamiliar with tweet jams, here is some background information:

What Is a Tweet Jam?

A tweet jam is a one hour “discussion” hosted on Twitter. The purpose of the tweet jam is to share knowledge and answer questions on a chosen topic. Each tweet jam is led by a moderator (Dana Gardner) and a dedicated group of experts to keep the discussion flowing. The public (or anyone using Twitter interested in the topic) is free (and encouraged!) to join the discussion.

Participation Guidance

Whether you’re a newbie or veteran Twitter user, here are a few tips to keep in mind:

  • Have your first #ogChat tweet be a self-introduction: name, affiliation, occupation.
  • Start all other tweets with the question number you’re responding to and the #ogChat hashtag.
    • Sample: “Q4 People can still use the Internet without joining a walled garden, but their content exposure would be extremely limited #ogChat”
  • Please refrain from product or service promotions. The goal of a tweet jam is to encourage an exchange of knowledge and stimulate discussion.
  • While this is a professional get-together, we don’t have to be stiff! Informality will not be an issue!
  • A tweet jam is akin to a public forum, panel discussion or Town Hall meeting – let’s be focused and thoughtful.

If you have any questions prior to the event, please direct them to Rod McLeod (rmcleod at bateman-group dot com). We anticipate a lively chat on July 10 and hope you will be able to join!

Patricia Donovan is Vice President, Membership & Events, at The Open Group and a member of its executive management team. In this role she is involved in determining the company’s strategic direction and policy as well as the overall management of that business area. Patricia joined The Open Group in 1988 and has played a key role in the organization’s evolution, development and growth since then. She also oversees the company’s marketing, conferences and member meetings. She is based in the US.

Filed under Identity Management, Tweet Jam

The Open Group and MIT Experts Detail New Advances in ID Management to Help Reduce Cyber Risk

By Dana Gardner, The Open Group

This BriefingsDirect thought leadership interview comes in conjunction with The Open Group Conference in Washington, D.C., beginning July 16. The conference will focus on Enterprise Architecture (EA), enterprise transformation and securing global supply chains.

We’re joined in advance by some of the main speakers at the July 16 conference to examine the relationship between controlled digital identities and cyber risk management. Our panel will explore how the technical and legal support of ID management best practices has been advancing rapidly. And we’ll see how individuals and organizations can better protect themselves through better understanding and managing of their online identities.

The panelists are Jim Hietala, vice president of security at The Open Group; Thomas Hardjono, technical lead and executive director of the MIT Kerberos Consortium; and Dazza Greenwood, president of the CIVICS.com consultancy and lecturer at the MIT Media Lab. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: What is ID management, and how does it form a fundamental component of cybersecurity?

Hietala: ID management is really the process of identifying folks who are logging onto computing services, assessing their identity, looking at authenticating them, and authorizing them to access various services within a system. It’s something that’s been around in IT since the dawn of computing, and it’s something that keeps evolving in terms of new requirements and new issues for the industry to solve.

Particularly as we look at the emergence of cloud and software-as-a-service (SaaS) services, you have new issues for users in terms of identity, because we all have to create multiple identities for every service we access.

You have issues for the providers of cloud and SaaS services, in terms of how they provision, where they get authoritative identity information for the users, and even for enterprises who have to look at federating identity across networks of partners. There are a lot of challenges there for them as well.

Key theme

Figuring out who is at the other end of that connection is fundamental to all of cybersecurity. As we look at the conference that we’re putting on this month in Washington, D.C., a key theme is cybersecurity — and identity is a fundamental piece of that.

You can look at things that are happening right now in terms of trojans, bank fraud, scammers and attackers, wire transferring money out of company’s bank accounts and other things you can point to.

There are failures in their client security and the customer’s security mechanisms on the client devices, but I think there are also identity failures. They need new approaches for financial institutions to adopt to prevent some of those sorts of things from happening. I don’t know if I’d use the word “rampant,” but they are clearly happening all over the place right now. So I think there is a high need to move quickly on some of these issues.

Gardner: Are we at a plateau? Or has ID management been a continuous progression over the past decade?

Hardjono: So it’s been at least a decade since the industry began addressing identity and identity federation. Someone in the audience might recall Liberty Alliance, the Project Liberty in its early days.

One notable thing about the industry is that the efforts have been sort of piecemeal, and the industry, as a whole, is now reaching the point where a true correct identity is absolutely needed now in transactions in a time of so many so-called Internet scams.

Gardner: Dazza, is there a casual approach to this, or a professional need? By that, I mean that we see a lot of social media activities, Facebook for example, where people can have an identity and may or may not be verified. That’s sort of the casual side, but it sounds like what we’re really talking about is more for professional business or eCommerce transactions, where verification is important. In other words, is there a division between these two areas that we should consider before we get into it more deeply?

Greenwood: Rather than thinking of it as a division, a spectrum would be a more useful way to look at it. On one side, you have, as you mentioned, a very casual use of identity online, where it may be self-asserted. It may be that you’ve signed a posting or an email.

On the other side, of course, the Internet and other online services are being used to conduct very high value, highly sensitive, or mission-critical interactions and transactions all the time. When you get toward that spectrum, a lot more information is needed about the identity authenticating, that it really is that person, as Thomas was starting to foreshadow. The authorization, workflow permissions, and accesses are also incredibly important.

In the middle, you have a lot of gradations, based partly on the sensitivity of what’s happening, based partly on culture and context as well. When you have people who are operating within organizations or within contexts that are well-known and well-understood — or where there is already a lot of not just technical, but business, legal and cultural understanding of what happens — if something goes wrong, there are the right kind of supports and risk management processes.

There are different ways that this can play out. It’s not always just a matter of higher security. It’s really higher confidence, and more trust based on a variety of factors. But the way you phrased it is a good way to enter this topic, which is, we have a spectrum of identity that occurs online, and much of it is more than sufficient for the very casual or some of the social activities that are happening.

Higher risk

But as the economy in our society moves into a digital age, ever more fully and at ever-higher speeds, much more important, higher risk, higher value interactions are occurring. So we have to revisit how it is that we have been addressing identity — and give it more attention and a more careful design, instead of architectures and rules around it. Then we’ll be able to make that transition more gracefully and with less collateral damage, and really get to the benefits of going online.

Gardner: What’s happening to shore this up and pull it together? Let’s look at some of the big news.

Hietala: I think the biggest recent news is the U.S. National Strategy for Trusted Identities in Cyber Space (NSTIC) initiative. It clearly shows that a large government, the United States government, is focused on the issue and is willing to devote resources to furthering an ID management ecosystem and construct for the future. To me that’s the biggest recent news.

At a crossroads

Greenwood: We’re just now at a crossroads where finally industry, government and increasingly the populations in general, are understanding that there is a different playing field. In the way that we interact, the way we work, the way we do healthcare, the way we do education, the way our social groups cohere and communicate, big parts are happening online.

In some cases, it happens online through the entire lifecycle. What that means now is that a deeper approach is needed. Jim mentioned NSTIC as one of those examples. There are a number of those to touch on that are occurring because of the profound transition that requires a deeper treatment.

NSTIC is the U.S. government’s roadmap to go from its piecemeal approach to a coherent architecture and infrastructure for identity within the United States. It could provide a great model for other countries as well.

People can reuse their identity, and we can start to address what you’re talking about with identity and other people taking your ID, and more to the point, how to prove you are who you said you were to get that ID back. That’s not always so easy after identity theft, because we don’t have an underlying effective identity structure in the United States yet.

I just came back from the United Kingdom at a World Economic Forum meeting. I was very impressed by what their cabinet officers are doing with an identity-assurance scheme in large scale procurement. It’s very consistent with the NSTIC approach in the United States. They can get tens of millions of their citizens using secure well-authenticated identities across a number of transactions, while always keeping privacy, security, and also individual autonomy at the forefront.

There are a number of technology and business milestones that are occurring as well. Open Identity Exchange (OIX) is a great group that’s beginning to bring industry and other sectors together to look at their approaches and technology. We’ve had Security Assertion Markup Language (SAML). Thomas is co-chair of the PC, and that’s getting a facelift.

That approach was being brought to match scale with OpenID Connect, which is OpenID and OAuth. There are a great number of technology innovations that are coming online.

Legally, there are also some very interesting newsworthy harbingers. Some of it is really just a deeper usage of statutes that have been passed a few years ago — the Uniform Electronic Transactions Act, the Electronic Signatures in Global and National Commerce Act, among others, in the U.S.

There is eSignature Directive and others in Europe and in the rest of the world that have enabled the use of interactions online and dealt with identity and signatures, but have left to the private sector and to culture which technologies, approaches, and solutions we’ll use.

Now, we’re not only getting one-off solutions, but architectures for a number of different solutions, so that whole sectors of the economy and segments of society can more fully go online. Practically everywhere you look, you see news and signs of this transition that’s occurring, an exciting time for people interested in identity.

Gardner: What’s most new and interesting from your perspective on what’s being brought to bear on this problem, particularly from a technology perspective?

Two dimensions

Hardjono: It’s along two dimensions. The first one is within the Kerberos Consortium. We have a number of people coming from the financial industry. They all have the same desire, and that is to scale their services to the global market, basically sign up new customers abroad, outside the United States. In wanting to do so, they’re facing a question of identity. How do we assert that somebody in a country is truly who they say they are?

The second introduces a number of difficult technical problems. Closer to home and maybe at a smaller scale, the next big thing is user consent. The OpenID exchange and the OpenID Connect specifications have been completed, and people can do single sign-on using technology such as OAuth 2.0.

The next big thing is how can an attribute provider, banks, telcos and so on, who have data about me, share data with other partners in the industry and across the sectors of the industry with my expressed consent in a digital manner.

Gardner: Tell us a bit about the MIT Core ID approach and how this relates to the Jericho Forum approach.

Greenwood: I would defer to Jim of The Open Group to speak more authoritatively on Jericho Forum, which is a part of Open Group. But, in general, Jericho Forum is a group of experts in the security field from industry and, more broadly, who have done some great work in the past on deperimeterized security and some other foundational work.

In the last few years, they’ve been really focused on identity, coming to realize that identity is at the center of what one would have to solve in order to have a workable approach to security. It’s necessary, but not sufficient, for security. We have to get that right.

To their credit, they’ve come up with a remarkably good list of simple understandable principles, that they call the Jericho Forum Identity Commandments, which I strongly commend to everybody to read.

It puts forward a vision of an approach to identity, which is very constant with an approach that I’ve been exploring here at MIT for some years. A person would have a core ID identity, a core ID, and could from that create more than one persona. You may have a work persona, an eCommerce persona, maybe a social and social networking persona and so on. Some people may want a separate political persona.

You could cluster all of the accounts, interactions, services, attributes, and so forth, directly related to each of those to those individual personas, but not be in a situation where we’re almost blindly backing into right now. With a lot of the solutions in the market, your different aspects of life, unintentionally sometimes or even counter-intentionally, will merge.

Good architecture

Sometimes, that’s okay. Sometimes, in fact, we need to be able to have an inability to separate different parts of life. That’s part of privacy and can be part of security. It’s also just part of autonomy. It’s a good architecture. So Jericho Forum has got the commandments.

Many years ago, at MIT, we had a project called the Identity Embassy here in the Media Lab, where we put forward some simple prototypes and ideas, ways you could do that. Now, with all the recent activity we mentioned earlier toward full-scale usage of architectures for identity in U.S. with NSTIC and around the world, we’re taking a stronger, deeper run at this problem.

Thomas and I have been collaborating across different parts of MIT. I’m putting out what we think is a very exciting and workable way that you can in a high security manner, but also quite usably, have these core identifiers or individuals and inextricably link them to personas, but escape that link back to the core ID, and from across the different personas, so that you can get the benefits when you want them, keeping the personas separate.

Also it allows for many flexible business models and other personalization and privacy services as well, but we can get into that more in the fullness of time. But, in general, that’s what’s happening right now and we couldn’t be more excited about it.

Hardjono: For a global infrastructure for core identities to be able to develop, we definitely need collaboration between the governments of the world and the private sector. Looking at this problem, we were searching back in history to find an analogy, and the best analogy we could find was the rollout of a DNS infrastructure and the IP address assignment.

It’s not perfect and it’s got its critics, but the idea is that you could split blocks of IP addresses and get it sold and resold by private industry, really has allowed the Internet to scale, hitting limitations, but of course IPv6 is on the horizon. It’s here today.

So we were thinking along the same philosophy, where core identifiers could be arranged in blocks and handed out to the private sector, so that they can assign, sell it, or manage it on behalf of people who are Internet savvy, and perhaps not, such as my mom. So we have a number of challenges in that phase.

Gardner: Does this relate to the MIT Model Trust Framework System Rules project?

Greenwood: The Model Trust Framework System Rules project that we are pursuing in MIT is a very important aspect of what we’re talking about. Thomas and I talked somewhat about the technical and practical aspects of core identifiers and core identities. There is a very important business and legal layer within there as well.

So these trust framework system rules are ways to begin to approach the complete interconnected set of dimensions necessary to roll out these kinds of schemes at the legal, business, and technical layers.

They come from very successful examples in the past, where organizations have federated ID with more traditional approaches such as SAML and other approaches. There are some examples of those trust framework system rules at the business, legal, and technical level available.

Right now it’s CIVICS.com, and soon, when we have our model MIT under Creative Commons approach, we’ll take a lot of the best of what’s come before, codified in a rational way. Business, legal, and technical rules can really be aligned in a more granular way to fit well, and put out a model that we think will be very helpful for the identity solutions of today that are looking to federate according to NSTIC and similar models. It absolutely would be applicable to how the core identity and persona underlying architecture and infrastructure that Thomas, I, and Jericho Forum are postulating could occur.

Hardjono: Looking back 10-15 years, we engineers came up with all sorts of solutions and standardized them. What’s really missing is the business models, business cases, and of course the legal side.

How can a business make revenue out of the management of identity-related aspects, management of attributes, and so on, and how can they do so in such a manner that it doesn’t violate the user’s privacy? But it’s still user-centric in the sense that the user needs to give consent and can withdraw consent and so on. And trying to develop an infrastructure where everybody is protected.

Gardner: The Open Group, being a global organization focused on the collaboration process behind the establishment of standards, it sounds like these are some important aspects that you can bring out to your audience, and start to create that collaboration and discussion that could lead to fuller implementation. Is that the plan, and is that what we’re expecting to hear more of at the conference next month?

Hietala: It is the plan, and we do get a good mix at our conferences and events of folks from all over the world, from government organizations and large enterprises as well. So it tends to be a good mixing of thoughts and ideas from around the globe on whatever topic we’re talking about — in this case identity and cybersecurity.

At the Washington, D.C. Conference, we have a mix of discussions. The kick-off one is a fellow by the name of Joel Brenner who has written a book, America the Vulnerable, which I would recommend. He was inside the National Security Agency (NSA) and he’s been involved in fighting a lot of the cyber attacks. He has a really good insight into what’s actually happening on the threat and defending against the threat side. So that will be a very interesting discussion. [Read an interview with Joel Brenner.]

Then, on Monday, we have conference presentations in the afternoon looking at cybersecurity and identity, including Thomas and Dazza presenting on some of the projects that they’ve mentioned.

Cartoon videos

Then, we’re also bringing to that event for the first time, a series of cartoon videos that were produced for the Jericho Forum. They describe a lot of the commandments that Dazza mentioned in a more approachable way. So they’re hopefully understandable to laymen, and folks with not as much understanding about all the identity mechanisms that are out there. So, yeah, that’s what we are hoping to do.

Gardner: Perhaps we could now better explain what NSTIC is and does?

Greenwood: The best person to speak about NSTIC in the United States right now is probably President Barack Obama, because he is the person that signed the policy. Our president and the administration have taken a needed, and I think a very well-conceived, approach to getting industry involved with other stakeholders in creating the architecture that’s going to be needed for identity for the United States and as a model for the world, and also how to interact with other models.

Jeremy Grant is in charge of the program office and he is very accessible. So if people want more information, they can find Jeremy online easily at nist.gov/nstic. And nstic.us also has more information.

In general, NSTIC is a strategy document and a roadmap for how a national ecosystem can emerge, which is comprised of a governing body. They’re beginning to put that together this very summer, with 13 different stakeholder groups, each of which would self-organize and elect or appoint a person — industry, government, state and local government, academia, privacy groups, individuals — which is terrific — and so forth.

That governance group will come up with more of the details in terms of what the accreditation and trust marks look like, the types of technologies and approaches that would be favored according to the general principles I hope everyone reads within the NSTIC document.

At a lower level, Congress has appropriated more than $10 million to work with the White House for a number of pilots that will be under a million and a half dollars each for a year or two, where individual proof of concept, technologies, or approaches to trust frameworks will be piloted and put out into where they can be used in the market.

In general, by this time two months from now, we’ll know a lot more about the governing body, once it’s been convened and about the pilots once those contracts have been awarded and grants have been concluded. What we can say right now is that the way it’s going to come together is with trust framework system rules, the same exact type of entity that we are doing a model of, to help facilitate people’s understanding and having templates and well-thought through structures that they can pull down and, in turn, use as a starting point.

Circle of trust

So industry-by-industry, sector-by-sector, but also what we call circle of trust by circle of trust. Folks will come up with their own specific rules to define exactly how they will meet these requirements. They can get a trust mark, be interoperable with other trust framework consistent rules, and eventually you’ll get a clustering of those, which will lead to an ecosystem.

The ecosystem is not one size fits all. It’s a lot of systems that interoperate in a healthy way and can adapt and evolve over time. A lot more, as I said, is available on nstic.us and nist.gov/nstic, and it’s exciting times. It’s certainly the best government document I have ever read. I’ll be so very excited to see how it comes out.

Gardner: What’s coming down the pike that’s going to make this yet more important?

Hietala: I would turn to the threat and attacks side of the discussion and say that, unfortunately, we’re likely to see more headlines of organizations being breached, of identities being lost, stolen, and compromised. I think it’s going to be more bad news that’s going to drive this discussion forward. That’s my take based on working in the industry and where it’s at right now.

Hardjono: I mentioned the user consent going forward. I think this is increasingly becoming an important sort of small step to address and to resolve in the industry and efforts like the User Managed Access (UMA) working group within the Kantara Initiative.

Folks are trying to solve the problem of how to share resources. How can I legitimately not only share my photos on Flickr with data, but how can I allow my bank to share some of my attributes with partners of the bank with my consent. It’s a small step, but it’s a pretty important step.

Greenwood: Keep your eyes on UMA out of Kantara. Keep looking at OASIS, as well, and the work that’s coming with SAML and some of the Model Trust Framework System Rules.

Most important thing

In my mind the most strategically important thing that will happen is OpenID Connect. They’re just finalizing the standard now, and there are some reference implementations. I’m very excited to work with MIT, with our friends and partners at MITRE Corporation and elsewhere.

That’s going to allow mass scales of individuals to have more ready access to identities that they can reuse in a great number of places. Right now, it’s a little bit catch-as-catch-can. You’ve got your Google ID or Facebook, and a few others. It’s not something that a lot of industries or others are really quite willing to accept to understand yet.

They’ve done a complete rethink of that, and use the best lessons learned from SAML and a bunch of other federated technology approaches. I believe this one is going to change how identity is done and what’s possible.

They’ve done such a great job on it, I might add. It fits hand in glove with the types of Model Trust Framework System Rules approaches, a layer of UMA on top, and is completely consistent with the architecture rights, with a future infrastructure where people would have a Core ID and more than one persona, which could be expressed as OpenID Connect credentials that are reusable by design across great numbers of relying parties, getting where we want to be with single sign-on.

So it’s exciting times. If it’s one thing you have to look at, I’d say do a Google search and get updates on OpenID Connect and watch how that evolves.
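The one-way identity tree that Greenwood and the Jericho Forum videos describe (a secret core identifier, personas derived from it, personas derived from personas, and no path back up), as an added illustration that is not the Jericho Forum’s or MIT’s design or code. It assumes HMAC-SHA256 as the derivation step and a core identifier that is a secret held only by the person; names and the tree layout are constructed for the example.

```python
"""Added illustration of a one-way persona tree (not Jericho Forum / MIT code).

Assumed model: the core identifier is a secret the holder never reveals; each
persona has a secret derived one-way from its parent and a public identifier
derived one-way from its own secret. Relying parties only ever see public
identifiers, so nothing they hold lets them walk back up the tree or link
two personas to the same core.
"""
import hashlib
import hmac
import secrets
from typing import Dict


def new_core_identifier() -> bytes:
    # Constructed stand-in for the digital core identifier: 256 random bits
    # that exist only on the holder's side and are never sent to anyone.
    return secrets.token_bytes(32)


def derive_persona_secret(parent_secret: bytes, label: str) -> bytes:
    # One step down the tree: HMAC-SHA256 keyed with the parent's secret.
    # Without parent_secret the output cannot be recomputed, and the output
    # does not reveal parent_secret, so the step is one-way.
    message = b"persona/" + label.encode("utf-8")
    return hmac.new(parent_secret, message, hashlib.sha256).digest()


def public_identifier(persona_secret: bytes) -> str:
    # What a relying party is shown. A second one-way step, so revealing the
    # identifier does not reveal the secret that spawns this persona's children.
    return hashlib.sha256(b"public/" + persona_secret).hexdigest()


def build_tree(parent_secret: bytes, spec: dict, prefix: str = "") -> Dict[str, str]:
    """Walk a nested {label: {sublabel: {...}}} spec and return path -> public id.

    Called with the core secret it yields the whole tree; called with one
    persona's secret it yields only that persona's subtree, which is exactly
    what delegating that persona (to a work laptop, say) makes possible.
    """
    out: Dict[str, str] = {}
    for label, children in spec.items():
        path = f"{prefix}/{label}" if prefix else label
        child_secret = derive_persona_secret(parent_secret, label)
        out[path] = public_identifier(child_secret)
        out.update(build_tree(child_secret, children, path))
    return out


def demo() -> Dict[str, str]:
    # Constructed sample: one core, three top-level personas, one sub-persona.
    core = new_core_identifier()
    spec = {"work": {"project-a": {}}, "bank": {}, "golf-club": {}}
    tree = build_tree(core, spec)

    # Holding the "work" persona secret is enough to recreate its subtree...
    work_secret = derive_persona_secret(core, "work")
    assert build_tree(work_secret, {"project-a": {}}, "work") == {
        "work/project-a": tree["work/project-a"]
    }
    # ...but not a sibling: "bank" derived from work_secret is a different id,
    # because only the core secret sits above both of them.
    assert public_identifier(derive_persona_secret(work_secret, "bank")) != tree["bank"]
    return tree


if __name__ == "__main__":
    for path, identifier in demo().items():
        print(f"{path:16} {identifier}")
```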

************

For more information on The Open Group’s upcoming conference in Washington, D.C., please visit: http://www.opengroup.org/dc2012

Dana Gardner is president and principal analyst at Interarbor Solutions, an enterprise IT analysis, market research, and consulting firm. Gardner, a leading identifier of software and Cloud productivity trends and new IT business growth opportunities, honed his skills and refined his insights as an industry analyst, pundit, and news editor covering the emerging software development and enterprise infrastructure arenas for the last 18 years.


Filed under Conference, Cybersecurity

The Increasing Importance of Cybersecurity: The Open Group Conference in Washington, D.C.

By Jim Hietala, The Open Group

As we move through summer here in the U.S., cybersecurity continues to be top of mind, not only for security professionals, but for IT management as well as for senior managers in large organizations.

The IT security world tends to fixate on the latest breach reported or the latest vulnerability disclosed. Clearly the recent news around Stuxnet and Flame has caused a stir in the community, as professionals debate what it means to have cyberwar attacks being carried out by nations. However, there have also been other significant developments in cybersecurity that have heightened the need for better understanding of risk and security posture in large organizations.

In the U.S., the SEC recently issued guidance to public companies on disclosing the risks of cybersecurity incidents in financial reports, as well as disclosing actual breaches if there is a material effect. This is a significant new development, as there’s little that directs the attention of CEOs and Boards like new financial disclosure requirements. In publicly traded organizations that struggled to find funding to perform adequate risk management and for IT security initiatives, IT folks will have a new impetus and mandate, likely with support from the highest levels.

The upcoming Open Group conference in Washington, D.C. on July 16-20 will explore cybersecurity, with a focus on defending critical assets and securing the global supply chain. To highlight a few of the notable presentations:

  • Joel Brenner, author of America the Vulnerable, attorney, and former senior counsel at the NSA, will keynote on Monday, July 16 and will speak on “America the Vulnerable: Inside the New Threat Matrix.”
  • Kristen Baldwin, principal deputy, DASD, Systems Engineering, and acting director, Systems Analysis, will speak on “Meeting the Challenge of Cybersecurity Threats through Industry-Government Partnerships.”
  • Dr. Ron Ross, project leader, NIST, will speak on “Integrating Cyber Security Requirements into Main Stream Organizational Mission and Business Processes.”
  • Andras Szakal, VP & CTO, IBM Federal will moderate a panel that will include Daniel Reddy, EMC; Edna Conway, Cisco; and Hart Rossman, SAIC on “Mitigating Tainted & Counterfeit Products.”
  • Dazza (Daniel) J. Greenwood, JD, MIT and CIVICS.com Consultancy Services, and Thomas Hardjono, executive director of MIT Kerberos Consortium, will discuss “Meeting the Challenge of Identity and Security.”

Apart from our quarterly conferences and member meetings, The Open Group undertakes a broad set of programs aimed at addressing challenges in information security.

Our Security Forum focuses on developing standards and best practices in the areas of information security management and secure architecture. The Real Time and Embedded Systems Forum addresses high assurance systems and dependability through work focused on MILS, software assurance, and dependability engineering for open systems. Our Trusted Technology Forum addresses supply chain issues of taint and counterfeit products through the development of the Trusted Technology Provider Framework, which is a draft standard aimed at enabling commercial off the shelf ICT products to be built with integrity, and bought with confidence. Finally, The Open Group Jericho Forum continues to provide thought leadership in the area of information security, most notably in the areas of de-perimeterization, secure cloud computing and identity management.

I hope to see you at the conference. More information about the conference, including the full program can be found here: http://www.opengroup.org/dc2012

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.



Filed under Cybersecurity, Information security, Security Architecture, Conference, OTTF

Adapting to an eBook World

By Chris Harding, The Open Group

Have you ever wanted to read something to prepare for a meeting while traveling, but been frustrated by the difficulty of managing paper or a bulky PC? Travelers who read for pleasure have found eBooks a very convenient way to meet their needs. This format is now becoming available for select Open Group standards and guides, so that you can read them more easily when “on the road.”

The eBook format allows the device to lay out the text, rather than trying to fit pre-formatted pages to devices of all shapes and sizes (it is based on HTML). This makes reading an eBook a much easier and more pleasant experience than trying to read a static format such as PDF on a device where the page doesn’t fit.

There are portable electronic devices designed primarily for the purpose of reading digital books – the Amazon Kindle is the best known – but eBooks can also be read on tablets, mobile phones (on which the quality can be surprisingly good) and, of course, on laptops, using free-to-download software apps. The eBook readers are, essentially, small-sized special-purpose tablets with superb text display quality and – a big advantage on a long flight – batteries that can go weeks rather than hours without re-charging. As the quality and battery life of tablets continues to improve, they are starting to overtake specialized reader devices, which have one major disadvantage: a lack of standardization.

There are a number of different eBook formats, the most prominent being EPUB, an open standard created by the International Digital Publishing Forum; KF8, the proprietary format used by Amazon Kindle; and Mobipocket, a format that the Kindle will also handle (there is an excellent Wikipedia article on eBook formats, see http://en.wikipedia.org/wiki/Comparison_of_e-book_formats). You can read any of the most popular formats on a tablet (or PC, Mac, iPhone or Android device) using a software app, but you are likely to find that a specialized reader device is limited in the formats that it can handle.

Many of the Open Group SOA Standards and Guides are now freely available in the EPUB and Mobipocket formats from The Open Group bookstore. See http://soa-standards.opengroup.org/post/eBook-Versions-of-SOA-Standards-and-Guides-5884765 for the current list. We are hoping to make all our new SOA standards and guides available in this way, and also some Open Group publications on Cloud Computing. EPUB versions of TOGAF® Version 9.1, the TOGAF 9.1 Pocket Guide and the TOGAF 9 study guides are available for purchase from The Open Group’s official publisher, Van Haren. The SOA and the TOGAF EPUBs can be obtained from The Open Group bookstore at http://www.opengroup.org/bookstore/catalog.

Thirty years ago, I used to attend meetings of the CCITT (now the ITU-T) in Geneva. The trolleys that were pushed around the UN building, piled high with working documents for distribution to delegates, were an impressive sight, but the sheer weight of paper that had to be carried to and from the meetings was a real problem. Laptops with Internet access have removed the need to carry documents. Now, eBooks are making it easy to read them while traveling!

We have started to make eBook versions of our standards and guides available and are still exploring the possibilities. We’d love to hear your thoughts on what will or won’t work, and what will work best. Please feel free to share your ideas in the comments section below.

Andrew Josey, director of standards at The Open Group, contributed to the technical aspects of this blog post.

Dr. Chris Harding is Director for Interoperability and SOA at The Open Group. He has been with The Open Group for more than ten years, and is currently responsible for managing and supporting its work on interoperability, including SOA and interoperability aspects of Cloud Computing. He is a member of the BCS, the IEEE and the AEA, and is a certified TOGAF practitioner.


Filed under Cloud/SOA, TOGAF®

Cybersecurity Threats Key Theme at Washington, D.C. Conference – July 16-20, 2012

By The Open Group Conference Team

Identifying risks and eliminating vulnerabilities that could undermine integrity and supply chain security is a significant global challenge and a top priority for governments, vendors, component suppliers, integrators and commercial enterprises around the world.

The Open Group Conference in Washington, D.C. will bring together leading minds in technology and government policy to discuss issues around cybersecurity and how enterprises can establish and maintain the necessary levels of integrity in a global supply chain. In addition to tutorial sessions on TOGAF and ArchiMate, the conference offers approximately 60 sessions on a variety of topics, including:

  • Cybersecurity threats and key approaches to defending critical assets and securing the global supply chain
  • Information security and Cloud security for global, open network environments within and across enterprises
  • Enterprise transformation, including Enterprise Architecture, TOGAF and SOA
  • Cloud Computing for business, collaborative Cloud frameworks and Cloud architectures
  • Transforming DoD avionics software through the use of open standards

Keynote sessions and speakers include:

  • America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime and Warfare - Keynote Speaker: Joel Brenner, author and attorney at Cooley LLP
  • Meeting the Challenge of Cybersecurity Threats through Industry-Government Partnerships - Keynote Speaker: Kristin Baldwin, principal deputy, deputy assistant secretary of defense for Systems Engineering
  • Implementation of the Federal Information Security Management Act (FISMA) - Keynote Speaker: Dr. Ron Ross, project leader at NIST (TBC)
  • Supply Chain: Mitigating Tainted and Counterfeit Products - Keynote Panel: Andras Szakal, VP and CTO at IBM Federal; Daniel Reddy, consulting product manager in the Product Security Office at EMC Corporation; John Boyens, senior advisor in the Computer Security Division at NIST; Edna Conway, chief security strategist of supply chain at Cisco; and Hart Rossman, VP and CTO of Cyber Security Services at SAIC
  • The New Role of Open Standards – Keynote Speaker: Allen Brown, CEO of The Open Group
  • Case Study: Ontario Healthcare - Keynote Speaker: Jason Uppal, chief enterprise architect at QRS
  • Future Airborne Capability Environment (FACE): Transforming the DoD Avionics Software Industry Through the Use of Open Standards - Keynote Speaker: Judy Cerenzia, program director at The Open Group; Kirk Avery of Lockheed Martin; and Robert Sweeney of Naval Air Systems Command (NAVAIR)

The full program can be found here: http://www3.opengroup.org/events/timetable/967

For more information on the conference tracks or to register, please visit our conference registration page. Please stay tuned throughout the next month as we continue to release blog posts and information leading up to The Open Group Conference in Washington, D.C. and be sure to follow the conference hashtag on Twitter – #ogDCA!


Filed under ArchiMate®, Cloud, Cloud/SOA, Conference, Cybersecurity, Enterprise Architecture, Information security, OTTF, Standards, Supply chain risk

RECAP: The Open Group Brazil Conference – May 24, 2012

By Isabela Abreu, The Open Group

Under an autumn Brazilian sky, The Open Group held its first regional event in São Paulo, Brazil, and it turned out to be a great success. More than 150 people attended the conference – including Open Group platinum members (CapGemini, HP, IBM and Oracle), the Brazil chapter of the Association of Enterprise Architecture (AEA), and Brazilian organizations (Daryus, Sensedia) – displaying a robust interest for Enterprise Architecture (EA) within the world’s sixth largest economy. The Open Group also introduced its mission, vision and values to the marketplace – a working model not very familiar to the Brazilian environment.

After the 10-hour, one-day event, I’m pleased to say that The Open Group’s first formal introduction to Brazil was well received, and the organization’s mission was immediately understood!

Introduction to Brazil

The event started with a brief introduction of The Open Group by myself, Isabela Abreu, Open Group country manager of Brazil, and was followed by an impressive presentation by Allen Brown, CEO of The Open Group, on how enterprise architects hold the power to change an organization’s future, and stay ahead of competitors, by using open standards that drive business transformation.

The conference aimed to provide an overview of trending topics, such as business transformation, EA, TOGAF®, Cloud Computing, SOA and Information Security. The presentations focused on case studies, including one by Marcelo Sávio of IBM that showed how the organization has evolved through the use of EA Governance; and one by Roberto Soria of Oracle that provided an introduction to SOA Governance.

Enterprise Architecture

Moving on to architecture, Roberto Severo, president of the AEA in Brazil, pointed out why architects must join the association to transform the Brazil EA community into a strong and ethical tool for transforming EA. He also demonstrated how to align tactical decisions to strategic objectives using Cloud Computing. Then Cecilio Fraguas of CPM Braxis CapGemini provided an introduction to TOGAF®; and Courtnay Guimarães of Instisys comically evinced that although it is sometimes difficult to apply, EA is a competitive tool for investment banks.

Security

On the security front, Rodrigo Antão of Apura showed the audience that our enemies know us, but we don’t know them, in a larger discussion about counter-intelligence and cybersecurity; he indicated that architects are wrong when they tend to believe EA has nothing to do with Information Security. In his session titled “OSIMM: How to Measure Success with SOA and Design the Roadmap,” Luís Moraes of Sensedia provided a good overview for architects and explained how to measure success with SOA and design roadmaps with OSIMM, a maturity model for integration services soon to become an ISO standard, based on SOA and developed by The Open Group. Finally, Alberto Favero of Ernst & Young presented the findings of the Ernst & Young 2011 Global Information Security Survey, closing the event.

Aside from the competitive raffle, the real highlight of the event happened at lunch when I noticed the networking between conference attendees. I can testify that the Brazilian EA community actively exchanges ideas, in the spirit of The Open Group!

By the end of the day, everybody returned home with new ideas and new friends. I received many inquiries on how to keep the community engaged after the conference, and I promise to keep activities up and running here, in Brazil.

Stay tuned, as we plan on sending a survey to conference attendees, as well as the link to all of the presentations. Thanks to everyone who made the conference a great success!

Isabela Abreu is The Open Group country manager for Brazil. She is a member of AEA Brazil and has participated in the translation of the glossary of TOGAF® 9.1, ISO/IEC 20000:1 and ISO/IEC 20000:5 and ITIL V3 to Portuguese. Abreu has worked for itSMF Brazil, EXIN Brazil – Examination Institute for Information Science, and PATH ITTS Consultancy, and is a graduate of São Paulo University.


Filed under Cloud, Conference, Cybersecurity, Enterprise Architecture, TOGAF®

FACE Consortium to Host Exposition Day on June 5

By Judy Cerenzia, The Open Group

On Tuesday, June 5, The Open Group Future Airborne Capability Environment (FACE™) Consortium will hold the FACE Consortium Exposition Day at the Patuxent River Naval Air Museum in Lexington Park, Maryland, to showcase applications and tools that promote reusable software capabilities for unifying DoD aviation systems. The event will feature over 20 partners from government and the avionics industry showcasing examples of products aligned with the new FACE Technical Standard that help ensure warfighters can quickly and affordably benefit from continued software innovations.

The FACE Consortium is an aviation-focused professional group made up of avionics industry suppliers, customers and users. It provides a vendor-neutral forum for industry and the U.S. government to work together to develop and consolidate the open standards, best practices, guidance documents and business models necessary to achieve these results.

The exposition will consist of examples of FACE tools and applications by avionics industry partners from the FACE Consortium. The tools and applications showcased at the event are candidates for potential adoption of the FACE Technical Standard.

The details of the event are below and can be found in this flyer.

FACE Consortium Exposition Day

Location: Patuxent River Naval Air Museum, 22156 Three Notch Road, Lexington Park, MD

Date: Tuesday, June 5

Time: 10:00 a.m. – 5:00 p.m.

This event is free of charge and the venue is open to all visitors who are interested in open standards and open architectures for aviation systems. There will also be a social event held afterward from 5:00 to 7:00 p.m. at The Tides Restaurant.

For more information about the event, please contact Mike Hickey, or visit: https://www.opengroup.us/face/events.php?action=show&geid=13116

Judy Cerenzia is currently The Open Group’s Program Director for the Future Airborne Capability Environment (FACE) Consortium. Judy has 10+ years of senior program management experience leading cross-functional and cross-organizational teams to reach consensus, define, and meet business and technical goals during project lifecycles.


Filed under FACE™

New Open Group Survey Aims to Understand Cloud Computing ROI and Business Drivers

By Chris Harding, The Open Group

What are the real business benefits from using the Cloud that enterprises see today?

To help answer this question, The Open Group has launched its second annual study to gather information about the evolving business requirements for Cloud Computing and examine the measurable business drivers and ROI to be gained.

We are specifically looking for input from end-user organizations about their business requirements, concerns with implementing Cloud initiatives, and tools for measuring Cloud ROI. We would greatly appreciate your insight and encourage you to spend a few minutes completing the survey: http://www.surveymonkey.com/s/TheOpenGroup_2012CloudROI

The Open Group Cloud Computing Work Group exists to create a common understanding among buyers and suppliers of how enterprises of all sizes and scales of operation can include Cloud Computing technology in a safe and secure way in their architectures to realize its significant cost, scalability and agility benefits. It includes some of the industry’s leading Cloud providers and end-user organizations, collaborating on standard models and frameworks aimed at eliminating vendor lock-in for enterprises looking to benefit from Cloud products and services. It has created a series of whitepapers, guides and standards to help businesses approach and implement Cloud Computing initiatives, which are available for download from The Open Group bookstore. The Open Group book, Cloud Computing for Business, gives managers reliable and independent guidance that will help to support decisions and actions.

The results of the survey will contribute to our future work and will be publicly available for the benefit of the industry as a whole.

Dr. Chris Harding is Director for Interoperability and SOA at The Open Group. He has been with The Open Group for more than ten years, and is currently responsible for managing and supporting its work on interoperability, including SOA and interoperability aspects of Cloud Computing. Before joining The Open Group, he was a consultant, and a designer and development manager of communications software. With a PhD in mathematical logic, he welcomes the current upsurge of interest in semantic technology, and the opportunity to apply logical theory to practical use. He has presented at Open Group and other conferences on a range of topics, and contributes articles to on-line journals. He is a member of the BCS, the IEEE, and the AOGEA, and is a certified TOGAF practitioner.


Filed under Cloud, Cloud/SOA

Remembering the French Riviera through The Open Group Photo Contest

By The Open Group Conference Team

The Open Group Conference in Cannes was as unforgettable as the beautiful beaches of the French Riviera. For those of you who were unable to attend, conference attendees submitted a record number of 24 photos to the Cannes Photo Contest, ranging from pictures of the Gala Dinner to the clear blue waters of the Mediterranean Sea!

The contest ended today at noon PT, and without further ado, here are the winners:

The Open Cannes(vas) Award – For best photo taken in and around Cannes

“Street Semantics”
By Tomi Pitkänen, ICT Architecture

Best of Cannes Conference - For any photo taken during conference activities

“Open Group Gala – Allen Brown, Birgit Hartje, Len Fehskens”
By Judy Cerenzia, The Open Group

Honorable Mentions

“Rue Du Suquet”
By Len Fehskens, The Open Group

“Panorama”
By Len Fehskens, The Open Group

“Cannes”
By Judy Cerenzia, The Open Group

“Traverse de la Tour to L’église Saint Nicolas, Cannes”
By Diane MacDonald, The Open Group

“Hard Duty”
By Dave Lounsbury, The Open Group

Thank you to all those who participated in this contest – whether it was submitting one of your own photos or voting for your favorite photo. Please visit The Open Group’s Facebook page to view all of the submissions. We will also add other photos of the conference soon.

We’re always trying to improve our programs, so if you have any feedback regarding the photo contest, please email photo@opengroup.org or leave a comment below. We will see you in Washington, D.C.!

Filed under Conference

Video Highlights of Day 2 at the Cannes Conference

By The Open Group Conference Team

How important is top-down buy-in when building a strategy for enterprise transformation? The Day 2 speakers of The Open Group Conference in Cannes address this question, and Peter Haviland, chief architect and head of business architecture within Ernst & Young’s Advisory Services practice, summarizes each of the plenary sessions, including:

  • “IT Capacity Build Up and Enterprise Architecture Enablement – Transformation at Ministry of Foreign Affairs” by Saeed Al Daheri, IT director of the UAE Ministry of Foreign Affairs
  • “World Class EA 2012: Putting Your Architecture Team In the Middle of Enterprise Transformation” by Peter Haviland, chief architect and head of business architecture advisory services at Ernst & Young, U.S.
  • “Future Airborne Capability Environment (FACE™): Transforming the DoD Avionics Software Industry Through the Use of Open Standards” by Kirk Avery, Lockheed Martin and Judy Cerenzia, The Open Group

Filed under Conference, Enterprise Architecture, Enterprise Transformation, FACE™

Cannes Conference Day 2: Proactively Engaging in the Transformation Process Paramount for Enterprise Architects

By The Open Group Conference Team

After the conference’s first night on the French Riviera, Day 2 of the Cannes Conference continued with the theme of transformation. The first plenary session led by Dr. Saeed Al Daheri, IT director of the United Arab Emirates Ministry of Foreign Affairs (MOFA), examined how one of the world’s emerging countries emphasized the alignment of IT and strategy.

MOFA wanted to increase performance by building up process, people and technology. Dr. Al Daheri was in charge of this project and decided to focus on three key initiatives: establishing EA, building IT capacity and running quick wins. MOFA wanted its Enterprise Architecture (EA) program to become central to the operation of IT and to have a mandate over all domains of the enterprise, including business strategy all the way down to business processes. EA provided the foundation to align IT and business, which was considered to be of paramount importance.

As with most major transformations within an organization, Dr. Al Daheri and his team faced several key challenges, including leadership endorsement, recruitment, and the IT culture and traditional view of IT. Through clear communication and education, the project received a top-down mandate that helped the team win buy-in from key stakeholders, which was essential for success. Regarding recruiting, the skills of an architect were hard to come by, especially one who speaks Arabic, so in order to succeed the IT department added 10 new positions to support this initiative and created a training program to develop the skills of existing staff. Finally, through more proactive engagement with the rest of MOFA, and by anticipating business needs and outlining clear roles and responsibilities, IT was able to work hand-in-hand with the business to achieve the ultimate goal of increased performance.

Through careful planning and proper implementation, MOFA was able to reduce vendor selection to 5 weeks, realize 26% cost savings and reduce project time by 17% – truly transformative results that were achieved through IT and business alignment.

A New Approach to EA: Less Thinking, More Doing

In the second plenary session, Peter Haviland, chief architect and head of business architecture within Ernst & Young’s Advisory Services, along with two colleagues, Mick Adams and Garth Emrich, presented “World-Class EA 2012: Less Thinking, More Doing.” There’s a lot of talk of enterprise transformation, but how involved are enterprise architects in this process? Haviland started the presentation by asking the question, “How many architects are truly seeking out proactive opportunities?”

Haviland argued that EA is in a prime position to help transform organizations by improving the execution of strategy across business functions and the investment in process, tools, training and IT. But in order to do so, architects need to seek out opportunities to become a crucial part of enterprise transformation. Haviland listed four questions that architects need to ask themselves to become more proactive.

  • What’s the context? Understanding the context of the situation is key to enabling enterprise transformation. EAs need to take a step back and look at the bigger picture, rather than purely focusing on building models. This will ensure alignment with the overall business strategy.
  • How do you flex your capability? Once you have completed your situational analysis, how can your skills translate into producing the desired results? Using your skills to help the enterprise achieve its goal of enterprise transformation will ultimately raise the visibility of EA within your organization.
  • What are the risks, opportunities and costs? E&Y recently completed a global survey that explored the top 10 risks that can be turned into opportunities, with the number one risk being regulation and compliance. It’s essential to understand the risks, opportunities and costs before embarking on enterprise transformation, for that is where the biggest gains can be realized.
  • If I’m an architect, what do I want to own? Assess the project and determine where your skill set will provide the biggest overall impact. This will allow you to provide the most value as an architect and set you up for success.

Being more proactive will not only help architects become a more integral part of their organization, but it will also establish EA as a key driver of enterprise transformation.

How to Create Value in the FACE™ of Shrinking Government Budgets

Improving performance while cutting costs – this is the mandate of most organizations these days, including governments. While cuts to the U.S. Department of Defense (DoD) budget require it to scale back on new platforms and funding for military technology procurements, the need for civilian safety and military performance continues to be a top priority. But how can the DoD do more with less?

Judy Cerenzia, The Open Group program director for the Future Airborne Capability Environment (FACE) Consortium, and Kirk Avery, chief software architect for Lockheed Martin Mission Systems and Sensors, addressed this question during the final plenary session of the day. This session examined how FACE was able to help the DoD and the avionics industry provide complex mission capability faster in an environment of shrinking budgets.

In order to achieve this goal, FACE saw the need to transform the operating environment by developing a common operating environment (COE) to support applications across multiple DoD avionics systems – something that had never been done before. After reaching out to the DoD and other stakeholders, including corporations that produce military components, FACE concluded that a successful COE would need to support real-time operating systems, stability, competition to prevent vendor lock-in, the ability to withstand extreme environmental conditions and a system life that spans many years.

With this in mind, FACE set out to develop a non-proprietary open environment that enabled a flexible software open systems architecture. The hard work of the consortium, which was established in June 2010, resulted in the creation of the FACE Business Guide and the recently released FACE Technical Standard. Both deliverables have helped the DoD and the avionics industry achieve their goal of providing complex mission capability faster with less budget and realize other benefits that include:

  • Reduction of time to field capabilities of new technologies
  • Interoperable software components within the environment
  • Portability of software components across avionics platforms
  • Reduction of integration effort, schedule and cost
  • Enablement of truly open software components in existing and future avionics systems

Transformation within the government is quite an accomplishment, and FACE is looking to further develop common operating environments through continued collaboration between government and the avionics industry.

A Day 2 video recap by Peter Haviland will be published soon. To view the full list of conference sessions, please visit http://www3.opengroup.org/cannes2012

Filed under Conference, Enterprise Architecture, Enterprise Transformation, FACE™, TOGAF®

Cannes Conference Day 1: Communication Key for Business Transformation, According to Open Group Speakers

By The Open Group Conference Team

Video recap by Dave Lounsbury, CTO of The Open Group

Much like the wind that blows through the Côte d’Azur, talk of business transformation swept through Cannes like a warm breeze yesterday as Day 1 of The Open Group Cannes Conference concluded. The underlying theme of the day was communication and shared languages – a common concept for all enterprise architects, but this time with a slight twist.

Innovator Dr. Alex Osterwalder presented the first session of the day, entitled “Business Models, IT and Enterprise Transformation,” which discussed concepts from his well-known book “Business Model Generation.” As Dr. Osterwalder explained, there is often a language gap between IT and strategy when it comes to business models, which is why long meetings are largely unproductive.

Dr. Alex Osterwalder explaining the business model canvas

Dr. Osterwalder stressed the importance of simplicity in models, meaning that business models should be created in such a way that anyone in the company can understand them upon first glance. This is the basis for a concept Osterwalder calls the business model canvas, a literal illustration of an organization’s business model using the following key assets – key partners, key activities, key resources, value propositions, customer relationship, channels, customer segments, cost structure and revenue streams.

The audience was then encouraged to work in pairs and use the business model canvas to break down the business model of one participant. Each group had eight minutes to map out the nine components on a large sheet of paper representing the business model canvas, using post-its. The audience enjoyed this exercise, which demonstrated that creating a business model does not have to be a laborious process, and that simple is often best.

Dr. Osterwalder went on to discuss real-life examples such as Apple’s iPod and Nestlé Nespresso, dissecting each company’s business model using the business model canvas to learn why both endeavors were so successful. Apple was disruptive because, as Steve Jobs said when the first iPod was released, “It’s a thousand songs in your pocket.” The iPod created a dependency on the product and the iTunes service, and one of the unknown factors of the customer relationship was that iTunes made it so easy to upload and manage your music that the barrier to switching services was too high for most consumers. Nespresso’s business model was built on the creation of the single-drink aluminum cans, the product’s key resource, which are only made by Nespresso.

Companies of all sizes have used the business model canvas to adjust their business models, including Fortune 500 companies and government organizations, and Dr. Osterwalder argued that enterprise architects can act as a bridge between strategy and IT, facilitating communication between all facets of the business and overseeing the management of business models.

BNP Paribas saves 1.5B Euro through Careful Business Transformation

In the next plenary session, Eric Boulay, CEO of Arismore, and Hervé Gouezel, Advisor to the CEO of BNP Paribas, looked at how enterprise architects can do a better job of presenting CEOs with Enterprise Architecture’s value proposition. Conversely, Boulay stated that CEOs also need to outline the expectations enterprise architects must meet in order to enable business transformation.

Boulay argued that a director of transformation is now needed within organizations to manage and develop transformation capability. The results of Enterprise Architecture must be merchandised at the C-level in order to communicate business value, and through this new role the director of transformation would enable architects to continue to invent.

In the same session, Hervé Gouezel discussed the 2009 merger of BNP Paribas and Fortis Bank and the strategy that went into creating a somewhat seamless transition. The original plan had three phases: phase 1 – take six days to pick new management and six weeks to define taskforces, workgroup organizations and stabilization measures; phase 2 – take six months to plan and synergize; and phase 3 – implement projects and programs over a three year period.

Needless to say, this was a huge undertaking, and the goal of the three-phase process was to save the company 500 million Euros. With careful planning and implementation and by following the three-phased approach, BNP Paribas saved over 1.5 billion Euros – three times the targeted amount! This goes to show that careful planning and implementation can lead to true business transformation.

The Semantics of Enterprise Architecture

Len Fehskens, VP of skills and capabilities at The Open Group, presented the final plenary of the day. Fehskens revisited Enterprise Architecture’s most basic, yet seemingly impossible question: How do you define Enterprise Architecture?

Bewildered by the fact that so many different opinions exist around a discipline that nominally has one name, Fehskens went on to discuss the danger of assumptions and the fact that assumptions are rarely made explicit. He also exposed the biggest assumption of all: We’re all sharing the same assumptions about Enterprise Architecture (EA).

Fehskens urged architects to remain open-minded and be aware of the differing perspectives regarding what EA is. The definition of Enterprise Architecture at this point encompasses a variety of opinions, and even if your definition is “correct,” it’s necessary for architects to understand that logical arguments do not change strongly held beliefs. Fehskens ended the session by presenting the teachings of St. Augustine: “Let us, on both sides, lay aside all arrogance. Let us not, on either side, claim that we have already discovered the truth. Let us seek it together as something which is known to neither of us. For then only may we seek it, lovingly and tranquilly, if there be no bold presumption that it is already discovered and possessed.”

In other words, Fehskens said, before Enterprise Architecture can move forward as a discipline and fulfill its potential within the enterprise, architects must first learn to agree to disagree regarding the definition of EA. Communication must first be established before true business transformation (and the value of EA) can be realized.

Day 2 of the conference looks to be equally exciting, continuing the theme of enterprise transformation. To view the sessions for the remainder of the conference, please visit: http://www3.opengroup.org/cannes2012

Filed under Conference, Enterprise Architecture, Enterprise Transformation

Connect with @theopengroup on April 17 for an Identity Management Tweet Jam #ogChat

By Patty Donovan, The Open Group

In about a week, The Open Group will be hosting its very first tweet jam! In case you’re not familiar with tweet jams, a tweet jam is a one-hour “discussion” hosted on Twitter. The purpose of the tweet jam is to share knowledge and answer questions on a chosen topic – in this case, identity management. Each tweet jam is led by a moderator (The Open Group) and a dedicated group of experts to keep the discussion flowing. The public (or anyone on Twitter interested in the topic) is free (and encouraged!) to join the discussion.

Tweet, Tweet – Come Join Us

You can join our Identity Management Tweet Jam on April 17 at 9:00 a.m. PT/12:00 p.m. ET/5:00 p.m. BST. We welcome Open Group members and interested participants from all backgrounds to participate in the session and interact with our panel of experts in the identity management space.

Here is the current line-up for our expert panel:

To access the discussion, please follow the #ogChat hashtag next Wednesday during the allotted discussion time. Other hashtags we recommend you use for this tweet jam that encompass the topics that will be discussed include:

  • Identity management: #IdM
  • Single sign-on: #SSO
  • Cloud computing: #cloud
  • Mobile: #mobile
  • IT security: #ITSec
  • Information security: #InfoSec
  • Enterprise identity: #EntID
  • Identity ecosystem: #IDecosys

Below is a list of the questions that will be addressed during the hour-long discussion:

  1. What are the biggest challenges of identity management today?
  2. What should be the role of governments and private companies in creating identity management standards?
  3. What are the barriers to developing an identity ecosystem?
  4. Identity attributes may be valuable and subject to monetization. How will this play out?
  5. How secure are single sign-on schemes through Web service providers such as Google and Facebook?
  6. Is identity management more or less secure on mobile devices?

Participation Guidance

Whether you’re a newbie or veteran Twitter user, here are a few tips to keep in mind:

  • Have your first #ogChat tweet be a self-introduction: name, affiliation, occupation.
  • Start all other tweets with the question number you’re responding to and the #ogChat hashtag.
    • Sample: “Q2: @theopengroup, attributes are absolutely more critical than biometrics #IdM #ogChat”
  • Please refrain from product or service promotions. The goal of a tweet jam is to encourage an exchange of knowledge and stimulate discussion.
  • While this is a professional get-together, we don’t have to be stiff! Informality will not be an issue!
  • A tweet jam is akin to a public forum, panel discussion or Town Hall meeting – let’s be focused and thoughtful.

If you have any questions prior to the event, please direct them to Rod McLeod (rmcleod at bateman-group dot com). We anticipate a lively chat on April 17, so we hope you will be able to join!

Patricia Donovan is Vice President, Membership & Events, at The Open Group and a member of its executive management team. In this role she is involved in determining the company’s strategic direction and policy as well as the overall management of that business area. Patricia joined The Open Group in 1988 and has played a key role in the organization’s evolution, development and growth since then. She also oversees the company’s marketing, conferences and member meetings. She is based in the US.

Filed under Identity Management, Tweet Jam

Why We Can’t Agree on What We Mean by “Enterprise Architecture” and Why That’s OK, At Least for Now

By Leonard Fehskens, The Open Group

Many people have commented that one of the most significant consequences of the Internet is the “democratization of commentary.” The ability to comment on subjects of interest to a community is no longer limited to those few who have access to traditional methods of broadcast communications (e.g., printed media, radio and television). At the same time, membership in such communities is no longer limited to those who are physically proximate. The result is everyone has a wide-reaching public voice now (even this blog is one such example).

The chorus of public voices speaking about Enterprise Architecture has created something of a din. Over the past several years my listening to this chorus has revealed an extraordinary diversity of opinion about what we mean by “Enterprise Architecture.” I have tried to sort out and categorize this diversity of opinion to try to understand how the Enterprise Architecture community could think so many different things about the idea that unites it. Creating a true profession of Enterprise Architecture will require that we come to some sort of convergence and agreement as to what the profession is about, and I hope that understanding the roots of this wide diversity of opinion will facilitate achieving that convergence.

At The Open Group Conference in Cannes, France later this month, I will be speaking on this subject. Here is a preview of that talk.

Assumptions and Approaches

In many discussions about Enterprise Architecture I have seen preliminary apparent agreement rapidly disintegrate into disagreement bordering on hostility. People who initially thought they were saying the same things discovered as they explored the implications of those statements that they actually meant and understood things quite differently. How can this happen?

There seem to me to be two things that contribute to this phenomenon. The first is the assumptions we make, and the second is the approaches we adopt in defining, thinking about and talking about Enterprise Architecture. As important as the nature of these assumptions and approaches is the fact that we are almost never explicit about them. Indeed, one of the most widespread and consequential assumptions we make is that we all share the same assumptions.

To keep this article short and to avoid “stealing my own thunder” from my upcoming conference presentation, I’m going to step from the tip of one iceberg to the next, hopefully whetting your appetite for a more in-depth treatment.

How We Approach the Problem

There are an even half dozen ways that I have observed people approach the problem of defining Enterprise Architecture that have, by their use, created additional problems. They are:

  • The use of ambiguous language – many of the words we have borrowed from common usage to talk about Enterprise Architecture have multiple meanings.
  • Failing to understand, and account for, the difference between denotation and connotation – a word denotes its literal meaning, but it also connotes a set of associations. We may all agree explicitly on what a word denotes, but at the same time each hold, probably implicitly, very different connotative associations for the word.
  • The use of figures of speech (metaphor, simile, metonymy, synecdoche) – figures of speech are expressive rhetorical gestures, but they too often have very little practical value as models for reasoning about the subject to which they are applied.
  • Conflation – the inclusion of a related but distinct discipline as an integral part of Enterprise Architecture.
  • Mixing up roles and job definitions or job descriptions – jobs are defined to meet the needs of a specific organization and may include parts of many different roles.
  • The “blind men and the elephant” syndrome – defining something to be the part of it that we individually know.

The Many Things We Make Assumptions About

The problem with assumptions is not that we make them, but that we do so implicitly, or worse, unknowingly. Our assumptions often reflect legitimate choices that we have made, but we must not forget that there are other possible choices that others can make.

I’ve identified fifteen areas where people make assumptions that lead to sometimes radically different perspectives on Enterprise Architecture. They have to do with things like what we think “architecture,” “enterprise,” and “business” mean; what we think the geography, landscape or taxonomy of Enterprise Architecture is; how we name or think we should name architectures; what kinds of things can have architectures; what we think makes a good definition; and several more. Come to my talk at The Open Group conference in Cannes at the end of the month if you want to explore this very rich space.

What Can We Do?

It’s tempting, when someone comes at a problem from a different perspective or makes a different choice from among a number of options, to conclude that they don’t understand our position, or, too often, that they are simply wrong. Enterprise Architecture is a young discipline, and it is still sorting itself out. We need to remain open to alternative perspectives, and rather than focus on our differences, look for ways to accommodate these different perspectives under unifying generalizations. The first step to doing so is to be aware of our assumptions, and to acknowledge that they are not the only assumptions that might be made.

In the words of St. Augustine, “Let us, on both sides, lay aside all arrogance. Let us not, on either side, claim that we have already discovered the truth. Let us seek it together as something which is known to neither of us. For then only may we seek it, lovingly and tranquilly, if there be no bold presumption that it is already discovered and possessed.”

Len Fehskens is Vice President of Skills and Capabilities at The Open Group. He is responsible for The Open Group’s activities relating to the professionalization of the discipline of enterprise architecture. Prior to joining The Open Group, Len led the Worldwide Architecture Profession Office for HP Services at Hewlett-Packard. Len is based in the US.

Filed under Conference, Enterprise Architecture