Category Archives: Cybersecurity

The Open Group Austin 2016 Event Highlights

By Loren K. Baynes, Director, Global Marketing Communications, The Open Group

During the week of July 18th, The Open Group hosted over 200  attendees from 12 countries at the Four Seasons hotel on the beautiful banks of Lady Bird Lake in Austin, Texas, USA.

On Monday, July 18, Steve Nunn, President and CEO of The Open Group, welcomed the audience and set the stage for all the great upcoming speakers and content.

Steve’s remarks included the recent release of the Open Business Architecture (O-BA) Preliminary Standard Part I to Support Business Transformation.  This is the first in a series of installments that will help Business Architects get to grips with transformation initiatives and manage the demands of key stakeholders within the organization. Steve also referenced William Ulrich, President, Business Architecture Guild, who consulted on the development of the standard.

The plenary began with Jeff Scott, President, Business Innovation Partners, with his presentation “The Future of Business Architecture, Challenges and Opportunities”.  Jeff stated some interesting facts, which included noting that Architects are among the best and brightest members of our organizations.  He also stated that Business Architects need support from a wide group of senior managers, not just the CEO. The ultimate goal of Business Architecture is not to model the organization but to unlock organizational capacity and move forward.

By Loren K. Baynes

Jeff Scott

The Business Architecture (BA) theme continued with Aaron Rorstrom, Principal Enterprise Architect, Capgemini.  Aaron further elaborated on The Open Business Architecture (O-BA) Standard.  The O-BA Standard provides guidance to companies for establishing BA practice and addresses three transformation challenges: consistent communication, alignment and governance, systemic nature.

The sessions were followed by Q&A moderated by Steve Nunn.

Up next was “ArchiMate® 3.0 – A New Standard for Architecture” with Marc Lankhorst, Managing Consultant and Service Line Manager, Enterprise Architect, BiZZdesign and Iver Band, Enterprise Architect, Cambia Health Solutions.

Marc and Iver discussed practical experiences and a Healthcare case study, which included a discussion on personal health and wellness websites.

ArchiMate®, an Open Group standard, provides a language with concepts to describe architectures; a framework to organize these concepts; a graphical notation for these concepts; a vision on visualizations for different stakeholders. ArchiMate 3.0 has recently been released due to: the increasing demand for relating Enterprise Architecture (EA) to business strategy; technology innovations that mix IT and physical world; usage in new domains (i.e. manufacturing, healthcare, retail); improved consistency and comprehensibility; improved alignment between Open Group standards, notably TOGAF®.

The final session of Monday’s plenary featured a panel on “Architecture Standards Development” with Marc Lankhorst, Iver Band, Mike Lambert (Fellow of The Open Group) and Harry Hendrickx (Business Architect, Hewlett Packard Enterprise).  Moderated by Chris Forde, GM, Asia Pacific and VP, Enterprise Architecture, The Open Group, the panel represented a diverse group of the population contributing to the development of open standards.

In the afternoon, sessions were divided into tracks – Security, ArchiMate, Open Business Architecture.

Don Bartusiak, Chief Engineer, Process Control, ExxonMobil Research & Engineering presented “Security in Industrial Controls – Bringing Open Standards to Process Control Systems”.  Don went into detail on the Breakthrough R&D project which is designed to make step-change improvement to reduce cost to replace and to increase value generation via control system.  ExxonMobil is working with The Open Group and others to start-up a consortium of end user companies, system integrators, suppliers, and standards organizations for sustained success of the architecture.

Also featured was “Applying Open FAIR in Industrial Control System Risk Scenarios” by Jim Hietala, VP, Business Development and Security, The Open Group.  The focus of ICS systems is reliability and safety.  Jim also shared some scenarios of recent real life cyberattacks.

The evening concluded with guests enjoying a lively networking reception at the Four Seasons.

Day two on Tuesday, July 19 kicked off the Open Source/Open Standards day with a discussion between Steve Nunn and Andras Szakal, VP & CTO, IBM U.S. Federal. Steve and Andras shared their views on Executable Standards: convergence of creation of open source and innovation standards; the difference between Executable Standards and traditional standards (i.e. paper standards); emergence of open source; ensuring interoperability and standardization becomes more effective of time. They further explored open technology as driving the software defined enterprise with SOA, social, Open Cloud architecture, e-Business, mobile, big data & analytics, and dynamic cloud.

A panel session continued the conversation on Open Standards and Open Source.  The panel was moderated by Dave Lounsbury, CTO and VP, Services for The Open Group.  Panelists were Phil Beauvoir, Archi Product Manager, Consultant; John Stough, Senior Software Architect, JHNA, Inc.; Karl Schopmeyer, Independent Consultant and representing Executable Standards activity in The Open Group.  Topics included describing Archi, Future Airborne Capability Environment (FACE™, a consortium of The Open Group) and OpenPegasus™, an open-source implementation of the DMTF, CIM and WBEM standards.

The Open Group solves business problems with the development and use of open standards.  Interoperability is key.  Generally, no big barriers exist, but there are some limitations and those must be realized and understood.

Steve presented Karl with a plaque in recognition of his outstanding leadership for over 20 years of The Open Group Enterprise Management Forum and OpenPegasus Project.

Rick Solis, IT Business Architect, ExxonMobil Global Services Co. presented “Driving IT Strategic Planning at IT4IT™ with ExxonMobil”.  Business is looking for IT to be more efficient and add value. ExxonMobil has been successfully leveraging IT4IT concepts and value chain. The IT4IT™ vision is a vendor-neutral Reference Architecture for managing the business of IT.  Rich emphasized people need to think about the value streams in the organization that add up to the business value.  Furthermore, it is key to think seamlessly across the organization.

Joanne Woytek, Program Manager for the NASA SEWP Program, NASA spoke about “Enabling Trust in the Supply Chain”.  SEWP (Solutions for Enterprise-Wide Procurement) is the second biggest IT contract in the US government.  Joanne gave a brief history of their use of standards, experience with identifying risks and goal to improve acquisition process for government and industry.

Andras Szakal again took the stage to discuss mitigating maliciously tainted and counterfeit products with standards and accreditation programs.  The Open Trusted Technology Provider™ Standard (O-TTPS) is an open standard to enhance the security of the global supply chain and the integrity of Commercial Off The Shelf (COTS) Information and Communication Technology (ICT). It has been approved as an ISO/IEC international standard.

Afternoon tracks consisted of Healthcare, IT4IT™, Open Platform 3.0™ and Professional Development.  Speakers came from organizations such as IBM, Salesforce, Huawei, HPE and Conexiam.

The evening culminated with an authentic Texas BBQ and live band at Laguna Gloria, a historic lakefront landmark with strong ties to Texas culture.

By Loren K. Baynes

The Open Group Austin 2016 at Laguna Gloria

Wednesday, July 20 was another very full day.  Tracks featured Academia Partnering, Enterprise Architecture, Open Platform 3.0 (Internet of Things, Cloud, Big Data, Smart Cities), ArchiMate®.  Other companies represented include San Jose State University, Quest Diagnostics, Boeing, Nationwide and Asurion.

The presentations are freely available only to members of The Open Group and event attendees.  For the full agenda, please click here.

In parallel with the Wednesday tracks, The Open Group hosted the third TOGAF® User Group Meeting.  The meeting is a lively, interactive, engaging discussion about TOGAF, an Open Group standard.  Steve Nunn welcomed the group and announced there are almost 58,000 people certified in TOGAF.  It is a very large community with global demand and interest.  The key motivation for offering the meeting is to hear from people who aren’t necessarily ‘living and breathing’ TOGAF. The goal is to share what has worked, hasn’t worked and meet other folks who have learned a lot from TOGAF.

Terry Blevins, Fellow of The Open Group, was the emcee.  The format was an “Oxford Style” debate with Paul Homan, Enterprise Architect, IBM and Chris Armstrong, President, Armstrong Processing Group (APG).  The Proposition Declaration: Business Architecture and Business Architects should be within the business side of an organization. Chris took the ‘pro’ position and Paul was ‘con’.

Chris believes there is no misalignment with Business and IT; business got exactly what they wanted.  Paul queried where do the Business Architectures live within the organization? BA is a business-wide asset.  There is a need to do all that in one place.

Following the debate, there was an open floor with audience questions and challenges. Questions and answers covered strategy in Architecture and role of the Architect.

The meeting also featured an ‘Ask the Experts’ panel with Chris Forde; Jason Uppal, Chief Architect, QRS; Bill Estrem, TOGAF Trainer, Metaplexity Associates; Len Fehskens, Chief Editor, Journal of Enterprise Architecture, along with Chris Armstrong and Paul.

Organizations in attendance included BMC Software, City of Austin, Texas Dept. of Transportation, General Motors, Texas Mutual Insurance, HPE, IBM.

A more detailed blog of the TOGAF User Group meeting will be forthcoming.

A special ‘thank you’ to all of our sponsors and exhibitors:  avolution, BiZZdesign, Good e-Learning, Hewlett Packard Enterprise, AEA, Orbus Software, Van Haren Publishing

@the opengroup #ogAUS

Hope to see you at The Open Group Paris 2016! #ogPARIS

By Loren K. BaynesLoren K. Baynes, Director, Global Marketing Communications, joined The Open Group in 2013 and spearheads corporate marketing initiatives, primarily the website, blog, media relations and social media. Loren has over 20 years experience in brand marketing and public relations and, prior to The Open Group, was with The Walt Disney Company for over 10 years. Loren holds a Bachelor of Business Administration from Texas A&M University. She is based in the US.

 

 

Comments Off on The Open Group Austin 2016 Event Highlights

Filed under Accreditations, ArchiMate, ArchiMate®, Association of Enterprise Architects, Business Architecture, Business Transformation, Certifications, Cloud, COTS, Cybersecurity, digital technologies, Digital Transformation, EA, enterprise architecture, Internet of Things, Interoperability, Jeff Kyle, O-TTPS, Open FAIR, Open Platform 3.0, Professional Development, Security, Standards, Steve Nunn, The Open Group Austin 2016, TOGAF®, TOGAF®

The Open Group London 2016 – Day One Highlights

By Loren K. Baynes, Director, Global Marketing Communications, The Open Group

On Monday, April 25th, The Open Group London 2016 kicked off with an opening speech from The Open Group President and CEO Steve Nunn to a packed room at the Central Hall Westminster.  The magnificent venue is just a stone’s throw from the iconic Westminster Abbey. Almost 300 guests from 27 countries around the globe have joined this exciting, informative event.

After a warm welcome and a recap of the successes of The Open Group IT4IT™ Forum to date – including the launch of the Standard and Management Guide – Steve went on to announce the launch of the IT4IT™ Certification Program.

The IT4IT Foundation Certification is now available to individuals who demonstrate knowledge and understanding of the IT4IT™ Reference Architecture, Version 2.0 standard. The first level of certification being launched provides validation that the candidate has gained knowledge of the terminology, structure, basic concepts, and understands the core principles of the IT4IT Reference Architecture and the IT Value Chain.

Monday’s plenary sessions continued the focus on  IT4IT, beginning with a presentation from Tony Price, Director, WW IT4IT Strategic Consulting, Hewlett Packard Enterprise, and Erik van Busschbach, World-Wide Chief Technologist for IT Management, HPE Software Services CTO Office, Hewlett Packard Enterprise. Erik and Tony explained how organizations can use IT4IT to move away from talking about Architecture towards discussions around business value. Every audience wants value but they all perceive this value in different ways. Tony explained the importance of contextualizing value to individuals in order for it to be effective.

By Loren K. Baynes, Director, Global Marketing Communications

Erik van Busschbach, Tony Price, Steve Nunn

The IT4IT discussion also featured a joint presentation on ‘Managing the Business of IT’ from Michael Fulton, Principal Architect, CC&C Solutions; David Hornford, Managing Partner, Conexiam; Luke Bradley, Principle Architect, Technology Shared Services Centre, Vodafone Group; David Gilmour, Director, Panastra Pte Ltd, Singapore.

The speakers went into detail about the impact IT4IT can have on an organization. Mike Fulton started with the basics of IT4IT and the Value Chain model, before going on to discuss where IT4IT fits into TOGAF®, an Open Group standard, COBIT and Agile. Luke Bradley provided insight into how IT4IT was being used at Vodafone Group, where there are four main areas of transformation – process, service model, organization, and technology. The importance of getting away from bulk renewal projects and moving towards smaller sensible building blocks was stressed by David Gilmour, who also explained how IT4IT was a “jolly good thing” for business, which raised a smile in the packed-out room.

Gunnar Menzel, Vice President & Chief Architect Officer, ‎Capgemini, came to the stage proudly displaying his medal from the London Marathon from the day before the event – many congratulations to him for a fantastic time of 03:52:15! His presentation focused on how IT4IT can help with Agile DevOps. Businesses that realize DevOps’ full potential are more agile in providing new products and services and can deliver superior quality, but enterprises often encounter difficulties due to the growing number of product choices, definitions and services.

Gunnar directed delegates to The Open Group whitepaper, ‘IT4IT™ Agile Scenario’, which was released in February 2016 and includes a DevOps definition, DevOps Maturity Model as well as a DevOps Implementation framework.

The final session before Monday’s break for lunch came from Henry Franken, CEO at BiZZdesign and chair of The ArchiMate® Forum at The Open Group. Henry presented the results of a survey looking at business transformation, noting that a “business as usual” approach is preventing effective business transformation, along with a lack of strategic design insights and a lack of organizational commitment. He explained how businesses should be taking small steps to embrace change, collaborate on change and make sure to utilize techniques to digitize change capabilities.

The afternoon saw additional tracks taking place on IT4IT, Security and Enterprise Architecture, including:

  • Trusted and Secure OpenStack Cloud, Shawn Mullen, Cloud Security Architect, IBM, US
  • Seven Reasons IT4IT™ is Good News for Architects, Daniel Warfield, Senior Enterprise Architect, CC&C Americas
  • A Future for Enterprise Architecture, Len Fehskens, Chief Editor, Association of Enterprise Architects
  • Mils Initiatives: Emerging Open Group Standards for Modular Approach to Critical Systems, Rance DeLong, Staff Scientist – EC Projects, The Open Group

Sally Long, Director of The Open Group Trusted Technology Forum (OTTF), also presented on OTTF in a session which focused on cybersecurity and supply chain risks, how the standard and the accreditation can address them, and what steps organizations can take to assure products are more secure and enterprises stay safe. The presentation was a recap of a recently recorded webinar which can be found here.

Robert Wiesman, CEO at Build the Vision Inc., took the opportunity to discuss his use of EA as a business technique to conduct Architecture-based planning for a huge business transformation.

After a full day of sessions, the first day of the London event concluded with drinks and networking at the Central Hall Westminster.

@theopengroup #ogLON

By Loren K. Baynes, Director, Global Marketing CommunicationsLoren K. Baynes, Director, Global Marketing Communications, joined The Open Group in 2013 and spearheads corporate marketing initiatives, primarily the website, blog, media relations and social media. Loren has over 20 years experience in brand marketing and public relations and, prior to The Open Group, was with The Walt Disney Company for over 10 years. Loren holds a Bachelor of Business Administration from Texas A&M University. She is based in the US.

 

Comments Off on The Open Group London 2016 – Day One Highlights

Filed under Accreditations, ArchiMate, ArchiMate®, Boundaryless Information Flow™, Certifications, digital business, Enterprise Architecture, Enterprise Transformation, interoperability, IT4IT, OTTF, standards, Steve Nunn, The Open Group London 2016, TOGAF®, TOGAF®

The Open Group London 2016 to Take Place April 25-28

By The Open Group

The Open Group, the vendor-neutral IT consortium, is hosting an event in London, April 25-28. Following on from the San Francisco event earlier this year, The Open Group London 2016 will focus on how Enterprise Architecture is enabling organizations to build better systems through architecting for digital business strategies.

The event will be held at Central Hall Westminster and key speakers include:

  • Steve Nunn,  President & CEO, The Open Group
  • Gunnar Menzel, VP, Chief Architect Officer, Capgemini Infrastructure
  • Shawn Mullen, Cloud Security Architect, IBM
  • Nemanja Kostic, Head of Application Architecture, Zurich Insurance
  • Gururaj Anjan, Enterprise Architect, Tata Consultancy Services

Full details on the range of speakers can be found here.

Monday’s keynote session, including presentations from both vendors and end-user organizations, will look at IT4IT™ and managing the business of IT. It will address how CIOs can go beyond current process-based approaches and equip their teams with the right information and tools to support new ecosystem collaborations, completely automate end-to-end workflows, and provide the business with the controls to govern IT.

The first UK/European TOGAF® User Group meeting will also take place on April 27. Attendees will have the opportunity to network with industry peers, expand their knowledge and collaborate to bring a strong user community.  The inaugural TOGAF User Group meeting in San Francisco earlier this year was very productive and engaging.

The London event will cover key themes relating to The Open Group industry forums including Healthcare, IT4IT, Open Platform 3.0™, and Risk, Dependability & Trusted Technology. Additional topics of discussion at the three-day event will include:

  • EA & Government – the increasing awareness of EA and the growing adoption of TOGAF® in India. Plenary presentations include a focus on the e-Pragati initiative of the state of Andhra Pradesh
  • ArchiMate® – New features and practical use cases
  • The Open Business Data Lake a reference architecture that demonstrates how to leverage more internal and external data, how to be more agile in creating insights for business value and how to improve the productivity of actually delivering it

Registration for The Open Group London event is open now, available to members and non-members, and can be found here.

Get event updates via Twitter – @theopengroup #ogLON

Sponsors and exhibitors include: avolution, BiZZdesign, Good e-Learning, Hewlett Packard Enterprise (HPE), Troux by Planview, Association of Enterprise Architects (AEA), Orbus, Van Haren Publishing, itSMF UK

Comments Off on The Open Group London 2016 to Take Place April 25-28

Filed under ArchiMate, ArchiMate®, architecture, Association of Enterprise Architects, digital business, EA, enterprise architecture, Healthcare, Internet of Things, Interoperability, IT4IT, OTTF, Security Architecture, Standards, Steve Nunn, The Open Group, The Open Group London 2016, TOGAF®, Uncategorized

The Open Trusted Technology Provider™ Standard (O-TTPS) Approved as ISO/IEC International Standard

The Open Trusted Technology Provider™ Standard (O-TTPS), a Standard from The Open Group for Product Integrity and Supply Chain Security, Approved as ISO/IEC International Standard

Doing More to Secure IT Products and their Global Supply Chains

By Sally Long, The Open Group Trusted Technology Forum Director

As the Director of The Open Group Trusted Technology Forum, I am thrilled to share the news that The Open Trusted Technology Provider™ Standard – Mitigating Maliciously Tainted and Counterfeit Products (O-TTPS) v 1.1 is approved as an ISO/IEC International Standard (ISO/IEC 20243:2015).

It is one of the first standards aimed at assuring both the integrity of commercial off-the-shelf (COTS) information and communication technology (ICT) products and the security of their supply chains.

The standard defines a set of best practices for COTS ICT providers to use to mitigate the risk of maliciously tainted and counterfeit components from being incorporated into each phase of a product’s lifecycle. This encompasses design, sourcing, build, fulfilment, distribution, sustainment, and disposal. The best practices apply to in-house development, outsourced development and manufacturing, and to global supply chains.

The ISO/IEC standard will be published in the coming weeks. In advance of the ISO/IEC 20243 publication, The Open Group edition of the standard, technically identical to the ISO/IEC approved edition, is freely available here.

The standardization effort is the result of a collaboration in The Open Group Trusted Technology Provider Forum (OTTF), between government, third party evaluators and some of industry’s most mature and respected providers who came together as members and, over a period of five years, shared and built on their practices for integrity and security, including those used in-house and those used with their own supply chains. From these, they created a set of best practices that were standardized through The Open Group consensus review process as the O-TTPS. That was then submitted to the ISO/IEC JTC1 process for Publicly Available Specifications (PAS), where it was recently approved.

The Open Group has also developed an O-TTPS Accreditation Program to recognize Open Trusted Technology Providers who conform to the standard and adhere to best practices across their entire enterprise, within a specific product line or business unit, or within an individual product. Accreditation is applicable to all ICT providers in the chain: OEMS, integrators, hardware and software component suppliers, value-add distributors, and resellers.

While The Open Group assumes the role of the Accreditation Authority over the entire program, it also uses third-party assessors to assess conformance to the O-TTPS requirements. The Accreditation Program and the Assessment Procedures are publicly available here. The Open Group is also considering submitting the O-TTPS Assessment Procedures to the ISO/IEC JTC1 PAS process.

This international approval comes none-too-soon, given the global threat landscape continues to change dramatically, and cyber attacks – which have long targeted governments and big business – are growing in sophistication and prominence. We saw this most clearly with the Sony hack late last year. Despite successes using more longstanding hacking methods, maliciously intentioned cyber criminals are looking at new ways to cause damage and are increasingly looking at the technology supply chain as a potentially profitable avenue. In such a transitional environment, it is worth reviewing again why IT products and their supply chains are so vulnerable and what can be done to secure them in the face of numerous challenges.

Risk lies in complexity

Information Technology supply chains depend upon complex and interrelated networks of component suppliers across a wide range of global partners. Suppliers deliver parts to OEMS, or component integrators who build products from them, and in turn offer products to customers directly or to system integrators who integrate them with products from multiple providers at a customer site. This complexity leaves ample opportunity for malicious components to enter the supply chain and leave vulnerabilities that can potentially be exploited.

As a result, organizations now need assurances that they are buying from trusted technology providers who follow best practices every step of the way. This means that they not only follow secure development and engineering practices in-house while developing their own software and hardware pieces, but also that they are following best practices to secure their supply chains. Modern cyber criminals go through strenuous efforts to identify any sort of vulnerability that can be exploited for malicious gain and the supply chain is no different.

Untracked malicious behavior and counterfeit components

Tainted products introduced into the supply chain pose significant risk to organizations because altered products introduce the possibility of untracked malicious behavior. A compromised electrical component or piece of software that lies dormant and undetected within an organization could cause tremendous damage if activated externally. Customers, including governments are moving away from building their own high assurance and customized systems and moving toward the use of commercial off the shelf (COTS) information and communication technology (ICT), typically because they are better, cheaper and more reliable. But a maliciously tainted COTS ICT product, once connected or incorporated, poses a significant security threat. For example, it could allow unauthorized access to sensitive corporate data including intellectual property, or allow hackers to take control of the organization’s network. Perhaps the most concerning element of the whole scenario is the amount of damage that such destructive hardware or software could inflict on safety or mission critical systems.

Like maliciously tainted components, counterfeit products can also cause significant damage to customers and providers resulting in failed or inferior products, revenue and brand equity loss, and disclosure of intellectual property. Although fakes have plagued manufacturers and suppliers for many years, globalization has greatly increased the number of out-sourced components and the number of links in every supply chain, and with that comes increased risk of tainted or counterfeit parts making it into operational environments. Consider the consequences if a faulty component was to fail in a government, financial or safety critical system or if it was also maliciously tainted for the sole purpose of causing widespread catastrophic damage.

Global solution for a global problem – the relevance of international standards

One of the emerging challenges is the rise of local demands on IT providers related to cybersecurity and IT supply chains. Despite technology supply chains being global in nature, more and more local solutions are cropping up to address some of the issues mentioned earlier, resulting in multiple countries with different policies that included disparate and variable requirements related to cybersecurity and their supply chains. Some are competing local standards, but many are local solutions generated by governmental policies that dictate which country to buy from and which not to. The supply chain has become a nationally charged issue that requires the creation of a level playing field regardless of where your company is based. Competition should be based on the quality, integrity and security of your products and processes and not where the products were developed, manufactured, or assembled.

Having transparent criteria through global international standards like our recently approved O-TTPS standard (ISO/IEC 20243) and objective assessments like the O-TTPS Accreditation Program that help assure conformance to those standards is critical to both raise the bar on global suppliers and to provide equal opportunity (vendor-neutral and country-nuetral) for all constituents in the chain to reach that bar – regardless of locale.

The approval by ISO/IEC of this universal product integrity and supply chain security standard is an important next step in the continued battle to secure ICT products and protect the environments in which they operate. Suppliers should explore what they need to do to conform to the standard and buyers should consider encouraging conformance by requesting conformance to it in their RFPs. By adhering to relevant international standards and demonstrating conformance we will have a powerful tool for technology providers and component suppliers around the world to utilize in combating current and future cyber attacks on our critical infrastructure, our governments, our business enterprises and even on the COTS ICT that we have in our homes. This is truly a universal problem that we can begin to solve through adoption and adherence to international standards.

By Sally Long, OTTF DirectorSally Long is the Director of The Open Group Trusted Technology Forum (OTTF). She has managed customer supplier forums and collaborative development projects for over twenty years. She was the release engineering section manager for all multi-vendor collaborative technology development projects at The Open Software Foundation (OSF) in Cambridge Massachusetts. Following the merger of the OSF and X/Open under The Open Group, she served as director for multiple forums in The Open Group. Sally has a Bachelor of Science degree in Electrical Engineering from Northeastern University in Boston, Massachusetts.

Contact:  s.long@opengroup.org; @sallyannlong

Comments Off on The Open Trusted Technology Provider™ Standard (O-TTPS) Approved as ISO/IEC International Standard

Filed under Accreditations, Cybersecurity, OTTF, Standards, supply chain, Supply chain risk, The Open Group

The Open Group Baltimore 2015 Highlights

By Loren K. Baynes, Director, Global Marketing Communications, The Open Group

The Open Group Baltimore 2015, Enabling Boundaryless Information Flow™, July 20-23, was held at the beautiful Hyatt Regency Inner Harbor. Over 300 attendees from 16 countries, including China, Japan, Netherlands and Brazil, attended this agenda-packed event.

The event kicked off on July 20th with a warm Open Group welcome by Allen Brown, President and CEO of The Open Group. The first plenary speaker was Bruce McConnell, Senior VP, East West Institute, whose presentation “Global Cooperation in Cyberspace”, gave a behind-the-scenes look at global cybersecurity issues. Bruce focused on US – China cyber cooperation, major threats and what the US is doing about them.

Allen then welcomed Christopher Davis, Professor of Information Systems, University of South Florida, to The Open Group Governing Board as an Elected Customer Member Representative. Chris also serves as Chair of The Open Group IT4IT™ Forum.

The plenary continued with a joint presentation “Can Cyber Insurance Be Linked to Assurance” by Larry Clinton, President & CEO, Internet Security Alliance and Dan Reddy, Adjunct Faculty, Quinsigamond Community College MA. The speakers emphasized that cybersecurity is not a simply an IT issue. They stated there are currently 15 billion mobile devices and there will be 50 billion within 5 years. Organizations and governments need to prepare for new vulnerabilities and the explosion of the Internet of Things (IoT).

The plenary culminated with a panel “US Government Initiatives for Securing the Global Supply Chain”. Panelists were Donald Davidson, Chief, Lifecycle Risk Management, DoD CIO for Cybersecurity, Angela Smith, Senior Technical Advisor, General Services Administration (GSA) and Matthew Scholl, Deputy Division Chief, NIST. The panel was moderated by Dave Lounsbury, CTO and VP, Services, The Open Group. They discussed the importance and benefits of ensuring product integrity of hardware, software and services being incorporated into government enterprise capabilities and critical infrastructure. Government and industry must look at supply chain, processes, best practices, standards and people.

All sessions concluded with Q&A moderated by Allen Brown and Jim Hietala, VP, Business Development and Security, The Open Group.

Afternoon tracks (11 presentations) consisted of various topics including Information & Data Architecture and EA & Business Transformation. The Risk, Dependability and Trusted Technology theme also continued. Jack Daniel, Strategist, Tenable Network Security shared “The Evolution of Vulnerability Management”. Michele Goetz, Principal Analyst at Forrester Research, presented “Harness the Composable Data Layer to Survive the Digital Tsunami”. This session was aimed at helping data professionals understand how Composable Data Layers set digital and the Internet of Things up for success.

The evening featured a Partner Pavilion and Networking Reception. The Open Group Forums and Partners hosted short presentations and demonstrations while guests also enjoyed the reception. Areas focused on were Enterprise Architecture, Healthcare, Security, Future Airborne Capability Environment (FACE™), IT4IT™ and Open Platform™.

Exhibitors in attendance were Esteral Technologies, Wind River, RTI and SimVentions.

By Loren K. Baynes, Director, Global Marketing CommunicationsPartner Pavilion – The Open Group Open Platform 3.0™

On July 21, Allen Brown began the plenary with the great news that Huawei has become a Platinum Member of The Open Group. Huawei joins our other Platinum Members Capgemini, HP, IBM, Philips and Oracle.

By Loren K Baynes, Director, Global Marketing CommunicationsAllen Brown, Trevor Cheung, Chris Forde

Trevor Cheung, VP Strategy & Architecture Practice, Huawei Global Services, will be joining The Open Group Governing Board. Trevor posed the question, “what can we do to combine The Open Group and IT aspects to make a customer experience transformation?” His presentation entitled “The Value of Industry Standardization in Promoting ICT Innovation”, addressed the “ROADS Experience”. ROADS is an acronym for Real Time, On-Demand, All Online, DIY, Social, which need to be defined across all industries. Trevor also discussed bridging the gap; the importance of combining Customer Experience (customer needs, strategy, business needs) and Enterprise Architecture (business outcome, strategies, systems, processes innovation). EA plays a key role in the digital transformation.

Allen then presented The Open Group Forum updates. He shared roadmaps which include schedules of snapshots, reviews, standards, and publications/white papers.

Allen also provided a sneak peek of results from our recent survey on TOGAF®, an Open Group standard. TOGAF® 9 is currently available in 15 different languages.

Next speaker was Jason Uppal, Chief Architecture and CEO, iCareQuality, on “Enterprise Architecture Practice Beyond Models”. Jason emphasized the goal is “Zero Patient Harm” and stressed the importance of Open CA Certification. He also stated that there are many roles of Enterprise Architects and they are always changing.

Joanne MacGregor, IT Trainer and Psychologist, Real IRM Solutions, gave a very interesting presentation entitled “You can Lead a Horse to Water… Managing the Human Aspects of Change in EA Implementations”. Joanne discussed managing, implementing, maintaining change and shared an in-depth analysis of the psychology of change.

“Outcome Driven Government and the Movement Towards Agility in Architecture” was presented by David Chesebrough, President, Association for Enterprise Information (AFEI). “IT Transformation reshapes business models, lean startups, web business challenges and even traditional organizations”, stated David.

Questions from attendees were addressed after each session.

In parallel with the plenary was the Healthcare Interoperability Day. Speakers from a wide range of Healthcare industry organizations, such as ONC, AMIA and Healthway shared their views and vision on how IT can improve the quality and efficiency of the Healthcare enterprise.

Before the plenary ended, Allen made another announcement. Allen is stepping down in April 2016 as President and CEO after more than 20 years with The Open Group, including the last 17 as CEO. After conducting a process to choose his successor, The Open Group Governing Board has selected Steve Nunn as his replacement who will assume the role with effect from November of this year. Steve is the current COO of The Open Group and CEO of the Association of Enterprise Architects. Please see press release here.By Loren K. Baynes, Director, Global Marketing Communications

Steve Nunn, Allen Brown

Afternoon track topics were comprised of EA Practice & Professional Development and Open Platform 3.0™.

After a very informative and productive day of sessions, workshops and presentations, event guests were treated to a dinner aboard the USS Constellation just a few minutes walk from the hotel. The USS Constellation constructed in 1854, is a sloop-of-war, the second US Navy ship to carry the name and is designated a National Historic Landmark.

By Loren K. Baynes, Director, Global Marketing CommunicationsUSS Constellation

On Wednesday, July 22, tracks continued: TOGAF® 9 Case Studies and Standard, EA & Capability Training, Knowledge Architecture and IT4IT™ – Managing the Business of IT.

Thursday consisted of members-only meetings which are closed sessions.

A special “thank you” goes to our sponsors and exhibitors: Avolution, SNA Technologies, BiZZdesign, Van Haren Publishing, AFEI and AEA.

Check out all the Twitter conversation about the event – @theopengroup #ogBWI

Event proceedings for all members and event attendees can be found here.

Hope to see you at The Open Group Edinburgh 2015 October 19-22! Please register here.

By Loren K. Baynes, Director, Global Marketing CommunicationsLoren K. Baynes, Director, Global Marketing Communications, joined The Open Group in 2013 and spearheads corporate marketing initiatives, primarily the website, blog, media relations and social media. Loren has over 20 years experience in brand marketing and public relations and, prior to The Open Group, was with The Walt Disney Company for over 10 years. Loren holds a Bachelor of Business Administration from Texas A&M University. She is based in the US.

Comments Off on The Open Group Baltimore 2015 Highlights

Filed under Accreditations, Boundaryless Information Flow™, Cybersecurity, Enterprise Architecture, Enterprise Transformation, Healthcare, Internet of Things, Interoperability, Open CA, Open Platform 3.0, Security, Security Architecture, The Open Group Baltimore 2015, TOGAF®

Securing Business Operations and Critical Infrastructure: Trusted Technology, Procurement Paradigms, Cyber Insurance

Following is the transcript of an Open Group discussion on ways to address supply chain risk in the information technology sector marketplace.

Listen to the podcast. Find it on iTunes. Get the mobile app for iOS or Android. Sponsor: The Open Group

Dana Gardner: Hello, and welcome to a special Thought Leadership Panel Discussion, coming to you in conjunction with The Open Group’s upcoming conference on July 20, 2015 in Baltimore.

I’m Dana Gardner, Principal Analyst at Interarbor Solutions, and I’ll be your host and moderator as we explore ways to address supply chain risk in the information technology sector market.

We’ll specifically examine how The Open Group Trusted Technology Forum (OTTF) standards and accreditation activities are enhancing the security of global supply chains and improving the integrity of openly available IT products and components.

We’ll also learn how the age-old practice of insurance is coming to bear on the problem of IT supply-chain risk, and by leveraging insurance models, the specter of supply chain disruption and security yields may be significantly reduced.

To update us on the work of the OTTF and explain the workings and benefits of supply-chain insurance, we’re joined by our panel of experts. Please join me in welcoming Sally Long, Director of The Open Group Trusted Technology Forum. Welcome, Sally.

Sally Long: Thank you.

Gardner: We’re also here with Andras Szakal, Vice President and Chief Technology Officer for IBM U.S. Federal and Chairman of The Open Group Trusted Technology Forum. Welcome back, Andras.

Andras Szakal: Thank you for having me.

Gardner: And Bob Dix joins us. He is Vice President of Global Government Affairs and Public Policy for Juniper Networks and is a member of The Open Group Trusted Technology Forum. Welcome, Bob.

Bob Dix: Thank you for the invitation. Glad to be here.

Gardner: Lastly, we are joined by Dan Reddy, Supply Chain Assurance Specialist, college instructor and Lead of The Open Group Trusted Technology Forum Global Outreach and Standards Harmonization Work Group. Thanks for being with us, Dan.

Dan Reddy: Glad to be here, Dana.

Gardner: Sally, let’s start with you. Why don’t we just get a quick update on The Open Group Trusted Technology Forum (OTTF) and the supply-chain accreditation process generally? What has been going on?

OTTP standard

Long: For some of you who might not have heard of the O-TTPS, which is the standard, it’s called The Open Trusted Technology Provider™ Standard. The effort started with an initiative in 2009, a roundtable discussion with U.S. government and several ICT vendors, on how to identify trustworthy commercial off-the-shelf (COTS) information and communication technology (ICT), basically driven by the fact that governments were moving away from high assurance customized solution and more and more using COTS ICT.

That ad-hoc group formed under The OTTF and proceeded to deliver a standard and an accreditation program.

The standard really provides a set of best practices to be used throughout the COTS ICT product life cycle. That’s both during in-house development, as well as with outsourced development and manufacturing, including the best practices to use for security in the supply chain, encompassing all phases from design to disposal.

Just to bring you up to speed on just some of the milestones that we’ve had, we released our 1.0 version of the standard in 2013, launched our accreditation program to help assure conformance to the standard in February 2014, and then in July, we released our 1.1 version of the standard. We have now submitted that version to ISO for approval as a publicly available specification (PAS) and it’s a fast track for ISO.

The PAS is a process for adopting standards developed in other standards development organizations (SDOs), and the O-TTPS has passed the draft ISO ballot. Now, it’s coming up for final ballot.

That should bring folks up to speed, Dana, and let them know where we are today.

Gardner: Is there anything in particular at The Open Group Conference in Baltimore, coming up in July, that pertains to these activities? Is this something that’s going to be more than just discussed? Is there something of a milestone nature here too?

Long: Monday, July 20, is the Cyber Security Day of the Baltimore Conference. We’re going to be meeting in the plenary with many of the U.S. government officials from NIST, GSA, and the Department of Homeland Security. So there is going to be a big plenary discussion on cyber security and supply chain.

We’ll also be meeting separately as a member forum, but the whole open track on Monday will be devoted to cyber security and supply chain security.

The one milestone that might coincide is that we’re publishing our Chinese translation version of the standard 1.1 and we might be announcing that then. I think that’s about it, Dana.

OTTF background

Gardner: Andras, for the benefit of our listeners and readers who might be new to this concept, perhaps you could fill us in on the background on the types of problems that OTTF and the initiatives and standards are designed to solve. What’s the problem that we need to address here?

Szakal: That’s a great question. We realized, over the last 5 to 10 years, that the traditional supply-chain management practices, supply-chain integrity practices, where we were ensuring the integrity of the delivery of a product to the end customer, ensuring that it wasn’t tampered with, effectively managing our suppliers to ensure they provided us with quality components really had expanded as a result of the adoption of technology and the pervasive growth of technology in all aspects of manufacturing, but especially as IT has expanded into the Internet of Things, critical infrastructure and mobile technologies, and now obviously cloud and big data.

And as we manufacture those IT products we have to recognize that now we’re in a global environment, and manufacturing and sourcing of components occurs worldwide. In some cases, some of these components are even open source or freely available. We’re concerned, obviously, about the lineage, but also the practices of how these products are manufactured from a secure engineering perspective, as well as the supply-chain integrity and supply-chain security practices.

What we’ve recognized here is that the traditional life cycle of supplychain security and integrity has expanded to include all the way down to the design aspects of the product through sustainment and managing that product over a period of time, from cradle to grave, and disposal of the product to ensure that those components, if they were hardware-based, don’t actually end up recycled in a way that they pose a threat to our customers.

Gardner: So it’s as much a lifecycle as it is a procurement issue.

Szakal: Absolutely. When you talk about procurement, you’re talking about lifecycle and about mitigating risks to those two different aspects from sourcing and from manufacturing.

So from the customer’s perspective, they need to be considering how they actually apply techniques to ensure that they are sourcing from authorized channels, that they are also applying the same techniques that we use for secure engineering when they are doing the integration of their IT infrastructure.

But from a development perspective, it’s ensuring that we’re applying secure engineering techniques, that we have a well-defined baseline for our life cycle, and that we’re controlling our assets effectively. We understand who our partners are and we’re able to score them and ensure that we’re tracking their integrity and that we’re applying new techniques around secure engineering, like threat analysis and risk analysis to the supply chain.

We’re understanding the current risk landscape and applying techniques like vulnerability analysis and runtime protection techniques that would allow us to mitigate many of these risks as we build out our products and manufacture them.

It goes all the way through sustainment. You probably recognize now, most people would, that your products are no longer a shrink-wrap product that you get, install, and it lives for a year or two before you update it. It’s constantly being updated. So to ensure that the integrity and delivery of that update is consistent with the principles that we are trying to espouse is also really important.

Collaborative effort

Gardner: And to that point, no product stands alone. It’s really a result of a collaborative effort, very complex number of systems coming together. Not only are standards necessary, but cooperation among all those players in that ecosystem becomes necessary.

Dan Reddy, how have we done in terms of getting mutual assurance across a supply chain that all the participants are willing to take part? It seems to me that, if there is a weak link, everyone would benefit by shoring that up. So how do we go beyond the standards? How are we getting cooperation, get all the parties interested in contributing and being part of this?

Reddy: First of all, it’s an evolutionary process, and we’re still in the early days of fully communicating what the best practices are, what the standards are, and getting people to understand how that relates to their place in the supply chain.

Certainly, the supplier community would benefit by following some common practices so they don’t wind up answering customized survey questions from all of their customers.

That’s what’s happening today. It’s pretty much a one-off situation, where each customer says, “I need to protect my supply chain. Let me go find out what all of my suppliers are doing.” The real benefit here is to have the common language of the requirements in our standard and a way to measure it.

So there should be an incentive for the suppliers to take a look at that and say, “I’m tired of answering these individual survey questions. Maybe if I just document my best practices, I can avoid some of the effort that goes along with that individual approach.”

Everyone needs to understand that value proposition across the supply chain. Part of what we’re trying to do with the Baltimore conference is to talk to some thought leaders and continue to get the word out about the value proposition here.

Gardner: Bob Dix, the government in the U.S., and of course across the globe, all the governments, are major purchasers of technology and also have a great stake in security and low risk. What’s been driving some of the government activities? Of course, they’re also interested in using off-the-shelf technology and cutting costs. So what’s the role that governments can play in driving some of these activities around the OTTF?

Risk management

Dix: This issue of supply chain assurance and cyber security is all about risk management, and it’s a shared responsibility. For too long I think that the government has had a tendency to want to point a finger at the private sector as not sufficiently attending to this matter.

The fact is, Dana, that many in the private sector make substantial investments in their product integrity program, as Andras was talking about, from product conception, to delivery, to disposal. What’s really important is that when that investment is made and when companies apply the standard the OTTF has put forward, it’s incumbent upon the government to do their part in purchasing from authorized and trusted sources.

In today’s world, we still have a culture that’s pervasive across the government acquisition community, where decision-making on procurements is often driven by cost and schedule, and product authenticity, assurance, and security are not necessarily a part of that equation. It’s driven in many cases by budgets and other considerations, but nonetheless, we must change that culture to focus to include authenticity and assurance as a part of the decision making process.

The result of focusing on cost and schedule is often those acquisitions are made from untrusted and unauthorized sources, which raises the risk of acquiring counterfeit, tainted, or even malicious equipment.

Part of the work of the OTTF is to present to all stakeholders, in industry and government alike, that there is a process that can be uniform, as has been stated by Sally and Dan as well, that can be applied in an environment to raise the bar of authenticity, security, and assurance to improve upon that risk management approach.

Gardner: Sally, we’ve talked about where you’re standing in terms of some progress in your development around these standards and activities. We’ve heard about the challenges and the need for improvement.

Before we talk about this really interesting concept of insurance that would come to bear on perhaps encouraging standardization and giving people more ways to reduce their risk and adhere to best practices, what do you expect to see in a few years? If things go well and if this is adopted widely and embraced in true good practices, what’s the result? What do we expect to see as an improvement?

What I am trying to get at here is that if there’s a really interesting golden nugget to shoot for, a golden ring to grab for, what is that we can accomplish by doing this well?

Powerful impact

Long: The most important and significant aspect of the accreditation program is when you look at the holistic nature of the program and how it could have a very powerful impact if it’s widely adopted.

The idea of an accreditation program is that a provider gets accredited for conforming to the best practices. A provider that can get accredited could be an integrator, an OEM, the component suppliers of hardware and software that provide the components to the OEM, and the value-add resellers and distributors.

Every important constituent in that supply chain could be accredited. So not only from a business perspective is it important for governments and commercial customers to look on the Accreditation Registry and see who has been accredited for the integrators they want to work with or for the OEMs they want to work with, but it’s also important and beneficial for OEMs to be able to look at that register and say, “These component suppliers are accredited. So I’ll work with them as business partners.” It’s the same for value-add resellers and distributors.

It builds in these real business-market incentives to make the concept work, and in the end, of course, the ultimate goal of having a more secure supply chain and more products with integrity will be achieved.

To me, that is one of the most important aspects that we can reach for, especially if we reach out internationally. What we’re starting to see internationally is that localized requirements are cropping up in different countries. What that’s going to mean is that vendors need to meet those different requirements, increasing their cost, and sometimes even there will end up being trade barriers.

Back to what Dan and Bob were saying, we need to look at this global standard and accreditation program that already exists. It’s not in development; we’ve been working on it for five years with consensus from many, many of the major players in the industry and government. So urging global adoption of what already exists and what could work holistically is really an important objective for our next couple of years.

Gardner: It certainty sounds like a win, win, win if everyone can participate, have visibility, and get designated as having followed through on those principles. But as you know and as you mentioned, it’s the marketplace. Economics often drives business behavior. So in addition to a standards process and the definitions being available, what is it about this notion of insurance that might be a parallel market force that would help encourage better practices and ultimately move more companies in this direction?

Let’s start with Dan. Explain to me how cyber insurance, as it pertains to the supply chain, would work?

Early stages

Reddy: It’s an interesting question. The cyber insurance industry is still in the early stages, even though it goes back to the ’70s, where crime insurance started applying to outsiders gaining physical access to computer systems. You didn’t really see the advent of hacker insurance policies until the late ’90s. Then, starting in 2000, some of the first forms of cyber insurance covering first and third party started to appear.

What we’re seeing today is primarily related to the breaches that we hear about in the paper everyday, where some organization has been comprised, and sensitive information, like credit card information, is exposed for thousands of customers. The remediation is geared toward the companies that have to pay the claim and sign people up for identity protection. It’s pretty cut and dried. That’s the wave that the insurance industry is riding right now.

What I see is that as attacks get to be more sophisticated and potentially include attacks on the supply chain, it’s going to represent a whole new area for cyber insurance. Having consistent ways to address supplier-related risk, as well as the other infrastructure related risks that go beyond simple data breach, is going to be where the marketplace has to make an adjustment. Standardization is critical there.

Gardner: Andras, how does this work in conjunction with OTTF? Would insurance companies begin their risk assessment by making sure that participants in the supply chain are already adhering to your standards and seeking accreditation? Then, maybe they would have premiums that would reflect the diligence that companies extend into their supply chains. Maybe you could just explain to me, not just the insurance, but how it would work in conjunction with OTTF, maybe to each’s mutual benefit.

Szakal: You made a really great point earlier about the economic element that would drive compliance. For us in IBM, the economic element is the ability to prove that we’re providing the right assurance that is being specified in the requests for proposals (RFPs), not only in the federal sector, but outside the federal sector in critical infrastructure and finance. We continue to win those opportunities, and that’s driven our compliance, as well as the government policy aspect worldwide.

But from an insurance point of view, insurance comes in two forms. I buy policy insurance in a case where there are risks that are out of my control, and I apply protective measures that are under my control. So in the case of the supply chain, the OTTF is a set of practices that help you gain control and lower the risk of threat in the manufacturing process.

The question is, do you buy a policy, and what’s the balance here between a cyber threat that is in your control, and those aspects of supply chain security which are out of your control? This is with the understanding that there is an infinite number of a resources or revenue that you can apply to allocate to both of these aspects.

There’s going to have to be a balance, and it really is going to be case by case, with respect to customers and manufacturers, as to where the loss of potential intellectual property (IP) with insurance, versus applying controls. Those resources are better applied where they actually have control, versus that of policies that are protecting you against things that are out of your control.

For example, you might buy a policy for providing code to a third party, which has high value IP to manufacture a component. You have to share that information with that third-party supplier to actually manufacture that component as part of the overarching product, but with the realization that if that third party is somehow hacked or intruded on and that IP is stolen, you have lost some significant amount of value. That will be an area where insurance would be applicable.

What’s working

Gardner: Bob Dix, if insurance comes to bear in conjunction with standards like what the OTTF is developing in supply chain assurance, it seems to me that the insurance providers themselves would be in a position of gathering information for their actuarial decisions and could be a clearing house for what’s working and what isn’t working.

It would be in their best interest to then share that back into the marketplace in order to reduce the risk. That’s a market-driven, data-driven approach that could benefit everyone. Do you see the advent of insurance as a benefit or accelerant to improvement here?

Dix: It’s a tool. This is a conversation that’s been going on in the community for quite some time, the lack of actuarial data for catastrophic losses produced by cyber events, that is impacting some of the rate setting and premium setting by insurance companies, and that has continued to be a challenge.

But from an incentive standpoint, it’s just like in your home. If you have an alarm system, if you have a fence, if you do other kinds of protective measures, your insurance on your homeowners or liability insurance may get a reduction in premium for those actions that you have taken.

As an incentive, the opportunity to have an insurance policy to either transfer or buy down risk can be driven by the type of controls that you have in your environment. The standard that the OTTF has put forward provides guidance about how best to accomplish that. So, there is an opportunity to leverage, as an incentive, the reduction in premiums for insurance to transfer or buy down risk.

Gardner: It’s interesting, Sally, that the insurance industry could benefit from OTTF, and by having more insurance available in the marketplace, it could encourage more participation and make the standard even more applicable and valuable. So it’s interesting to see over time how that plays out.

Any thoughts or comments on the relationship between what you are doing at OTTF and The Open Group and what the private insurance industry is moving toward?

Long: I agree with what everyone has said. It’s an up-and-coming field, and there is a lot more focus on it. I hear at every conference I go to, there is a lot more research on cyber security insurance. There is a place for the O-TTPS in terms of buying down risk, as Bob was mentioning.

The other thing that’s interesting is the NIST Cybersecurity Framework. That whole paradigm started out with the fact that there would be incentives for those that followed the NIST Cybersecurity Framework – that incentive piece became very hard to pull together, and still is. To my knowledge, there are no incentives yet associated with it. But insurance was one of the ideas they talked about for incentivizing adopters of the CSF.

The other thing that I think came out of one of the presentations that Dan and Larry Clinton will be giving at our Baltimore Conference, is that insurers are looking for simplicity. They don’t want to go into a client’s environment and have them prove that they are doing all of these things required of them or filling out a long checklist.

That’s why, in terms of simplicity, asking for O-TTPS-accredited providers or lowering their rates based on that – would be a very simplistic approach, but again not here yet. As Bob said, it’s been talked about a lot for a long time, but I think it is coming to the fore.

Market of interest

Gardner: Dan Reddy, back to you. When there is generally a large addressable market of interest in a product or service, there often rises a commercial means to satisfy that. How can enterprises, the people who are consuming these products, encourage acceptance of these standards, perhaps push for a stronger insurance capability in the marketplace, or also get involved with some of these standards and practices that we have been talking about?

If you’re a publicly traded company, you would want to reduce your exposure and be able to claim accreditation and insurance as well. Let’s look at this from the perspective of the enterprise. What should and could they be doing to improve on this?

Reddy: I want to link back to what Sally said about the NIST Cyber Security Framework. What’s been very useful in publishing the Framework is that it gives enterprises a way to talk about their overall operational risk in a consistent fashion.

I was at one of the workshops sponsored by NIST where enterprises that had adopted it talked about what they were doing internally in their own enterprises in changing their practices, improving their security, and using the language of the framework to address that.

Yet, when they talked about one aspect of their risk, their supplier risk, they were trying to send the NIST Cybersecurity Framework risk questions to their suppliers, and those questions aren’t really sufficient. They’re interesting. You care about the enterprise of your supplier, but you really care about the products of your supplier.

So one of the things that the OTTF did is look at the requirements in our standard related to suppliers and link them specifically to the same operational areas that were included in the NIST Cybersecurity Framework.

This gives the standard enterprise looking at risk, trying to do standard things, a way to use the language of our requirements in the standard and the accreditation program as a form of measurement to see how that aspect of supplier risk would be addressed.

But remember, cyber insurance is more than just the risk of suppliers. It’s the risk at the enterprise level. But the attacks are going to change over time, and we’ll go beyond the simple breaches. That’s where the added complexity will be needed.

Gardner: Andras, any suggestions for how enterprises, suppliers, vendors, systems integrators, and now, of course, the cloud services providers, should get involved? Where can they go for more information? What can they do to become part of the solution on this?

International forum

Szakal: Well, they can always become a member of the Trusted Technology Forum, where we have an international forum.

Gardner: I thought you might say that.

Szakal: That’s an obvious one, right? But there are a couple of places where you can go to learn more about this challenge.

One is certainly our website. Download the framework, which was a compendium of best practices, which we gathered as a result of a lot of hard work of sharing in an open, penalty-free environment all of the best practices that the major vendors are employing to mitigate risks to counterfeit and maliciously tainted products, as well as other supply chain risks. I think that’s a good start, understanding the standard.

Then, it’s looking at how you might measure the standard against what your practices are currently using the accreditation criteria that we have established.

Other places would be NIST. I believe that it’s 161 that is the current pending standard for protecting supply chain security. There are several really good reports that the Defense Science Board and other organizations have conducted in the past within the federal government space. There are plenty of materials out there, a lot of discussion about challenges.

But I think the only place where you really find solutions, or at least one of the only places that I have seen is in the TTF, embedded in the standard as a set of practices that are very practical to implement.

Gardner: Sally, the same question to you. Where can people go to get involved? What should they perhaps do to get started?

Long: I’d reiterate what Andras said. I’d also point them toward the accreditation website, which is www.opengroup.org/accreditation/o-ttps. And on that accreditation site you can see the policy, standard and supporting docs. We publicize our assessment procedures so you have a good idea of what the assessment process will entail.

The program is based on evidence of conformance as well as a warranty from the applicant. So the assessment procedures being public will allow any organizations thinking about getting accredited to know exactly what they need to do.

As always, we would appreciate any new members, because we’ll be evolving the standard and the accreditation program, and it is done by consensus. So if you want a say in that, whether our standard needs to be stronger, weaker, broader, etc., join the forum and help us evolve it.

Impact on business

Gardner: Dan Reddy, when we think about managing these issues, often it falls on the shoulders of IT and their security apparatus, the Chief Information Security Officer perhaps. But it seems that the impact on business is growing. So should other people in the enterprise be thinking about this? I am thinking about procurement or the governance risk and compliance folks. Who else should be involved other than IT in their security apparatus in mitigating the risks as far as IT supply chain activity?

Reddy: You’re right that the old model of everything falls on IT is expanding, and now you see issues of enterprise risk and supply chain risk making it up to the boards of directors, who are asking tough questions. That’s one reason why boards look at cyber insurance as a way to mitigate some of the risk that they can’t control.

They’re asking tough questions all the way around, and I think acquisition people do need to understand what are the right questions to ask of technology providers.

To me, this comes back to scalability. This one-off approach of everyone asking questions of each of their vendors just isn’t going to make it. The advantage that we have here is that we have a consistent standard, built by consensus, freely available, and it’s measurable.

There are a lot of other good documents that talk about supply chain risk and secure engineering, but you can’t get a third-party assessment in a straightforward method, and I think that’s going to be appealing over time.

Gardner: Bob Dix, last word to you. What do you see happening in the area of government affairs and public policy around these issues? What should we hope for or expect from different governments in creating an atmosphere that improves risk across supply chain?

Dix: A couple things have to happen, Dana. First, we have got to quit blaming victims when we have breaches and compromises and start looking at solutions. The government has a tendency in the United States and in other countries around the world, to look at legislating and trying to pass regulatory measures that impose requirements on industry without a full understanding of what industry is already doing.

In this particular example, the government has had a tendency to take an approach that excludes vendors from being able to participate in federal procurement activities based on a risk level that they determine.

The really great thing about the work of the OTTF and the standard that’s being produced is it allows a different way to look at it and instead look at those that are accredited as having met the standard and being able to provide a higher assurance level of authenticity and security around the products and services that they deliver. I think that’s a much more productive approach.

Working together

And from a standpoint of public policy, this example on the great work that’s being done by industry and government working together globally to be able to deliver the standard provides the government a basis by which they can think about it a little differently.

Instead of just focusing on who they want to exclude, let’s look at who actually is delivering the value and meeting the requirements to be a trusted provider. That’s a different approach and it’s one that we are very proud of in terms of the work of The Open Group and we will continue to work that going forward.

Gardner: Excellent. I’m afraid we will have to leave it there. We’ve been exploring ways to address supply chain risk in the information technology sector marketplace, and we’ve seen how The Open Group Trusted Technology Forum standards and accreditation activities are enhancing the security of global supply chain and improving the integrity of openly available IT products and components. And we have also learned how the age-old practice of insurance is coming to bear on the problem of IT supply chain risk.

This special BriefingsDirect Thought Leadership Panel Discussion comes to you in conjunction with The Open Group’s upcoming conference on July 20, 2015 in Baltimore. It’s not too late to register on The Open Group’s website or to follow the proceedings online and via Twitter and other social media during the week of the presentation.

So a big thank you to our guests. We’ve been joined today by Sally Long, Director of The Open Group Trusted Technology Forum. Thanks so much, Sally.

Long: Thank you, Dana.

Gardner: And a big thank you to Andras Szakal, Vice President and Chief Technology Officer for IBM U.S. Federal and Chairman of The Open Group Trusted Technology Forum. Thank you, Andras.

Szakal: Thank you very much for having us and come join the TTF. We can use all the help we can get.

Gardner: Great. A big thank you too to Bob Dix, Vice President of Global Government Affairs & Public Policy for Juniper Networks and a member of The Open Group Trusted Technology Forum. Thanks, Bob.

Dix: Appreciate the invitation. I look forward to joining you again.

Gardner: And lastly, thank you to Dan Reddy, Supply Chain Assurance Specialist, college instructor and Lead of The Open Group Trusted Technology Forum Global Outreach and Standards Harmonization Work Group. I appreciate your input, Dan.

Reddy: Glad to be here.

Gardner: And lastly, a big thank you to our audience for joining us at the special Open Group sponsored Thought Leadership Panel Discussion.

I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for these Open Group discussions associated with the Baltimore Conference ( (Register Here). Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes. Get the mobile app for iOS or Android. Sponsor: The Open Group

Join the conversation @theopengroup #ogchat #ogBWI

Transcript of a Briefings Direct discussion on ways to address supply chain risk in the information technology sector marketplace. Copyright The Open Group and Interarbor Solutions, LLC, 2005-2015. All rights reserved.

You may also be interested in:

1 Comment

Filed under Cybersecurity, OTTF, Supply chain risk, The Open Group Baltimore 2015

Global Cooperation and Cybersecurity: A Q&A with Bruce McConnell

By The Open Group

Cyber threats are becoming an increasingly critical issue for both companies and governments. The recent disclosure that the U.S. Office of Personnel Management had been hacked is proof that it’s not just private industry that is vulnerable to attack. In order to address the problems that countries and industry face, there must be more global cooperation in terms of what behaviors are acceptable and unacceptable in cyberspace.

Bruce McConnell is Senior Vice President of the EastWest Institute (EWI), and is responsible for its global cooperation in cyberspace initiative. Bruce has served in the U.S. Department of Homeland Security and as Deputy Under Secretary Cybersecurity, where he was responsible for ensuring the cybersecurity of all federal civilian agencies and helping the owners and operators of the most critical U.S. infrastructure protect themselves from cyber threats. We recently spoke with him in advance of The Open Group Baltimore event about the threats facing government and businesses today, the need for better global cooperation in cyberspace and the role that standards can play in helping to foster that cooperation.

In your role as Deputy Under Secretary for Cybersecurity in the Obama Administration, you were responsible for protecting U.S. infrastructure from cyber threats. In your estimation, what are the most serious threats in cyberspace today?

User error. I say that because a lot of people these days like to talk about these really scary sounding cyber threats, like some nation state or terrorist group that is going to take down the grid or turn off Wall Street, and I think we spend too much time focusing on the threat and less time focusing on other aspects of the risk equation.

The three elements of risk are threats, vulnerability and consequences. A lot of what needs to be done is to reduce vulnerability. Part of what EWI is working on is promoting the availability of more secure information and communications in technology so that buyers and users can start with an infrastructure that is actually defensible as opposed to the infrastructure we have today which is very difficult to defend. We figure that, yes, there are threats, and yes, there are potential consequences, but one of the places that we need more work in particular is reducing vulnerabilities.

EWI is also working on reducing threats and consequences by working with countries to, for example, agree that certain key assets, such as core Internet infrastructure or financial services markets and clearinghouses should not be attacked by anybody. You have to work all aspects of the equation.

What steps can be taken by governments or businesses to better shore up the infrastructure from cyber threats?

One of the things that has been missing is a signal from the marketplace that it wants more secure technology. There’s been complacency for a long time and denial that this is really a problem, and the increasing visibility of these high profile attacks, like on Target, Sony, JP Morgan Chase and others, are getting companies at the most senior level—in the C-Suite and in the Boardroom—to start paying attention and asking questions of their IT team: ‘How are we protecting ourselves?’ ‘Are we going to be the next ones?’ Because there are two kinds of companies in the U.S.—those that have been hacked and those that know they’ve been hacked.

One of the things EWI has been working on with The Open Group and some of the large IT companies is a set of questions that buyers of IT could ask suppliers about what they do to make sure their products are secure—how they are paying attention to their supply chain, who’s responsible for security at their organization, etc. We think that companies and the government—from the standpoint of education, not regulation—can do more to send signals to the marketplace and suppliers so that they offer more secure technology. In the past customers haven’t been willing to pay more for security—it does cost more. I think that’s changing, but we need to give them tools to be able to ask that question in a smart way.

With respect to government specifically, I think one of the great things the U.S government has done recently is coming out with a Cybersecurity Framework, which was developed mostly by the private sector. NIST, of course, acted as the facilitator, but there’s a lot of uptake there that we’re seeing in terms of companies and sectors—like the financial services sector—adopting and adapting it. It has raised the level of security inside corporations. Insurance carriers are starting to use it as the basis for underwriting insurance policies. It’s not mandatory but it’s a good guidepost, and I think it will become a standard of care.

Why has there been that level of complacency for so long?

I think it’s two things, and they’re both cultural.

One is that the IT community inside companies has not been able to communicate effectively to senior management regarding the nature of the threat or the degree of risk. They don’t speak the same language. When the CFO comes into the CEO’s office and talks about foreign exchange exposure or the General Counsel comes in and speaks about reputational risk, they’re speaking a language that most CEOs can understand. But when the IT guy comes in and talks about Trojans and botnets, he’s speaking a foreign language. There’s been a tendency for that message to not be expressed in business terms that the CEO can understand or be able to quantify and think about as a risk. But it’s a risk just like any of those other risks—foreign exchange risk, competitive risk, natural disasters, cyber attacks. I think that’s changing now, and some companies are pulling the Chief Information Security Officer out from under the CIO and having them report to the Chief Risk Officer, whether it’s the General Counsel or the CFO. That puts them in a different position, and then it can be positioned against other risks and managed in a different way. It’s not a technology problem, it’s as much a human problem—it’s about training employees, it’s about background checks on systems administrators.

The second piece is that it’s invisible. Unlike a hurricane or fire, where you can see the damage, the damage from a cyber attack is invisible. When I was at Homeland Security, we said, ‘What’s it going to take for people to wake up? Well, something really bad will have to happen.’ And something really bad is happening all the time. There’s billions of dollars of financial fraud and theft, there’s theft of intellectual property, the theft of identities—there’s lots of bad things happening but they’re kind of invisible. People don’t react to something they can’t see, we react to the threats that we can see. I think that there’s just a conceptual gap that security professionals haven’t figured out how to convert into something tangible.

How much difference is there anymore in the threats that governments are facing as opposed to businesses? Are these things converging more?

We certainly saw the Office of Personnel Management got the same kind of breaches that Target got: people’s personal data. In the intellectual property area, attackers steal from both businesses and governments. Fraud is probably more directed at businesses and banks just because they handle the money, although some of the IRS data will probably be used to perpetrate fraud. Certainly the government has some systems that are of higher value to society than any single corporate system, but if the core Internet infrastructure, which is owned and run by companies, went down, that would be bad for everybody.

I think the threats are converging also in the sense that attackers are always looking for high-value targets so both governments and companies these days have high-value targets. And they use similar tactics—what we saw was that one family of malware would be used to attack government systems and a slightly different version of that family would be used to attack commercial systems. It was the same kind of malware, and maybe the same perpetrators.

Your session at The Open Group Baltimore event is focused on global cooperation in cyberspace. Where does global cooperation in cyberspace stand today, and why is it important to have that cooperation?

It’s in the spirit of the Baltimore event—Boundaryless Information Flow™. The Internet is a global phenomenon and not a great respecter of national boundaries. The information and technology we all use comes from all over the world. From a security and management standpoint, this is not something that any single government can manage on its own. In order to allow for the boundaryless movement of information in a secure way, governments have to work together to put the right policies and incentives in place. That includes cooperating on catching and investigating cyber criminals. It involves the matter of ensuring buyers can get the best, most secure technology no matter where it is manufactured. It involves cooperating on the types of behavior that are unacceptable in cyberspace. Even reaching agreement on what institutions can be used to manage this global resource is crucial because there’s no real governance of the Internet—it’s still run on an ad hoc basis. That’s been great, but the Internet is becoming too important to be left to everybody’s good will. I’ll cover these issues in more depth in Baltimore.

Who is working on these issues right now and what kind of things are they doing? Who are the “allies” in trying to put together global cooperation initiatives?

There are a lot of different coalitions of people working together. They range from a group called the United Nations Group of Governmental Experts, which by the time of the Baltimore conference will have conducted its fourth in a series of meetings over a two-year period to discuss norms of behavior in cyberspace, along the lines of what kinds of behaviors should nation states not engage in vis a vis cyberattacks. There’s a case where you have a U.N.-based organization and 20 countries or so working together to try to come up with some agreements in that area. Certainly EWI’s work is supported primarily by companies, both U.S. and foreign companies. We bring a broad multi-stakeholder group of people together from countries, companies and non-profit organizations from all the major cyber powers, whether they are national cyber powers like China, Russia, U.S, Germany, India, or corporate cyber powers like Microsoft and Huawei Technologies because in the Internet, companies are important. There are a lot of different activities going on to find ways of cooperating and increasingly recognize the seriousness of the problem.

In terms of better cooperation, what are some of the issues that need to be addressed first and how can those things be better accomplished?

There are so many things to work on. Despite efforts, the state of cooperation isn’t great. There’s a lot of rhetoric being applied and countries are leveling charges and accusing each other of attacking them. Whether or not those charges are true, this is not the way to build trust and cooperation. One of the first things that governments really need to do if they want to cooperate with each other is tone down the rhetoric. They need to sit down, listen to each other and try to understand where the other one’s coming from rather than just trading charges in public. That’s the first thing.

There’s also a reflection of the lack of trust between the major cyber powers these days. How do you build trust? You build trust by working together on easy projects first, and then working your way up to more difficult topics. EWI has been promoting conversations between governments about how to respond if there’s a server in one country that’s been captured by a bot and is attacking machines in another country. You have to say, ‘Could you take a look at that?’ But what are the procedures for reducing the impact of an incident in one country caused by malware coming from a server in of another country? This assumes, of course, that the country itself is not doing it deliberately. In a lot of these attacks people are spoofing servers so it looks like they’re coming from one place but it’s actually originating someplace else. Maybe if we can get governments cooperating on mutual assistance in incident response, it would help build confidence and trust that we could work on larger issues.

As the Internet becomes increasingly more crucial to businesses and government and there are more attacks out there, will this necessitate a position or department that needs to be a bridge between state departments and technology? Do you envision a role for someone to be a negotiator in that area and is that a diplomatic or technological position or both?

Most of the major national powers have cyber ambassadors. The German’s Foreign Office has a cyber ambassador, the Chinese have one. The U.S. has a cyber coordinator, the French have a cyber ambassador and the British just named a new cyber ambassador. States are recognizing there is a role for the foreign ministry to play in this area. It’s not just a diplomatic conversation.

There are also global forums where countries, companies and NGOs get together to talk about these things. EWI hosts one every year – this year’ it’s in New York September 9-10. I think there are a lot of places where the conversations are happening. That gets to a different question: At some point do we need more structure in the way these issues are managed on a global basis? There’s a big debate right now just on the topic of the assignment of Internet names and numbers as the U.S. lets go of its contract with ICANN—who’s going to take that on, what’s it going to look like? Is it going to be a multi-stakeholder body that involves companies sitting at the table or is it only going to be only governments?

Do you see a role for technology standards in helping to foster better cooperation in cyberspace? What role can they play?

Absolutely. In the work we’re doing to try to tell companies they want more secure products. We’re referencing a lot of different standards including those The Open Group and the Trusted Technology Forum have been developing. Those kind of technical standards are critical to getting everyone on a level playing fields in terms of being able to measure how secure products are and to having a conversation that’s fact-based instead of brochure based. There’s a lot of work to be done, but they’re going to be critical to the implementation of any of these larger cooperative agreements. There’s a lot of exciting work going on.

Join the conversation @theopegroup #ogchat #ogBWI

*********

Beginning in 2009, Bruce McConnell provided programmatic and policy leadership to the cybersecurity mission at the U.S. Department of Homeland Security. He became Deputy Under Secretary for Cybersecurity in 2013, and responsible for ensuring the cybersecurity of all federal civilian agencies and for helping the owners and operators of the most critical U.S. infrastructure protect themselves from growing cyber threats. During his tenure, McConnell was instrumental in building the national and international credibility of DHS as a trustworthy partner that relies on transparency and collaboration to protect privacy and enhance security.

Before DHS, McConnell served on the Obama-Biden Presidential Transition Team, working on open government and technology issues. From 2000-2008 he created, built, and sold McConnell International and Government Futures, boutique consultancies that provided strategic and tactical advice to clients in technology, business and government markets. From 2005-2008, he served on the Commission on Cybersecurity for the 44th Presidency.

From 1999-2000, McConnell was Director of the International Y2K Cooperation Center, sponsored by the United Nations and the World Bank, where he coordinated regional and global preparations of governments and critical private sector organizations to successfully defeat the Y2K bug.

McConnell was Chief of Information Policy and Technology in the U.S. Office of Management and Budget from 1993-1999, where he led the government-industry team that reformed U.S. encryption export policy, created an information security strategy for government agencies, redirected government technology procurement and management along commercial lines, and extended the presumption of open government information onto the Internet.

McConnell is also a senior advisor at the Center for Strategic and International Studies. He received a Master of Public Administration from the Evans School for Public Policy at the University of Washington, where he maintains a faculty affiliation, and a Bachelor of Sciences from Stanford University.

 

1 Comment

Filed under Cybersecurity, RISK Management, The Open Group, The Open Group Baltimore 2015