The second morning at the Open Group Conference changed themes a bit. The focus shifted from Enterprise Architecture and Business Architecture to Security and Cloud, a topic that is very near and dear to my heart. There was quite a bit of discussion in these sessions on how we can enable Cloud solutions from an Enterprise Architecture perspective.
- The Digital Identity Challenge – How the US National Strategy for Trusted Identities in Cyberspace (NSTIC) Program Is Responding
  Dr Peter Alterman, Senior Advisor at National Program Office, National Strategy for Trusted Identities in Cyberspace, NIST, and Senior Advisor for Strategic Initiatives at National Institutes of Health (NIH)
- Lessons From the Cloud: What I’ve Learned in 10 Years of Cloud Computing
  Brandon Dunlap, Managing Director of Research, Brightfly
Session 1: The Digital Identity Challenge – How the US National Strategy for Trusted Identities in Cyberspace (NSTIC) Program Is Responding
This was a very interesting session, both for what it revealed about the specific working group and for what the federal government is doing to protect its citizens. What I really liked about the session was the insight it gave into the actions the Obama administration is taking to protect all of our digital identities from theft and fraud.
It was stated a few times that this administration is very sensitive to the Big Brother or George Orwell scenarios. Kudos to this team and the Obama administration. It also brings me back to a security quote from the early 1700s that applied just as much then as it does now.
“Any society that would give up a little liberty to gain a little security will deserve neither and lose both.”
Below are the key messages from that presentation:
- Goal by 2016
  - Allow people to choose their authentication provider through an Identity Ecosystem
  - The private sector will run this effort, but the federal government will provide support
    - Not government run
    - The private sector has the highest ability to execute on this vision
    - The government will define the governance model
  - No new standards; will align to proven security standards
  - Tie all this back to the national security policy
  - Protecting privacy and civil liberties is fundamental
    - Avoid a George Orwell scenario
- What’s being done so far?
  - Series of workshops on privacy and governance
  - Supporting existing eGovernment and federated identity management (SSA, IRS, Health ID, etc.)
- Going forward
  - Workshops on technical, legal and attribute topics in the near future
  - Establish a functioning governance entity
  - Create governance models and standards
  - Criteria for selecting grants
  - Explore models for addressing liability
  - Support adoption of attribute management architectures
  - Prepare for pilot grants
  - Ensure early-adoption IDs are distributed early and broadly.
Session 2: O-Automated Compliance Expert Working Group (O-ACEML)
The Open Group recently published the Open Automated Compliance Expert Markup Language (O-ACEML) standard. This new technical standard addresses the need to automate the process of configuring IT environments to meet compliance requirements. O-ACEML will also enable customer organizations and their auditors to streamline data gathering and reporting on compliance postures.
O-ACEML is aimed at helping organizations reduce the cost of compliance by easing manual compliance processes. The standard is an open, simple, and well-defined XML schema that allows compliance requirements to be described in machine-understandable XML, as opposed to requiring humans to interpret text from documents. The standard also allows for a remediation element, which enables multiple requirements (from different compliance regulations) to be blended into a single policy. An example of where this is needed is password length and complexity requirements, which may differ between regulations. O-ACEML allows the most secure setting to be selected and applied, so that all of the regulations are met or exceeded.
According to AMR Research, North American companies are estimated to spend $29.9B on regulatory compliance and will spend $8.8B this year on technology solutions to address their compliance requirements. The cost worldwide is huge, and complying is not optional. Reducing this cost is therefore a business imperative.
How is this enabling compliance to make it action oriented?
- Compliance is manual and complicated
  - Solution: automate it
- O-ACEML is a simple way for humans to create security policies
- O-ACEML provides insight into complex environments with many end devices or computers via a standard XML structure
- Aids auditors in compliance checks
- This standard is targeted towards compliance organizations such as:
- Create an XML-based solution that can provide a common vocabulary for the Risk Management, Security and Audit functions
- As seen above, O-ACEML is primarily split into three areas:
  - O-ACEML will be used by compliance organizations to express requirements.
  - O-ACEML will be used by compliance automation tools to implement these requirements through configuration controls on the underlying device in an automated manner.
  - O-ACEML will be used to form an auditable historical log which records the details of any configuration change.
- This solution allows for descriptive rules that specify a specific action (e.g., shut down this port)
- Since this is XML-based, it is highly dynamic and technology agnostic
- The XML defines what the systems should do and how they should do it, and the result is logged in the XML structure
- Below is a sample workflow of an O-ACEML
- Looking to publish to the industry
  - Push simple tooling
  - Working with PCI, MITRE, NIST and others
- Automated Compliance Expert Working Group Charter
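To make the three-area workflow and the blending of conflicting password requirements concrete, here is an added Python illustration (my own example, not the published O-ACEML schema or any Open Group tooling): requirements from several regulations are expressed in XML, merged by taking the most secure value of each setting, applied to a configuration, and every change is recorded in an auditable log. The element and attribute names, the regulation names and the sample values are all constructed for this example.

```python
"""Constructed illustration of the blending described above. It is not the
published O-ACEML schema; element and attribute names are assumptions."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample input: three regulations that disagree on password rules.
REQUIREMENTS_XML = """
<requirements>
  <regulation name="RegA">
    <setting name="min_length" value="8" stricter="higher"/>
    <setting name="max_age_days" value="90" stricter="lower"/>
  </regulation>
  <regulation name="RegB">
    <setting name="min_length" value="12" stricter="higher"/>
    <setting name="require_complexity" value="true" stricter="true"/>
  </regulation>
  <regulation name="RegC">
    <setting name="max_age_days" value="60" stricter="lower"/>
    <setting name="require_complexity" value="false" stricter="true"/>
  </regulation>
</requirements>
"""

def blend_requirements(xml_text):
    """Return {setting: (value, regulation)} keeping the most secure value seen."""
    chosen = {}
    for reg in ET.fromstring(xml_text).findall("regulation"):
        for s in reg.findall("setting"):
            name, rule, raw = s.get("name"), s.get("stricter"), s.get("value")
            val = (raw == "true") if rule == "true" else int(raw)
            cur = chosen.get(name, (None,))[0]
            # A candidate wins if nothing is chosen yet or it is the stricter value.
            if (cur is None or (rule == "higher" and val > cur)
                    or (rule == "lower" and val < cur) or (rule == "true" and val and not cur)):
                chosen[name] = (val, reg.get("name"))
    return chosen

def apply_and_log(policy, config, log):
    """Apply the blended policy to a config dict; append one log record per change."""
    for name, (val, source) in policy.items():
        old = config.get(name)
        if old != val:
            config[name] = val
            log.append({"setting": name, "old": old, "new": val, "source": source,
                        "time": datetime.now(timezone.utc).isoformat()})
    return config
```

Running `apply_and_log(blend_requirements(REQUIREMENTS_XML), {"min_length": 8, "max_age_days": 90}, [])` yields a 12-character minimum, a 60-day maximum age and complexity enforced, with one log record per changed setting naming the regulation that drove it.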
The last session talked about cloud computing risks, how to identify them and how to prevent them.