Open Group Conference Austin 2011–Keynote Coverage Day 2

The second morning at the Open Group Conference changed themes a bit. The focus shifted from Enterprise Architecture and Business Architecture to Security and Cloud, a topic that is very near and dear to my heart. There was quite a bit of discussion in these sessions on how we can enable Cloud solutions from an Enterprise Architecture perspective.


Session 1: The Digital Identity Challenge – How the US National Strategy for Trusted Identities in Cyberspace (NSTIC) Program Is Responding


This was a very interesting session, both for what it revealed about the specific working group and for what the federal government is doing to protect its citizens. What I really liked about the session was that it gave insights into the actions the Obama administration is taking to protect all of our digital identities from theft and fraud.

It was stated a few times that this administration is very sensitive to the Big Brother or George Orwell scenarios. Kudos to this team and the Obama administration. It also brings me back to a security quote from the early 1700s that applies just as much now as it did then.

“Any society that would give up a little liberty to gain a little security will deserve neither and lose both.”


Below are the key messages from that presentation:

  • Goal by 2016
  • Allowing people to choose their authentication provider through an Identity Ecosystem
  • Private sector will run this effort but the federal government will provide support
    • Not government run
    • The private sector has the highest ability to execute on this vision
    • The government will define the governance model
    • No new standards, will align to proven security standards
    • Tie all this back to the national security policy
  • Protecting privacy and civil liberties is fundamental
  • Avoid a George Orwell scenario
  • What’s being done so far?
    • Series of workshops on privacy and governance
    • Supporting existing eGovernment and federated identity management (SSA, IRS, Health ID, etc.)
  • Going forward
    • Workshops on technical, legal and attributes in the near future
    • Establish a functioning governance entity
    • Create governance models and standards
    • Criteria for selecting grants
    • Explore models for addressing liability
    • Support adoption of attribute management architectures
    • Prepare for pilot for grants
  • Ensure early-adoption IDs are distributed early and broadly


Session 2: O-Automated Compliance Expert Working Group (O-ACEML)

The Open Group recently published the Open Automated Compliance Expert Markup Language (O-ACEML) standard. This new technical standard addresses the need to automate the process of configuring IT environments to meet compliance requirements. O-ACEML will also enable customer organizations and their auditors to streamline data gathering and reporting on compliance postures.

O-ACEML is aimed at helping organizations reduce the cost of compliance by easing manual compliance processes. The standard is an open, simple, and well-defined XML schema that allows compliance requirements to be described in machine-understandable XML, as opposed to requiring humans to interpret text from documents. The standard also allows for a remediation element, which enables multiple requirements (from different compliance regulations) to be blended into a single policy. An example of where this is needed is password length and complexity requirements, which may differ between regulations. O-ACEML allows the most secure setting to be selected and applied, so that all of the regulations are met or exceeded.
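As an added illustration of the blending described above (this is not O-ACEML's actual schema and not code from the Open Group; the element names, the strictness attribute and the two regulations are constructed for the example), the following Python takes conflicting password requirements from two regulations and keeps the most secure setting for each control, recording which regulation supplied it:

```python
import xml.etree.ElementTree as ET

# Constructed sample (not real O-ACEML): two fictional regulations whose
# password requirements disagree. 'strictness' says which direction is safer.
SAMPLE_XML = """<requirements>
  <regulation name="REG-A">
    <requirement control="password.min_length" strictness="higher">8</requirement>
    <requirement control="password.max_age_days" strictness="lower">180</requirement>
    <requirement control="password.require_complexity" strictness="required">false</requirement>
  </regulation>
  <regulation name="REG-B">
    <requirement control="password.min_length" strictness="higher">12</requirement>
    <requirement control="password.max_age_days" strictness="lower">90</requirement>
    <requirement control="password.require_complexity" strictness="required">true</requirement>
  </regulation>
</requirements>"""

def parse_value(text, strictness):
    """Booleans for 'required' controls, integers otherwise."""
    if strictness == "required":
        return text.strip().lower() == "true"
    return int(text.strip())

def merge_strictest(xml_text):
    """Blend all regulations into one policy: {control: (value, regulation)}.
    'higher' keeps the largest value (a floor such as minimum length),
    'lower' keeps the smallest (a ceiling such as maximum age), and
    'required' is met only if every regulation demanding it is honoured,
    so any 'true' wins. The winning regulation is kept for the audit trail."""
    policy = {}
    for reg in ET.fromstring(xml_text).findall("regulation"):
        name = reg.get("name")
        for req in reg.findall("requirement"):
            control, strictness = req.get("control"), req.get("strictness")
            value = parse_value(req.text, strictness)
            if control not in policy:
                policy[control] = (value, name)
                continue
            current = policy[control][0]
            if ((strictness == "higher" and value > current)
                    or (strictness == "lower" and value < current)
                    or (strictness == "required" and value and not current)):
                policy[control] = (value, name)
    return policy

if __name__ == "__main__":
    for control, (value, source) in merge_strictest(SAMPLE_XML).items():
        print(f"{control}: {value} (from {source})")
```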


The Need?

According to AMR Research, North American companies are estimated to spend $29.9B on regulatory compliance and will spend $8.8B this year on technology solutions to meet their compliance requirements. The cost worldwide is huge, and complying is not optional. Reducing this cost is therefore a business imperative.


How this enables compliance and makes it action-oriented

  • Compliance is manual and complicated
  • Solution: automate it
  • O-ACEML is a simple way for humans to create security policies
  • O-ACEML provides a way to gain insight into complex environments with many end devices or computers via a standard XML structure
  • Aid auditors in compliance checks
  • This standard is targeted at compliance organizations such as:
    • TCG
    • PCI
    • NIST
    • ISO
    • COBIT

Solution

Create an XML-based solution that provides a common vocabulary for the Risk Management, Security and Audit functions.

  • As seen above, O-ACEML is primarily split into three areas:
    1. O-ACEML will be used by compliance organizations to express requirements.
    2. O-ACEML will be used by compliance automation tools to implement these requirements through configuration controls on the underlying device in an automated manner.
    3. O-ACEML will be used to form an auditable historical log that records the details of any configuration change.
  • This solution allows for descriptive rules that specify a specific action (e.g., shut down this port)
  • Since this is XML-based it is highly dynamic and technology agnostic
  • The XML defines what the systems should do and how they should do it, and logs the result in the XML structure
  • Below is a sample O-ACEML workflow

Next steps

  • Looking to publish to the industry
  • Push simple tooling
  • Working with PCI, MITRE, NIST and others

Links


Session 3: Lessons From the Cloud: What I’ve Learned in 10 Years of Cloud Computing

The last session talked about cloud computing risks, how to identify them and how to prevent them.

Key Tweets


mikejwalker: Ben Franklin – “Any society that would give up a little liberty to gain a little security will deserve neither and lose both.” #ogaus

theopengroup: Dunlap: You need to understand the business that your organization is in so you can protect it. Talk to people find their pain points #ogaus

systemsflow: @bdunlap 1st response to "InfoSec too expensive" argument – save $$ by ditching half your security app portfolio as redundant #ogaus

systemsflow: Big message from BrightFly’s Brandon Dunlap: cloud providers (Dropbox, Google, 37 signals, etc.) need to publish security controls #ogaus

tinamonod: RT @omkhar: Great discussion with @ARSzakal and @HPPearson about #Cloud #Security at the networking event last night #ogaus

edocastro: Dunlap: Workers with a credit card are the new IT department; they are going out and procuring services that you are unable to vet #ogaus

theopengroup: Entertaining and interesting presentations by both our keynotes this morning! #ogaus

mikejwalker: AMR: NA companies are estimated to spend $29.9B on reg compliance and will spend $8.8B this year on technology solutions #entarch #ogaus

dave_mcnally: Brandon Dunlap at #ogaus "in many cases they (cloud providers) can do IT better than us"

mikejwalker: Dunlap providing great tips to get in front of cloud security and operational risks #ogaus

SmartestITCan: RT @omkhar: Great discussion with @ARSzakal and @HPPearson about #Cloud #Security at the networking event last night #ogaus

systemsflow: Dunlap: Individuals are still the weakest link in security, and especially when using #cloud services / SaaS. #ogaus

theopengroup: Dunlap: The weakest link in Cloud security is not technology, it’s the people, mostly those procuring low-cost services = Rogue IT #ogaus

systemsflow: Dunlap: Business users with a corporate credit card buying cloud-based services are the new "rogue IT" #ogaus

theopengroup: Dunlap: Workers with a credit card are the new IT department; they are going out and procuring services that you are unable to vet #ogaus

ebuise: RT @tetradian: [post] Why the bottom-line doesn’t come first in enterprise-architecture http://bit.ly/qAc6AJ #entarch #bizarch #ogaus

JWGaus: @mikejwalker #ogaus #cloud being more secure and having less visibility are not mutually exclusive.

mikejwalker: Brandon Dunlap – #cloud limits our visibility in #security controls. I disagree. Often times they are more secure than on-prem #ogaus

mikejwalker: ISACA Risk/Reward Barometer US Edition says that 41% of its survey participants feel that the risk outweighs the reward of #cloud #ogaus
