The second morning at the Open Group Conference changed themes a bit. The focus shifted from Enterprise Architecture and Business Architecture to Security and Cloud. A topic that is very near and dear to my heart. There was quite a bit of discussion in these session on how we can enable Cloud solutions from an Enterprise Architecture perspective.
The Digital Identity Challenge - How the US National Strategy for Trusted Identities in Cyberspace (NSTIC) Program Is Responding -- Dr Peter Alterman, Senior Advisor at National Program Office, National Strategy for Trusted Identities in Cyberspace, NIST, and Senior Advisor for Strategic Initiatives at National Institute of Health (NIH)
Lessons From the Cloud: What I’ve Learned in 10 Years of Cloud Computing -- Brandon Dunlap, Managing Director of Research, Brightfly
This was a very interesting session, both for what it revealed about the specific working group and for what the federal government is doing to protect its citizens. What I really liked about the session was the insight it gave into the actions the Obama administration is taking to protect all of our digital identities from theft and fraud.
It was stated a few times that this administration is very sensitive to the Big Brother or George Orwell scenarios. Kudos to this team and the Obama administration. It also brings me back to a security quote from the early 1700’s that applies just as much now as it did then.
“Any society that would give up a little liberty to gain a little security will deserve neither and lose both.”
Below are the key messages from that presentation:
Goal by 2016
Allowing people to choose their authentication provider through an Identity Ecosystem
Private sector will run this effort but the federal government will provide support
Not government run
The private sector has the highest ability to execute on this vision
The government will define the governance model
No new standards, will align to proven security standards
Tie all this back to the national security policy
Protecting privacy and civil liberties is fundamental
Avoid a George Orwell scenario
What’s being done so far?
Series of workshops on privacy and governance
Supporting existing eGovernment and federated identity management (SSA, IRS, Health ID, etc.)
Going forward
Workshops on technical, legal and attributes in the near future
Establish a functioning governance entity
Create governance models and standards
Criteria for selecting grants
Explore models for addressing liability
Support adoption of attribute management architectures
Prepare for pilot for grants
Ensure early-adoption IDs are distributed early and broadly.
Session 2: O-Automated Compliance Expert Working Group (O-ACEML)
The Open Group recently published the Open Automated Compliance Expert Markup Language (O-ACEML) standard. This new technical standard addresses the need to automate the process of configuring IT environments to meet compliance requirements. O-ACEML will also enable customer organizations and their auditors to streamline data gathering and reporting on compliance postures.
O-ACEML is aimed at helping organizations reduce the cost of compliance by replacing manual compliance processes. The standard is an open, simple, and well-defined XML schema that allows compliance requirements to be described in machine-understandable XML, as opposed to requiring humans to interpret text from documents. The standard also provides a remediation element, which enables multiple requirements (from different compliance regulations) to be blended into a single policy. An example of where this is needed is password length and complexity requirements, which may differ between regulations. O-ACEML allows the most secure setting to be selected and applied, so that all of the regulations are met or exceeded.
The Need?
According to AMR Research, North American Companies are estimated to spend $29.9B on regulatory compliance and will spend $8.8B this year on technology solutions to solve their compliance requirements. The cost worldwide is huge, and the need to comply is not an option. Reducing this cost is therefore a business imperative.
How does this make compliance action-oriented?
Compliance is manual and complicated
Solution: automate it
O-ACEML is a simple way for humans to create security policies
O-ACEML provides a way to have insights into environments that are complex with many end devices or computers via a standard XML structure
Aid auditors in compliance checks
This standard is targeted towards Compliance Organizations such as:
TCG
PCI
NIST
ISO
COBIT
Solution
Create an XML based solution that can provide a common vocabulary for both Risk Management, Security and Audit functions
As seen above, O-ACEML is primarily split into three areas:
O-ACEML will be used by compliance organizations to express requirements.
O-ACEML will be used by compliance automation tools to implement these requirements through configuration controls on the underlying device in an automated manner.
O-ACEML will be used to form an auditable historical log which records the details of any configuration change.
This solution allows for descriptive rules that specify a specific action (e.g., shut down this port)
Since this is XML-based, it is highly dynamic and technology-agnostic
The XML defines what the systems should do and how they should do it, and the result is logged in the same XML structure
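To make the three areas concrete, here is an added example (my own illustration, not the Open Group's O-ACEML schema or any O-ACEML tooling) that uses a constructed XML vocabulary of the same shape: two hypothetical regulations express controls, a blending step picks the strictest value per setting (the password length case from the session, plus a "shut down this service" rule), the blended policy is applied to a sample device state, and every verification or change is recorded in an XML audit log. Element and attribute names, the regulation names RegA/RegB, and the device settings are all constructed for the example.

```python
"""Illustrative model of the O-ACEML workflow described in the session notes.
Added example with a constructed XML vocabulary; it is NOT the Open Group's
published O-ACEML schema or tooling."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample input: two regulations whose password rules differ.
# op="min"/"max" carry a numeric floor/ceiling; op="require"/"forbid" are
# boolean controls (forbidding a service is the "shut down this port" case).
REQUIREMENTS_XML = """<requirements>
  <regulation name="RegA">
    <control setting="password.min_length" op="min" value="8"/>
    <control setting="password.max_age_days" op="max" value="90"/>
    <control setting="service.telnet" op="forbid"/>
    <control setting="service.ssh" op="require"/>
  </regulation>
  <regulation name="RegB">
    <control setting="password.min_length" op="min" value="12"/>
    <control setting="password.max_age_days" op="max" value="60"/>
    <control setting="password.require_complexity" op="require"/>
  </regulation>
</requirements>"""

# Constructed sample device state before remediation.
DEVICE_BEFORE = {
    "password.min_length": 6,
    "password.max_age_days": 180,
    "service.telnet": True,
    "service.ssh": True,
}


def merge_requirements(xml_text):
    """Blend every regulation's controls into one policy, keeping the
    strictest value per setting: the highest floor, the lowest ceiling, and
    any require/forbid.  Returns {setting: (op, target, [regulation names])}."""
    policy = {}
    for reg in ET.fromstring(xml_text).findall("regulation"):
        for ctrl in reg.findall("control"):
            setting, op = ctrl.get("setting"), ctrl.get("op")
            if op in ("min", "max"):
                target = int(ctrl.get("value"))
            elif op == "require":
                target = True
            elif op == "forbid":
                target = False
            else:
                raise ValueError(f"unknown op {op!r} for {setting}")
            if setting not in policy:
                policy[setting] = (op, target, [reg.get("name")])
                continue
            cur_op, cur_target, sources = policy[setting]
            if cur_op != op:
                # e.g. one regulation requires a service another forbids:
                # a human must resolve this, so fail loudly instead of guessing.
                raise ValueError(f"{setting}: {cur_op} vs {op} cannot be blended")
            if op == "min":
                cur_target = max(cur_target, target)
            elif op == "max":
                cur_target = min(cur_target, target)
            policy[setting] = (op, cur_target, sources + [reg.get("name")])
    return policy


def is_compliant(op, current, target):
    """True when the device's current value satisfies the blended target."""
    if current is None:
        return False
    if op == "min":
        return current >= target
    if op == "max":
        return current <= target
    return current == target


def remediate(policy, device):
    """Apply the policy to a device state and return (new_state, audit_xml).
    Every setting gets an audit entry, whether it was changed or only verified."""
    state = dict(device)
    log = ET.Element("audit_log", generated=datetime.now(timezone.utc).isoformat())
    for setting, (op, target, sources) in sorted(policy.items()):
        before = state.get(setting)
        if is_compliant(op, before, target):
            action = "verified"
        else:
            state[setting] = target
            action = "changed"
        ET.SubElement(log, "entry", setting=setting, action=action,
                      before=str(before), after=str(state[setting]),
                      sources=",".join(sources))
    return state, ET.tostring(log, encoding="unicode")


def audit_summary(audit_xml):
    """Count audit entries per action, e.g. {'changed': 4, 'verified': 1}."""
    counts = {}
    for entry in ET.fromstring(audit_xml).findall("entry"):
        counts[entry.get("action")] = counts.get(entry.get("action"), 0) + 1
    return counts


if __name__ == "__main__":
    blended = merge_requirements(REQUIREMENTS_XML)
    after, audit = remediate(blended, DEVICE_BEFORE)
    for name, (op, target, sources) in sorted(blended.items()):
        print(f"{name}: {op} {target} (from {', '.join(sources)})")
    print(audit)
```

The design choice worth noting is the conflict check: when two regulations disagree on the operator itself (one requires a service, another forbids it) there is no "most secure" answer a tool can pick on its own, so the blend fails loudly rather than silently choosing, which is exactly the kind of case a human reviewer and the audit log are there for.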
Below is a sample workflow for O-ACEML
Next steps
Looking to publish to the industry
Push simple tooling
Working with PCI, MITRE, NIST and others
Links
The last session talked about cloud computing risks, and how to identify and prevent them.
Key Tweets
8 minutes ago via TweetDeck
theopengroup: Dunlap: You need to understand the business that your organization is in so you can protect it. Talk to people find their pain points #ogaus
9 minutes ago via HootSuite
systemsflow: @bdunlap 1st response to "InfoSec too expensive" argument - save $$ by ditching half your security app portfolio as redundant #ogaus
9 minutes ago via HootSuite
systemsflow: Big message from BrightFly's Brandon Dunlap: cloud providers (Dropbox, Google, 37 signals, etc.) need to publish security controls #ogaus
19 minutes ago via HootSuite
tinamonod: RT @omkhar: Great discussion with @ARSzakal and @HPPearson about #Cloud #Security at the networking event last night #ogaus
23 minutes ago via web
edocastro: Dunlap: Workers with a credit card are the new IT department; they are going out and procuring services that you are unable to vet #ogaus
24 minutes ago via Twitter for Windows Phone
theopengroup: Entertaining and interesting presentations by both our keynotes this morning! #ogaus
24 minutes ago via HootSuite
mikejwalker: AMR: NA companies are estimated to spend $29.9B on reg compliance and will spend $8.8B this year on technology solutions #entarch #ogaus
25 minutes ago via TweetDeck
SmartestITCan: RT @omkhar: Great discussion with @ARSzakal and @HPPearson about #Cloud #Security at the networking event last night #ogaus
Technorati Tags: Enterprise Architecture,Open Group Conference,Open Group