Title: OASIS: Integrating Standards for Web Services, Business Processes
1. www.oasis-open.org

Jim Hietala, Vice President, Security
44 Montgomery Street, Suite 960, San Francisco, CA 94104, USA
Tel 1 303 495 3123, Cell 1 303 995 5387
j.hietala_at_opengroup.org
www.opengroup.org
2. Security Forum Vision and Mission

- The Open Group: Boundaryless Information Flow, achieved through global interoperability in a secure, reliable and timely manner
- The Open Group Security Forum: to facilitate the rapid development of secure architectures supporting boundaryless information flow through
  - Development of industry standards, either independently or through co-operation (adopt, adapt, publish)
  - Developing guides, business rationales, scenarios, use cases
  - Developing reference and common system architectures, and support services
- The Open Group also manages and supports the Jericho Forum
3. IT Changes Affecting Security

- Web 2.0 is coming to most enterprises, like it or not
- Consumerization of IT with mobile devices
- Shift in user patterns: an increasing share of user logins are now contractors, consultants, and business partners
- The perimeter security model is proving ineffective at securing this evolving environment
4. Web Security Study

- 7% of sites could be compromised automatically
- 7.7% of sites had a high-severity vulnerability detectable through scanning
- 9 of 10 sites have at least one serious vulnerability
- Average of 7 vulnerabilities per site

Sources: Web Application Security Consortium, 2007, and White Hat Security, analysis of 600 sites
5. Security Standards Needs Exist at Multiple Levels

- Security function interoperability: SAML, XACML, etc.
- Implementation level: ISO 27002, PCI DSS, etc.
- Architecture: need for a new standard security architecture describing information-centric vs. perimeter-centric security
6. The Open Group Security Forum Key Accomplishments

Guides and White Papers:
- Security, Privacy, DRM, Identity Management, PKI, IdM Architectures, Security Design Patterns, Electronic Chattel Paper, Trust Models, Common Core Identifiers
- Information Security Strategy

Standards:
- CDSA (Common Data Security Architecture), Authentication API, AZN-API (Authorization API), UAS
- XDAS (Distributed Audit Service), APKI (Architecture for Public-Key Infrastructure), XSSO (Single Sign-On), CDSA
- DCE (Distributed Computing Environment), XBSS (Baseline Security Services), XDSF (Distributed Security Framework), GSS-API (Generic Security Services API)

12/2007: Integration of the Network Applications Consortium
7. The Open Group Future Security Activities

- Continued support of Jericho Forum activities
- Ongoing standards work in these areas:
  - Risk management taxonomy
  - Secure mobile architectures
  - Trust models
  - XML platform compliance reporting
  - Standard security architectures
- Initiating Security Practitioners Conferences
- Workshop approach to develop understanding and requirements around key emerging security issues such as cloud computing and virtualization
8. Thank You!