Security Forum - PowerPoint PPT Presentation

About This Presentation
Title:

Security Forum

Description:

Introductions, agenda and Forum Plan review - Web site, ... of standards including Biometrics & privacy with Identity ... Context for Biometrics (N5515) ... – PowerPoint PPT presentation

Slides: 13
Provided by: IanDo9
Transcript and Presenter's Notes



1
  • Security Forum
  • Identity Management Forum
  • Briefing to Q307 Conference
  • July 2007

2
Security and IdM Forums: Agenda in Austin (1 of 3)
  • Tuesday July 24th
  • Introductions, agenda review
  • FAIR tutorial (all-day) - Alex Hutton and Jack
    Jones, Risk Management Insight
  • Wednesday July 25th
  • 09.00-10.30
  • Introductions, agenda and Forum Plan review - Web
    site, context with Jericho Forum, key objectives
    in 2007
  • Industry news update/reports from members
  • Risk Management standard development: the FAIR
    measurement taxonomy and analysis method
  • 11.00-12.30
  • Presentation: Risk Management and the INFORM tool
    - Dr Jeremy Ward, Symantec
  • Presentation: Trends in Risk Assessment, Analysis
    and Compliance - Jim Hietela, Compliance
    Marketing
  • Risk Management standard development (contd.)
  • 14.00-17.30 Risk Management standard development
    (contd.)

3
Agenda in Austin (2 of 3)
  • Thursday July 26th
  • 09.00-10.30 Identity Management
  • ISO JTC1 WG5 - development of new set of
    standards including Biometrics & privacy with
    Identity Management Architectures, draft document
    N5531. Includes development of Framework for
    Identity Management Architectures, draft document
    5517.
  • Identity Management: progress in ITU-T SG17 on
    their work on interoperability/interworking,
    common data models, discovery, privacy, and
    governance.
  • Common Core Identifiers: plan to exploit this
    work in ISO/IEC JTC1 SC27
  • Digital Identity and Privacy: follow-up
    development on Jan 07 (San Diego) discussion on
    crypto-identities and domains of identities.
  • 11.00-12.30 Update XDAS
  • Summary: start-up, Web site
  • Project Objective: To develop an open standard
    for IT Audit that the Audit community (vendors
    and auditors) adopt as THE global standard for
    meeting today's audit requirements
  • Starting base document: 1998 Distributed Audit
    Services (XDAS) preliminary specification
  • Overlapping new standard: CEE
  • Initial updates: XDAS Record Format, and XDAS
    taxonomy

4
Agenda in Austin (3 of 3)
  • 14.00-15.30 SOA-Security joint meeting of
    Security Forum with SOA WG
  • Review progress on project since formation
    following Jan 07 meeting, to evaluate
    requirements and potential solutions for secure
    architectures in SOA environments
  • Opening status summary
  • Presentations - use cases and business scenarios
    to identify real requirements
  • Securing SOAs - Government Example - Paul Ashley
    (IBM Australia)
  • Models for web-services security: run-time and
    mediated (proxy) security - Sridhar Muppidi & Ron
    Williams (IBM Austin)
  • SOA use case for the financial industry - Wan-yen
    Hsu (HP)
  • Discussion
  • From these use-cases, evaluate security
    requirements/challenges that are specific to the
    SOA environment
  • Assess how existing solutions can satisfy these
    SOA-specific security requirements
  • 16.00-17.30 Security/Identity Management Forum
    plans
  • Current and future projects
  • Security plenary and APC streams in Budapest
    Conference (October 07)
  • 17.30 Close.

5
Project Briefing: Risk Measurement - Context
  • We all recognize that perfect security isn't
    possible
  • Our fundamental purpose as professionals is to
    help our employers manage risk by estimating as
    accurately as possible the frequency and
    magnitude of loss.
  • Unfortunately, the methods and concepts many of
    us have followed for years don't reflect the true
    nature of risk, and have limited our ability to
    be effective. We haven't been able to credibly
    answer some very basic questions:
  • How much risk management is enough?
  • How much risk do we have?
  • How much less risk will we have if we employ
    solution X, Y, or Z?
  • Each of these questions implies an ability to
    measure risk.
  • Without agreement on a sound understanding of
    fundamental risk concepts and factors, we can't
    produce credible measures for it.
  • FAIR - Factor Analysis for Information Risk
    http://www.riskmanagementinsight.com
  • FAIR seeks to provide the necessary foundation
    through its taxonomy, definitions, and analysis
    methods.

6
FAIR White Paper
  • Key messages from the RMI White Paper:
  • Information risk is a complex subject
  • Information Security professionals have not yet
    developed a generally agreed methodology which
    produces consistent measurements
  • There are no perfect solutions for how to measure
    risk.
  • In keeping with this truth, FAIR is not a perfect
    solution
  • FAIR does, however, provide a rational,
    effective, and defensible solution to the
    challenges of evaluating information risk.
  • The White Paper covers:
  • Risk concepts: high-level discussion of risk
    factor measurements.
  • Risk Analysis: some of the realities surrounding
    risk analysis and probabilities, to provide a
    common understanding
  • Risk Landscape Components: outlines the four
    primary components that have characteristics
    (factors) that, in combination with one another,
    drive risk.
  • Risk Factoring: begins to decompose information
    risk into its fundamental parts. The resulting
    taxonomy describes how the risk factors combine
    to drive risk, and establishes a foundation for
    the rest of the FAIR framework.
  • Controls: section introduces three dimensions of
    a controls landscape.
  • Measuring Risk: briefly discusses measurement

7
What FAIR provides
  • A logical framework that includes:
  • A taxonomy of the factors that make up
    information risk. This taxonomy provides a
    foundational understanding of information risk,
    without which we couldn't reasonably do the rest.
    It also provides a set of standard definitions
    for our terms.
  • A method for measuring the factors that drive
    information risk, including threat event
    frequency, vulnerability, and loss.
  • A computational engine that derives risk by
    mathematically simulating the relationships
    between the measured factors.
  • A simulation model that allows us to apply the
    taxonomy, measurement method, and computational
    engine to build and analyze risk scenarios of
    virtually any size or complexity.
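The slide describes FAIR's computational engine only in outline. The following added example (written for this page, not code from Risk Management Insight or the FAIR specification) sketches the factor relationships it names: threat event frequency and vulnerability give loss events, each loss event draws a loss magnitude, and a Monte Carlo run over many simulated years yields the annual loss distribution. The triangular distributions, the Poisson model for threat events and all the numbers are assumptions chosen for illustration; the two scenarios show how "how much less risk with solution X?" becomes a measurable difference.

```python
import math
import random
import statistics
from dataclasses import dataclass

@dataclass
class Factor:  # low / most-likely / high estimate (assumed triangular distribution)
    low: float
    likely: float
    high: float
    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)

@dataclass
class Scenario:
    tef: Factor             # threat events per year
    vulnerability: Factor   # probability a threat event becomes a loss event
    loss_magnitude: Factor  # loss per loss event, in currency units

def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler (adequate for the small rates used here)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def simulate(scenario: Scenario, years: int = 5000, seed: int = 1) -> list:
    """One simulated annual loss per year: TEF x vulnerability gives the loss
    events, and each loss event draws its own loss magnitude."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        tef, vuln = scenario.tef.sample(rng), scenario.vulnerability.sample(rng)
        loss_events = sum(1 for _ in range(poisson(rng, tef)) if rng.random() < vuln)
        losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(loss_events)))
    return losses

def summarize(losses: list) -> dict:
    """Answers 'how much risk do we have?' as mean, median and 90th percentile."""
    deciles = statistics.quantiles(losses, n=10)
    return {"mean": statistics.fmean(losses), "p50": statistics.median(losses), "p90": deciles[-1]}

def loss_reduction(before: Scenario, after: Scenario) -> float:
    # 'How much less risk with solution X?' as the drop in mean annual loss
    return summarize(simulate(before))["mean"] - summarize(simulate(after))["mean"]

# Constructed numbers (assumptions): baseline vs. a control that cuts vulnerability
BASELINE = Scenario(Factor(5, 10, 20), Factor(0.3, 0.5, 0.7), Factor(10_000, 30_000, 100_000))
WITH_CONTROL = Scenario(BASELINE.tef, Factor(0.05, 0.1, 0.2), BASELINE.loss_magnitude)
```

Calling `summarize(simulate(BASELINE))` and `summarize(simulate(WITH_CONTROL))` gives the two annual-loss distributions; `loss_reduction(BASELINE, WITH_CONTROL)` is the expected annual saving the control buys.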

8
Projects Briefing: Identity Management
  • Current activities
  • ISO JTC1 SC27 WG5 - development of new set of
    standards making up a Framework for Identity
    Management Architectures (N5531), comprising:
  • Authentication Context for Biometrics (N5515)
  • Framework for Identity Management Architectures
    (N5517)
  • Privacy Framework (N5519)
  • The Open Group has Category C Liaison status with
    ISO JTC1 SC27
  • Identity Management: interest in monitoring ITU-T
    SG17 work on interoperability/interworking,
    common data models, discovery, privacy, and
    governance.
  • Common Core Identifiers: submission to ISO JTC1
    SC27, to influence their development of a
    standard on Identifiers
  • Digital Identity and Privacy: interest in
    following up discussion in our Jan 07 (San Diego)
    review of crypto-identities and domains of
    identities.

9
Project Briefing: Update XDAS project (1 of 2)
  • New Security Forum project:
    http://www.opengroup.org/projects/sec-das
  • Objective: To develop an open standard for IT
    Audit that the Audit community (vendors and
    auditors) adopt as THE global standard for
    meeting today's audit requirements
  • Starting base document is The Open Group's 1998
    Distributed Audit Services (XDAS) preliminary
    specification, which is downloadable free of
    charge from The Open Group's online bookstore:
    http://www.opengroup.org/bookstore/catalog/p441.htm
  • For this reason, the project name Update-XDAS
    was adopted
  • Project champion: Novell
  • Other participants
  • 1998 XDAS specification covered three critical
    aspects of audit logging:
  • Security Event Taxonomy
  • Event Record Format
  • Auditing API
  • Related work
  • Novell is leading open source project OpenXDAS,
    which has been based on the 1998 XDAS
    specification
  • MITRE is leading development of a Common Event
    Expression (CEE) standard, which aims to provide
    a common set of audit event expressions which
    will provide for interoperable data exchange
    between conforming implementations.

10
Update XDAS project (2 of 2)
  • Initial review of the stated CEE objectives
    indicates:
  • CEE overlaps with security event taxonomy in XDAS
  • CEE current objectives will not meet the
    requirements that the Update-XDAS project
    participants consider are essential to meet our
    IT Audit needs.
  • Update-XDAS project has established co-operative
    link with CEE leaders, with common aim to avoid
    competing standards and so promote
    interoperability
  • Informative Burton Group assessment on Auditing
    Standards available at
    http://srmsblog.burtongroup.com/2007/07/an-auditing-sta.html
  • Further informative debate in blog at
    http://raffy.ch/blog/2007/06/07/common-event-exchange-formats-xdas/
  • Update-XDAS project held 1st Conference Call on
    July 18th
  • Outcome was understanding of the key priorities
    that participants want in security auditing
  • Objective was confirmed as: to create an open
    standard that the IT audit community (vendors and
    auditors) will adopt as THE global standard for
    meeting today's audit requirements
  • Objective is NOT to justify the existing
    definition of security auditing in the 1998 XDAS
    specification, but rather to build on the sound
    foundation it provides.
  • Initial proposals for revising the XDAS Record
    Format and XDAS taxonomy proposed on July 19th -
    now under review.

11
Project Briefing: SOA and Security - current
status
  • Web site: http://www.opengroup.org/projects/soa-sec
  • Summary of objectives: To evaluate requirements
    and potential solutions for secure architectures
    in SOA environments
  • Is SOA a suitable approach for describing a
    de-perimeterized architecture?
  • What additional security issues must be addressed
    in SOA environments?
  • Teleconference reports available to members at
    www.opengroup.org/projects/soa-sec/protected
  • SOA-Sec task group Co-Chairs:
  • Fred Etemadieh (Trusted Systems Consulting)
  • Owen Sayers (Capgemini)
  • Shawn Smolsky (Lockheed Martin)
  • Agreed initial deliverables:
  • Charter - completed
  • Develop use cases and business scenarios to
    facilitate analyzing real SOA security
    challenges/issues, why we care, and proposed
    solutions. Arising from this, evaluate
    opportunities for developing new standards and
    best practice guides
  • Examine compliance drivers on requirements,
    including views from government, business and
    technology perspectives.

12
SOA and Security agenda
  • Opening status summary
  • Presentations - use cases and business scenarios
    to identify real requirements
  • Securing SOAs - Government Example - Paul Ashley
    (IBM Australia)
  • Models for web-services security: run-time and
    mediated (proxy) security - Sridhar Muppidi & Ron
    Williams (IBM Austin)
  • SOA use case for the financial industry - Wan-yen
    Hsu (HP)
  • Discussion
  • From these use-cases, evaluate security
    requirements/challenges that are specific to the
    SOA environment
  • Assess how existing solutions can satisfy these
    SOA-specific security requirements