Introduction to the Security Forum - PowerPoint PPT Presentation

Jet Propulsion Laboratory

California Institute of Technology

4800 Oak Grove Drive

Pasadena, California 91109-8099

J. Steven Jenkins, Ph.D.

Principal Engineer

+1 818 354-6055

steven.jenkins@jpl.nasa.gov

Introduction to the Security Forum



What We Used to Do

  • Security Standards Development

    • X/Open Basic Security Services (XBSS)

    • Common Data Security Architecture (CDSA)

      • With reference implementation

    • Authorization API (AZN API)

  • Work on PKI

    • Architecture (APKI)

    • DCE/PKI Integration



Why We Don’t Do That Now

  • Security standards development is well addressed by some other organizations

    • IETF, OASIS

  • Some high-profile standards did not achieve the desired uptake and effect

    • CDSA, AZN

  • There are significant challenges in security that are not being addressed anywhere on a systematic basis



Classical Security Analysis

  • Classical model in a cartoon

    • Analyze threats

    • Analyze vulnerabilities

    • Analyze risks

    • Design and implement countermeasures

  • What’s wrong with the classical model?

    • It starts with bad things to prevent

    • It assumes all risk is bad

    • The result often prevents good things



Our Model Is Different

  • We believe that security exists to ensure that business gets done according to policy

  • Policies are business-driven, for example:

    • Comply with the law because you want to stay in business

    • Respect your customers because you want to keep them

    • Understand your risks and make business decisions about which to accept and how



Managing Risk

  • Risk is not necessarily a bad thing

    • Every business transaction carries risk

  • Some ways to deal with risk

    • Disclaim it

    • Transfer it by contract

    • Hedge against it

    • Insure against it

    • Accept it

  • Security helps you manage risk by design



Active Loss Prevention

  • The Open Group has had an Active Loss Prevention Initiative for several years

  • It provides a framework for addressing IT issues related to risk and loss in the context of law, insurance, and business

  • The ALP Initiative is now integrated into the Security Forum

    • A welcome addition because their aims are the same as ours



Summary

  • Our mission is to bridge the gap between business objectives and traditional “security” technology

    • Clear ways to talk about business security

    • Analytical tools to turn objectives into design

    • Identification of gaps in both understanding and technology

      • What are the emerging requirements?

    • Better understanding between buyers and suppliers of IT

