
Security, Transactions and Open Standards



  1. Security, Transactions and Open Standards David Petraitis European Representative CISO Executive Summit, Geneva, 16 June 2004 David.Petraitis@oasis-open.org

  2. Open Standards and the role of the CISO • Future Shock – “De-perimeterization” • Why do standards matter? • What is a “standard”; how can you tell? • Service-oriented architectures, web services and e-business • Key directions in Web Services Standards • What your company can do

  3. The CISO has to deal with “Future Shock” daily!

  4. Orderly business systems suffer…

  5. De-perimeterization

  6. A smooth sailing business environment is transformed…

  7. Into a fight for your business survival

  8. It’s enough to make the CISO want to…

  9. Why then do standards matter?

  10. “It is necessary that those between whom commerce is carried on should understand one another.” Voltaire, Philosophical Dictionary, 1752

  11. Why do standards matter for e-business? • Businesses require expansion of the value chain into unlimited, de-perimeterized extranets • Support of multiple platforms is a business necessity • Must support multiple languages, taxonomies, semantics and business processes But… • Normalizing data, processes and users costs time and money

  12. Why do standards matter? Risk reduction for e-commerce (business need → what standards offer) • Unstable business and technical requirements → Persistent technical base with stable versioning • New and emerging business requirements → Evolving and converging standards • Diversity of business partners and technologies → Interoperable standards • Need for long term support → Reliable, fixed terms of availability

  13. Strategies for Companies in e-Business Standards (figure: a matrix with axes Market Power and Heterogeneity vs. Homogeneity; the four quadrants are Dictate, Adopt, Submit and Join)

  14. “Without standards, a technology cannot become ubiquitous, particularly when it is part of a larger network.” The Economist, 8 May 2003

  15. What is a “standard” and how can you tell?

  16. What is a Standard? • Anything that a vendor publishes? Or on which a few vendors agree? • They may be “specifications” • Some call them “de facto” standards • But they are not necessarily open standards • Open standards are distinguishable: • Published, clear rules • Level playing field with public input • Transparent operations • Transparent output

  17. What’s an “Open Standard”? An open standard is: • publicly available in stable, persistent versions • developed and approved under a published process • open to input: public comments, public archives, no NDAs • subject to explicit, disclosed IPR terms Anything else is to some extent proprietary: • This is a policy distinction, not a pejorative • See the US, EU, WTO governmental & regulatory definitions of “standards”

  18. Regulatory mandates for standards Increasingly, it matters to government buyers, users and regulators whether standards are “real” standards. • WTO Technical Barriers to Trade Agreement, Annex 3: • http://www.wto.org/english/docs_e/legal_e/final_e.htm. • National criteria, such as in the U.S. gov’t: • http://www.whitehouse.gov/omb/circulars/a119/a119.html. • These rules focus on desirable process attributes: public process, public archives, open to comment without NDA or noncompete restrictions, etc.

  19. OASIS is a member-led, international nonprofit standards consortium concentrating on structured information and global e-business standards • Members of OASIS are • Vendors, users, academics and governments • Organizations, individuals and industry groups • Best known for e-business standards such as • UDDI • SAML • ebXML • WS-Security • WSRP • WSRM • SPML • XACML • UBL • Host for key security standards projects also including • PKI TC • DSS • DSML

  20. OASIS e-Business since 1993 16 current OASIS Standards • DocBook v4.1 • DSML v2 • ebXML RIM v2 • ebXML RS v2 • ebXML MSG v2 • ebXML CPPA v2 • SAML v1.0 • XACML v1.0 • UDDI v2 • SAML v1.1 • WSRP v1 • XCBF v1.1 (Biometrics) • SPML v1.0 (Provisioning) • CAP v1.0 (Emergency TC) • WS-Security v1.0 • AVDL v1.0 About 60 approved Committee Drafts

  21. Standards convergence and interoperability • OASIS encourages and structures bilateral technical liaisons • OASIS participates in and coordinates with many other standards and industry coordination efforts, e.g., • ISO / IEC / ITU / ECE e-Business MoU • ISO Category-A liaisons with TC154, various JTC1 Subcommittees • W3C and OASIS management meetings • Scoping and cooperative planning with GGF, DMTF, RosettaNet, EAN/UCC, OAGi, AIAG, CIDX, PIDX, etc ...

  22. Standards convergence and interoperability (cont.) • OASIS puts software vendors, industry adopters, small developers and academics into the same conversation on accessible terms • OASIS permits members to define specification projects that address their own needs: loose coupling, but coupling • Strong interoperability bias: Standards are expected to declare their dependencies, modularity and composability • This results in a market-based architecture based on user requirements, instead of a top-down map

  23. Standard Adoption • To be successful, a standard must be used • Adoption is most likely when the standard is • Freely accessible • Meets the needs of a large number of adopters • Flexible enough to change as needs change • Produces consistent results • Checkable for conformance, compatibility • Implemented and thus practically available • Sanction and traction both matter

  24. Traction vs. Sanction (figure: vertical axis Traction / Market Adoption; horizontal axis Sanction / Open Standardization, running from Proprietary through JCV and Consortia to SDO; examples plotted: XML (W3C), SOAP v1.1 → SOAP v1.2 (W3C), WSDL v1.1 → WSDL v1.2 (W3C), ebXML (x4) (OASIS, ISO 15000), WS-Security → WS-S (OASIS), UDDI v2,3 (UDDI.org → OASIS), SGML (ISO), BPEL4WS → WS-BPEL (OASIS))

  25. Service-oriented architectures, web services and e-business

  26. Current OASIS alpha model for mapping e-Business work (figure: layers Data Content; Orchestration & Management; Security & Access; Service Description; Service Discovery; Messaging; all resting on a common language (XML) and a common transport (HTTP, etc.)) • Work in progress • Loosely coupled • Approachable to end users • Driven by self-description

  27. Each specification is a dot (figure, draft: the same layer model, with UDDI and ebXML RegRep shown as example dots)

  28. Some projects issue more than one spec (figure, draft: the same layer model)

  29. Approval levels: specs are at different stages (figure, draft: the layer model, with dots marked Pre-approval, Committee Draft or OASIS Standard)

  30. Approval levels: OASIS work (May 2004) (figure, draft: the layer model)

  31. Approval levels: OASIS work (May 2004) placed on the layer model (figure, draft). Orchestration & Management: CAM; ASAP, BTP, ebXML-BP, WSBPEL, WSCAF; WSDM, WSRF*, WSN*. Security & Access: [DSML], RLTC, XACML, SPML; DSS, PKI, SAML, WSS, XCBF. Service Discovery: UDDI; ebXML RegRep. Other TCs named on the slide: CIQ, DocBook, OpenOffice, UBL, XLIFF; [Auto Repair], AVDL, eGov, Election, eProc, Emerg, Legal XML (7), Materials, PLCS, PPS, TaxML, WAS; HumanML, UIML, WSRP; FWSI, TransWS, BCM, ebSOA*; ebXML CPPA; [Conformance], ebXML IIC, XSLT Conf; DITA*, EntityRes, RELAX-NG, Topic Maps (3), XDI, XRI; ebXML MSG, WS-Rel. * New TCs

  32. Multiple standards and methods may co-exist

  33. Multiple co-existing standards: the method you choose may depend on your needs (Simpler vs. More complex) • Loose coupling to other methods vs. More exclusive • Lightweight code vs. Heavyweight code, more functionality • Limited use case vs. Highly scalable • Easier to tool, deploy vs. Bigger tools, higher cost

  34. Key directions in Web Services security

  35. Web Services Security (figure: the layer model of Data Content; Orchestration & Management; Security & Access; Service Description; Service Discovery; Messaging; common language (XML); common transport (HTTP, etc.))

  36. (figure: the layer model with the security-related work highlighted) Orchestration & Management: CAM; ASAP, BTP, ebXML-BP, WSBPEL, WSCAF; WSDM, WSRF, WSN. Security & Access: [DSML], RLTC, XACML, SPML; DSS, PKI, SAML, WSS, XCBF. Common language (XML); common transport (HTTP, etc.)

  37. Web Services security • Most e-business implementations require a traceable, auditable, bookable level of assurance when data is exchanged • IT operations demand a “transactional” level of reliable functionality, whether it’s an economic event (booking a sale) or a pure information exchange • Dealings between divisions often need security and reliability as much as deals between companies

  38. Security: function by function • Identity authentication • Encryption and protection against interception • Control of access and authority

  39. Identity authentication The latest e-business security standards implement the next generation of identity deployment • In the 1990’s, PKI assumed a universal network of official certification authorities • Newer federated / distributed identity models permit identity certification to be decentralized and shared among service providers and existing registrars • SAML • WS-Security • XCBF

  40. Identity authentication • SAML (Security Assertion Markup Language ) • A standard way to convey identity and authorization data • Winner of PC Magazine’s Technology Excellence Award in 2002 and Digital ID World 2003 award for innovation in 2003 • SAML 1.0 approved as an OASIS Standard in Nov. 2002; SAML 1.1 in Aug. 2003 • SAML 2.0 out soon

  41. Identity authentication • WS-Security (Web Services Security) • The standard method for attaching security data to a web services message • Wide support in web services toolmaking • Profiles (modules) completed or in development for: • SAML • Rights expression languages • Username-token/password pairs • X.509 PKI • WS-Security 2004 1.0 suite approved as an OASIS Standard in March 2004
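The Username-token profile mentioned above is the simplest place to see how WS-Security attaches security data to a SOAP message and what the receiving side has to check. The following is an added example, not code from OASIS or from the presentation: it builds a SOAP envelope carrying a `wsse:UsernameToken` with a `PasswordDigest` (Base64 of SHA-1 over nonce, `Created` timestamp and password, as the profile defines it) and then verifies it server-side with a freshness window and a nonce replay cache. The credential store, the 5-minute window and the payload are constructed assumptions.

```python
"""Added example: WS-Security UsernameToken (PasswordDigest) round trip.

Not code from OASIS or the presentation. The credential store, the
freshness window and the SOAP body are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

# Constructed credential store. The digest scheme needs the password itself
# (or an equivalent secret) on the server, so this store must be protected.
USERS = {"alice": "correct horse battery staple"}
FRESHNESS = timedelta(minutes=5)   # assumed acceptance window for Created


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) as the profile specifies."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_envelope(user: str, password: str, nonce: bytes = None,
                   created: str = None) -> str:
    """Client side: SOAP envelope with a digest-style UsernameToken header."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    digest = password_digest(nonce, created, password)
    return f"""<S:Envelope xmlns:S="{SOAP}">
 <S:Header>
  <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
   <wsse:UsernameToken>
    <wsse:Username>{user}</wsse:Username>
    <wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>
    <wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>
    <wsu:Created>{created}</wsu:Created>
   </wsse:UsernameToken>
  </wsse:Security>
 </S:Header>
 <S:Body><order>constructed payload</order></S:Body>
</S:Envelope>"""


def verify_envelope(envelope: str, seen_nonces: set, now: datetime = None):
    """Server side: validate the token. Returns (accepted, reason)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(envelope)
    token = root.find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        return False, "no UsernameToken"
    user = token.findtext(f"{{{WSSE}}}Username", "")
    pw = token.find(f"{{{WSSE}}}Password")
    nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce", "")
    created = token.findtext(f"{{{WSU}}}Created", "")
    # Only the digest form is accepted; plain-text passwords are refused.
    if pw is None or pw.get("Type") != DIGEST_TYPE or not nonce_b64 or not created:
        return False, "token missing digest, nonce or Created"
    if user not in USERS:
        return False, "unknown user"
    try:
        created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
    except ValueError:
        return False, "unparseable Created"
    # Freshness window limits how long a captured token stays usable.
    if abs(now - created_dt) > FRESHNESS:
        return False, "stale Created timestamp"
    nonce = base64.b64decode(nonce_b64)
    # Nonce cache catches a verbatim replay inside the freshness window.
    if nonce in seen_nonces:
        return False, "replayed nonce"
    expected = password_digest(nonce, created, USERS[user])
    if not hmac.compare_digest(expected, pw.text or ""):
        return False, "password digest mismatch"
    seen_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    cache = set()
    msg = build_envelope("alice", USERS["alice"])
    print(verify_envelope(msg, cache))   # first delivery is accepted
    print(verify_envelope(msg, cache))   # identical second delivery is refused
```

The digest gives the receiver something to check without sending the password on the wire, but it is not a substitute for transport protection: the profile's nonce and `Created` checks only bound replay, so in practice the token travels over TLS or inside a signed and encrypted WS-Security header.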

  42. Identity authentication • XCBF (eXtensible Common Biometric Format) • Method for conveying biometric identity data such as retina scans and fingerprints • Coordinated with other world efforts, including ITU-T standards and the ANSI X9.84 banking industry biometrics initiative • Expect to see more tools and devices commercially deployed soon • XCBF 1.1 approved as an OASIS Standard in August 2003

  43. Encryption and protection against interception & intrusion • A key problem with encrypted messages travelling over a shared or public network: if you encrypt the wrong bits, it doesn’t arrive, or the recipient can’t process it • Shared and automated methods for managing security require a shared vocabulary about security weaknesses and risks • DSS • PKI TC • AVDL • WAS

  44. Encryption and protection against interception & intrusion • PKI TC (Public Key Infrastructure Technical Committee) • Promotion and research regarding industry use of PKI digital signatures and practical obstacles to deployment • Project underway • DSS (Digital Signature Services) • Develop methods for processing production and consumption of digital signatures • Project underway

  45. Encryption and protection against interception & intrusion • WAS (Web Application Security) • Threat model and classification scheme for web security vulnerabilities • WAS 1.0 is under development • AVDL (Application Vulnerability Description Lang.) • Uniform method for describing application security vulnerabilities • AVDL 1.0 approved as an OASIS Standard in June 2004 • Network Magazine started a petition campaign to support wide deployment of AVDL and WAS: http://www.networkmagazine.com/watchdog/avdl.jhtml

  46. Control of access and authority • In transactional information exchanges, you often must apply • access lists, • directories of recipients, • levels of authority, and • access policies • So that you know who gets what, and who should get it • XACML • SPML

  47. Control of access and authority • SPML (Service Provisioning Markup Language) • Disseminates and leverages directories and access lists, such as employee authorizations • Demo’ed at Burton Catalyst 2003 in SF • SPML 1.0 approved as an OASIS Standard in August 2003 • XACML (Access Control Markup Language) • Method for conveying and applying data access policies and controls • Demo’ed at XML2003 in Philadelphia • XACML 1.0 approved as an OASIS Standard in Feb. 2003 • Role-based access profile issued in May 2004
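Slides 46 and 47 describe the access-control layer in terms of access lists, levels of authority and policies that decide "who gets what". The following added example (not OASIS code and not from the presentation) models the XACML ideas those slides name, a policy of rules with Permit/Deny effects, targets matched against request attributes, and a combining algorithm, as plain Python structures rather than the XACML XML schema, so the decision logic can be read in a few lines. The policy, roles, actions and resource names are constructed; the role-based part corresponds to the role-based profile mentioned on the slide only in spirit.

```python
"""Added example: a miniature XACML-style policy decision point (PDP).

Illustration only, not an OASIS or XACML-schema implementation. Policies,
rules, attributes and the two combining algorithms are constructed Python
structures that follow XACML's evaluation model.
"""
from typing import Dict, List, Set

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# A target maps an attribute name to the set of values it accepts; an
# attribute absent from the target matches anything (as in XACML, an empty
# target matches all requests). Request attributes are sets because a
# subject may hold several roles at once.
Target = Dict[str, Set[str]]
Request = Dict[str, Set[str]]


def target_matches(target: Target, request: Request) -> bool:
    """Every attribute named in the target must share a value with the request."""
    return all(bool(request.get(attr, set()) & values)
               for attr, values in target.items())


def evaluate_rule(rule: dict, request: Request) -> str:
    """A rule yields its Effect when its target matches, else NotApplicable."""
    return rule["effect"] if target_matches(rule["target"], request) else NOT_APPLICABLE


def deny_overrides(decisions: List[str]) -> str:
    """Any Deny wins; otherwise any Permit; otherwise NotApplicable."""
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def permit_overrides(decisions: List[str]) -> str:
    """Any Permit wins; otherwise any Deny; otherwise NotApplicable."""
    if PERMIT in decisions:
        return PERMIT
    if DENY in decisions:
        return DENY
    return NOT_APPLICABLE


COMBINERS = {"deny-overrides": deny_overrides, "permit-overrides": permit_overrides}


def evaluate_policy(policy: dict, request: Request) -> str:
    """PDP: check the policy target, evaluate each rule, combine the results."""
    if not target_matches(policy["target"], request):
        return NOT_APPLICABLE
    decisions = [evaluate_rule(rule, request) for rule in policy["rules"]]
    return COMBINERS[policy["combining"]](decisions)


# Constructed policy: who may read or write the customer-records resource.
POLICY = {
    "target": {"resource": {"customer-records"}},
    "combining": "deny-overrides",
    "rules": [
        {"id": "clerks-and-managers-read", "effect": PERMIT,
         "target": {"role": {"clerk", "manager"}, "action": {"read"}}},
        {"id": "managers-write", "effect": PERMIT,
         "target": {"role": {"manager"}, "action": {"write"}}},
        {"id": "contractors-never-write", "effect": DENY,
         "target": {"role": {"contractor"}, "action": {"write"}}},
    ],
}


def decide(roles, action: str, resource: str, policy: dict = POLICY) -> str:
    """Build a request from the caller's attributes and ask the PDP."""
    request = {"role": set(roles), "action": {action}, "resource": {resource}}
    return evaluate_policy(policy, request)


def enforce(roles, action: str, resource: str, policy: dict = POLICY) -> bool:
    """PEP: only an explicit Permit grants access; NotApplicable is a refusal."""
    return decide(roles, action, resource, policy) == PERMIT


if __name__ == "__main__":
    print(decide(["clerk"], "read", "customer-records"))               # Permit
    print(decide(["manager", "contractor"], "write", "customer-records"))  # Deny
```

The last call is the point of the combining algorithm: a subject holding both the manager and contractor roles matches a Permit rule and a Deny rule, and deny-overrides resolves the conflict to Deny, whereas the same policy under permit-overrides would grant the write. The enforcement point also treats NotApplicable as a refusal, so a request the policy never anticipated does not slip through.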

  48. What should your company be doing?

  49. Reducing Risk in new e-business technologies • Avoid reinventing the wheel • Stay current with emerging technologies • Influence industry direction • Ensure consideration of own needs • Realization of interoperability and network effects • Reduce development cost/time • Save development on new technologies • Share cost/time with other participants Specify standards compliance as a risk reduction strategy

  50. What can my company do? • Participate • Understand the ground rules • Contribute actively Or… • Be a good observer In any case… • Make your needs known • Use cases, functions, platforms, IPR, availability, tooling • Be pragmatic: standardization is a voluntary process
