Jet Propulsion Laboratory California Institute of Technology 4800 Oak Grove Drive Pasadena, California 91109-8099 J. Steven Jenkins, Ph.D. Principal Engineer +1 818 354-6055 email@example.com. Introduction to the Security Forum. What We Used to Do.
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Jet Propulsion Laboratory California Institute of Technology 4800 Oak Grove Drive Pasadena, California 91109-8099 J. Steven Jenkins, Ph.D. Principal Engineer +1 818 354-6055 firstname.lastname@example.org Introduction to the Security Forum
What We Used to Do • Security Standards Development • X/Open Basic Security Services (XBSS) • Common Data Security Architecture (CDSA) • With reference implementation • Authorization API (AZN API) • Work on PKI • Architecture (APKI) • DCE/PKI Integration
Why We Don’t Do That Now • Security standards development is well addressed by some other organizations • IETF, OASIS • Some high-profile standards did not achieve the desired uptake and effect • CDSA, AZN • There are significant challenges in security that are not being addressed anywhere on a systematic basis
Classical Security Analysis • Classical model in a cartoon • Analyze threats • Analyze vulnerabilities • Analyze risks • Design and implement countermeasures • What’s wrong with the classical model? • It starts with bad things to prevent • It assumes all risk is bad • The result often prevents good things
Our Model Is Different • We believe that security exists to ensure that business gets done according to policy • Policies are business-driven, for example: • Comply with the law because you want to stay in business • Respect your customers because you want to keep them • Understand your risks and make business decisions about which to accept and how
Managing Risk • Risk is not necessarily a bad thing • Every business transaction carries risk • Some ways to deal with risk • Disclaim it • Transfer it by contract • Hedge against it • Insure against it • Accept it • Security helps you manage risk by design
Active Loss Prevention • The Open Group has had an Active Loss Prevention Initiative for several years • It provides a framework for addressing IT issues related to risk and loss in the context of law, insurance, and business • The ALP Initiative is now integrated into the Security Forum • A welcome addition because their aims are the same as ours
Summary • Our mission is to bridge the gap between business objectives and traditional “security” technology • Clear ways to talk about business security • Analytical tools to turn objectives into design • Identification of gaps in both understanding and technology • What are the emerging requirements? • Better understanding between buyers and suppliers of IT