Tuesday, July 24, 2012

Summer in the Capital -– Looking back at The Open Group Conference in Washington, D.C.

This guest post comes courtesy of Jim Hietala, Vice President of Security at The Open Group.

By Jim Hietala

This past week in Washington D.C., The Open Group held our Q3 conference. The theme for the event was "Cybersecurity – Defend Critical Assets and Secure the Global Supply Chain," and the conference featured a number of thought-provoking speakers and presentations.

Cybersecurity is at a critical juncture, and conference speakers highlighted the threat and attack reality and described industry efforts to move forward in important areas. The conference also featured a new capability, as several of the events were livestreamed to the Internet.

For those who did not make the event, here's a summary of a few of the key presentations, as well as what The Open Group is doing in these areas. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Joel Brenner, attorney with Cooley, was our first keynote. Joel's presentation was titled, “Turning Us Inside-Out: Crime and Economic Espionage on our Networks.” The talk mirrored his recent book, “America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare,” and Joel talked about current threats to critical infrastructure, attack trends, and challenges in securing information.

Joel's presentation was a wakeup call to the very real issues of IP theft and identity theft. Beyond describing the threat and attack landscape, Joel discussed some of the management challenges related to ownership of the problem, namely that the different stakeholders in addressing cybersecurity in companies, including legal, technical, management, and HR, all tend to think that this is someone else's problem. Joel stated the need for policy spanning the entire organization to fully address the problem.

The DoD now requires the creation of a program protection plan, which is the single focal point for security activities on the program.



Kristin Baldwin
, principal deputy, systems engineering, Office of the Assistant Secretary of Defense, Research and Engineering, described the U.S. Department of Defense (DoD) Trusted Defense Systems Strategy and challenges, including requirements to secure their multi-tiered supply chain. She also talked about how the acquisition landscape has changed over the past few years.

In addition, for all programs, the DoD now requires the creation of a program protection plan, which is the single focal point for security activities on the program. Kristin's takeaways included needing a holistic approach to security, focusing attention on the threat, and avoiding risk exposure from gaps and seams.

Overarching framework

DoD’s Trusted Defense Systems Strategy provides an overarching framework for trusted systems. Stakeholder integration with acquisition, intelligence, engineering, industry, and research communities is key to success. Systems engineering brings these stakeholders, risk trades, policy, and design decisions together. Kristin also stressed the importance of informing leadership early and providing programs with risk-based options.

Dr. Don Ross of NIST presented a perfect storm of proliferation of information systems and networks and an increasing sophistication of threat, resulting in an increasing number of penetrations of information systems in the public and private sectors potentially affecting security and privacy. He proposed a need for an integrated project team approach to information security.

Dr. Ross also provided an overview of the changes coming in NIST SP 800-53, version 4, which is presently available in draft form. He also advocated a dual protection strategy approach involving traditional controls at network perimeters that assumes attackers outside of organizational networks, as well as agile defenses, are already inside the perimeter.

The objective of agile defenses is to enable operation while under attack and to minimize response times to ongoing attacks.

The objective of agile defenses is to enable operation while under attack and to minimize response times to ongoing attacks. This new approach mirrors thinking from the Jericho Forum and others on de-perimeterization and security and is very welcome.

The Open Group Trusted Technology Forum provided a panel discussion on supply chain security issues and the approach that the forum is taking towards addressing issues relating to taint and counterfeit in products.

The panel included Andras Szakal of IBM, Edna Conway of Cisco and Dan Reddy of EMC, as well as Dave Lounsbury, CTO of The Open Group. OTTF continues to make great progress in the area of supply chain security, having published a snapshot of the Open Trusted Technology Provider Framework, working to create a conformance program, and in working to harmonize with other standards activities.

Dave Hornford, partner at Conexiam and chair of The Open Group Architecture Forum, provided a thought provoking presentation titled, "Secure Business Architecture, or just Security Architecture?" Dave's talk described the problems in approaches that are purely focused on securing against threats and brought forth the idea that focusing on secure business architecture was a better methodology for ensuring that stakeholders had visibility into risks and benefits.

Positive and negative

Geoff Besko, CEO of Seccuris and co-leader of the security integration project for the next version of TOGAF, delivered a presentation that looked at risk from a positive and negative view. He recognized that senior management frequently have a view of risk embracing as taking risk with am eye on business gains if revenue/market share/profitability, while security practitioners tend to focus on risk as something that is to be mitigated. Finding common ground is key here.

Katie Lewin, who is responsible for the GSA FedRAMP program, provided an overview of the program, and how it is helping raise the bar for federal agency use of secure cloud computing.

The conference also featured a workshop on security automation, which featured presentations on a number of standards efforts in this area, including on SCAP, O-ACEML from The Open Group, MILE, NEA, AVOS and SACM. One conclusion from the workshop was that there's presently a gap and a need for a higher level security automation architecture encompassing the many lower level protocols and standards that exist in the security automation area.

There's presently a gap and a need for a higher level security automation architecture encompassing the many lower level protocols and standards that exist in the security automation area.



In addition to the public conference, a number of forums of The Open Group met in working sessions to advance their work in the Capitol. These included:
All in all, the conference clarified the magnitude of the cybersecurity threat, and the importance of initiatives from The Open Group and elsewhere to make progress on real solutions.

Join us at our next conference in Barcelona on October 22-25!

This guest post comes courtesy of Jim Hietala, Vice President of Security at The Open Group. Copyright The Open Group and Interarbor Solutions, LLC, 2005-2012. All rights reserved.

You may also be interested in:

Monday, July 23, 2012

With CMS 10, HP puts workload configuration data newly in hands of those who can best use it to manage services delivery

HP today introduced HP Configuration Management System (CMS) 10, a broad update designed to give more types of IT leaders better insight and control over everything from discrete IT devices to complete services-enabled business processes.

Especially important for the operational control of hybrid services delivery and converged cloud implementations, CMS 10 gathers and shares the configuration patterns and characteristics of highly virtualized workloads. The update helps manage dynamic virtualized applications both inside enterprise data centers as well as leading clouds.

"CMS 10 improves control of converged clouds," said Jimmy Augustine, product marketing manager at HP Software. "It sees the virtual machines and updates the Universal Configuration Management Data Base (UCMDB) with the dynamic information from public and private clouds."

With the new software, HP says clients can reduce costs and risks associated with service disruptions while reducing the time spent on manual discovery by more than 50 percent thanks to automated discovery capabilities. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

With the growing adoption of cloud computing, organizations are under increased pressure to deliver new services and scale existing ones. The complexities of cloud-based infrastructures coupled with a lack of visibility have hampered organizations’ ability to efficiently and predictably manage IT performance.

“Service disruptions within complex cloud and virtualized environments are difficult to identify and resolve,” said Shane Pearson, vice president, Product Marketing, Operations, Software, HP. “With the new enhancements to HP Configuration Management System, IT executives now have the configuration intelligence they need at their fingertips to make rapid decisions to ensure consistent business service availability.”

CMS 10 also introduces new capabilities specifically for service lifecycle design and operations, notably within both business service management (BSM) and IT service management (ITSM).

CMS 10 also introduces new capabilities specifically for service lifecycle design and operations.



I was especially impressed by the ability of CMS 10 users to extend the view of operations to business process analysts, enterprise architects and DevOps managers -- all provided by a new browser-based access and query capability. These business-function-focused leaders can seek out the information they need to cut through the complexity of systems data to measure and react to how an entire application or processes are behaving systemically.

What's more, CMS 10 level insights can be extended to security professionals and business architects to gather data on compliance, performance, and even for better architecting the next process or hybrid services mix. The fact that CMS 10 already supports across many VMs and cloud types shows the importance of ensuring configuration conformity as a baseline capability for hybrid cloud uses.

The CMS update broadly supports virtual machines better, has multi-tenancy support to appeal to service providers, and delivers its outputs via web browsers and search interfaces. "You can see the full applications support infrastructure, and discover out of the box the whole workload support," says Augustine.

More specifically, the new HP CMS 10 includes HP Universal Discovery with Content Pack 11, HP Universal Configuration Management Data Base (UCMDB), HP UCMDB Configuration Manager, and HP UCMDB Browser. With the new solution, enterprises, governments and managed service providers (MSPs) can now:
  • Quickly discover software and hardware inventory, as well as associated dependencies in a single unified discovery solution

    You can see the full applications support infrastructure, and discover out of the box.


  • Speed time to value with the product’s simplified user interface and enhanced scalability, allowing all IT teams to consume as well as use rich intelligence hosted in the HP CMS
  • More easily manage multiple client environments within a single UCMDB with improved security, automation and scalability
  • Automatically locate and catalog new technologies related to network hardware, open source middleware, storage, ERP, and infrastructure software providers
  • Introduce new server compliance thresholds.
HP CMS 10 is a key component of the HP IT Performance Suite, an enterprise performance software platform designed to improve performance with operational intelligence for many types of users and uses.

HP CMS, currently available worldwide in 10 languages, is also available through HP channel partners. More information about CMS 10 is available at www.hp.com/go/CMS.

You may also be interested in: