Tuesday, June 30, 2015

Securing Business Operations and Critical Infrastructure: Trusted Technology, Procurement Paradigms, and Cyber Insurance

Transcript of a BriefingsDirect discussion on ways to address supply chain risk in the information technology sector market.

Listen to the podcast. Find it on iTunes. Get the mobile app for iOS or Android. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hello, and welcome to a special BriefingsDirect thought leadership panel discussion coming to you in conjunction with The Open Group's upcoming conference on July 20, 2015 in Baltimore.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be your host and moderator as we explore ways to address supply chain risk in the information technology sector market.

We'll specifically examine how The Open Group Trusted Technology Forum (OTTF) standards and accreditation activities are enhancing the security of global supply chains and improving the integrity of openly available IT products and components.

We'll learn how the age-old practice of insurance is coming to bear on the problem of IT supply-chain risk. By leveraging insurance models, the specter of supply chain disruption and security ills may be significantly reduced.
Attend The Open Group Baltimore 2015
July 20-23, 2015
Register Here
To update us on the work of the OTTF, and explain the workings and benefits of supply-chain insurance, we're joined by our panel of experts. Please join me in welcoming Sally Long, Director of The Open Group Trusted Technology Forum. Welcome, Sally.

Sally Long: Thank you.

Gardner: We're also here with Andras Szakal, Vice President and Chief Technology Officer for IBM U.S. Federal and Chairman of The Open Group Trusted Technology Forum. Welcome back, Andras.

Andras Szakal: Thank you for having me.

Gardner: And Bob Dix joins us. He is Vice President of Global Government Affairs and Public Policy for Juniper Networks and is a member of The Open Group Trusted Technology Forum. Welcome, Bob.

Bob Dix: Thank you for the invitation. Glad to be here.

Gardner: Lastly, we are joined by Dan Reddy, Supply Chain Assurance Specialist, college instructor and Lead of The Open Group Trusted Technology Forum Global Outreach and Standards Harmonization Work Group. Thanks for being with us, Dan.

Dan Reddy: Glad to be here, Dana.

Gardner: Sally, please give us an update on The Open Group Trusted Technology Forum (OTTF) and the supply-chain accreditation process generally. What has been going on?

O-TTPS standard

Long: For some of you who might not have heard of the O-TTPS, which is the standard, it’s called The Open Trusted Technology Provider™ Standard. The effort started with an initiative in 2009, a roundtable discussion with U.S. government and several ICT vendors, on how to identify trustworthy commercial off-the-shelf (COTS) information and communication technology (ICT), basically driven by the fact that governments were moving away from high-assurance customized solutions and more and more using COTS ICT.

That ad-hoc group formed under the OTTF and proceeded to deliver a standard and an accreditation program.

The standard really provides a set of best practices to be used throughout the COTS ICT product life cycle. That’s both during in-house development, as well as with outsourced development and manufacturing, including the best practices to use for security in the supply chain, encompassing all phases from design to disposal.

Just to bring you up to speed on just some of the milestones that we've had, we released our 1.0 version of the standard in 2013, launched our accreditation program to help assure conformance to the standard in February 2014, and then in July, we released our 1.1 version of the standard. We have now submitted that version to ISO for approval as a publicly available specification (PAS) and it’s a fast track for ISO.

The PAS is a process for adopting standards developed in other standards development organizations (SDOs), and the O-TTPS has passed the draft ISO ballot. Now, it’s coming up for final ballot.

That should bring folks up to speed, Dana, and let them know where we are today.

Gardner: Is there anything in particular at The Open Group Conference in Baltimore, coming up in July, that pertains to these activities? Is this something that’s going to be more than just discussed? Is there something of a milestone nature here, too?

Long: Monday, July 20, is the Cyber Security Day of the Baltimore Conference. We're going to be meeting in the plenary with many of the U.S. government officials from NIST, GSA, and the Department of Homeland Security. So there is going to be a big plenary discussion on cyber security and supply chain.

We'll also be meeting separately as a member forum, but the whole open track on Monday will be devoted to cyber security and supply chain security.

The one milestone that might coincide is that we're publishing our Chinese translation version of the standard 1.1 and we might be announcing that then. I think that’s about it, Dana.

OTTF background

Gardner: Andras, for the benefit of our listeners and readers who might be new to this concept, perhaps you could fill us in on the background on the types of problems that OTTF initiatives and standards are designed to solve. What’s the problem that we need to address here?

Szakal: That’s a great question. We realized, over the last 5 to 10 years, that the traditional supply-chain management practices -- supply-chain integrity practices, where we were ensuring the integrity of the delivery of a product to the end customer, ensuring that it wasn't tampered with, effectively managing our suppliers to ensure they provided us with quality components -- really had expanded as a result of the adoption of technology. There has been pervasive growth of technology in all aspects of manufacturing, but especially as IT has expanded into the Internet of Things, critical infrastructure and mobile technologies, and now obviously cloud and big data.

And as we manufacture those IT products we have to recognize that now we're in a global environment, and manufacturing and sourcing of components occurs worldwide. In some cases, some of these components are even open source or freely available. We're concerned, obviously, about the lineage, but also the practices of how these products are manufactured from a secure engineering perspective, as well as the supply-chain integrity and supply-chain security practices.

What we've recognized here is that the traditional life cycle of supply-chain security and integrity has expanded to include all the way down to the design aspects of the product through sustainment and managing that product over a period of time, from cradle to grave, and disposal of the product to ensure that those components, if they were hardware-based, don't actually end up recycled in a way that they pose a threat to our customers.

Gardner: So it’s as much a lifecycle as it is a procurement issue.

Szakal: Absolutely. When you talk about procurement, you're talking about lifecycle and about mitigating risks to those two different aspects from sourcing and from manufacturing.

So from the customer's perspective, they need to be considering how they actually apply techniques to ensure that they are sourcing from authorized channels, that they are also applying the same techniques that we use for secure engineering when they are doing the integration of their IT infrastructure.

But from a development perspective, it’s ensuring that we're applying secure engineering techniques, that we have a well-defined baseline for our life cycle, and that we're controlling our assets effectively. We understand who our partners are and we're able to score them and ensure that we're tracking their integrity and that we're applying new techniques around secure engineering, like threat analysis and risk analysis to the supply chain.

We're understanding the current risk landscape and applying techniques like vulnerability analysis and runtime protection techniques that would allow us to mitigate many of these risks as we build out our products and manufacture them.

It goes all the way through sustainment. You probably recognize now, most people would, that your products are no longer a shrink-wrap product that you get, install, and it lives for a year or two before you update it. It’s constantly being updated. So to ensure that the integrity and delivery of that update is consistent with the principles that we are trying to espouse is also really important.

Collaborative effort

Gardner: And to that point, no product stands alone. It’s really a result of a collaborative effort, a very complex number of systems coming together. Not only are standards necessary, but cooperation among all those players in that ecosystem becomes necessary.

Dan Reddy, how have we done in terms of getting mutual assurance across a supply chain, that all the participants are willing to take part? It seems to me that, if there is a weak link, everyone would benefit by shoring that up. So how do we go beyond the standards? How are we getting cooperation, getting all the parties interested in contributing and being part of this?

Reddy: First of all, it’s an evolutionary process, and we're still in the early days of fully communicating what the best practices are, what the standards are, and getting people to understand how that relates to their place in the supply chain.

Certainly, the supplier community would benefit by following some common practices so they don’t wind up answering customized survey questions from all of their customers.

That's what's happening today. It's pretty much a one-off situation, where each customer says, "I need to protect my supply chain. Let me go find out what all of my suppliers are doing." The real benefit here is to have the common language of the requirements in our standard and a way to measure it.

So there should be an incentive for the suppliers to take a look at that and say, "I'm tired of answering these individual survey questions. Maybe if I just document my best practices, I can avoid some of the effort that goes along with that individual approach."

Everyone needs to understand that value proposition across the supply chain. Part of what we're trying to do with the Baltimore conference is to talk to some thought leaders and continue to get the word out about the value proposition here.

Gardner: Bob Dix, the government in the U.S., and, of course, across the globe, all the governments, are major purchasers of technology and also have a great stake in security and low risk. What’s been driving some of the government activities? They're also interested in using COTS technology and cutting costs. So what role can governments play in driving some of these activities around the OTTF?

Risk management

Dix: This issue of supply chain assurance and cyber security is all about risk management, and it's a shared responsibility. For too long I think that the government has had a tendency to want to point a finger at the private sector as not sufficiently attending to this matter.

The fact is, Dana, that many in the private sector make substantial investments in their product integrity program, as Andras was talking about, from product conception, to delivery, to disposal. What’s really important is that when that investment is made and when companies apply the standard the OTTF has put forward, it’s incumbent upon the government to do their part in purchasing from authorized and trusted sources.

In today's world, we still have a culture that's pervasive across the government acquisition community, where decision-making on procurements is often driven by cost and schedule, and product authenticity, assurance, and security are not necessarily a part of that equation. It’s driven in many cases by budgets and other considerations, but nonetheless, we must change that culture to include authenticity and assurance as a part of the decision-making process.

The result of focusing on cost and schedule is often those acquisitions are made from untrusted and unauthorized sources, which raises the risk of acquiring counterfeit, tainted, or even malicious equipment.

Part of the work of the OTTF is to present to all stakeholders, in industry and government alike, that there is a process that can be uniform, as has been stated by Sally and Dan, that can be applied in an environment to raise the bar of authenticity, security, and assurance to improve upon that risk management approach.

Gardner: Sally, we've talked about where you're standing in terms of some progress in your development around these standards and activities. We've heard about the challenges and the need for improvement.

Before we talk about this interesting concept of insurance that would come to bear on -- and perhaps encouraging standardization and giving people more ways to reduce their risk and adhere to best practices -- what do you expect to see in a few years? If things go well and if this is adopted widely and embraced in true good practices, what's the result? What do we expect to see as an insurance improvement?

Powerful impact

Long: The most important and significant aspect of the accreditation program is when you look at the holistic nature of the program and how it could have a very powerful impact if it's widely adopted.

The idea of an accreditation program is that a provider gets accredited for conforming to the best practices. A provider that can get accredited could be an integrator, an OEM, the component suppliers of hardware and software that provide the components to the OEM, and the value-add resellers and distributors.

Every important constituent in that supply chain could be accredited. So not only from a business perspective is it important for governments and commercial customers to look on the Accreditation Registry and see who has been accredited for the integrators they want to work with or for the OEMs they want to work with, but it’s also important and beneficial for OEMs to be able to look at that register and say, "These component suppliers are accredited. So I'll work with them as business partners." It's the same for value-add resellers and distributors.
It builds in these real business-market incentives to make the concept work, and in the end, of course, the ultimate goal of having a more secure supply chain and more products with integrity will be achieved.

To me, that is one of the most important aspects that we can reach for, especially if we reach out internationally. What we're starting to see internationally is that localized requirements are cropping up in different countries. What that’s going to mean is that vendors need to meet those different requirements, increasing their cost, and sometimes even there will end up being trade barriers.

Back to what Dan and Bob were saying, we need to look at this global standard and accreditation program that already exists. It's not in development; we've been working on it for five years with consensus from many, many of the major players in the industry and government. So urging global adoption of what already exists and what could work holistically is really an important objective for our next couple of years.

Gardner: It certainly sounds like a win-win-win if everyone can participate, have visibility, and get designated as having followed through on those principles. But as you know and as you mentioned, it’s the marketplace. Economics often drives business behavior. So in addition to a standards process and the definitions being available, what is it about this notion of insurance that might be a parallel market force that would help encourage better practices and ultimately move more companies in this direction?

Let’s start with Dan. Explain to me how cyber insurance, as it pertains to the supply chain, would work.

Early stages

Reddy: It’s an interesting question. The cyber insurance industry is still in the early stages, even though it goes back to the '70s, where crime insurance started applying to outsiders gaining physical access to computer systems. You didn't really see the advent of hacker insurance policies until the late '90s. Then, starting in 2000, some of the first forms of cyber insurance covering first and third party started to appear.

What we're seeing today is primarily related to the breaches that we hear about in the paper every day, where some organization has been compromised, and sensitive information, like credit card information, is exposed for thousands of customers. The remediation is geared toward the companies that have to pay the claim and sign people up for identity protection. It's pretty cut and dried. That's the wave that the insurance industry is riding right now.

What I see is that as attacks get to be more sophisticated and potentially include attacks on the supply chain, it’s going to represent a whole new area for cyber insurance. Having consistent ways to address supplier-related risk, as well as the other infrastructure related risks that go beyond simple data breach, is going to be where the marketplace has to make an adjustment. Standardization is critical there.

Gardner: Andras, how does this work in conjunction with OTTF? Would insurance companies begin their risk assessment by making sure that participants in the supply chain are already adhering to your standards and seeking accreditation? Then, maybe they would have premiums that would reflect the diligence that companies extend into their supply chains. Maybe you could just explain to me, not just the insurance, but how it would work in conjunction with OTTF, maybe to their mutual benefit.

Szakal: You made a really great point earlier about the economic element that would drive compliance. For us in IBM, the economic element is the ability to prove that we're providing the right assurance that is being specified in the requests for proposals (RFPs), not only in the federal sector, but outside the federal sector in critical infrastructure and finance. We continue to win those opportunities, and that’s driven our compliance, as well as the government policy aspect worldwide.

But from an insurance point of view, insurance comes in two forms. I buy policy insurance in a case where there are risks that are out of my control, and I apply protective measures that are under my control. So in the case of the supply chain, the OTTF is a set of practices that help you gain control and lower the risk of threat in the manufacturing process.

The question is, do you buy a policy, and what’s the balance here between a cyber threat that is in your control, and those aspects of supply chain security which are out of your control. This is with the understanding that there is an infinite number of resources or revenue that you can apply to allocate to both of these aspects.

There's going to have to be a balance, and it really is going to be case by case, with respect to customers and manufacturers, as to where the loss of potential intellectual property (IP) with insurance, versus applying controls. Those resources are better applied where they actually have control, versus that of policies that are protecting you against things that are out of your control.

For example, you might buy a policy for providing code to a third party, which has high value IP to manufacture a component. You have to share that information with that third-party supplier to actually manufacture that component as part of the overarching product, but with the realization that if that third party is somehow hacked or intruded on and that IP is stolen, you have lost some significant amount of value. That will be an area where insurance would be applicable.

What's working

Gardner: Bob Dix, if insurance comes to bear in conjunction with standards like what the OTTF is developing in supply chain assurance, it seems to me that the insurance providers themselves would be in a position of gathering information for their actuarial decisions and could be a clearing house for what's working and what isn't working.

It would be in their best interest to then share that back into the marketplace in order to reduce the risk. That’s a market-driven, data-driven approach that could benefit everyone. Do you see the advent of insurance as a benefit or accelerant to improvement here?

Dix: It's a tool. This is a conversation that’s been going on in the community for quite some time, the lack of actuarial data for catastrophic losses produced by cyber events, that is impacting some of the rate setting and premium setting by insurance companies, and that has continued to be a challenge.

But from an incentive standpoint, it’s just like in your home. If you have an alarm system, if you have a fence, if you do other kinds of protective measures, your insurance on your homeowners or liability insurance may get a reduction in premium for those actions that you have taken.

As an incentive, the opportunity to have an insurance policy to either transfer or buy down risk can be driven by the type of controls that you have in your environment. The standard that the OTTF has put forward provides guidance about how best to accomplish that. So, there is an opportunity to leverage, as an incentive, the reduction in premiums for insurance to transfer or buy down risk.

Gardner: It’s interesting, Sally, that the insurance industry could benefit from OTTF, and by having more insurance available in the marketplace, it could encourage more participation and make the standard even more applicable and valuable. So it's interesting to see over time how that plays out.

Any thoughts or comments on the relationship between what you are doing at OTTF and The Open Group and what the private insurance industry is moving toward?

Long: I agree with what everyone has said. It's an up-and-coming field, and there is a lot more focus on it. I hear at every conference I go to, there is a lot more research on cyber security insurance. There is a place for the O-TTPS in terms of buying down risk, as Bob was mentioning.

The other thing that's interesting is the NIST Cybersecurity Framework. That whole paradigm started out with the fact that there would be incentives for those that followed the NIST Cybersecurity Framework; that incentive piece became very hard to pull together, and still is. To my knowledge, there are no incentives yet associated with it. But insurance was one of the ideas they talked about for incentivizing adopters of the CSF.

The other thing that I think came out of one of the presentations that Dan and Larry Clinton will be giving at our Baltimore Conference, is that insurers are looking for simplicity. They don’t want to go into a client’s environment and have them prove that they are doing all of these things required of them or filling out a long checklist.

That’s why, in terms of simplicity, asking for O-TTPS-accredited providers or lowering their rates based on that would be a very simplistic approach, but again not here yet. As Bob said, it's been talked about a lot for a long time, but I think it is coming to the fore.

Market of interest

Gardner: Dan Reddy, back to you. When there is generally a large addressable market of interest in a product or service, there often rises a commercial means to satisfy that. How can enterprises, the people who are consuming these products, encourage acceptance of these standards, perhaps push for a stronger insurance capability in the marketplace, or also get involved with some of these standards and practices that we have been talking about?

If you're a publicly traded company, you would want to reduce your exposure and be able to claim accreditation and insurance as well. Let’s look at this from the perspective of the enterprise. What should and could they be doing to improve on this?

Reddy: I want to link back to what Sally said about the NIST Cyber Security Framework. What’s been very useful in publishing the Framework is that it gives enterprises a way to talk about their overall operational risk in a consistent fashion.

I was at one of the workshops sponsored by NIST where enterprises that had adopted it talked about what they were doing internally in their own enterprises in changing their practices, improving their security, and using the language of the framework to address that.

Yet, when they talked about one aspect of their risk, their supplier risk, they were trying to send the NIST Cybersecurity Framework risk questions to their suppliers, and those questions aren’t really sufficient. They're interesting. You care about the enterprise of your supplier, but you really care about the products of your supplier.

So one of the things that the OTTF did is look at the requirements in our standard related to suppliers and link them specifically to the same operational areas that were included in the NIST Cybersecurity Framework.

This gives the standard enterprise looking at risk, trying to do standard things, a way to use the language of our requirements in the standard and the accreditation program as a form of measurement to see how that aspect of supplier risk would be addressed.

But remember, cyber insurance is more than just the risk of suppliers. It’s the risk at the enterprise level. But the attacks are going to change over time, and we'll go beyond the simple breaches. That’s where the added complexity will be needed.

Gardner: Andras, any suggestions for how enterprises, suppliers, vendors, systems integrators, and now, of course, the cloud services providers, should get involved? Where can they go for more information? What can they do to become part of the solution on this?

International forum

Szakal: Well, they can always become a member of the Trusted Technology Forum, where we have an international forum.

Gardner: I thought you might say that.

Szakal: That’s an obvious one, right? But there are a couple of places where you can go to learn more about this challenge.

One is certainly our website. Download the framework, which was a compendium of best practices, which we gathered as a result of a lot of hard work of sharing in an open, penalty-free environment all of the best practices that the major vendors are employing to mitigate risks to counterfeit and maliciously tainted products, as well as other supply chain risks. I think that’s a good start, understanding the standard.

Then, it's looking at how you might measure the standard against what your practices are currently using the accreditation criteria that we have established.

Other places would be NIST. I believe that it’s 161 that is the current pending standard for protecting supply chain security. There are several really good reports that the Defense Science Board and other organizations have conducted in the past within the federal government space. There are plenty of materials out there, a lot of discussion about challenges.

But I think the only place where you really find solutions, or at least one of the only places that I have seen is in the TTF, embedded in the standard as a set of practices that are very practical to implement.

Gardner: Sally, the same question to you. Where can people go to get involved? What should they perhaps do to get started?

Long: I'd reiterate what Andras said. I'd also point them toward the accreditation website, which is www.opengroup.org/accreditation/o-ttps. And on that accreditation site you can see the policy, standard and supporting docs. We publicize our assessment procedures so you have a good idea of what the assessment process will entail.

The program is based on evidence of conformance as well as a warranty from the applicant. So the assessment procedures being public will allow any organizations thinking about getting accredited to know exactly what they need to do.

As always, we would appreciate any new members, because we'll be evolving the standard and the accreditation program, and it is done by consensus. So if you want a say in that, whether our standard needs to be stronger, weaker, broader, etc., join the forum and help us evolve it.

Impact on business

Gardner: Dan Reddy, when we think about managing these issues, often it falls on the shoulders of IT and their security apparatus, the Chief Information Security Officer perhaps. But it seems that the impact on business is growing. So should other people in the enterprise be thinking about this? I am thinking about procurement or the governance risk and compliance folks. Who else should be involved other than IT in their security apparatus in mitigating the risks as far as IT supply chain activity?

Reddy: You're right that the old model of everything falls on IT is expanding, and now you see issues of enterprise risk and supply chain risk making it up to the boards of directors, who are asking tough questions. That's one reason why boards look at cyber insurance as a way to mitigate some of the risk that they can't control.

They're asking tough questions all the way around, and I think acquisition people do need to understand what are the right questions to ask of technology providers.

To me, this comes back to scalability. This one-off approach of everyone asking questions of each of their vendors just isn't going to make it. The advantage that we have here is that we have a consistent standard, built by consensus, freely available, and it's measurable.

There are a lot of other good documents that talk about supply chain risk and secure engineering, but you can't get a third-party assessment in a straightforward method, and I think that's going to be appealing over time.

Gardner: Bob Dix, last word to you. What do you see happening in the area of government affairs and public policy around these issues? What should we hope for or expect from different governments in creating an atmosphere that improves risk across supply chain?

Dix: A couple things have to happen, Dana. First, we have got to quit blaming victims when we have breaches and compromises and start looking at solutions. The government has a tendency in the United States and in other countries around the world, to look at legislating and trying to pass regulatory measures that impose requirements on industry without a full understanding of what industry is already doing.

In this particular example, the government has had a tendency to take an approach that excludes vendors from being able to participate in federal procurement activities based on a risk level that they determine.

The really great thing about the work of the OTTF and the standard that's being produced is that it allows a different way to look at it and instead look at those that are accredited as having met the standard and being able to provide a higher assurance level of authenticity and security around the products and services that they deliver. I think that's a much more productive approach.

Working together

And from a standpoint of public policy, this example on the great work that's being done by industry and government working together globally to be able to deliver the standard provides the government a basis by which they can think about it a little differently.

Instead of just focusing on who they want to exclude, let's look at who actually is delivering the value and meeting the requirements to be a trusted provider. That's a different approach and it's one that we are very proud of in terms of the work of The Open Group and we will continue to work that going forward.

Gardner: I'm afraid we will have to leave it there. We've been exploring ways to address supply chain risk in the information technology sector marketplace, and we've seen how The Open Group Trusted Technology Forum standards and accreditation activities are enhancing the security of global supply chain and improving the integrity of openly available IT products and components. And we have also learned how the age-old practice of insurance is coming to bear on the problem of IT supply chain risk.
This special BriefingsDirect thought leadership panel discussion comes to you in conjunction with The Open Group's upcoming conference on July 20, 2015 in Baltimore. It's not too late to register on The Open Group's website or to follow the proceedings online and via Twitter and other social media during the week of the presentation.

So a big thank you to our guests: Sally Long, Director of The Open Group Trusted Technology Forum; Andras Szakal, Vice President and Chief Technology Officer for IBM U.S. Federal and Chairman of The Open Group Trusted Technology Forum; Bob Dix, Vice President of Global Government Affairs and Public Policy for Juniper Networks and a member of The Open Group Trusted Technology Forum, and Dan Reddy, Supply Chain Assurance Specialist, college instructor and Lead of The Open Group Trusted Technology Forum Global Outreach and Standards Harmonization Work Group.

And lastly, a big thank you to our audience for joining us at the special Open Group-sponsored thought leadership panel discussion.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for these Open Group discussions associated with the July 20 Baltimore Conference. Thanks again for listening, and come back next time.


Transcript of a BriefingsDirect discussion on ways to address supply chain risk in the information technology sector market. Copyright The Open Group and Interarbor Solutions, LLC, 2005-2015. All rights reserved.

Friday, July 13, 2012

The Open Group Trusted Technology Forum is Leading the Way to Securing Global IT Supply Chains

Transcript of a BriefingsDirect podcast focusing on the upcoming Open Group Conference and the effort to develop standards to make IT supply chains secure, verified, and trusted.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: The Open Group.

Register for The Open Group Conference
July 16-18 in Washington, D.C. Watch the live stream.

Dana Gardner: Hello, and welcome to a special BriefingsDirect thought leadership interview series coming to you in conjunction with the Open Group Conference this month in Washington, D.C. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, and I'll be your host throughout these discussions.

The conference focuses on enterprise architecture (EA), enterprise transformation, and securing global supply chains. We're here now to focus on the latest effort to make global supply chains for technology providers more secure, verified, and therefore trusted. We'll examine the advancement of The Open Group Trusted Technology Forum (OTTF), which was established in late 2010.

We’ve assembled a panel of experts, including some of the major speakers at The Open Group Conference, to provide an update on the achievements at OTTF, and to learn more about how technology suppliers and buyers can expect to benefit. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Please join me now in welcoming our panel. We're here with Dave Lounsbury, Chief Technical Officer at The Open Group. Welcome, Dave.

Dave Lounsbury: Hello, Dana.

Gardner: We're also here with Dan Reddy, Senior Consultant Product Manager in the Product Security Office at EMC Corp. Welcome, Dan.

Dan Reddy: Hi, Dana.

Gardner: We're also joined by Andras Szakal, Vice President and Chief Technology Officer at IBM's U.S. Federal Group, and also the Chair of the OTTF. He also leads the development of The Open Trusted Technology Provider Standard. Welcome back, Andras.

Andras Szakal: Thank you very much, Dana.

Gardner: And lastly, we're here with Edna Conway, Chief Security Strategist for Global Supply Chain at Cisco. Welcome, Edna.

Edna Conway: Delighted to be here, Dana.

Gardner: Dave Lounsbury, first to you. OTTF was created about 18 months ago, but I suspect that the urgency for these types of supply chain trust measures has only grown. We’ve seen some congressional testimony and we’ve seen some developments in the market that make this a bit more pressing.

Why is this an important issue, and why is there a sense of urgency in the markets?

Boundaryless information

Lounsbury: You framed it very nicely at the beginning, Dana. The Open Group has a vision of boundaryless information flow, and that necessarily involves interoperability. But interoperability doesn't have the effect that you want, unless you can also trust the information that you're getting, as it flows through the system.

Therefore, it’s necessary that you be able to trust all of the links in the chain that you use to deliver your information. One thing that everybody who watches the news would acknowledge is that the threat landscape has changed. As systems become more and more interoperable, we get more and more attacks on the system.

As the value that flows through the system increases, there’s a lot more interest in cyber crime. Unfortunately, in our world, there's now the issue of state-sponsored incursions in cyberspace, whether officially state-sponsored or not, but politically motivated ones certainly.

So there is an increasing awareness on the part of government and industry that we must protect the supply chain, both through increasing technical security measures, which are handled in lots of places, and in making sure that the vendors and consumers of components in the supply chain are using proper methodologies to make sure that there are no vulnerabilities in their components.

I'm sure that Andras, Edna, and Dan will give us a lot more detail on what those vulnerabilities are, but from an Open Group perspective, I'll note that the demand we're hearing is increasingly for work on standards in security, whether it's the technical security aspects or these global supply-chain aspects. That’s top of everybody's mind these days.

Gardner: Let’s go through our panel and try to get a bit more detail about what it is that we are trying to solve or prevent. Dan Reddy, what do you view as some of the critical issues that need to be addressed, and why has the OTTF been created in the first place?

Reddy: One of the things that we're addressing, Dana, is the supply chain item that was part of the Comprehensive National Cybersecurity Initiative (CNCI), which spans the work of two presidents. Initiative 11 was to develop a multi-pronged approach to global supply chain risk management. That really started the conversation, especially in the federal government as to how private industry and government should work together to address the risks there.

In the OTTF, we've tried to create a clear, measurable way to address supply-chain risk. It’s been really hard to even talk about supply chain risk, because you have to start with getting a common agreement about what the supply chain is, and then talk about how to deal with risk by following best practices.

Gardner: Andras, the same question. It seems like a vexing issue. How can one possibly develop the ability to verify deep into the supply chains, in many cases coming across international boundaries, and then bring into some play a standard to allow this to continue with a sense of security and trust? It sounds pretty daunting.

Szakal: In many ways, it is. One of the observations that I've made over the last couple of years is that this group of individuals, who are now part of this standards forum, have grown in their ability to collaborate, define, and rise to the challenges, and work together to solve the problem.

Standards process

Technology supply chain security and integrity are not necessarily a set of requirements or an initiative that has been taken on by the standards committee or standards groups up to this point. The people who are participating in this aren't your traditional IT standards gurus. They had to learn the standards process. They had to understand how to approach the standardization of best practices, which is how we approach solving this problem.

It’s sharing information. It’s opening up across the industry to share best practices on how to secure the supply chain and how to ensure its overall integrity. Our goal has been to develop a framework of best practices and then ultimately take those codified best practices and instantiate them into a standard, which we can then assess providers against. It’s a big effort, but I think we’re making tremendous progress.

Gardner: Because The Open Group Conference is taking place in Washington, D.C., what’s the current perception in the U.S. Government about this in terms of its role? Is this a "stand by and watch?" Is this "get involved?" Is there the thought of adding some teeth to this at some point that the government can display in terms of effective roles?

Szakal: Well, the whole forum arose out of the work that Dan just discussed with the CNCI. The government has always taken a prominent role, at least to help focus the attention of the industry.

Now that they’ve corralled the industry and they’ve got us moving in the right direction, in many ways, we’ve fought through many of the intricate complex technology supply chain issues and we’re ahead of some of the thinking of folks outside of this group because the industry lives these challenges and understands the state of the art. Some of the best minds in the industry are focused on this, and we’ve applied some significant internal resources across our membership to work on this challenge.

So the government is very interested in it. We’ve had collaborations all the way from the White House across the Department of Defense (DoD) and within the Department of Homeland Security (DHS), and we have members from the government space in NASA and DoD.

It’s very much a collaborative effort, and I'm hoping that it can continue to be so and be utilized as a standard that the government can point to, instead of coming up with their own policies and practices that may actually not work as well as those defined by the industry.

Gardner: Edna Conway, have we missed anything in terms of being well-versed in understanding the challenge here?

Conway: The challenge is moving a little bit, and our colleagues on the public side of the public-private partnership addressing supply-chain integrity have recognized that we need to do it together.

More importantly, you need only to listen to a statement, which I know has often been quoted, but it’s worth noting again from EU Commissioner Algirdas Semeta. He recently said that in a globalized world, no country can secure the supply chain in isolation. He recognized that, again quoting, national supply chains are ineffective and too costly unless they’re supported by enhanced international cooperation.

Mindful focus

The one thing that we bring to bear here is a mindful focus on the fact that we need a public-private partnership to address comprehensively in our information and communications technology industry supply chain integrity internationally. That has been very important in our focus. We want to be a one-stop shop of best practices that the world can look at, so that we continue to benefit from commercial technology which sells globally and frequently builds once or on a limited basis.

Combining that international focus and the public-private partnership is something that's really coming home to roost in everyone’s minds right now, as we see security value migrating away from an end point and looking comprehensively at the product lifecycle or the global supply chain.

Gardner: We obviously have an important activity. We have now more collaboration among and between public and private sectors as well as the wider inclusion of more countries and more regions.

Dave Lounsbury, perhaps you could bring us up to speed on where we are in terms of this as a standard. Eighteen months isn’t necessarily a long time in the standards business, but there is, as we said, some emergency here. Perhaps you could set us up in understanding where we are in the progression and then we’ll look at some of the ways in which these issues are being addressed.

Lounsbury: I’d be glad to, Dana, but before I do that, I want to amplify on the point that Edna and Andras made. I had the honor of testifying before the House Energy and Commerce Committee on Oversight Investigations, on the view from within the U.S. Government on IT security.

It was very gratifying to see that the government does recognize this problem. We had witnesses in from the DoD and Department of Energy (DoE). I was there, because I was one of the two voices on industry that the government wants to tap into to get the industry’s best practices into the government.

It was even more gratifying to see that the concerns that were raised in the hearings were exactly the ones that the OTTF is pursuing. How do you validate a long and complex global supply chain in the face of a very wide threat environment, recognizing that it can’t be any single country? Also, it really does need to be not a process that you apply to a point, but something where you have a standard that raises the bar for our security for all the participants in your supply chain.

So it was really good to know that we were on track and that the government, and certainly the U.S. Government, as we’ve heard from Edna, the European governments, and I suspect all world governments are looking at exactly how to tap into this industry activity.

Now to answer your question directly -- in the last 18 months, there has been a tremendous amount of progress. The thing that I'll highlight is that early in 2012, the OTTF published a snapshot of the standard. A snapshot is what The Open Group uses to give a preview of what we expect the standards will apply. It has fleshed out two areas, one on tainted products and one on counterfeit products, the standards and best practices needed to secure a supply chain against those two vulnerabilities.

So that’s out there. People can take a look at that document. Of course, we would welcome their feedback on it. We think other people have good answers too. Also, if they want to start using that as guidance for how they should shape their own practices, then that would be available to them.

Normative guidance

Of course, with Andras as the Chair, Edna as the Vice-Chair, and Dan as a key contributor, I'm probably the least qualified one on the call to talk about the current state, but what they've been focusing on is how you would go from having the normative guidance of the standard to having some sort of a process by which a vendor could indicate their conformance to those best practices and standards.

That’s the top development topic inside the OTTF itself. Of course, in parallel with that, we're continuing to engage in an outreach process and talking to government agencies that have a stake in securing the supply chain, whether it's part of government policy or other forms of steering the government to making sure they are making the right decisions. In terms of exactly where we are, I'll defer to Edna and Andras on the top priority in the group.

Gardner: Let’s do that. Edna, can you perhaps fill us in on what the prioritization, some of the activities, a recap if you will of what’s been going on at OTTF and where things stand?

Conway: We decided that this was, in fact, a comprehensive effort that was going to grow over time and change as the challenges change. We began by looking at two primary areas, which were counterfeit and taint in that communications technology arena. In doing so, we first identified a set of best practices, which you referenced briefly inside of that snapshot.

Where we are today is adding the diligence, and extracting the knowledge and experience from the broad spectrum of participants in the OTTF to establish a set of rigorous conformance criteria that allow a balance between flexibility and how one goes about showing compliance to those best practices, while also assuring the end customer that there is rigor sufficient to ensure that certain requirements are met meticulously, but most importantly comprehensively.

We have a practice right now where we're going through each and every requirement or best practice and thinking through the broad spectrum of the development stage of the lifecycle, as well as the end-to-end nodes of the supply chain itself.

This is to ensure that there are requirements that would establish conformance that could be pointed to, by both those who would seek accreditation to this international standard, as well as those who would rely on that accreditation as the imprimatur of some higher degree of trustworthiness in the products and solutions that are being afforded to them, when they select an OTTF accredited provider.

Gardner: Andras, when we think about the private sector having developed a means for doing this on its own, that now needs to be brought into a standard and towards an accreditation process. I'm curious where in an organization like IBM, that these issues are most enforceable.

Is this an act of the procurement group? Is it the act of the engineering and the specifying? Is it a separate office, like Dan is, with the product security office? I know this is a big subject. I don’t want to go down too deeply, but I'm curious as to where within the private sector the knowledge and the expertise for these sorts of things seem to reside?

Szakal: That’s a great question, and the answer is both. Speaking for IBM, we recently celebrated our 100th anniversary in 2011. We’ve had a little more time than some folks to come up with a robust engineering and development process, which harkens back to the IBM 701 and the beginning of the modern computing era.

Integrated process

We have what we call the integrated product development process (IPD), which all products follow and that includes hardware and software. And we have a very robust quality assurance team, the QSE team, which ensures that the folks are following those practices that are called out. Within each line of business there exist specific requirements that apply more directly to the architecture of a particular product offering.

For example, the hardware group obviously has additional standards that they have to follow during the course of development that is specific to hardware development and the associated supply chain, and that is true with the software team as well.

The product development teams are integrated with the supply chain folks, and we have what we call the Secure Engineering Framework, of which I was an author and the Secure Engineering Initiative which we have continued to evolve for quite some time now, to ensure that we are effectively engineering and sourcing components and that we're following these Open Trusted Technology Provider Standard (O-TTPS) best practices.

In fact, the work that we've done here in the OTTF has helped to ensure that we're focused in all of the same areas that Edna’s team is with Cisco, because we’ve shared our best practices across all of the members here in the OTTF, and it gives us a great view into what others are doing, and helps us ensure that we're following the most effective industry best practices.

Gardner: It makes sense, certainly, if you want to have a secure data center, you need to have the various suppliers that contribute to the creation of that data center operating under some similar processes.

Dan Reddy at EMC, is the Product Security Office something similar to what Andras explained for how IBM operates? Perhaps you could just give us a sense of how it’s done there in terms of who is responsible for this, and then how those processes might migrate out to the standard?

Reddy: At EMC in our Product Security Office, we house the enabling expertise to define how to build their products securely. We're interested in building that in as soon as possible throughout the entire lifecycle. We work with all of our product teams to measure where they are, to help them define their path forward, as they look at each of the releases of their other products. And we’ve done a lot of work in sharing our practices within the industry.

One of the things this standard does for us, especially in the area of dealing with the supply chain, is it gives us a way to communicate what our practices are with our customers. Customers are looking for that kind of assurance and rather than having a one-by-one conversation with customers about what our practices are for a particular organization. This would allow us to have a way of demonstrating the measurement and the conformance against a standard to our own customers.

Also, as we flip it around and take a look at our own suppliers, we want to be able to encourage suppliers, which may be small suppliers, to conform to a standard, as we go and select who will be our authorized suppliers.

Gardner: Dave Lounsbury at The Open Group, it seems that those smaller suppliers that want to continue to develop and sell goods to such organizations as EMC, IBM, and Cisco would be wise to be aware of this standard and begin to take steps, so that they can be in compliance ahead of time or even seek accreditation means.

What would you suggest for those various suppliers around the globe to begin the process, so that when the time comes, they're in an advantageous position to continue to be vigorous participants in these commerce networks?

Publications catalog
Lounsbury: Obviously, the thing I would recommend right off is to go to The Open Group website, go to the publications catalog, and download the snapshot of the OTTF standard. That gives a good overview of the two areas of best practices for protection from tainted and counterfeit products we’ve mentioned on the call here.

That’s the starting point, but of course, the reason it’s very important for the commercial world to lead this is that commercial vendors face the commercial market pressures and have to respond to threats quickly. So the other part of this is how to stay involved and how to stay up to date?

And of course the two ways that The Open Group offers to let people do that is that you can come to our quarterly conferences, where we do regular presentations on this topic. In fact, the Washington meeting is themed on the supply chain security.

Of course, the best way to do it is to actually be in the room as these standards are evolved to meet the current and the changing threat environment. So, joining The Open Group and joining the OTTF is absolutely the best way to be on the cutting edge of what's happening, and to take advantage of the great information you get from the companies represented on this call, who have invested years-and-years, as Andras said, in making their own best practices and learning from them.

Gardner: Edna Conway, we’ve mentioned a couple of the early pillars of this effort -- taint and counterfeit. Do we have a sense of what might be the next areas that would be targeted? I don’t mean for you all to set in stone your agenda, but I'm curious as to what possible next areas would be on the short list of priorities.

Conway: You’ve heard us talk about CNCI, and the fact that cybersecurity is on everyone’s minds today. So while taint embodies that to some degree, we probably need to think about partnering in a more comprehensive way under the resiliency and risk umbrella that you heard Dan talk about and really think about embedding security into a resilient supply chain or a resilient enterprise approach.

In fact, to give that some forethought, we actually have invited at the upcoming conference, a colleague who I've worked with for a number of years who is a leading expert in enterprise resiliency and supply chain resiliency to join us and share his thoughts.

He is a professor at MIT, and his name is Yossi Sheffi. Dr. Sheffi will be with us. It's from that kind of information sharing, as we think in a more comprehensive way, that we begin to gather the expertise that not only resides today globally in different pockets, whether it be academia, government, or private enterprise, but also to think about what the next generation is going to look like.

Resiliency, as it was known five years ago, is nothing like supply chain resiliency today, and where we want to take it into the future. You need only look at the US national strategy for global supply chain security to understand that. When it was announced in January of this year at Davos by Secretary Napolitano of the DHS, she made it quite clear that we're now putting security at the forefront, and resiliency is a part of that security endeavor.

So that mindset is a change, given the reliance ubiquitously on communications, for everything, everywhere, at all times -- not only critical infrastructure, but private enterprise, as well as all of us on a daily basis today. Our communications infrastructure is essential to us.

Thinking about resiliency

Given that security has taken top ranking, we’re probably at the beginning of this stage of thinking about resiliency. It's not just about continuity of supply, not just about prevention from the kinds of cyber incidents that we’re worried about, but also to be cognizant of those nation-state concerns or personal concerns that would arise from those parties who are engaging in malicious activity, either for political, religious or reasons.

Or, as you know, some of them are just interested in seeing whether or not they can challenge the system, and that causes loss of productivity and a loss of time. In some cases, there are devastating negative impacts to infrastructure.

Gardner: Andras at IBM, any thoughts on where the next priorities are? We heard resiliency and security. Any other inputs from your perspective?

Szakal: I am highly focused right now on trying to establish an effective and credible accreditation program, and working to test the program with the vendors.

From an IBM perspective, we're certainly going to try to be part of the initial testing of the program. When we get some good quality data with respect to challenges or areas that the OTTF thinks need refinement, then the members will make some updates to the standard.

There's another area too that I am highly focused on, but have kind of set aside, and that's the continued development and formalization of the framework itself that is to continue the collective best practices from the industry and provide some sort of methods by which vendors can submit and externalize those best practices. So those are a couple of areas that I think that would keep me busy for the next 12 months easily.

Gardner: Before we wrap up, I want to try to develop some practical examples of where and how this is being used successfully, and I’d like to start with you, Dan. Do you have any sense of where, in a supply chain environment, the focus on trust and verification has come to play and has been successful?

I don’t know if you can mention names, but at least give our listeners and readers a sense of how this might work by an example of what’s already taken place?

Reddy: I'm going to build on what I said a little bit earlier in terms of working with our own suppliers. What we're envisioning here is an ecosystem, where as any provider of technology goes and sources the components that go into our products, we can turn around and have an expectation that those suppliers will have gone through this process. We'll then be able to take that level of confidence and assurance that we get from knowing that and translate it to the people who are acquiring our technology as well.

As Andras is saying, this is going to take a while to roll out and get everyone to take advantage of this, but ultimately, our success is going to be measured by if we have a fully functioning ecosystem, where this is the way that we measure conformance against the standard, whether you are a large or a small company.

Further along
We think that this initiative is further along than most anything else in the landscape today. When people take a look at it, they'll realize that all of the public and private members that have created this have done it through a very rigorous conformance and consensus process. We spend a lot of time weighing and debating every single practice that goes into the standard and how it’s expressed.

You may be able to read 50 pages quickly, but there is a lot behind it. As people figure out how those practices match up with their own practices and get measured against them, they're going to see a lot of the value.

Conway: It’s being used in a number of companies that are part of OTTF in a variety of ways. You’ve heard Dan talk about what we would expect of our suppliers, and obviously, for me, the supply chain is near and dear to my heart, as I develop that strategy. But, what I think you will see is a set of practices that companies are already embracing.

For example, at Cisco, we think about establishing trustworthy networks. Dan’s company may have a slightly different view given the depth and breadth of the portfolio of what EMC delivers to its many customers with integrity. Embedding this kind of supply chain security as a foundational element of what you're delivering to the customer requires that you actually have a go-to-market strategy that allows you to address integrity and security within it.

Then to flip back to what Dan said, you need areas of discipline, where there are best practices with regard to things like logistics security and electronic fabrication practices, obviously, looking uniquely in our industry which is what the OTTF is focusing on.

If you look deeply, you'll find that there is a way to take a best practice and actually follow it. I just came from Florida, where I was stuck in a tropical storm so I have those storm "spaghetti models" that the media show on the television to predict the path of storm action. If you looked at O-TTPS as a spaghetti model, so to speak, you would have the hub being the actual best practice, but there are already pockets of best practices being used.

You heard Andras talk about the fact that IBM has a robust methodology with regard to secure engineering. You heard Dan mention it as well. We too at Cisco have a secure development lifecycle with practices that need to be engaged in. So it’s embracing the whole, and then bringing it down into the various nodes of the supply chain and practices.

There are pockets right now in development, in logistics, and in fabrication already well under way that we are going to both capitalize on, and hopefully raise the bar for the industry overall. Because if we do this properly, in the electronics industry we all use the vast majority of a similar set of supply-chain partners.

What that will do is raise the bar for the customers and allow those of us who are innovators to differentiate on our innovation and on how we might achieve the best practices, rather than worrying about are you trustworthy or not. If we do it right, trust will be an automatic given.

Gardner: I have to imagine that going out to the market with the ability to assert that level of trust is a very good position in terms of marketing and competitive analysis. So this isn't really something that goes on without a lot of commercial benefits associated with it, when it's done properly. Any reaction to that, Andras, in terms of companies that do this well? I guess they should feel that they have an advantage in the market.

Secure by Design

Szakal: Especially now in this day and age, any time that you actually approach security as part of the lifecycle -- what we call at IBM Secure by Design -- you're going to be ahead of the market in some ways. You're going to be in a better place. All of these best practices that we've defined are additive in effect. However, the very nature of technology as it exists today is that it will probably be another 50 or so years before we see a perfect security paradigm in the way that we all think about it.

So the researchers are going to be ahead of all of the providers in many ways in identifying security flaws and helping us to remediate those practices. That’s part of what we're doing here, trying to make sure that we continue to keep these practices up to date and relevant to the entire lifecycle of commercial off-the-shelf technology (COTS) development.

So that’s important, but you also have to be realistic about the best practices as they exist today. The bar is going to move as we address future challenges.

Gardner: I'm afraid we have to leave it there. We’ve been talking about making global supply chains for technology providers more secure, verified, and therefore, trusted. We’ve been learning about the achievements of OTTF and how technology suppliers and buyers will expect to benefit from that moving forward.

This special BriefingsDirect discussion comes to you in conjunction with The Open Group Conference from July 16 - 20 in Washington, D.C. You’ll hear more from these and other experts on the ways that IT and enterprise architecture support any enterprise transformation as well as how global supply chains are being better secured.

I’d like to thank our panel for this very interesting discussion. We’ve been here with Dave Lounsbury, Chief Technical Officer at The Open Group. Thanks, Dave.

Lounsbury: Thank you, Dana.

Gardner: We’ve also been here with Dan Reddy, Senior Consultant Product Manager in the Product Security Office at EMC. Thanks, Dan.

Reddy: Thanks, Dana.

Gardner: We’ve been joined by Andras Szakal, Vice President and Chief Technology Officer at IBM’s US Federal Group as well as the Chairman of the OTTF. Thank you, Andras.

Szakal: My pleasure, Dana.

Gardner: And lastly, Edna Conway, Chief Security Strategist for Global Supply Chain at Cisco. Thanks so much for your input.

Conway: My pleasure. I’ll look forward to seeing everyone in Washington.

Gardner: Yes, and I’ll look forward to all of your presentations and discussions in Washington as well. I encourage our readers and listeners to attend the conference and learn even more. Some of the proceedings will be online and available for streaming, and you could take advantage of that as well.

This is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator through these thought leadership interviews. Thanks again for listening, and come back next time.

Register for The Open Group Conference
July 16-18 in Washington, D.C. Watch the live stream.

Listen to the podcast. Find it on iTunes/iPod. Download the transcript. Sponsor: The Open Group.

Transcript of a BriefingsDirect podcast focusing on the upcoming Open Group Conference and the effort to develop standards to make IT supply chains secure, verified, and trusted. Copyright The Open Group and Interarbor Solutions, LLC, 2005-2012. All rights reserved.
